hpr-knowledge-base/hpr_transcripts/hpr0471.txt

Episode: 471
Title: HPR0471: Interview with Andrej Hajto about VOIP
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0471/hpr0471.mp3
Transcribed: 2025-10-07 21:15:04

---

.
Welcome to my talk about the open source and age 3-2-3. My name is Andre Heiton.
I'm a 4 year ethical hacker student of other day. I work about 2 years with VoIP.
Most of it is a system, but also I just support VoIP platforms, mostly based on age 3-2-3.
You can contact me on email, jubber, and this is my website.
So, you can question after the talk or something. So, feel free to contact me.
I'm going to talk about VoIP in general, kind of introduction to VoIP.
Then, we follow what's age 3-2-3 is. It's every texture.
Then, I'm going to speak about no GK, it's an open source gatekeeper.
All these terms I will explain later on. And I will finish with age 3-2-3 security aspects.
So, first of all, everyone is probably VoIP, but just...
VoIP is a voice over internet protocol.
It's a technology which allows for communication over IP networks.
Unlike the traditional public-switch telephone network, VoIP is transmitted over internet or other parts which make networks.
However, we are focused on the internet because that's the most popular method nowadays.
How actually VoIP works? It's...
Actually, it's peak. Then, it goes to the audio to digital converter.
It's kind of a micro-trip. Then, it's digitalized. Then, it's passed to the protocols.
It goes to the internet. Then, it goes to the other side.
It goes digital to audio converter. And then, it goes.
So, that's the basics of VoIP.
We are not going to go into details about the VoIP too much.
What I need to use VoIP, actually, it's...
So, there are, like, that's the most common things.
Most of you probably use them, know them.
It's a VoIP gateway. It's kind of a bridge.
We can conversion our telephone networks and VoIP infrastructure.
It means, like, actually, internet.
VoIP phones, maybe you don't know if you see...
So, these things, it's kind of a normal phone.
However, instead, the LGA 11 connector, it has an LGA 45 connector,
which allows you to connect to the ethernet port, the ethernet cable.
And there's software, which just plenty of them.
For example, IKEA, and there's, like, Skype.
You can tell the Skype is a software as well.
So, that's kind of free, basic things.
Which you need to use VoIP, actually.
The most common technologies, which using VoIP are SIP, H323, and the Skype.
That's a most popular protocol, actually.
And maybe not protocols, it's a technology.
Because, whereas SIP and Skype are protocols, the H323, it's not exactly protocol.
That's I'm going to explain now.
Because H323, it's a set of standards.
So, it's kind of umbrella for protocols, which are used to set up a connection
and make a phone call and all these stuff.
So, it's been approved in 1996 by the ITUT.
It's a telecommunication standardization sector.
And what it does, it actually provides audio and visual data transmission
of our internet protocol networks.
And, of the grant, it's quite your service.
So, it's not only about the audio, H323 is also about the visual transmission,
which is worth to remember.
What are the benefits of H323?
So, first of all, codex standards, because it's kind of a standard.
So, all codex, it means algorithm, which compress the voice,
after being digitized, needs to be compressed somehow.
So, not what codex does.
So, it's a standard for it.
It's independent from networks.
So, as you can see, H323 runs on the top of a common network architecture.
So, it means if any network architecture implement something, which improves her.
So, H323 take advantage of it.
The platform application independence, not tied to an hardware operating system.
So, there are H323 implementation for Windows, Mac, Linux, Unix.
And many vendors use the H323.
So, thanks to that as a standard.
So, using the Cisco box, you can be sure that you'll be able to speak to someone
who's like the other company, or whatever.
And also, it provides the bandwidth management for VDN and the traffic.
So, that's also important in case of...
It takes care of...
It takes care of the fact that if you transmitting the voice, the bandwidth is just regulated
by the H323 protocol.
One actually, we should take care about the H323.
There is a SIP, there is a Skype.
Well, as you can see, that's the data from 2006.
When PSDN, so it's just a regular network.
And it's 75.8% of international voice minutes.
So, then Skype is 4.4%, because a lot.
Other protocols, it's 4% we don't see.
And probably other implementation, H323, it's almost 16%.
So, mostly, H323 is used for communication between telecoms
to terminate and transmit the data.
So, that's why it's 75%.
It's probably nowadays SIP.
It's much higher in the parlor because it's...
Whereas, the thing is that H323 wasn't created for Internet networks.
It was implemented to the Internet networks, where SIP was created for this purpose.
So, that's, I presume, three years later,
the figures would be different, but I think still,
H323 will take a big part of it.
What do we need to actually, to have H323 network?
There are, like, not four elements.
Although, they are necessary to use, however, like,
most important as a terminal.
It's a second one.
It's kind of an endpoint.
So, actually, to make a connected code, you need, like, two endpoints.
So, we need two phones, two one-soft phone, two PCs, whatever.
Anyway, all the PCs will be still in the soft phone.
So, that's the figure.
All it has to be.
We have a gateways.
It's translated in communication, procedures, and transmission formats.
It's kind of, as I said, interface between the PSDN and H323,
and H323 in this case.
Sorry, there's a mistake should be H323 network.
Another entity you can call is an MCU unit.
It provides support for conferences between three or more endpoints,
and gatekeeper, which is also optional.
However, very often, we think that H323 network,
it provides address translation, control, access,
and sometimes also one with management for endpoints,
for other endpoints.
We can call those three things, like endpoints,
and gatekeepers kind of a separate thing, kind of a server,
which manages all these things.
Now, briefly, I'll go through the, just mine.
Because, as I said, H323 is a set of protocols.
So, actually, it's not one protocol, like Civo.
It's set of protocols. So, it uses a lot of other protocols,
and that's also why it's not so popular as a CIP.
Because of the fact, it's quite complicated,
and I found it really complicated,
and I still know maybe 5% about it, maybe less.
And it's a, for a,
carry on the menu, the menu, which is used also on a CIP.
I presume in a sky protocol as well,
is a RTP protocol, which is a protocol,
which defies how devices, or software,
transmit and receive the data.
So, actually, it does a meeting, which carry the data,
voice or video data.
It's described in the RFC.
It's really interesting, RFC, but it's really convenient.
The other protocol of H323 is H325.0,
is a call signaling.
It's used as to establish a connection between two H323 endpoints,
or actually a soft one, or gateways, or anything.
That's the other, my protocol.
Another one is H245.
It's exchange terminal capabilities,
and creates media channels.
So, it just informed the other side,
and other endpoint about, like,
the capabilities we have, like, bandwidth and everything.
So, that's the other protocol.
It's an important protocol in case of the security aspect.
I'm going to talk later.
It's an H225 RAS.
It's a call...
It's like...
It performs, like, a registration,
admission, control, bandwidth, changes status.
In general, it informs about...
It's exchange information between endpoint and gatekeepers.
So, I will show later on, like, exactly what is this protocol about.
And H235 is a security and a connection for H323.
It's kind of a set of the standards.
All these standards were released by ITWT,
the organization I was talking before.
And there is an interesting document.
Unfortunately, it has about 300 pages
to go through it, and we described in details
all H323 protocols, how do they work,
and all these things.
How do we look like on a seven-layer model?
So, as I said, it's a bit complicated,
because there's so many protocols in this,
and a lot of them are actually not on a particular layer.
So, like, Russ, it's between four, five, and six layers,
same like the H225.
So, that's why I said,
it's much more complex than a C protocol.
And maybe that's why it's not as popular.
Right, that was short introduction.
I mean, we don't have time to go in details.
And all these things, I've just tried to show you just bit and pieces.
Now, I'd like to talk a bit about the gatekeeper,
the server I was talking before.
It's called the gatekeeper.
Now it's kind of acronym, it's GNUGK.
So, it's on the public license, no license,
no fees, full source code available.
Many, many companies run this server,
earning a lot of money using it.
Combined feature of the gatekeeper,
border controller, traverse, server, proxy server,
it's like kind of a soft switch for the HP2 free network.
It's kind of a take care about the management of the calls,
about the, as we can, as I said before, like,
a lot, a lot of stuff.
It's actually, to install the GNUGK,
you need, like, that's my libraries.
You need, that's an open implementation of HP2 free,
which is open, HP2 free, and PWA week,
this libraries are HP2 free plus and PGD.
Personally, I use, when I was running the gatekeeper,
I used the first one, combination of the first two.
So, that's what you need to install first,
before you'd like to install the GNUGK.
Well, how to run the gatekeeper?
It's the first is, after you install,
after you install those two libraries,
that's a command we need to run,
GNUGK, TTT, in minus 6.
So, that's a command to just inform the lot of things
so it's, like, kind of, variables, variables.
That's a config file, minus 6.
Well, config file is, and that's a blogman,
where all the logs about what's happening,
will be keeper goals.
And all I do is, well, it's, like, also,
run on a separate console.
This one, time, minus a log file.
So, we're just to see the, the, the, the, the,
the scrolling of the, because this command
just showed you the, in the read time,
any information which appears into the, in the log.
After you run the gatekeeper, successfully,
that's how it looks like.
It's, it's not, it looks weird.
Yeah, that's, like, quite, looks complicated.
However, there's a, inter, a web interface
for a, for a gatekeeper,
however, that's, I, I, I like rather the,
consoles on the stuff.
So, I prefer use these ones.
So, the text, text selection.
So, after you run this, and,
that's what you see.
And actually, that, that's, that's telling you
that everything is going fine, yeah?
And how to manage the gatekeeper,
the gatekeeper.
So, actually, just turn that on the log,
a host on the port 7000.
That's how it looks like.
That's a, one of the, one of the configurations.
And after this, you can enter the commands.
The commands include.
So, as I said, this kind of a soft switch.
So, if two endpoints communicate,
making connections.
So, the voice, and the voice over IP,
goes through the RTP protocol.
Which means the transmission, voice transmission,
goes, it's, it's pure to pure service
between one endpoint and second endpoint.
However, all management start goes through the gatekeeper.
So, if we have like a H323 network.
And we have like a lot of endpoints,
a lot of gateways, a lot of softfalls, IPfalls.
So, all day registered into the,
this one gatekeeper.
So, if you give the command register,
or the FR, I think it's,
so then you see the list of the,
all the endpoints which are registered to the gatekeeper.
So, then you can call, they can call between each other.
So, that's a, that's the way how you,
how you deal with a managing of the gatekeeper structure,
using the command.
As I said, there is a web interface.
I never use it.
So, I have no idea how it works.
That's a website when you can find,
brilliant documentation, my opinion.
There's everything explained step by step,
about how to set up the config file.
I didn't want to, it did a,
the config file because it's really, really long
and quite complicated.
And sometimes if you read the config file,
so it's straight forward, or you know what this,
or this, however, in gatekeepers,
like, you know, just, it's really weird.
However, documentation is really good,
and if you're interested in this,
it's worth to see.
So, to recap, it's like, as I said,
it's not the necessary thing to run the gatekeeper
within the HV23 network.
However, it's worth to do it,
because it provides a lot of optional things,
which, like, for example, it can tell the other side,
all right, we use too much bandwidth,
so you should change the bandwidth,
or also, provides, like,
if you've got two endpoints behind the firewalls,
so you can connect to the gatekeeper,
the information about IPs and everything.
So, yeah, it's worth to have a look.
Well, we go, as I said,
it's like, also weird presentation,
because there's too many topics I would like
to speak about, and just wanted to just,
as I said, bid and bits and pieces about,
like, what's for introduction?
I didn't want it to go too much into deep,
and also wanted a bit to tell more technical stuff,
so I should take much, much more,
so I had actually, unfortunately,
to cut down the presentation.
So, now, I'll tell you something about the HV23 security.
That was some of the pictures we see,
maybe they're not the best quality,
because I took them from my project,
I was doing on the end of February,
so I didn't have the time to resize them,
or change the quality of them.
Right, first of all, that's interesting.
If you run the gatekeeper,
or if you run the void box,
or anything, that's an interesting part we are,
interesting parts.
So, doing any,
if you're trying to attack,
let's say, attack-hack-set system,
or server, first of all,
you have to do the discovery,
what it's about,
so that's the narration,
it take care of.
So, if you want to find out the gatekeeper,
which you want to attack,
so first of all, you have to find yourself.
So, that's, for example,
you're looking for Openport 1780,
or 1719, or 1720.
So, that would tell you that,
possibly, these machines run gatekeepers.
Like, in this case,
so, using the L-map,
you just, no, no, it's coming,
and you just list the interesting ports,
all subnet of 10-bit network,
and then it goes.
So, let's, for example, here,
it's fine, like, Openport 1720,
it's actually showing this H32-3,
or Q9-3, one,
which is one of the protocols,
used by H32-3.
Right,
that, I will say that,
I will tell more about the RIS protocol.
This protocol is about dealing between,
it's about exchanging information
between the gatekeeper and input.
This is how it looks like, usually.
So, we have an input.
The input sends the data
with the framework in gatekeeper request.
So, Matthew is looking for a gatekeeper,
and there is a network,
the L-S-A,
it's a network,
and the input.
Okay, so, we do like to find the gatekeeper.
So, it sends the request,
the gatekeeper request,
then the any gatekeeper,
or more gatekeepers,
because I can be more in the network,
the request,
or gatekeeper confirm,
or gatekeeper rejects,
which means, like,
or, yeah, I'm gatekeeper,
I'm your gatekeeper,
or I'm not your gatekeeper,
it depends.
So, if it sends gatekeeper confirm,
then this endpoint connects to this gatekeeper.
Yeah, we are talking about the enumeration still.
So, now we are talking about the user enumeration,
because of the fact, like,
if you log in to the,
if you have a software,
or if you have a user,
a software,
you have to put your log in and password.
So, somehow,
that's a kind of authentication process.
So,
if, to say it's like,
when, first of all,
is the gatekeeper discovery,
and then, actually,
endpoint connects to the gatekeeper.
So, that's another, like,
registration,
registration request,
endpoint send,
registration request,
after we discover the gatekeeper,
and gatekeeper,
okay, I'm confirming,
you can use me,
actually,
sorry,
but, you know,
you can,
it's a registration confirm,
a registration reject,
so, in this case,
it would be like,
if, if,
it would connect,
so, that would be an registration confirm.
So, why it's important?
Because,
if you run,
wire shark,
or any other scan,
unless they wire shark looks quite good,
so, that's how the exchange looks like.
That's the,
IP of the endpoint,
that's the IP of the gatekeeper,
so, it's sending,
gatekeeper request,
gatekeeper confirm,
there's,
registration request,
and then,
it reject,
in this case,
the gatekeeper reject,
the endpoint,
because of the wrong password,
I think,
as far as I remember.
So, in case,
if the application,
authentication,
would fail,
so, the gatekeeper send,
registration,
a,
a, a, a, a,
a, a, a,
a, a,
a, a,
a,
a,
a,
a, a,
a,
a,
a,
a,
a,
a,
a,
an,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a,
a
a,
There is a user name, but also there is a password based
with hashing authentication.
That's one of the three types of authentication.
H3D3 can use it.
So this one is the most popular because it's a quick
and enough sophisticated, let's say sophisticated.
But the best bit is it also sends a hash of the password,
which means having the user name here and a hash,
we run canable.
That was a simple password due to the fact
I needed for the project.
So I just need to the proof of concept.
So I'm just using the simple thing.
So actually, user 39 was the user name,
and also user 39 was the password in this case.
So in this, now we have the user name and password.
So actually we can connect having the other books
or the gateway and the soft form.
We can pretend that, OK, we are this user 39, yeah?
So and thanks to this, we can prove that if 164 areas,
which is like 164 areas is a phone number
and plan connected to the endpoint.
So actually, you can just just a number like in,
you can like 444, you have like inside the institution,
you got like an internal number.
So that is 164 areas, for example.
So when user name password cracks, it's done.
So actually, you can have a situation
when you don't know that it's like important thing here.
And the important decision has to be made
based on what I'm going to say.
So someone having my password and my user name
can phone like CEO of the company and tell,
OK, he will see on the ID of the display, OK,
internal number 444, oh, that's not this guy.
And then it's like, man, things are happening, yeah?
Did you like intercept it to take like help tasks?
Yeah, help tasks.
Exactly, because you can, yeah, exactly, really bring an example.
Like you can, all right, I'm calling from this room,
yeah, and help this notice.
In this room, there's only this one guy
and see the ID display, the display,
ID of the number.
OK, so, you know, management is going to be
how task you're asking people for that.
Exactly, or other way.
So dangerous thing.
Other thing, which is a H2255 registration
project is kind of a denial service attack.
So doing endpoint registration for the registration request
actually to connect to the network.
So to be authenticated, I have the possibility
to call to make a phone call between other
endpoints within this network.
Using the, I don't know how to pronounce it,
that V and a key K as a software write on script,
you can send registration, reject message, reject.
So before, because you can, after a registration request,
gatekeeper can tell, OK, registration confirm.
But in this case, you're sending a rejection message
to hold the network and looks like this.
So there is a syntax of the, send syntax of the script.
And actually, it looks like it sends from the endpoint
things that this registration reject
is sent from the gatekeeper.
So actually, it's not, it can connect to the gatekeeper.
So actually, you can make call, call, you can register
to the gatekeeper.
So actually, you can't make any phone call.
It's kind of a denial service attack.
Really dangerous in case of you need to make a phone call.
And of course, there is possible about the work.
It's not only about the HTTP freeze, about the CPUs,
well, any photo calls which uses RTP.
It's possible.
That's only the screenshot from the last moment
when actually, we can just record the phone call,
which is just scary, because we're just talking to someone.
And then I can record this phone call in the WAIFI,
and just record it, and then play it,
and do whatever you want, you know what I mean?
It's possible also to inject the files.
But I just wanted to show you just a few things
just to allow you to realize that how vulnerable VoIP is.
And just to be exactly.
And the other thing is, that's actually
thing during my project, I find out this thing.
And I'm not sure it's been released.
So I just briefly, if you manipulate the packet,
which is sent from the gatekeeper during the exchange
of the, again, RIS information.
So if you, there's a few fields which you need to change.
Now based, the fields are based on how to change it.
You will know based on the file that a few things is very
vulnerable, but as I say, I'm nothing to tell you about it.
It's like nothing to say things.
So, and using the Nemesis, you can actually
inject the packet from the gatekeeper.
I mean, you can pretend that to this endpoint,
there's this packet, which is created before.
On the previous, that was the name of the file.
So you can inject this frame, this frame,
this packet to the gatekeeper, to the conversation
between 20 points.
And in this case, endpoints will think that there is a gatekeeper
send the information about the end of the code, which
means the code is disconnected.
So it took me a while to figure out what
needs to be changed, how it works.
However, it works perfectly.
That's a scary because it's using this one.
And using the, it's take a BYU to prepare this packet,
because it's not the default packet.
You have to change any code you have to just
sniff the data, and then, according to the data,
you have changed the information inside the packet.
However, it works, and that's a scary thing as well.
And that's only a few things.
I show you about the vulnerabilities of VoIP,
because there is many, many more of them.
And it's not about only H3 to 3, but also about the 7
and other things.
However, 3CUP is like, yeah, H3 to 3 is an interesting thing,
interesting set over protocols, interesting technology.
And if anyone is interested in VoIP, like in details.
So I think I would like the H3 to 3 protocols,
and it's a lot of fun with them.
So I'm really enjoying them.
So I mean, I'm a network, I just like, I'm a network 3,
but you know, the packet and all this stuff, so.
So if you want to know more, that's a brilliant site.
First one, second one, that's a lot of information
about VoIP, not only about H3 to 3, but just
messy, that's really an information.
That's a website, so if you know the GK,
that's the ITU into my website,
when you can find out the specification
for 300 pages specifications for H3 to 3.
Interesting, worth to read in my opinion.
And that's my references.
Very interesting VoIP.
Great book about VoIP and security.
So I really recommend this one.
A lot of things I read about it.
I actually, that's a book which show me the possibility
of how to, how we can hack VoIP and how we can find
vulnerabilities in VoIP.
So I hope you enjoyed any questions.
I hope not everyone sleeps so much.
And I'm guessing that there are counter measures
you can use yourself to break this hack in mechanical.
Well, not really, it's not everything, you know,
it means so there are also, you can encrypt this stuff.
However, you can sort of dispatch it to run through.
Well, yeah, yeah, actually, yeah.
I didn't find out any counter measure again.
I didn't went so much into details about it.
But to, you know, I spent a lot of time analyzing
the traffic between like, especially the RSA protocol traffic,
how we can intercept it, and how many things you can do with this.
So that's actually the thing I'm going to explore now,
the counter measure, because I'm really into the VoIP security
now.
Is there any difference between VoIP and H3?
It's not a photo, but it doesn't matter.
How's the other term for the same thing?
It's always like voice over IP, telephone over IP,
name it as well.
It's always goes over internal protocols.
Anything else?
Thank you for listening to HACRA Public Radio.
HPR is sponsored by Carol.net, so head on over to