SLIDE 1
Sachin Wagh
Security Analyst
Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst - - PowerPoint PPT Presentation
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst - - PowerPoint PPT Presentation
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy
SLIDE 2
SLIDE 3
Himanshu Mehta
Senior Threat Analysis Engineer
Security Intelligence Team @ Symantec Speaker at National Cyber Security Conference, Hakon & Geek Street - Infosecurity Europe Advisory Board Member @EC-Council & Convetit Bug Hunter | Penetration Tester @LionHeartRoxx
SLIDE 4
Content
- What is PBX
- Features
- Searching
- Softphone
- Vulnerabilities
- Mitigations
Hunting PBX for Vulnerabilities
SLIDE 5
Private Branch Exchange
Hunting PBX for Vulnerabilities
Source: http://www.cealcomz.co.za
SLIDE 6
Features
Hunting PBX for Vulnerabilities
- Call Forwarding
- Call Transfer
- Conference Calls
- Automatic Call Delivery (ACD)
- Voice Messaging
- Call Queue ..etc
SLIDE 7
Searching
Hunting PBX for Vulnerabilities
SLIDE 8
Shodan:
Hunting PBX for Vulnerabilities
"NCH Software Axon Virtual PBX“
SLIDE 9
Call Details Records
Hunting PBX for Vulnerabilities
SLIDE 10
Censys:
Hunting PBX for Vulnerabilities
"FreePBX Administration“
SLIDE 11
Censys:
Hunting PBX for Vulnerabilities
"FreePBX Administration“
SLIDE 12
Hunting PBX for Vulnerabilities
SLIDE 13
Shodan:
Hunting PBX for Vulnerabilities
“polycom+command+shell“
SLIDE 14
File Transfer Protocol (FTP)
Hunting PBX for Vulnerabilities
SLIDE 15
Call Details Records
Hunting PBX for Vulnerabilities
SLIDE 16
Server Message Block (smb)
Hunting PBX for Vulnerabilities
SLIDE 17
Server Message Block (smb)
Hunting PBX for Vulnerabilities
SLIDE 18
Shodan:
Hunting PBX for Vulnerabilities
“port:23 console gateway -password“
SLIDE 19
Softphone
Hunting PBX for Vulnerabilities
SLIDE 20
Vulnerabilities
Hunting PBX for Vulnerabilities
SLIDE 21
TRIXBOX
Hunting PBX for Vulnerabilities
SLIDE 22
Blind OS Command Injection
Hunting PBX for Vulnerabilities
I AM NOT BLIND I’VE JUST SEEN ENOUGH
SLIDE 23
Hunting PBX for Vulnerabilities
SLIDE 24
Blind OS Command Injection [DEMO]
Hunting PBX for Vulnerabilities
CVE-2017-14535
SLIDE 25
Path Traversal
Hunting PBX for Vulnerabilities
SLIDE 26
Hunting PBX for Vulnerabilities
Path Traversal [DEMO]
CVE-2017-14537
SLIDE 27
Hunting PBX for Vulnerabilities
Path Traversal [DEMO]
CVE-2017-14537
SLIDE 28
Cross-site Scripting
Hunting PBX for Vulnerabilities
source:gif-finder.com SLIDE 29
Hunting PBX for Vulnerabilities
Cross-site Scripting [DEMO]
CVE-2017-14536
SLIDE 30
AXON
Hunting PBX for Vulnerabilities
SLIDE 31
Hunting PBX for Vulnerabilities
Cross-site Scripting [DEMO]
CVE-2018-11552
SLIDE 32
Local Code Execution
Hunting PBX for Vulnerabilities
SLIDE 33
Hunting PBX for Vulnerabilities
Local Code Execution [DEMO]
CVE-2018-11551
SLIDE 34
Hunting PBX for Vulnerabilities
SLIDE 35
Hunting PBX for Vulnerabilities
Local Code Execution [DEMO]
CVE-2018-11551
SLIDE 36
Hunting PBX for Vulnerabilities
SLIDE 37
Mitigations
POLICIES AND PROCEDURES : SECURITY TRAINING PASSWORD POLICY INCIDENT RESPONSE PROCEDURE OS LEVEL SECURITY : PATCHES APPLICATIONS AND SERVICES PRIVILEGES
Hunting PBX for Vulnerabilities
SLIDE 38
Thank You
Hunting PBX for Vulnerabilities