Category: Network & Security
2012-07-25 13:33:52
VoIP, or voice over IP (Internet protocol), is a transmission mode designed for voice and multimedia communications. As IP-based networks like the Internet have become the most successful communications infrastructure, the traditional telephone network is currently being replaced by VoIP. Its clear improvements over the old systems make it a popular substitute, and it brings a number of advantages. Among them:
The advantages are many, but they are not our main topic of discussion. (Likewise, there are disadvantages too: VoIP services depend on Internet connection speed, voice quality depends on the performance of your computer, and so forth.) So what is our point in discussing this? What we examine here is the security aspect of VoIP. In this article, we will review:
With so many advantages, VoIP is gaining popularity among organizations and private users alike. But what about security? As should be entirely predictable, any new technology immediately presents opportunities for those seeking to cause mischief. This is confirmed by reports I’m sure you’ve heard about: not just the phone hacking scandal in Britain, but also break-ins in which thieves easily stole confidential information from victims because their networks were not secured.
If you are a pen tester or ethical hacker, then you already have an idea of the importance of penetration testing VoIP: much of today’s important communication happens over VoIP, so securing that confidential information is critical. We will do some practical penetration testing on a VoIP-based network, but first I will show you how to build one.
Asterisk is open-source software that can turn your computer into a communications server. Asterisk PBX (private branch exchange) software allows you to make calls and transfer data.
Trixbox is a PBX (private branch exchange) distribution based on the Asterisk project. It was formerly known as but in October 2006 it was renamed Trixbox. The difference between Trixbox and other PBXs is that Trixbox is IP (Internet protocol) based and has been designed for small and medium-sized businesses. There are two main versions of Trixbox: Trixbox CE, which is free and open source, and Trixbox Pro, which you will need to purchase.
Protocols & Ports
You must have an idea about the protocols and their ports before attempting actual penetration testing on a VoIP network.
SIP (session initiation protocol) has been defined by the Internet Engineering Task Force (IETF) as the protocol for VoIP communication (in other words, a signaling protocol). SIP uses ports 5060 and 5061 over both TCP and UDP.
SDP (session description protocol) describes multimedia sessions, while MGCP (media gateway control protocol) uses UDP ports 2427 and 2727.
RTP (real-time transfer protocol) defines the packets that deliver audio and video over IP-based networks such as VoIP. RTCP (RTP control protocol) accompanies RTP and carries control information for the packet streams that RTP defines.
IAX (Inter-Asterisk eXchange) is an important protocol used in the Asterisk system and is supported by various soft-phones and PBXs. IAX2 is the second version of IAX and works over UDP port 4569.
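Most of what follows is built on SIP signaling, so it helps to see what a SIP message on port 5060 actually contains. The parser below is an added example and is not code from the original article; it splits a raw SIP message into start line, headers and body and pulls out the fields an analyst or tester looks at first (method or status code, Via, From, To, Call-ID), plus the parameters of a Digest Authorization header. The REGISTER message is constructed for the example: the PBX address 192.168.1.9 and extension 600 are the ones used later in the article, while the realm, nonce, tag, branch and response values are made up.

```python
"""Minimal SIP message parser: an added example, not code from the original
article.  It splits a raw SIP message into start line, headers and body and
pulls out the fields an analyst looks at first (method or status code, Via,
From, To, Call-ID) plus the parameters of a Digest Authorization header.

SAMPLE_REGISTER is constructed for this example.  The PBX address 192.168.1.9
and extension 600 are the ones used in the article; realm, nonce, tag, branch
and response values are made up."""
import re

SAMPLE_REGISTER = (
    "REGISTER sip:192.168.1.9 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:600@192.168.1.9>;tag=abc123\r\n"
    "To: <sip:600@192.168.1.9>\r\n"
    "Call-ID: 1234567890@192.168.1.3\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="600", realm="asterisk", '
    'nonce="0123456789abcdef", uri="sip:192.168.1.9", '
    'response="00112233445566778899aabbccddeeff", algorithm=MD5\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# key="quoted value"  or  key=token  (RFC 2617 auth-param syntax)
_DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_sip(raw: str) -> dict:
    """Parse one SIP message into a dict with type, start-line fields,
    lower-cased header names and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    msg = {"headers": {}, "body": body}
    if start.startswith("SIP/2.0 "):          # response: SIP/2.0 <code> <reason>
        _, code, reason = start.split(" ", 2)
        msg.update(type="response", status=int(code), reason=reason)
    else:                                     # request: <METHOD> <uri> SIP/2.0
        method, uri, _ = start.split(" ", 2)
        msg.update(type="request", method=method, uri=uri)
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first ':' only; URIs contain more
        msg["headers"][name.strip().lower()] = value.strip()
    return msg


def parse_digest(auth_value: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict; {} if the scheme is not Digest."""
    scheme, _, params = auth_value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k: quoted or token for k, quoted, token in _DIGEST_PARAM.findall(params)}


def summarize(raw: str) -> dict:
    """The fields worth logging or alerting on for a captured SIP request."""
    msg = parse_sip(raw)
    hdr = msg["headers"]
    summary = {"method": msg.get("method"), "call_id": hdr.get("call-id"),
               "from": hdr.get("from"), "to": hdr.get("to"), "via": hdr.get("via")}
    if "authorization" in hdr:
        digest = parse_digest(hdr["authorization"])
        # Everything below travels in clear over UDP/TCP 5060: username, realm,
        # nonce, URI and the MD5 response.  Only the password itself is absent,
        # which is why a weak password behind this exchange is recoverable
        # offline and why SIP over TLS (port 5061) matters.
        summary["digest"] = {k: digest.get(k)
                             for k in ("username", "realm", "nonce", "uri", "response")}
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_REGISTER))
```

Running the block prints the summary of the constructed REGISTER; the same `summarize()` can be applied to each SIP message pulled out of a capture to build the inventory of extensions and Call-IDs that the scanning tools below produce on the wire.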
VoIP Penetration Testing
The process of penetration testing a VoIP network is generally the same as for any other network. All we need to do is follow the general guidelines, starting with information gathering, as we would in any form of penetration testing. We will do the same on the VoIP network.
Let’s consider a simple scenario: while doing a penetration test on a network you have found an Asterisk-based PBX, as in the nmap result shown below:
It might be some sort of VoIP server, so a smart penetration tester would use the available tools to learn more about it. In this section I will therefore discuss some tools, and their usage, that are really helpful in VoIP penetration testing.
SMAP
SMAP is a scanner that can detect SIP-enabled devices (it can scan a single IP, a range of IPs or whole subnets) and can locate any VoIP server along with its operating system, which helps in understanding the VoIP network.
root@bt:/pentest/voip/smap# ./smap 192.168.1.9
It shows that this host is a VoIP server. Let’s try to gather more information.
root@bt:/pentest/voip/smap# ./smap -O 192.168.1.9
The -l option (fingerprint learning mode) is another useful argument that will give us more information.
SIP-Scan
It is just like SMAP: SIP-Scan is also used to detect SIP-enabled devices. Likewise, it has the ability to scan an entire range of IPs.
SIPvicious is a collection of multiple tools (a tool suite) containing several useful implements for VoIP penetration testing. We will discuss the most important ones, and their usage, in this section.
Svmap
This is part of the SIPvicious suite. Svmap is a SIP scanner that can find SIP-enabled devices within a network. An example that finds a VoIP server in a network is shown below.
root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1/24
Extensions are the devices (a phone or a desktop computer, for example) that can make calls. Extensions are the end nodes and connect to the VoIP server to transfer data, so we need to find the extension numbers in use in order to enumerate the network further.
Svwar
Svwar is part of the SIPvicious tool suite. It is used to detect the end users (extensions) on a PBX.
root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-700 192.168.1.9
Here -e100-700 defines the possible range of extensions.
Now, after just a little work, we have a lot of information about this VoIP network and can easily draw its topology (these documents are included in the final report).
Here is the network diagram that I have created from the information gathered in the steps above.
Sniffing on VoIP Network
The concept of sniffing on a VoIP network is the same as general network sniffing. I will use some of the best-known tools to demonstrate a sniffing attack on a VoIP network. Let us start with Wireshark, which is able to capture VoIP traffic.
Now let’s suppose the end users (extensions) are busy talking to each other, and an attacker is trying to capture some traffic so that he/she can get at their communication.
Wireshark has captured some traffic. As discussed in the protocol section above, the RTP packets carry the media. The question now is: how do we extract the information from these packets? Wireshark has a built-in feature for VoIP: click on the Telephony menu, then VoIP Calls. You will then get this window:
Click on Player, then on Decode. You can now listen in to this conversation; all of the data is available in the audio file.
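What Wireshark’s player does with those RTP packets is not magic: the 12-byte RTP header (RFC 3550) tells it the codec, sequence number, timestamp and stream identifier, and everything after that header is the raw audio, which on a plain (non-SRTP) call is not encrypted. The decoder below is an added example, not code from the original article or from Wireshark; `build_sample()` constructs the packets it is run on (G.711 frames with a made-up SSRC), and the codec table covers the static payload types of RFC 3551.

```python
"""RTP header decoder: an added example, not code from the original article.

RTP (RFC 3550) carries the audio itself.  Its 12-byte fixed header gives the
codec (payload type), sequence number, timestamp and stream id (SSRC); what
follows is the audio payload, which on a plain RTP call is not encrypted and
can be decoded just as Wireshark's player does.  Packets are built with
build_sample() below and are constructed for this example."""
import struct

# Static audio payload types from RFC 3551.
STATIC_PAYLOAD_TYPES = {0: "PCMU/8000", 3: "GSM/8000", 8: "PCMA/8000",
                        9: "G722/8000", 18: "G729/8000"}


def parse_rtp(packet: bytes) -> dict:
    """Decode the fixed header (plus CSRC list and extension if present)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"not RTP version 2 (got {version})")
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F
    offset = 12 + 4 * csrc_count
    if extension:  # profile-specific id (2 bytes) + length in 32-bit words (2 bytes)
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if padding and payload:  # last byte says how many pad bytes there are (itself included)
        payload = payload[:-payload[-1]]
    return {"marker": marker, "payload_type": payload_type,
            "codec": STATIC_PAYLOAD_TYPES.get(payload_type, f"dynamic/{payload_type}"),
            "sequence": seq, "timestamp": ts, "ssrc": ssrc, "payload": payload}


def build_sample(seq: int, pt: int = 0, ssrc: int = 0xDEADBEEF,
                 payload: bytes = b"\xff" * 160, pad: int = 0) -> bytes:
    """Constructed G.711 packet: 20 ms = 160 samples at 8 kHz, so the timestamp
    advances by 160 per packet.  The ssrc and the sample bytes are made up;
    pad > 0 appends RTP padding and sets the P bit."""
    flags = 0x80 | (0x20 if pad else 0)                    # V=2, P=pad?, X=0, CC=0
    body = payload + (bytes(pad - 1) + bytes([pad]) if pad else b"")
    return struct.pack("!BBHII", flags, pt, seq, seq * 160, ssrc) + body


def stream_summary(packets) -> dict:
    """Group packets by SSRC: codec, packet count, payload bytes and any
    sequence numbers missing from the capture (16-bit wrap-around ignored)."""
    streams = {}
    for pkt in packets:
        h = parse_rtp(pkt)
        s = streams.setdefault(h["ssrc"], {"codec": h["codec"], "seqs": [], "bytes": 0})
        s["seqs"].append(h["sequence"])
        s["bytes"] += len(h["payload"])
    for s in streams.values():
        seqs = sorted(s.pop("seqs"))
        s["packets"] = len(seqs)
        s["lost"] = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
    return streams


if __name__ == "__main__":
    capture = [build_sample(1), build_sample(2), build_sample(4)]
    print(stream_summary(capture))
```

The payload returned by `parse_rtp()` for payload type 0 or 8 is G.711 audio that any media library can play back directly, which is exactly the exposure the sniffing attack relies on. The header is identical for SRTP, so `stream_summary()` cannot tell an encrypted stream from a plain one; only the payload reveals that, and protecting the media with SRTP (and the signaling with TLS on 5061) is what makes the captured stream useless to a sniffer.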
SIP Authentication Cracking (VoIP Cracking)
The importance of passwords is no secret, so in this section I will show you how the password of any extension (user) on a VoIP network can be cracked. This is the most dangerous attack, because if an attacker knows your password, he/she will be able to authenticate on the network using your identity.
The Wireshark capture can be used for authentication cracking. Save the result as name.pcap; we will now use a tool called SIPcrack. It contains two scripts: sipdump, which dumps the authentication data as hashes, and sipcrack, which cracks the VoIP password.
root@bt:~/Desktop/SIPcrack# ./sipdump pass.txt -p aa.pcap
Sipcrack needs a wordlist to launch an attack; as a result, it will give you the password.
Another tool that will help you crack SIP passwords is svcrack. Like the others, it can be found in the SIPvicious tool suite. Svcrack is well suited to brute-force attacks on SIP accounts.
root@bt:/pentest/voip/sipvicious# ./svcrack.py -u600 -d list.txt 192.168.1.9
A denial of service (DoS) attack is a dangerous attack that can cause the VoIP network and its devices to crash. Inviteflood is a tool for launching DoS attacks against any extension (user) on the VoIP network. Usage:
./inviteflood interface targetuser targetdomain floodtarget numberofpackets
./inviteflood eth0 600 192.168.1.3 192.168.1.3 200000
It is something like a “ping of death” attack: it will crash the end user’s operating system, leaving him/her unable to make any calls.
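Both svcrack and inviteflood leave a loud footprint on the PBX: a password guess produces a stream of failed REGISTER attempts from one source, and an INVITE flood produces hundreds of INVITEs per second from one source. The detector below is an added example, not code from the original article or from any of these tools, and shows how to pick up both from the defender’s side with one sliding-window counter. Its inputs are constructed: the log lines follow the shape of the notice Asterisk’s chan_sip writes on a failed registration (“Registration from '...' failed for 'ip:port' - Wrong password”, the same signal that log-watching tools such as Fail2ban key on), and the INVITE events stand in for the (seconds, source IP, method) tuples you would take from a capture or SIP trace. The window sizes and thresholds are assumptions to be tuned to your own traffic.

```python
"""Detection for SIP password brute-forcing (many failed registrations from
one source) and INVITE flooding (a burst of INVITEs from one source): an added
example, not code from the original article or from svcrack/inviteflood.

Both inputs are constructed for this example.  SAMPLE_LOG lines follow the
shape of the notice Asterisk's chan_sip writes on a failed REGISTER;
SAMPLE_SIP_EVENTS stands in for the (seconds, source IP, method) tuples you
would take from a capture or a SIP trace.  Windows and thresholds are
assumptions to be tuned to your own traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime

REG_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<peer>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.+)$"
)

# Constructed log: five failures in two seconds from 192.168.1.5 (a guessing
# tool), one lone typo from 192.168.1.7, and an unrelated notice in between.
SAMPLE_LOG = """\
[Jul 25 13:33:50] NOTICE[2471] chan_sip.c: Registration from '"600" <sip:600@192.168.1.9>' failed for '192.168.1.5:5060' - Wrong password
[Jul 25 13:33:50] NOTICE[2471] chan_sip.c: Registration from '"600" <sip:600@192.168.1.9>' failed for '192.168.1.5:5060' - Wrong password
[Jul 25 13:33:51] NOTICE[2471] chan_sip.c: Registration from '"600" <sip:600@192.168.1.9>' failed for '192.168.1.5:5060' - Wrong password
[Jul 25 13:33:51] NOTICE[2471] chan_sip.c: Peer '601' is now Reachable. (10ms / 2000ms)
[Jul 25 13:33:51] NOTICE[2471] chan_sip.c: Registration from '"600" <sip:600@192.168.1.9>' failed for '192.168.1.5:5060' - Wrong password
[Jul 25 13:33:52] NOTICE[2471] chan_sip.c: Registration from '"600" <sip:600@192.168.1.9>' failed for '192.168.1.5:5060' - Wrong password
[Jul 25 13:40:10] NOTICE[2471] chan_sip.c: Registration from '"601" <sip:601@192.168.1.9>' failed for '192.168.1.7:5060' - Wrong password
"""

# Constructed SIP events: 200 INVITEs in 0.4 s from one host, plus two normal calls.
SAMPLE_SIP_EVENTS = (
    [(i * 0.002, "192.168.1.5", "INVITE") for i in range(200)]
    + [(5.0, "192.168.1.3", "INVITE"), (9.0, "192.168.1.3", "INVITE"), (9.5, "192.168.1.3", "BYE")]
)


def sources_over_threshold(events, window, threshold):
    """events: (seconds, source) pairs.  Sliding-window count per source;
    returns {source: peak count} for every source that reaches the threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for t, src in sorted(events):
        q = recent[src]
        q.append(t)
        while t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def parse_reg_failures(log_text):
    """(seconds, source IP) for every failed-registration notice in the log."""
    epoch = datetime(1900, 1, 1)   # syslog-style stamps carry no year; strptime fills in 1900
    events = []
    for line in log_text.splitlines():
        m = REG_FAIL.match(line)
        if m:
            stamp = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append(((stamp - epoch).total_seconds(), m["src"]))
    return events


def detect_bruteforce(log_text, window=60, threshold=5):
    """Sources with at least `threshold` failed registrations inside `window` seconds."""
    return sources_over_threshold(parse_reg_failures(log_text), window, threshold)


def detect_invite_flood(sip_events, window=1.0, threshold=100):
    """Sources sending at least `threshold` INVITEs inside `window` seconds."""
    invites = [(t, src) for t, src, method in sip_events if method == "INVITE"]
    return sources_over_threshold(invites, window, threshold)


if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_LOG))
    print("invite flood:", detect_invite_flood(SAMPLE_SIP_EVENTS))
```

A source that `detect_bruteforce()` flags is a candidate for a temporary firewall block, and the same applies to `detect_invite_flood()` output; on the PBX side, strong extension passwords and per-source registration limits remove most of what both attacks depend on.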
Iaxflood is another good tool that can flood the IAX2 protocol; its usage is very simple:
root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets
A simple usage like:
root@bt:/pentest/voip/iaxflood# ./iaxflood 192.168.1.13 192.168.1.2 10000
Metasploit has several auxiliary modules for VoIP networks. Here is a list of some of the best Metasploit auxiliary modules for VoIP hacking:
We can do basic VoIP penetration testing with the Metasploit auxiliary modules for information gathering and enumeration: we can scan an entire network to find SIP-enabled devices, and the modules are fast.
msf > use auxiliary/scanner/sip/options
Security awareness is very important. Before concluding this article, I want to briefly discuss VoIP phishing. Phishing is not a new attack (it is pretty old school), but it remains a threat because hackers usually use a social engineering technique to trick a user before stealing his/her credentials. You may have heard of email phishing, in which an attacker directs the victim to a fake page so that they enter their confidential information. In the same fashion, a hacker can hijack your calls to get your credentials.
Let’s suppose someone received a call or email like this:
“Hi, this is an urgent email (call) that has been generated by the network administrator. We have found something wrong with your account, so please call back at XXXX-XXXX-XXX to verify your account.”
Typically, an unwary user will call back; the hacker may then ask for confidential information. You need to understand the risk, and educate the people around you.