UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer


UC Security with Microsoft Office Communication Server R1/R2

FRHACK
Sept 8, 2009

Abhijeet Hatekar
Vulnerability Research Engineer

© 2008 Sipera Systems, Inc. All Rights Reserved.

Agenda

Introduction

Overview of VoIP/UC Security

Microsoft OCS Overview

OAT Demo - Online Dictionary Attack

OAT Demo - IM Flood/ Call Walk/ Call DoS

OAT Reporting

Future Research Areas

Conclusion

FRHACK 2 Sipera Confidential - Do not reproduce or distribute without express written consent


Introduction

About VIPER Lab
• VIPER ~ Voice over IP Exploit Research
• Security research lab dedicated to finding
- New UC / VoIP attack vectors
- Structural vulnerabilities in insecure protocol / deployment / configuration
• Penetration testing team specialized in VoIP / UC Security
• Passionate about VoIP / UC Security
• Replicated a production, enterprise network in VIPER Lab
• Security assessment professionals supported by research and exploit developers


Introduction

Who am I?
Vulnerability Research Engineer in VIPER Lab

Tools I have Authored
• Xtest (http://xtest.sf.net)
• VideoJak (http://videojak.sf.net)


Agenda

Introduction

Overview of Unified Communication and Security
- What is Unified Communication?
- VoIP Vulnerabilities
- VoIP Attacks

Microsoft OCS Overview

OAT Demo - Online Dictionary Attack

OAT Demo - IM Flood/ Call Walk/ Call DoS

OAT Reporting

Future Research Areas

Conclusion


What is UC?

Integration of real time communication services with non real time communication services.

Suite of products for communication across multiple devices and media types.


VoIP Vulnerabilities And Attacks

• Signaling Vulnerabilities
- Most hard-phones have limited or underpowered hardware.
- Protocol stacks are poorly implemented.
- Protocols lack authentication and encryption.
- Different responses for valid/invalid usernames

• Signaling Attacks
- Flooding, Fuzzing, DoS
- Signaling message injection
- Call Teardown, Registration Hijack, Media Hijack
- Caller-ID spoofing
- Username Enumeration


VoIP Vulnerabilities And Attacks

• Media Vulnerabilities
- Media channels are unauthenticated.
- Media protocols are un-encrypted.
- Poor implementation of Media protocols

• Media Manipulation Attacks
- Media QoS Degradation, DoS
- Media Injection, Modification, Deletion
- Eavesdropping Media


Agenda

Introduction

Overview of Unified Communication and Security

Microsoft OCS Overview
• Introduction to OCS
• OAT Overview
- Why OAT
- OAT features

OAT Demo - Online Dictionary Attack

OAT Demo - IM Flood/ Call Walk/ Call DoS

OAT Reporting

Future Research Areas

Conclusion


Microsoft OCS Overview

• A Software based UC Solution from Microsoft
• Streamlined Communications
• Operational Flexibility and Control
• Extensible Communications Platform


OAT Overview

• MS Office Communication Server Assessment Tool (OAT)
• Result of reverse engineering of OCS client
• Started RE work in Feb 2008 and developed PoC tool to register with OCS using normal Win32 SDK APIs in May 2008
• Used UC SDK to build OAT and supported features


OAT Features
• Features in OAT v1.0
- Online Dictionary Attack
- Presence Stealing
- Contact List Stealing
- IM Flood
- Call Walk
- Spam Call
- User friendly interface
- TCP transport
- NTLM authentication protocol support
- Basic reports


• What's New in OAT v2.0?
- Call DoS attack feature
- Targeted IM and Call Walk
- Auto detection of authentication protocol between NTLM & Kerberos
- TLS transport support
- More organized settings and attack tab pages
- Verbose reports in various formats including PDF, Word, RTF and Text


OAT Internal Assessment Mode
• Typical Deployment


• Supported Attacks
- Online Dictionary Attacks
- Domain User Enumeration
- Presence Stealing
- Contact List Stealing
- Domain IM Flood
- Domain Call Walk
- Call DoS


OAT External Assessment Mode
• Typical Deployment


• Supported Attacks
- Online Dictionary Attacks
- Domain User Enumeration
- Presence Stealing
- Contact List Stealing
- Contact List IM Flood
- Contact List Call Walk
- Call DoS


Agenda

Introduction

Overview of Unified Communication and Security

Microsoft OCS Overview

OAT Demo - Online Dictionary Attack
• Overview
• Demo

OAT Demo - IM Flood/ Call Walk/ Call DoS

OAT Reporting

Future Research Areas

Conclusion


OAT Online Dictionary Attack


• OAT tests the password strength of OCS enabled users.
• Imitates a real outside attack.
• Successful attack opens a door for launching attacks with dire implications.
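
A defender-side sketch of how the online dictionary attack and the domain user enumeration listed earlier show up in sign-in telemetry. This is an added example, not part of the slides or of OAT; the event format, thresholds, addresses and account names are all constructed assumptions, not an OCS log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; set them from your own sign-in baseline.
WINDOW = timedelta(seconds=60)
MAX_FAILS_PER_USER = 5      # failures for one account from one source
MAX_USERS_PER_SOURCE = 4    # distinct accounts failing from one source

def parse(line):
    # Constructed format: "<ISO time> <source IP> <SIP URI> <AUTH_OK|AUTH_FAIL>"
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), result

def detect(lines):
    """Return sorted (kind, source, account) alerts for one batch of events."""
    recent = defaultdict(deque)   # source -> (time, account) failures inside WINDOW
    alerts = set()
    for ts, src, user, result in sorted(parse(l) for l in lines):
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:   # expire failures older than WINDOW
            q.popleft()
        if result == "AUTH_FAIL":
            q.append((ts, user))
        accounts = [u for _, u in q]
        if accounts.count(user) >= MAX_FAILS_PER_USER:
            # A success right after a burst of failures means a guess landed.
            kind = "success_after_guessing" if result == "AUTH_OK" else "dictionary"
            alerts.add((kind, src, user))
        if result == "AUTH_FAIL" and len(set(accounts)) >= MAX_USERS_PER_SOURCE:
            alerts.add(("enumeration", src, "*"))
    return sorted(alerts)

# Constructed sample events (not real OCS logs).
SAMPLE = (
    [f"2009-09-08T10:00:0{i} 10.0.0.50 alice@example.com AUTH_FAIL" for i in range(6)]
    + ["2009-09-08T10:00:06 10.0.0.50 alice@example.com AUTH_OK"]
    + [f"2009-09-08T10:01:0{i} 10.0.0.51 user{i}@example.com AUTH_FAIL" for i in range(4)]
    + ["2009-09-08T10:02:00 10.0.0.7 bob@example.com AUTH_FAIL",
       "2009-09-08T10:02:05 10.0.0.7 bob@example.com AUTH_OK"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The success_after_guessing alert is the one to triage first, since it marks an account whose password should be treated as known to the source that was guessing.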


Agenda

Introduction

Overview of Unified Communication and Security

Microsoft OCS Overview

OAT Demo - Online Dictionary Attack

OAT Demo - IM Flood/ Call Walk/ Call DoS
• Overview
• Demo

OAT Reporting

Future Research Areas

Conclusion


OAT IM Flood


• OAT IM Flood feature can flood targeted user(s) with custom IM messages.
• Can be used to send SPAM IM.
• Can be used for phishing attacks if proper measures are not enabled.


OAT Call Walk


• OAT Call Walk feature enumerates all OCS enabled users
• Steals their presence information
• Makes prank calls and plays a custom SPAM audio clip


OAT Attacks from External Network


• OAT Call Walk feature steals the contact list from the external network
• Steals their presence information
• Makes prank calls and plays a custom SPAM audio clip


OAT Call DoS


• OAT Call DoS feature can flood a targeted user with custom high-priority calls.
• Results in DoS on the Communicator client; the client must be forcefully restarted.
• Works on hard phones and forces the user to re-register with the OCS server.


Agenda

Introduction

Overview of Unified Communication and Security

Microsoft OCS Overview

OAT Demo - Online Dictionary Attack

OAT Demo - IM Flood/ Call Walk/ Call DoS

OAT Reporting
• Verbose Reports
• Report formats include - PDF, Word, RTF and Text

Future Research Areas

Conclusion


OAT Reports


• Generates a detailed report of configuration, selected attack and result.
• Can save the report in PDF, DOC, RTF and Text file formats.
• Reports can be used in the final penetration testing report.


Agenda

Introduction

Overview of Unified Communication and Security

Microsoft OCS Overview

OAT Demo - Online Dictionary Attack

OAT Demo - IM Flood/ Call Walk/ Call DoS

OAT Reporting

Future Research Areas
• Group Chat Server
• OCS Video Calls and Web Conference

Conclusion


Future Research Areas


• Office Communication Server R2 Audio/Video Conferencing Server

• Office Communication Server R2 Group Chat Server


Conclusion


The objective of OAT is to help identify vulnerabilities in the configuration and deployment of Microsoft OCS.

OAT is not a hacking tool to expose vulnerabilities that can’t be protected against.

All of the security issues uncovered by the tool can be mitigated by following Microsoft recommended Security Best Practices.

Resources
• Microsoft OCS Best Practices Analyzer Tool


Contact Information


Abhijeet Hatekar
• Vulnerability Research Engineer
• [email protected]; abhi,[email protected]

For more information about Sipera VIPER Lab, visit us online at http://www.viperlab.net

For more information about Sipera Systems, visit us online at http://www.sipera.com