Tag Archives: VoIP Security Tools

Voipscanner.com – a hosted service for scanning IP-PBXs

VoipscannerThis week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure. He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail store and have minimal IT expertise. He wondered if there was a service he could refer these small businesses to so that they could check the security of their system. Basically something for VoIP along the lines of hosted services like “Shields Up” that will check the security of your firewall.

I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:


Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.

Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the Voipscanner.com servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.

Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.

New Open Source VoIP software released

Two new versions of existing open source VoIP software were recently released and deserve mention.

Last week, the folks at SIPfoundry released the 4.0 version of their SIP server, sipXecs.  I don’t hear a lot of talk about sipXecs so let me say a few things about it here:

* it’s a great SIP software proxy/registrar package, with an active development and support community

* It’s free.

* It has a distributed component software design, which optimizes HA configurations for clustering

* It has a very intuitive web console GUI, and it has a bootable CD with all software pre-loaded on it

* Great documentation wiki.  For example, I had set up a working SIP trunk configuration in under five minutes.

This is not to take away from other high quality open source  SIP server software projects like opensips, but I’ve been using and testing the previous version of sipXecs for a while now, and love this software.  I’ve just started testing this exciting new 4.0 release.  The most noticeable feature of this release is full sip trunking and remote worker support (far-end and near-end NAT traversal, and HA media anchoring).  What this means is that you have a full solution for running your own SBC and SIP Proxy.  The sipxbridge component of sipXecs is the SBC software component.   With sipXecs and sipxbridge, you can set up a proof of concept service provider network in your home, set up an enterprise lab for interop testing and comparison to commercial SBC vendors, use the software for a security testing demo toolkit, or just use the solution to register your remote phones into your network, and place outbound calls.  Great job and thanks to SIPfoundry for this work.

A new version of the VoIP Hopper security assessment tool was released earlier this week, with Nortel VLAN Discovery support.  VoIP Hopper is a free security assessment tool that supports VLAN Hopping – in essence, it mimicks the behavior of an IP phone for the Voice VLAN Discovery protocol or mechanism.  Then it rapidly automates a VLAN Hop, tagging the DHCP request and all subsequent Voice traffic with the discovered Voice VLAN ID.  Since most new VoIP deployments use the segmentation of discrete Voice VLANs for increasing QoS requirements, an attacker must sometimes first gain access into the Voice VLAN as a prerequisite vector, before running other VoIP exploits.  VoIP Hopper enables a regular PC to become a member of the IP Phone VLAN.  The tool is simple yet powerful, and has been used in many security assessments in the past.  The new features of VoIP Hopper:

* Nortel Voice VLAN Discovery and VLAN Hop

* A new CDP Spoof mode for more rapid and automated VLAN Hop in a CDP network

* An integrated DHCP client 

From the VoIP Hopper website, the next features planned for VoIP Hopper are LLDP-MED support and trunk port testing.

Finally, I recently used the SIPVicious tool in a remote VoIP security assessment, and it’s a very useful tool that any VoIP security professional should have.  When you look at the business risk of toll fraud / service theft, this tool can be pretty valuable in enumerating vulnerabilities that can be a risk to your business in the form of remote attackers trying to gain unauthorized access to your VoIP network and placing unauthorized calls.  As VoIP proliferates, we’ll see more usage of tools like this to conduct reconnaissance of open SIP services, valid users, and the brute forcing of subscriber/user passwords.  On the proactive protection side, it’s also good to see folks contributing open source proof of concepts for mitigating this risk.  Here is a “Simple Asterisk Based Toll Fraud Prevention Script”.  If you use an active response firewall/IDS/IPS solution, you could actually detect the attempts to toll fraud/service theft attacks based on a signature, and have your VoIP IPS and/or firewall block the source IP address of the would-be attacker.  It’s called a “Voice Toll-Fraud Intrusion Prevention System”  (VTIPS) ;-).  Good to see open source software progress in this direction.