Category Archives: VoIP Security Tools

Avaya Acquires UC Security Firm and SBC Vendor Sipera Systems

Fascinating news today that Avaya has acquired Sipera Systems for an undisclosed sum. We’ve covered Sipera here on this blog any number of times over the past years as they have been one of the few firms very specifically focused on “VoIP security”, or, to be more appropriately buzzword-compliant in 2011, “Unified Communications security.” In fact, the first video podcast I did for the Blue Box Podcast (when I was doing that) way back in August 2007 was with Sipera.

Over the years Sipera has hired some truly excellent people in the field, released some useful tools, originated great research and done a great bit in general to help keep the dialog going on publicly about VoIP/UC security.

The Avaya purchase is fascinating because, as Eric Krapf noted in a NoJitter post this morning, Avaya has been OEMing a Session Border Controller (SBC) solution from market leader Acme Packet for quite some time. As Eric notes:

The deal therefore could represent a shift in the enterprise SBC market, at a moment when E-SBCs are emerging as a key component of enterprise real-time communications deployments, especially in SIP trunking deployments. Acme Packet has been far and away the market share leader in SBCs, with over 50%, and its SBC works with all the leading enterprise communications platforms.

However, enterprise vendors including Cisco and Siemens (and now, it seems, Avaya) have released their own SBCs, and in the case of Siemens, the SBC only talks to Siemens platforms on the enterprise side of the device. It remains to be seen whether the Sipera SBC will work only with Avaya Aura–but it seems unlikely that anyone other than an Avaya customer would buy an Avaya SBC.

Now, the news release of course plays up how Sipera’s solutions work with both Avaya and non-Avaya systems but to Eric’s point there may in the future be little incentive for non-Avaya customers to purchase a solution, given that there are other “independent” players out there in the SBC market like Acme Packet, Ingate Systems, Sonus Networks and others.

Regardless of how it all shakes out, it is an interesting move and one that bears watching.

Congrats to our friends at Sipera and Avaya on the acquisition, and we look forward to seeing how it evolves. – a hosted service for scanning IP-PBXs

VoipscannerThis week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure. He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail store and have minimal IT expertise. He wondered if there was a service he could refer these small businesses to so that they could check the security of their system. Basically something for VoIP along the lines of hosted services like “Shields Up” that will check the security of your firewall.

I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:

Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.

Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.

Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.

VoIP Fraud Detection/Analysis on VUC Conf Call Today at Noon US Eastern

vuc-1-1.jpgIt may be a wee bit of a late notice for folks to join the call live, but in about 50 minutes, the VoIP Users Conference will have their weekly live call talking this week with folks from Humbug Telecom Labs about their tools for detecting and analyzing VoIP fraud.

You can join the live call via SIP, Skype or the regular old PSTN. There is also an IRC backchannel that gets heavy usage during the call.

If you can’t attend the call live, a recording of the session will be made available later from the episode’s web page.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

Weaponizing the Nokia N900 – Part 1

In the 80s movie “The Color of Money” there’s a great scene where a player challenges Tom Cruise’s character to a game. He strolls up to Vincent and says “So what you got in there?” — to which Vincent replies. “Doom.”

This is akin to how I felt a few weeks ago after I finally got ahold of a Nokia N900 smartphone. Calling it a phone is a bit of a stretch, as it is primarily a Debian Linux tablet with impressive hardware specs and a huge number of .deb packages available for installation…oh, and you can make cellular phone calls with it. Many people use this phone, and despite some glitches it is rapidly developing into a formidable platform for security tools and penetration testing.

Broadly speaking, the objective of this series of blog posts is to introduce folks to the tools available and the potential for this phone as a security testing platform. Given the fact I’m a bit late in obtaining this phone, some smart people out there have already started to address the n900’s capabilities and available tools, and I would be remiss not to mention, and build upon, their insightful work. The key phrase here is “build upon” and get the word out, not to steal or simply re-hash their fine work and efforts!

I’ve one caveat to this series of blog posts. As my n900 is for now a “production phone” for me in that I need to use it and can’t brick it just yet, the path of this blog series on “Weaponizing the Nokia N900” will progress from known, tested and functioning security tools on this phone — and therefore lower risk of bricking — to more advanced, edgy tools that require more tweaks and modifications, such as replacing the stock kernel. If someone out there finds this series useful, and has interest in furthering research on running security tools on the n900, I’d welcome the donation of a n900 for development and testing, and would credit them for their support. Please ping me offline if you’re interested ūüôā

NeoPwn and the Nokia N900

One project to watch in particular is the upcoming release of NeoPwn, which is based on BackTrack and bills itself as the “First Ever Network Auditing Distribution for a Mobile Phone Platform” and is due for release sometime this month, hopefully before DefCon. I am fortunate to be in the BETA and will write up a blog post for this series on NeoPwn once I get full access to the NeoPwn toolset.

Worthy Resources on Nokia n900 Security Tools

1. Metasploit on the Nokia n900. ‘Nuff said.

metaspolit n900

2. Blog SimonLR wrote an excellent post on “Using the N900 for Fun and Profit” that covers several awesome tools, such as Metasploit, Dsniff, SSLstrip, Aircrack-NG, etc. He’s clearly savvy and his future blogging on tools for the n900 will be great to see.

3. Asterisk on the n900

Asterisk n900

When I added the extra package repositories to my n900, I was more than a bit surprised to see a full version of Asterisk available as a .deb package. Wow. Think about this for a moment. One can run a full Asterisk server on a phone in their pocket. The capability of Asterisk on the n900 could enable attackers to do all sorts of mischief, such as running the SPITTER tool from their pocket as a simple example. From a surveillance aspect, think of “bad people” with n900s in their pockets running Asterisk servers on their phones and connecting to each other point-to-point over encrypted tunnels — now that’s a challenge.

Stay tuned for more posts on “Weaponizing the Nokia N900” ūüôā

New Open Source VoIP software released

Two new versions of existing open source VoIP software were recently released and deserve mention.

Last week, the folks at SIPfoundry¬†released the 4.0 version of their SIP server, sipXecs. ¬†I don’t hear a lot of talk about sipXecs so let me say a few things about it here:

* it’s a great SIP software proxy/registrar package, with an active development and support community

* It’s free.

* It has a distributed component software design, which optimizes HA configurations for clustering

* It has a very intuitive web console GUI, and it has a bootable CD with all software pre-loaded on it

* Great documentation wiki.  For example, I had set up a working SIP trunk configuration in under five minutes.

This is not to take away from other high quality open source ¬†SIP server software projects like opensips, but I’ve been using and testing the previous version of sipXecs for a while now, and love this software. ¬†I’ve just started testing this exciting new 4.0 release. ¬†The most noticeable feature of this release is full sip trunking and remote worker support (far-end and near-end NAT traversal, and HA media anchoring). ¬†What this means is that you have a full solution for running your own SBC and SIP Proxy. ¬†The sipxbridge component of sipXecs is the SBC software component. ¬† With sipXecs and sipxbridge, you can set up a proof of concept service provider network in your home, set up an enterprise lab for interop testing and comparison to commercial SBC vendors, use the software for a security testing demo toolkit, or just use the solution to register your remote phones into your network, and place outbound calls. ¬†Great job and thanks to SIPfoundry for this work.

A new version of the VoIP Hopper security assessment tool was released earlier this week, with Nortel VLAN Discovery support.  VoIP Hopper is a free security assessment tool that supports VLAN Hopping Рin essence, it mimicks the behavior of an IP phone for the Voice VLAN Discovery protocol or mechanism.  Then it rapidly automates a VLAN Hop, tagging the DHCP request and all subsequent Voice traffic with the discovered Voice VLAN ID.  Since most new VoIP deployments use the segmentation of discrete Voice VLANs for increasing QoS requirements, an attacker must sometimes first gain access into the Voice VLAN as a prerequisite vector, before running other VoIP exploits.  VoIP Hopper enables a regular PC to become a member of the IP Phone VLAN.  The tool is simple yet powerful, and has been used in many security assessments in the past.  The new features of VoIP Hopper:

* Nortel Voice VLAN Discovery and VLAN Hop

* A new CDP Spoof mode for more rapid and automated VLAN Hop in a CDP network

* An integrated DHCP client 

From the VoIP Hopper website, the next features planned for VoIP Hopper are LLDP-MED support and trunk port testing.

Finally, I recently used the SIPVicious tool in a¬†remote VoIP security assessment, and it’s a very useful tool that any VoIP security professional should have. ¬†When you look at the business risk of toll fraud / service theft, this tool can be pretty valuable in enumerating vulnerabilities that can be a risk to your business in the form of remote attackers trying to gain unauthorized access to your VoIP network and placing unauthorized calls. ¬†As VoIP proliferates, we’ll see more usage of tools like this to conduct reconnaissance of open SIP services, valid users, and the brute forcing of subscriber/user passwords. ¬†On the proactive protection side, it’s also good to see folks contributing open source proof of concepts for mitigating this risk. ¬†Here is a “Simple Asterisk Based Toll Fraud Prevention Script”. ¬†If you use an active response firewall/IDS/IPS solution, you could actually detect the attempts to toll fraud/service theft attacks based on a signature, and have your VoIP IPS and/or firewall block the source IP address of the would-be attacker. ¬†It’s called a “Voice Toll-Fraud Intrusion Prevention¬†System” ¬†(VTIPS) ;-). ¬†Good to see open source software progress in this direction.

Tricking SIP Endpoints Into Divulging Authentication Credentials

This is a neat trick. By doing a little up-front scanning and/or guesswork, an attacker can send an INVITE directly to a SIP user agent, causing the device to ring.¬† Then, when the user agent issues the BYE message to hang-up, the attacker can respond with a 407 Proxy authorization required message, causing the endpoint to then respond with it’s authentication credentials, essentially handing them directly to the attacker.

The page linked above indicates that this attack is currently implemented in the VoIP Pack for CANVAS, so it’s essentially packaged and ready to use for you CANVAS users.¬† You can see a video of this being used in CANVAS here.¬† I would expect to see this credential-harvesting attack in other exploitation frameworks or stand-alone tools shortly…

Shall We Play a Game?

HD Moore of Metasploit Project fame has just released a new set of free War Dialing tools called WarVOX.  What makes these new tools so interesting is that they leverage VoIP service providers to scan and analyze hundreds of phone numbers, finding modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders much much faster than any modem ever could.  Check out the WarVOX screenshots which show the interface and slick reporting features.

Video demo of “sipautohack” tool

Over in the VOIPSEC mailing list, Shawn Merdinger recently pointed out a video produced by the folks at Enable Security to highlight one of their new tools, “sipautohack”, that they sell as part of one of their packages of tools called “VOIPPack”. From their description page, VOIPPack includes:

  • sipscan – Scans the network for SIP devices and identifies the user-agent and if the device is a PBX
  • sipenumerate – Enumerates extensions on a PBX server
  • sipcrack – Launches password attacks on the PBX server
  • sipautohack – Given a target network, this module will scan for SIP devices, enumerate any extensions on all PBX servers found and try to guess their password

This video, then, is a demonstration of the last of the listed tools:

Demonstrating sipautohack from Sandro Gauci on Vimeo.

We here at VOIPSA have no connection to this tool or vendor and cannot say anything positive or negative about the tool or company… it’s just another entry in the very long list of VoIP security tools out there (see our Tools list). I just think it’s great to see video screencasts out there showing what tools like this can do. (And if you have a screencast related to VoIP security out there you’d like us to mention, feel free to contact me.)

Technorati Tags:
, , , ,

XTest – a tool to test how well 802.1X endpoints secure your VoIP infrastructure

Back in August, the folks at Sipera’s VIPER Lab released a free test tool, XTest, that tests how well (or not) 802.1X with EAP-MD5 protects IP phones and the overall VoIP infrastructure. You can get it at

(And yes, I’ve been meaning to write about this since back in August…. and was intending to write a more thorough review. Perhaps I will at some point, but for now I thought I’d mention the tool’s availability.)

Mark Collier and SecureLogix release new VoIP security tools

In a message to the VOIPSEC mailing list over the weekend, Mark Collier announced the release of a new suite of VoIP security test tools. Mark, as you may recall, is the co-author with (VOIPSA Chair) David Endler of the book “Hacking Exposed: VoIP” and as part of the book publication he and Dave made available a series of voip security tools through their website.

Now, Mark’s back with a second version of those VoIP security tools. He describes the new tools in one blog post on his VoIP security blog and announces their availability in a second blog post. Here’s his description of new tools:

We also built several new tools:

– Several new flood-based DoS tools, which generate floods using different SIP requests, including byeflood, optionsflood, regflood, and subflood. The regflood tool is certainly the most potent of the group.

– dirsniff and dirsortmerge ‚Äď a passive scanner that builds a directory of valid SIP phone addresses. By using the dirsortmerge tool, you can manage results from this tool, as well as output from the dirscan active scanner.

– Call Monitor and sipsniffer ‚Äď this tool provides a GUI that shows active SIP calls. The tool allows you to select a call and terminate it (via teardown) or insert/mix in audio (via rtpinsertsound or rtpmixsound). The tool allows you to define up to 10 sound files, that can be inserted/mixed in on command. The tool also streams the call audio to the XMMS player, so you can listen in and ‚Äútime‚ÄĚ when you affect the call.

The Call Monitor tool is particularly interesting. It makes using the rtpinsertsound/rtpmixsound tools a lot easier and more effective. It makes real audio manipulation possible.

Interestingly, the tools are not being made available through but rather directly from SecureLogix’s web site, where you have to register first to download the tools.

Mark also provides a PowerPoint presentation about the “Call Monitor” tool he mentions here. He’d mentioned this tool to me once before when we met at one of the conferences…. basically it provides a “point-and-click” interface to allow you to inject or mix in new audio into existing audio streams. Making it this easy is definitely a scary prospect (and another good argument for why you should be using SRTP to encrypt audio streams).

Anyway, the new tools are now out there if you want to try them out. (Joining the long list of existing VoIP security tools.)

Technorati Tags:
, , , , , ,