C'est la vie

출처 : http://blog.daum.net/sq599/12721831

Socket이란?

두 프로그램이 네트워크를 통해 서로 통신을 수행 할 수 있도록 양쪽에 생성되는 링크의 단자이다. 두 소켓이 연결되면 서로 다른 프로세스끼리 데이터를 전달 할 수 있다. 결국 소켓이 구현됨으로써 네트워크 및 전송 계층의 캡슐화가 가능해 진다.

 

소켓은 원래 캘리포니아 버클리 대학 분교에서 UNIX용으로 개발 되었으며 UNIX에서의 입출력 메소드의 표준인 개방/읽기/쓰기/닫기 메커니즘을 따른다.

 

소켓형식

1. 스트림

스트림 소켓은 양방향으로 바이트 스트림을 전송 할 수 있는 연결 지향형 소켓으로 양쪽 어플리케이션이 모두 데이터를 주고 받을 수 있다는것을 의미한다. 스트림소켓은 오류수정,전송처리,흐름제어등을 보장해 주며 송신된 순서에 따른 중복되지 않은 데이터를 수신하게 된다. 이 소켓은 각 메세지를 보내기 위해 별도의 연결을 맺는 행위를 하므로 약간의 오버헤드가 존재한다. 그러므로 소량의 데이터보다는 대량의 데이터를 보내는 경우에 적당하다. 스트림소켓은 이러한 품질의 통신을 수행하기 위해서 TCP를 사용한다.

 

2. 데이터그램

명시적으로 연결을 맺지 않으므로써 비 연경형 소켓이라고 한다. 메세지는 대상 소켓으로 전송되며 대상 소켓은 메세지를 적절히 수신한다. 스트림소켓을 사용하는것이 데이터그램 소켓을 사용하는것보다 더 신뢰성이 높은 방법이지만 연결을 수립하는데 드는 오버헤드는 무시할 수 없다. 데이터그램 소켓을 사용하려면 클라이언트에서 서버로 데어터를 전송 할때 UDP를 사용한다. 이 프로토콜에서는 메세지의 크기에 약간의 제한이 있으며 메세지의 확실한 전달 역시 보장하지 않으며 통신 중 데이터를 읽어 버리더라도 오류를 되돌리지 않는다.

 

3. RAW

RAW소켓은 패킷을 가져오면 TCP/IP스택상의 TCP,UDP계층을 우회하여 바로 어플리케이션으로 송신하는 소켓이다. 이런 소켓에서 패킷은 TCP/IP필터를 통해 전달 되지 않으으로 원형 그대로의 패킷을 볼 수 있다. 이는 모든 데이터를 적절히 처리하거나 헤더를 제거하고 이를 파싱하는 과정은 모두 수신 어플리케이션에서 담당해야 하는 것이다. 실제 RAW소켓을 이용하여 프로그래밍을 하는 일은 거의 드물며 만약 시스템 소프트웨어나 패킷을 분석하는 프로그램을 개발할 경우 필요 할수도 있다.

http://blog.naver.com/ptupark?Redirect=Log&logNo=130071129146

http://www.hackingvoip.com/sec_tools.html

VoIP Security Tool List

This VoIP Security Tool List provides categories, descriptions and links to current free and commercial VoIP security tools. Each commercial tool is indicated by the following icon next to it:

The key objectives of this list are as follows:

1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA's Best Practices Project.
2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and deployments.
3. Provide vendors the information needed to proactively test their VoIP devices' ability to function and withstand real-world attacks.

DISCLAIMER: Many of these tools can cause harm to the normal operation of your VoIP network if used improperly. Before using any tools, we recommend that you read the instructions and other d0cumentation available on each of the individual tool's websites. By selecting almost any of these links, you will be leaving VOIPSA's web space. These links and pointers are provided for our visitors' convenience. Please be aware that we do not control or guarantee the accuracy, relevance, timeliness, or completeness of this outside information. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other tools that are more appropriate for your purpose. In no event shall VOIPSA be liable for any direct, indirect, incidental, punitive, or consequential damages of any kind whatsoever with respect to this list. Further, VOIPSA does not endorse any commercial products that may be mentioned in this list. These tools are only meant to be used on networks with the permission of the network owner and in compliance with the law.


Contents Quick Navigation

• VoIP Sniffing Tools
• VoIP Scanning and Enumeration Tools
• VoIP Packet Creation and Flooding Tools
• VoIP Fuzzing Tools
• VoIP Signaling Manipulation Tools
• VoIP Media Manipulation Tools
• Miscellaneous Tools
• Tool Tutorials and Presentations

VoIP Sniffing Tools

• AuthTool - Tool that attempts to determine the password of a user by analyzing SIP traffic.
• Cain & Abel - Multi-purpose tool with the capability to reconstruct RTP media calls.
• CommView VoIP Analyzer - VoIP analysis module for CommView that is suited for real-time capturing and analyzing Internet telephony (VoIP) events, such as call flow, signaling sessions, registrations, media streams, errors, etc.
• Etherpeek - general purpose VoIP and general ethernet sniffer.
• ILTY ("I'm Listening To You") - Open-source, multi-channel SKINNY sniffer.
• NetDude - A framework for inspection, analysis and manipulation of tcpdump trace files.
• Oreka - Oreka is a modular and cross-platform system for recording and retrieval of audio streams.
• PSIPDump - psipdump is a tool for dumping SIP sessions (+RTP traffic, if available) from pcap to disk in a fashion similar to "tcpdump -w".
• rtpBreak - rtpBreak detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn't require the presence of RTCP packets.
• SIPomatic - SIP listener that's part of LinPhone
• SIPv6 Analyzer - An Analyzer for SIP and IPv6.
• UCSniff - UCSniff is an assessment tool that allows users to rapidly test for the threat of unauthorized VoIP eavesdropping. UCSniff supports SIP and Skinny signaling, G.711-ulaw and G.722 codecs, and a MITM ARP Poisoning mode.
• VoiPong - VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP.
• VoIPong ISO Bootable - Bootable "Live-CD" disc version of VoIPong.
• VOMIT - The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players.
• Wireshark - Formerly Ethereal, the premier multi-platform network traffic analyzer.
• WIST - Web Interface for SIP Trace - a PHP Web Interface that permits you to connect on a remote host/port and capture/filter a SIP dialog.

VoIP Scanning and Enumeration Tools

• EnableSecurity VoIPPack for CANVAS - VoIPPack is a set of tools that are designed to work with Immunity CANVAS. The tools perform scans, enumeration, and password attacks.
• enumIAX - An IAX2 (Asterisk) login enumerator using REGREQ messages.
• iaxscan - iaxscan is a Python based scanner for detecting live IAX/2 hosts and then enumerating (by bruteforce) users on those hosts.
• iWar - IAX2 protocol Wardialer
• Nessus - The premier free network vulnerability scanner.
• nmap - the premier open source network port scanner.
• Passive Vulnerability Scanner - The Tenable Passive Vulnerability Scanner (PVS) can find out what is happening on your network without actively scanning it. PVS detects the actual protocol, various administrative interfaces, and VoIP scanner(s). Currently includes over 40 VoIP checks.
• SCTPScan - This tool enumerates open SCTP ports without establishing a full SCTP association with the remote host. You can also scan whole networks to find SCTP-speaking machines.
• SIP Forum Test Framework (SFTF) - The SIP Forum Test Framework (SFTF) was created to allow SIP device vendors to test their devices for common errors.
• SIP-Scan - A fast SIP network scanner
• SIPcrack - SIPcrack is a SIP protocol login cracker. It contains 2 programs, SIPdump to sniff SIP logins over the network and SIPcrack to bruteforce the passwords of the sniffed login.
• Sipflanker - Sipflanker will help you find SIP devices with potentially vulnerable Web GUIs in your network.
• SIPSCAN - SIPSCAN is a SIP username enumerator that uses INVITE, REGISTER, and OPTIONS methods.
• SIPVicious Tool Suite - svmap, svwar, svcrack - svmap is a sip scanner. It lists SIP devices found on an IP range. svwar identifies active extensions on a PBX. svcrack is an online password cracker for SIP PBX
• SiVuS - A SIP Vulnerability Scanner.
• SMAP - SIP Stack Fingerprinting Scanner
• VLANping - VLANPing is a network pinging utility that can work with a VLAN tag.
• VoIPAudit - VoIP specific scanning and vulnerability scanner.

VoIP Packet Creation and Flooding Tools

• IAXFlooder - A packet flooder that creates IAX packets.
• INVITE Flooder - Send a flurry of SIP INVITE messages to a phone or proxy.
• iThinkTest FlowCoder: SiPBlast - SIP Flood/Capacity testing of infrastructure by emulating mass CPE call traffic
• kphone-ddos - Using KPhone for flooding attacks with spoofed SIP packets
• NSAUDITOR - SIP UDP Traffic Generator - Flooder - SIP UDP traffic generator / flooder generates SIP traffic to stress test voice over IP systems, SIP programs and implementations under heavy network load. It is a very simple and fast program which can simulate SIP client and call activity.
• RTP Flooder - Creates "well formed" RTP Packets that can flood a phone or proxy.
• Scapy - Scapy is a powerful interactive packet manipulation program. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery.
• Seagull - a multi-protocol traffic generator especially targeted towards IMS.
• SIPBomber - SIPBomber is sip-protocol testing tool for Linux.
• SIPNess - SIPness Messenger is a SIP testing tool which is used for testing SIP applications.
• SIPp - SIPp is a free Open Source test tool / traffic generator for the SIP protocol.
• SIPsak - SIP swiss army knife.

VoIP Fuzzing Tools

• Asteroid - this is a set of malformed SIP methods (INVITE, CANCEL, BYE, etc.) that can be crafted to send to any phone or proxy.
• Codenomicon VoIP Fuzzers - Commercial versions of the free PROTOS toolset
• Fuzzy Packet - Fuzzy packet is a tool to manipulate messages through the injection, capturing, receiving or sending of packets generated over a network. Can fuzz RTP and includes built-in ARP poisoner.
• Interstate Fuzzer - VoIP Fuzzer
• Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform - Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols.
• ohrwurm - ohrwurm is a small and simple RTP fuzzer.
• PROTOS H.323 Fuzzer - a java tool that sends a set of malformed H.323 messages designed by the University of OULU in Finland.
• PROTOS SIP Fuzzer - a java tool that sends a set of malformed SIP messages designed by the University of OULU in Finland.
• SIP Forum Test Framework (SFTF) - SFTF was created to allow SIP device vendors to test their devices for common errors. And as a result of these tests improve the interoperability of the devices on the market in general.
• Sip-Proxy - Acts as a proxy between a VoIP UserAgent and a VoIP PBX. Exchanged SIP messages pass through the application and can be recorded, manipulated, or fuzzed.
• Spirent ThreatEx - a commercial protocol fuzzer and ribustness tester.
• VoIPER - VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilties.

VoIP Signaling Manipulation Tools

• BYE Teardown - This tool attempts to disconnect an active VoIP conversation by spoofing the SIP BYE message from the receiving party.
• Check Sync Phone Rebooter - Transmits a special NOTIFY SIP message which will reboot certain phones.
• H225regregject - H225regreject is a tool is used to disconnect H.323 calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified, it then injects a Registration Reject packet into the call.
• IAXAuthJack - IAXAuthJack is a tool used to actively perform an authentication downgrade attack and force an endpoint to reveal its password in plaintext over the network.
• IAXHangup - The IAXHangup is a tool is used to disconnect IAX calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified, it then injects a HANGUP control frame into the call.
• iThinkTest FlowCoder: SiPCPE - Evaluate SIP infrastructure protocol compliance using inserted SIP messages.
• RedirectPoison - this tool works in a SIP signaling environment, to monitor for an INVITE request and respond with a SIP redirect response, causing the issuing system to direct a new INVITE to another location.
• Registration Adder - this tool attempts to bind another SIP address to the target, effectively making a phone call ring in two places (the legitimate user's desk and the attacker's)
• Registration Eraser - this tool will effectively cause a denial of service by sending a spoofed SIP REGISTER message to convince the proxy that a phone/user is unavailable.
• Registration Hijacker - this tool tries to spoof SIP REGISTER messages in order to cause all incoming calls to be rerouted to the attacker.
• SIP-Kill - Sniff for SIP-INVITEs and tear down the call.
• SIP-Proxy-Kill - Tears down a SIP-Session at the last proxy before the opposite endpoint in the signaling path.
• SIP-RedirectRTP - Manipulate SDP headers so that RTP packets are redirected to an RTP-proxy.
• SipRogue - a multifunctional SIP proxy that can be inserted between two talking parties
• vnak - VoIP Network Attack Toolkit - vnak combines a number of attacks against multiple protocols in to one easy to use tool. Its aim is to be the one tool a user needs to attack multiple VoIP protocols.
• VoIPHopper - VoIP Hopper is a security validation tool that tests to see if a PC can mimic the behavior of an IP Phone. It rapidly automates a VLAN Hop into the Voice VLAN.

VoIP Media Manipulation Tools

• RTP InsertSound - this tool takes the contents of a .wav or tcpdump format file and inserts the sound into an active conversation.
• RTP MixSound - this tool takes the contents of a .wav or tcpdump format file and mixes the sound into an active conversation.
• RTPInject - RTPInject is a minimal-setup prerequisites attack tool that injects arbitrary audio into established RTP connections. The tool identifies active conversations, enumerates the media codec in use, and allows for the injection of an arbitrary audio file.
• RTPProxy - Wait for incoming RTP packets and send them to wanted (signaled by a tiny protocol) destination.
• SteganRTP - SteganRTP is a steganography tool which establishes a full-duplex steganographic data transfer protocol utilizing Real-time Transfer Protocol (RTP) packet payloads as the cover medium. The tool provides interactive chat, file transfer, and remote shell.
• Vo²IP - With Vo2IP, you can establish a hidden conversation by embedding further compressed voice data into regular PCM-based voice traffic (i.e. G.711 codec).

Miscellaneous Tools

• IAX.Brute - IAX.Brute is a passive dictionary attack tool on IAX's challenge/response authentication method. This attack allows malicious users to steal passwords and hijack endpoint identities.
• SIP-Send-Fun - Sip Send Fun is a tiny command-line based Script, which exploits specific vulnerabilites.
• SIP.Tastic - SIP.Tastic is a passive dictionary attack tool on SIP's digest authentication method. This attack allows malicious users to steal passwords and hijack endpoint identities.
• Spitter - A set of tools for Asterisk to perform VoIP spam testing.
• VoIP Security Audit Program (VSAP) - VSAP is an automated question/answer tool to audit the security of VoIP networks (SIP/H.323/RTP). It provides security topics and audit questions for the end user to complete. Once all the questions are answered, VSAP will provide a final score.
• XTest - A simple, practical, and free, wired 802.1x supplicant security tool implementing the RFC 3847 EAP-MD5 Authentication method.

Tool Tutorials and Presentations

• An Analysis of Security Threats and Tools in SIP-Based VoIP Systems - Shawn McGann and Douglas C. Sicker (University of Colorado at Boulder)
• An Analysis of VoIP Security Threats and Tools - Shawn McGann at 2nd VoIP Security Workshop June 2005
• Hacking VoIP Exposed - David Endler and Mark Collier for BlackHat 2006
• Hacking VoIP Wired and Wireless Phones - Shawn Merdinger for NoConName 2006
• Real-time Steganography with RTP - DEFCON 15 presentation by I)ruid on using steganography with RTP and the SteganRTP tool.
• Security testing of SIP implementations - Christian Wieser, Mark Laakso, and Henning Schulzrinne (Columbia University)
• SIP Stack Fingerprinting and Stack Difference Attacks - Hendrik Scholz, BlackHat USA 2006
• Two attacks against VoIP - by Peter Thermos - The purpose of this article is to discuss two of the most well known attacks that can be carried out in current VoIP deployments using SiVuS.
• VoIP Attacks! - Dustin Trammell for ToorCon 2006

# TCP 
- Layer 4 계층 프로토콜
- 상위 계층에서 생성된 데이터를 전송하도록 TCP 헤더를 삽입하여 캡슐화 실시
- 연결 지향성 프로토콜
- 상대방과 통신 수립단계를 실시한 이후에 데이터 전송을 실시한다.
- 통신 수립 단계 = '3-Way 핸드 쉐이킹'

제어부호 6 비트(Control Flag 6 Bit)
URG 0 -> 1 : 긴급한 데이터
ACK 0 -> 1 : 통신에 대한 응답 신호
PSH 0 -> 1 : 세그먼트를 바로 어플리케이션 계층에 전달
RST 0 -> 1 : 통신을 강제적으로 종료.
SYN 0 -> 1 : 통신 시작
FIN 0 -> 1 : 통신 종료

- 통신 수립 단계 = '3-Way 핸드 쉐이킹' 과정

hostA -------------------------> hostB
                SYN
hostA <------------------------- hostB
              ACK,SYN
hostA -------------------------> hostB
                ACK

- 통신 종료 단계

hostA -------------------------> hostB
                FIN
hostA <------------------------- hostB
                ACK
hostA <------------------------- hostB
                FIN
hostA -------------------------> hostB
                ACK

- 신뢰적인 데이터 전송이 요구되는 환경예서 효율적인 반면에, 대신 신속한 데이터 전송이 요구되는 환경에서는 비효율적이다.(신속함은 필요없고 신뢰적이어야 한다.)

flow control & err control
- 순서화 기능 : 증가되는 데이터 부피를 방지하기 위해서 분할 및 재조립 실시(순서 번호 사용)

- 동기화 기능 : 보낸 정보에 대한 응답(ACK 1bit)를 수신하는 기능(재전송 보장)(확인 번호 사용)

- TCP 헤더 내용
1) 출발지 포트번호(16bit)/목적지 포트번호(16bit) <- 서비스 구분(포트넘버 = 서비스)
2) 제어 부호(Control Flag 6bit) : URG, ACK, PSH, RST, SYN, FIN
3) 순서 번호(32bit) : Sequence number
4) 확인 번호(32bit) : Acknowledgement number
5) 윈도우 사이즈(수신할 수 있는 데이터양) w -> 응답 확인을 받기 전까지 보낼수있는 데이터양 #CCNP 과정 : Qos
6) 에러 체크(check sum) : 검사합

가장 중요한것은 출발지 포트번호 / 목적지 포트번호

[참고] TCP를 사용하는 어플리케이션 프로토콜 및 포트 번호

HTTP(80)
TELNET(23)
SSH(22)
FTP(20,21) : 연결 20 , 데이터 전송 21
SMTP(25) : 서버끼리 메일을 주고 받을 때 사용하는 서비스

POP3(110) : 서버에서 메일을 가져오는 서비스

공통점 : 신뢰적인 데이터 전송이 요구되는 서비스 환경

# UDP

- Layer 4 계층 프로토콜
- 상위 계층에서 생성된 데이터를 전소아도록 UDP 헤더를 삽입하여 캡슐화 실시
- 비연결 지향성 프로토콜 : 통신 수립 단계가 없다. 동기화 기능도 없다.
- 신뢰적인 데이터 전송이 요구되는 환경에서 비효울적이며, 대신 신속한 데이터 전송이 요구되는 환경에서 효율적이다.
- Best Effort 서비스(신뢰성이 보장되지 않는 서비스)
- 브로드캐스트 서비스 & 멀티캐스트 서비스 사용

[참고] 데이터 전송 방식 유형

1) 유니캐스트(Unicast) = 1:1 데이터 전송 방식. TCP 사용
2) 브로드캐스트(Broadcast) = 1:불특정다수 데이터 전송 방식. UDP 사용
3) 멀티캐스트(Multicast) = 1:특정다수 데이터 전송 방식. UDP 사용

- UDP 헤더 내용

1) 출발지 포트 번호(16bit)/목적지 포트 번호(16bit) <- 서비스 구분
2) 에러 체크(check sum) : 검사 합

- UDP를 사용하는 어플리케이션 프로토콜 및 포트 번호

DNS(53) : IP와 도메인 이름 맵핑
DHCP(67/68) : IP 자동배당
TFTP(69) : 적은양의 파일 보낼 때  ex)jumpstart
SNMP(161) : 장비 상태 점검

공통점 : 요청에 의한 신속한 데이터 전송이 요구되는 서비스 환경

# IP (internet protocol)

- Layer 3 계층 프로토콜
- 상위 계층에서 생성된 데이터를 전송하도록 IP 헤더를 삽입하여 캡슐화 실시
- 비연결 지향성 프로토콜 : 통신 수렵 단계 X, 동기화 기능 X
- 신뢰성 보장되지 않는 Best Effort 서비스
- 출발지에서 목적지로 데이터를 전송할 때 최적 경로를 선출하는 일을 담당한다.(routing)
- IP 헤더 내용

1) 출발지 IP 주소(32bit)/목적지 IP 주소(32bit)
2) ToS(8bit) = Type of Services : 데이터 우선 순위를 결정할 때 사용하는 값(CCNP 과정 : Qos)
3) 에러 체크(check sum) : IPv4에서는 있지만, 불필요하다는 이유로 IPv6에서는 삭제됨

# ICMP(Internet Control Messages Protocol)

- IP 프로토콜에 대한 신뢰성을 보장하는 프로토콜 (ping명령어)

- ICMP 동작과정
hostA ------------------------> hostB
      ICMP Echo-Request(Type=8)
hostA <------------------------ hostB
       ICMP Echo-Reply(Type=0)

[참고] DoS 공격, ICMP 스푸핑

- 해결책 : 필터링 & 방화벽을 이용하여 ICMP 차단 (ICMP Reply차단)

[참고] 각 구간별 데이터 전송시 사용 주소

- Layer 2 계층 구간 데이터 전송 주소 : MAC 주소 (Ethernet을 사용하는 LAN 구간)

- Layer 3 게층 구간 데이터 전송 주소 : IP 주소

# ARP

- Layer 3 계층 주소(IP)를 이용하여 Layer 2 계층 주소(MAC)를 학습하는 프로토콜
- ARP 동작과정
------------------------Router---External(라우터가 broadcast를 넘기지 않음)
     |            |
   hostA        hostB
1) ARP Request (Broadcast) : hostA가 broadcast로 광고 hostB는 A의 MAC주소를 자신의 ARP Table에 등록
2) ARP Response (Unicast) : hostB가 Unicast로 hostA에게 자신의 MAC주소를 넘기고 hostA는 그 정보를 자신의 ARP