Reverse Shell via Voice (SIP, Skype)

Bongard, Michel and Illi, Dominique (2019) Reverse Shell via Voice (SIP, Skype). Student Research Project thesis, HSR Hochschule für Technik Rapperswil.


Abstract

Initial Situation:
Nowadays, there are fewer and fewer points of entry for a hacker to attack a network. Modern network infrastructures are specifically designed to deny any attempt at direct access from the internet into an internal network. To circumvent those restrictions, it is often easier to initiate a data channel from within the internal network.
There already exist certain ways to establish such inside-out channels, such as the TCP reverse shell. However, most of these attacks are not very difficult for network intrusion detection systems to detect.
One alternative is the encapsulation of payload inside VoIP packets. This thesis is a feasibility study containing a proof of concept to establish the practicality of a reverse shell over VoIP.

Approach / Technology:
Due to the popularity of SIP and Skype, this thesis focuses on these two VoIP protocols. First, a thorough understanding of both protocols had to be acquired. After an initial research phase, the decision was made to develop the proof of concept for SIP. Because SIP is open source, existing libraries can be used as a foundation. Skype's proprietary nature would require reverse engineering the protocol.
In the final proof of concept, an open source C library is used. The attacker encodes a shell command as audio using a mapping between the ASCII table and different frequencies. The audio is then placed inside RTP packets and transmitted to the victim. There, the audio is converted back to text and the shell command is executed. The shell output is sent back to the attacker the same way.

Result:
This thesis proved that a reverse shell over VoIP is possible.
At the moment it works only when both attacker and victim are in the same network. To make the solution work over the internet as well, UDP packet loss needs to be handled.
However, when both clients are in the same LAN, a SIP connection can be established between the victim and the attacker, allowing the attacker to execute shell commands on the victim's client at a speed of 50 bytes per second.

Item Type: Thesis (Student Research Project)
Subjects: Topics > Internet Technologies and Applications > P2P (Peer to Peer)
Technologies > Programming Languages > C
Technologies > Communication > VoIP (Voice over IP)
Technologies > Protocols > SIP
Technologies > Network
Divisions: Bachelor of Science FHO in Informatik > Student Research Project
Depositing User: HSR Deposit User
Contributors: Thesis advisor: Brunschwiler, Cyrill (email: UNSPECIFIED)
Date Deposited: 09 Apr 2020 12:43
Last Modified: 09 Apr 2020 12:43
URI: https://eprints.ost.ch/id/eprint/853
