nullcon 2011 - Chupa Rustam

http://null.co.in/ http://nullcon.net/

Remember these Titans???

Spying was a manual labor!

Spying has become digital

Meet

Abhijeet Hatekar

A Geek who works for

Who happens to be a hardcore

Linux Guy

Delves into…

Loves to develop

New Security /

Hacking Tools

Also, a good cook!

I was at

Where I developed tools like…

oat.sf.net

Presented papers at…

And active contributor for

a magazine

Can be followed at my blog

and reached at my website: www.chackraview.net

What

brings

me here?

What

brings

me here?

What

brings

me here?

What

brings

me here?

What

brings

me here?

Let’s go

a step

ahead

Unified Communication

VoIP is a piece of technical excellence

VoIP Benefits

�Cost efficient

�Flexibility

�Feature rich

�Simple and Scalable

infrastructure

Competition: a Goose

race

To provide rich features,

Slick boxes within slim

timeline; vendors often

overlook security issues.

VoIP Attack Vectors

Eavesdropping

Denial of Service(DOS)

Call Hijack

Call Teardown

Call Fraud

Media Manipulations

Codec Manipulation

What’s at stake???

Money

Data

Reputation and faith

&...

YOU

Let’s focus on

something

more

interesting!

Prologue

Major Global Video Phone

Solutions Providers

Why Grandstream???

Cheap

Reliable

Feature Rich

Features of

Grandstream Video Phone

nmap scan

The Awareness Hurdle

Non-aware

95%

The Hack Begins….

Login Authentication

Survey Facts

78% people do not change the default password.

Out of remaining 22%, 42.98% just increment a number.

e.g.Password1, admin2 etc.

Source: Symantec Inc.

75% of social networking username and password samples

collected online were identical to those used for email

accounts.

69.30% people write down their password to remember.

Source: www.securityweek.com

63% people do not change their password often.

Source: www.cnet.com

The Password

leaks some

facts ☺

The Wireshark Trace

The Wireshark Trace

The Research

After burning the midnight oil over couple of smokes

Packet captures

Grey cells

I found out different interesting configuration variables.

The Research:

Mapping Configuration Variables

P2 = password

P97 = iLBC Frame size

P927 = Video packet size

P39 = local RTP port

P928 = ??? <interesting>

The Research

These variables correspond

to some features directly

affecting the Grandstream

phone.

Among all the variables,P928

caught my attention because

as soon as I set that variable.

The Research: 2nd nmap Scan

The Research

P928 starts RTSP server on phone

P928 starts RTSP server on phone

Can stream video from the video phone camera Can stream video from

the video phone camera

User is not aware of this and moreover

User is not aware of this and moreover

User cannot control it from phone menu

User cannot control it from phone menu

Cracking SRTP Authentication

• Phone tries to authenticate RTSP

client

• http digest authentication mode

• QoP is only auth and not

auth_int(little safe)

• Vulnerable to MiTM and

password brute force attacks

So far I have not seen this

room getting into

the sleeping zone…

I believe then it’s not that

boring ☺

Crack web password

Enable RTSP Server

Crack RTSP authentication

Profit / fun

Synopsis

Presenting

Chupa Rustam FundamentalsWritten in “C”..

Uses libvlc

For Linux Platform

Generic Grandstreamweb cracking support

Remote administration of surveillance feature

RTSP password cracker SSL support

Chupa Rustam

Features

Getting back to

“something more

interesting”…

Titans are back…

with ninja skills!

Worldwide Usage of

Grandstream Video Phones

Grandstream GXV 3xx Series Clients

Lessons Learned for Vendors

� Use strong authentication

mechanisms

� Document all features and secure

them

� provide features only if necessary

Lessons Learned for End Users

Change default passwords

to something better than

alphanumeric

There is no fix for the human

stupidity

DON’T bring video phones to your bedroom ☺

http://tools.chackraview.net/chuparustam

How can I get Chupa-Rustam?

Got questions???

Hit ‘em!

Thank You

&

Stay safe!

[email protected]