
VoIP - Setting a lab and using good tools?


caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sun Sep 11, 2011 2:48 pm

VoIP - Setting a lab and using good tools?

Hi everyone,

I am starting to play with VoIP and I have a couple questions for you guys:

1) How can I set up a lab? Is there some LiveCD or VM image I can use? I know installing everything myself is the best way, but I have limited time now and I always like to learn slowly...

2) What tools (free/$$$) do you use for vulnerability assessment? And for exploitation?

When looking at this site, it is easy to get confused... http://voipsa.org/Resources/tools.php

I am asking because I *may* have to audit a network with VoIP soon. Although I will not be the prime consultant for pentesting the VoIP component this network, I really need to know more about this technology...

Thanks guys
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Sep 11, 2011 6:45 pm

Re: VoIP - Setting a lab and using good tools?

By any chance do you have the 4th edition of Grey Hat Hacking? There are about 20 pages in there on hacking VOIP. Let me know if you don't.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Sep 12, 2011 9:44 am

Re: VoIP - Setting a lab and using good tools?

Pentesting VoIP is no different from pentesting, say, an e-mail server. In a VoIP-based PBX there are accounts similar to those on an email server:

VOIP
Username
Password
Registrar

EMAIL
Username
Password
Domain

Your best bet would be to run the typical scans (nmap, etc.) along with sipvicious to test for weak usernames and passwords. NMAP will tell you what is visible, in similar fashion to any server: "This port is open"; what is it doing, what is it running, are there any known vulnerabilities against that version? sipvicious is similar to, say, hydra and NMAP. Give it a target and a list of usernames or passwords and it will try to register an account on the machine.

The key to it all is ingenuity. In a VoIP environment, too many admins have the tendency to make extensions usernames. For example:

VOIP
Username 1001
Password 1001
Registrar this.is-my-pbx.net

There is no reason other than a lack of understanding of risk to configure accounts like this. It's akin to an email admin creating the following:

EMAIL
Username John
Password John
Registrar corp-mail.server-here.com

So your goal would be recon in similar fashion to figuring out what a username is for email, only in this instance, it is VoIP. I would start with extensions as a username, e.g., 1000-1999 and so on. Here is a live example of someone on one of my Asterisk honeypots with numbers adding to the beginning:

Code:
1: <--- Transmitting (NAT) to 79.117.57.167:5060 --->
2: SIP/2.0 180 Ringing
3: Via: SIP/2.0/UDP 79.117.57.167:5060;branch=z9hG4bK-d8754z-4c30389f4dd4dbfc-1---d8754z-;received=79.117.57.167
4: From: <sip:3097@xxx.xxx.xxx.195;transport=UDP>;tag=3023bf3b
5: To: <sip:00263912792068@xxx.xxx.xxx.195;transport=UDP>;tag=as30fa28c1
6: Contact: <sip:00263912792068@xxx.xxx.xxx.195>

Line 1 shows their external IP address. When this phone registers, I can see their internal IP space in Asterisk. Verbose logging will show me the registered device's egress, in this case from a Romanian attacker.

Line 2 states, back and forth from client to server (PBX), that the number called is going through the ringing stage.

Line 3 shows the detailed information about the call and who is connected to it.

Line 4 shows the extension (USERNAME) making the call.

Line 5 shows what number the user is trying to call.

In this example, an attacker from Romania (1) tried calling 00263912792068 (5) using the extension (username) 3097 on my honeypot xxx.xxx.xxx.195. The log entry shows how extensions / usernames are done in many PBXs. Therefore, recon may be able to tell you what extension ranges are visible. Google the company name + mailing lists. See if you can get a signature from someone:

John Doe
Pentest My Company
VP Operations
212 555 2000 ext 3097

The 3097 is the range I would test first with sipvicious, e.g. ranges 3000-3200, and go longer if I see extensions hit, say, 3198. As for the setup, it depends on what type of PBX they're using. Cisco Call Manager, Avaya, PBXNSIP, SnomOne, etc. all differ; however, they WILL NOT differ in terms of registrations. Registrations meaning usernames, passwords, registrar.
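A defender-side check for the two things Sil's post describes: the extension-as-password pattern, and the signature of an external device on a numeric extension dialling an international number, as seen in the Asterisk output above. This is an added example, not code from the post; the SIP message, the peer list and the 10.0.0.0/8 "internal" range are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the 180 Ringing message quoted above (not the author's log).
SAMPLE_SIP = """\
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-example;received=203.0.113.7
From: <sip:3097@192.0.2.195;transport=UDP>;tag=3023bf3b
To: <sip:00263912792068@192.0.2.195;transport=UDP>;tag=as30fa28c1
Contact: <sip:00263912792068@192.0.2.195>
"""

# Assumed address space from which legitimate phones register.
INTERNAL_NET = ip_network("10.0.0.0/8")


def parse_sip_headers(msg):
    """Return a lowercase header-name -> value dict, skipping the status/request line."""
    headers = {}
    for line in msg.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def sip_user(header_value):
    """Extract the user part of a sip: URI, e.g. '3097' from '<sip:3097@host;...>'."""
    m = re.search(r"sip:([^@;>]+)@", header_value)
    return m.group(1) if m else None


def via_source(via):
    """Source address of the client: prefer received= (what the PBX saw) over the advertised host."""
    m = re.search(r"received=([0-9a-fA-F.:]+)", via) or re.search(r"SIP/2\.0/\w+\s+([^;:\s]+)", via)
    return m.group(1) if m else None


def flag_call(msg):
    """Flag a SIP message for the indicators described above; returns parsed fields plus reasons."""
    h = parse_sip_headers(msg)
    ext, dst, src = sip_user(h.get("from", "")), sip_user(h.get("to", "")), via_source(h.get("via", ""))
    reasons = []
    if ext and ext.isdigit():
        reasons.append("extension used as username")
    if dst and dst.startswith("00"):
        reasons.append("international destination")
    if src and ip_address(src) not in INTERNAL_NET:
        reasons.append("client registered from outside internal range")
    return {"ext": ext, "dst": dst, "src": src, "reasons": reasons}


def weak_peers(peers):
    """Peers whose secret equals their name (the 1001/1001 pattern); peers is {name: secret}."""
    return [name for name, secret in peers.items() if secret == name]
```

Run `flag_call` over exported Asterisk SIP debug messages and `weak_peers` over a parsed sip.conf peer list to find the configurations the post warns about before someone else does.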

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Sep 12, 2011 11:07 am

Re: VoIP - Setting a lab and using good tools?

Thanks again and again Sil!!

Very good explanation. I will also read your document tonight: http://infiltrated.net/asterisk-ips.html

More questions to come!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Mon Sep 12, 2011 11:15 am

Re: VoIP - Setting a lab and using good tools?

Good explanation Sil.

I saw three VoIP attacks and all three times they were successful. The conclusion was: outdated systems and weak passwords.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
