[VOIPSEC] pentesting voip network-please help

Jason Ostrom jpo at pobox.com
Fri Jan 29 13:00:46 CST 2010


Ah, an internal VoIP pentest - the fun has begun for you, my friend.  
This is one of the things that we live and breathe for.

So from what I gather:  you're in the middle of an internal pentest, you 
don't know the names of the image files, you can't capture RTP, and you 
are connected to the voip vlan, correct?

Let's back up a second and assume nothing, and at the same time suggest 
a few general methods, specific steps:

1.  Why do you want to download the image files?  What attack are you 
trying to do here?  Unless you can be MitM during the image file 
download or have a Ph.D. in reverse engineering software, I'm not sure 
how downloading the image file from your laptop is going to help you.

2.  So you have physical access to the IP Phone.  Have you tried using a 
hub first for passive eavesdropping?  You can share the connection from 
the wall with your laptop and phone, and completely fingerprint the IP 
Phone downloading its phone configuration file, and placing sample 
calls.  This is one of the first methods, and the safest - it does 
require an external power supply for the IP Phone.  The network trace 
file can then be compared against MitM eavesdropping attacks to see what 
you are missing when you use a LAN-based MitM ARP Poisoning attack, to 
simulate what regular VoIP users are capable of doing.

3.  You mention downloading the firmware files via brute force attacks, 
and finding interesting information in them, like passwords.  I believe 
the phone configuration is what you are looking for (not the firmware 
image).  Can you confirm that the environment uses SIP or Skinny (SCCP) 
line side signaling?  Since this is a UCM 6.1.3 environment, it's likely 
that this is SCCP since that is the default signaling.  You should be 
looking for the SEP CNF xml file.  If you know the MAC address of the IP 
phone, it's "SEP<mac>.cnf.xml".  SIPDefault is for SIP signaling, which 
will be rare with the Callmanager version you mention, in a default 
installation.

4.  You mention that you tried to capture RTP conversations without 
success and you are connected to the VoIP VLAN.  How do you know you are 
connected to the VoIP VLAN?  Is your test laptop connected to the PC 
port of the IP Phone or have you connected directly to the wall?  What 
is the native VLAN and Voice VLAN?  Does your test machine have a valid 
IP address in the voice vlan and how have you verified this?  Only then 
can you conduct an eavesdropping attack when QoS is configured.  There 
are many VoIP sniffers out there but in my opinion the best is UCSniff 
[1] (I am biased, I am the co-author of this tool).  UCSniff is free and 
highly specialized for pentesting in a Cisco VoIP environment, and is 
constantly tested against the latest Cisco Unified IP Phones and 
Callmanager software, simulating the most common Cisco production 
enterprise deployments.  Some of the things you need to do:

1.  First verify that you have a valid IP address in the VoIP VLAN, as a 
valid registered IP Phone.  Can you ping other IP Phones from the same 
VLAN?  Does your laptop have a Voice VLAN sub-interface like eth0.x 
where x is the voice vlan?  When you browse the IP Phone settings in the 
LCD, what do the Admin VLAN ID and Operational VLAN ID settings tell you?
2.  Run UCSniff in targeted user mode, which will only conduct the VoIP 
eavesdropping attack against a single Cisco Unified IP Phone (minimizing 
the risk of service impact against the entire VoIP VLAN).
3.  Run a Wireshark trace in parallel, to see the captured traffic.  
What is the audio codec used?  Is the trace similar to step 2, with the 
passive traffic trace?  Do you receive all SCCP signaling to and from 
the Phone?  Do you receive all RTP media stream traffic to or from the 
phone?
4.  If you are actually doing a MitM arp poisoning attack against the 
network and aren't receiving all traffic to or from the phone, it could 
be an issue with GARP Disabled setting on the IP Phone.  UCSniff has a 
feature to change the configuration of the Cisco IP Phone and also 
defeat GARP Disabled with a race condition unicast ARP reply flooding.  
See the UCSniff documentation and website for more information.
5.  Some of the other VoIP vulnerability demonstrations you can show 
your customer:  download/theft of VoIP corporate directory (ucsniff 
does) for targeted eavesdropping based on corporate directory, UC 
keystroke logger (theft of Cisco Unity voice mail passwords, or any 
dialed digits, i.e., banking IVR application).
6.  There are also other media insertion and replay attacks that you can 
do. Please take a look at the VOIPSA tools list [2], some of the VoIP 
Hacking Exposed [3] tools, and the free VAST [4] Linux Distro, a VoIP 
pentest OS which contains a lot of the VoIP Security tools (including 
UCSniff) already pre-installed.

There are many, many layers deep to the methods and specific steps, but 
this is an initial starting point.  Send any more information to this 
list, and we will do our best to help.  You can also send me an email 
off-list directly to jostrom at viperlab.net with any specific data, pcap 
traces, or SEP cnf xml files, and I will help.

[1]  UCSniff Video / VoIP Sniffer:
http://ucsniff.sf.net

[2]  VOIPSA Tools list:
http://www.voipsa.org/Resources/tools.php

[3]  VoIP Hacking Exposed tools:
http://www.hackingvoip.com/

[4]  VIPER VAST Linux Distro
http://vipervast.sf.net
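A small trace-triage script, added here as an example and not taken from this thread, from UCSniff or from the VIPER tools, that answers the checklist questions in steps 1 and 3 above from a packet summary: is SCCP signaling seen in both directions for the phone under test, is RTP media seen in both directions (a one-directional RTP picture is what a partial MitM looks like), and do the ARP replies on the segment show a second MAC claiming an IP already claimed by another station, which is what an ARP-poisoning MitM leaves behind for a defender to detect. The packet records, MAC and IP addresses are constructed, not from any real capture; the port numbers are the standard ones (SCCP on TCP 2000, SIP on 5060, Cisco IP phone RTP/RTCP in UDP 16384-32767). Feeding it a real Wireshark export would need a loader that produces the same tuples, which is left out.

```python
"""Triage a voice-VLAN packet summary: signaling, media and ARP anomalies.

Added example (not from the thread, UCSniff or VIPER).  Each record is a
constructed tuple, either
  ("ip", src_mac, src_ip, dst_ip, proto, src_port, dst_port)   or
  ("arp", sender_mac, sender_ip)            # one ARP reply / gratuitous ARP
"""
from collections import Counter, defaultdict

SCCP_PORT = 2000                   # Skinny (SCCP) line-side signaling, TCP
SIP_PORT = 5060                    # SIP signaling (rare on a default UCM 6.x)
RTP_PORTS = range(16384, 32768)    # UDP range Cisco IP phones use for RTP/RTCP


def classify(proto, src_port, dst_port):
    """Label one IP frame by transport protocol and the ports it uses."""
    if proto == "tcp" and SCCP_PORT in (src_port, dst_port):
        return "sccp"
    if SIP_PORT in (src_port, dst_port):
        return "sip"
    if proto == "udp" and (src_port in RTP_PORTS or dst_port in RTP_PORTS):
        # RTP rides on the even port of a pair, its RTCP companion on the odd one
        port = dst_port if dst_port in RTP_PORTS else src_port
        return "rtp" if port % 2 == 0 else "rtcp"
    return "other"


def media_summary(frames, phone_ip):
    """Count signaling and media frames from and to the phone under test."""
    counts = Counter()
    for rec in frames:
        if rec[0] != "ip":
            continue
        _, _src_mac, src_ip, dst_ip, proto, src_port, dst_port = rec
        label = classify(proto, src_port, dst_port)
        if src_ip == phone_ip:
            counts[label + "_from_phone"] += 1
        elif dst_ip == phone_ip:
            counts[label + "_to_phone"] += 1
    return dict(counts)


def arp_conflicts(frames):
    """IPs claimed by more than one MAC in ARP replies.  On a voice VLAN this
    is the footprint of ARP poisoning (or of a duplicate-address mistake)."""
    claims = defaultdict(set)
    for rec in frames:
        if rec[0] == "arp":
            _, sender_mac, sender_ip = rec
            claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def trace_checklist(frames, phone_ip):
    """Yes/no answers to the 'do you see all signaling / all media' questions,
    plus any ARP conflicts observed on the segment."""
    s = media_summary(frames, phone_ip)
    both = lambda label: s.get(label + "_from_phone", 0) > 0 and s.get(label + "_to_phone", 0) > 0
    return {
        "sccp_both_directions": both("sccp"),
        "rtp_both_directions": both("rtp"),
        "arp_conflicts": arp_conflicts(frames),
    }


# Constructed sample: phone .11 registered to Callmanager .5, in a call with
# phone .12, and a third station (aa:bb:...) also answering ARP for .12.
PHONE_IP = "10.10.20.11"
SAMPLE_FRAMES = [
    ("ip", "00:1a:a2:00:00:01", "10.10.20.11", "10.10.20.5", "tcp", 49152, 2000),
    ("ip", "00:50:56:00:00:05", "10.10.20.5", "10.10.20.11", "tcp", 2000, 49152),
    ("ip", "00:1a:a2:00:00:01", "10.10.20.11", "10.10.20.12", "udp", 24580, 18436),
    ("ip", "00:1a:a2:00:00:02", "10.10.20.12", "10.10.20.11", "udp", 18436, 24580),
    ("ip", "00:1a:a2:00:00:02", "10.10.20.12", "10.10.20.11", "udp", 18437, 24581),
    ("arp", "00:1a:a2:00:00:01", "10.10.20.11"),
    ("arp", "00:1a:a2:00:00:02", "10.10.20.12"),
    ("arp", "aa:bb:cc:dd:ee:ff", "10.10.20.12"),
]

if __name__ == "__main__":
    print(media_summary(SAMPLE_FRAMES, PHONE_IP))
    print(trace_checklist(SAMPLE_FRAMES, PHONE_IP))
```

Dropping the fourth record (the RTP frame from .12 to .11) from the sample turns `rtp_both_directions` to False while SCCP stays complete, which is the "I see signaling but only half the audio" picture the GARP discussion in step 4 is about; the conflict on 10.10.20.12 is the sort of thing a switch's dynamic ARP inspection or an IDS watching the voice VLAN should be alerting on.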



mzcohen2682 at aim.com wrote:
> Hi all!!
>
> I'm doing an internal (LAN) pentest for a VoIP network. The network has 6 Cisco Call Managers (version 6.1.3) as a cluster. They have Cisco phones 7911 and 7941. They use a separate VLAN for the VoIP network.
>
> I started by trying to download the image files for the phones from the TFTP server by doing a brute force attack for the names of the files.
>
> I have access to one of the 7941 phones so I checked that the version of the image is 4.0/8.0 (9.0).
> I'm not sure what the names of the image files that the phones reload after boot should be, but according to Cisco documentation there must be SIPdefault.cnf and OS79xx.txt in the root directory of the TFTP server. But I tried and they are not there..
>
> So what are the names of the files? I read a document that said that if I am able to download those files I will find lots of interesting information like phone passwords etc..
>
> After that... I tried to capture some RTP conversations but without any success. I am connected to the VoIP VLAN and used Wireshark but it doesn't detect any calls! Should I do some ARP spoofing attack? But to which MACs?
>
> Any other ideas how to continue with this pentest?
>
> What I see is that although the client didn't implement encryption or any other security control, just the VLAN, it isn't so easy to pentest a VoIP network..
>
> thanks
>
> marco
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org