Sidestep VoIP Catastrophe the Foolproof Hacking Exposed Way
This book illuminates how remote users can probe, sniff, and modify your phones, phone switches, and networks that offer VoIP services. Most importantly, the authors offer solutions to mitigate the risk of deploying VoIP technologies. --Ron Gula, CTO of Tenable Network Security
Block debilitating VoIP attacks by learning how to look at your network and devices through the eyes of the malicious intruder. Hacking Exposed VoIP shows you, step-by-step, how online criminals perform reconnaissance, gain access, steal data, and penetrate vulnerable systems. All hardware-specific and network-centered security issues are covered alongside detailed countermeasures, in-depth examples, and hands-on implementation techniques. Inside, you’ll learn how to defend against the latest DoS, man-in-the-middle, call flooding, eavesdropping, VoIP fuzzing, signaling and audio manipulation, Voice SPAM/SPIT, and voice phishing attacks.
# Find out how hackers footprint, scan, enumerate, and pilfer VoIP networks and hardware
# Fortify Cisco, Avaya, and Asterisk systems
# Prevent DNS poisoning, DHCP exhaustion, and ARP table manipulation
# Thwart number harvesting, call pattern tracking, and conversation eavesdropping
# Measure and maintain VoIP network quality of service and VoIP conversation quality
# Stop DoS and packet flood-based attacks from disrupting SIP proxies and phones
# Counter REGISTER hijacking, INVITE flooding, and BYE call teardown attacks
# Avoid insertion/mixing of malicious audio
# Learn about voice SPAM/SPIT and how to prevent it
# Defend against voice phishing and identity theft scams
List of Figures
Chapter 1: Footprinting a VoIP Network
Figure 1-1: The VoIP security pyramid sliced open
Figure 1-2: A few names to get started
Figure 1-3: Use Microsoft’s TerraServer to locate your target, in this case the Spy Museum in Washington DC.
Figure 1-4: Google Local can help locate targets in any town.
Figure 1-5: Here a hacker can figure out where your online voicemail system is installed.
Figure 1-6: A brief overview of Harvard’s VoIP offering
Figure 1-7: SecurityFocus catalogs a good collection of vulnerabilities for a variety of products, including the Cisco IP Phone 7960.
Figure 1-8: The network settings for a phone exposed to the Internet, including IP addresses for TFTP servers, the CallManager server, and the router
Figure 1-9: A graphical structure of the Tulane DNS and SMTP servers
Figure 1-10: Some interesting DNS names are attached to this IP address space.
Chapter 2: Scanning a VoIP Network
Figure 2-1: SIP environment network map
Figure 2-2: SuperScan from Foundstone quickly returns our ping sweep results.
Figure 2-3: SolarWinds Ping Sweep tool
Figure 2-4: SuperScan host probing other ICMP options
Figure 2-5: MAC Address Discovery tool from SolarWinds
Figure 2-6: SNMP scanning using SNScan within an organization
Chapter 3: Enumerating a VoIP Network
Figure 3-1: SiVuS helps us find the same information we found manually with the click of a button.
Figure 3-2: The Retina scanner against the Polycom phone
Figure 3-3: The Saint scanner in action against the Polycom phone
Figure 3-4: Selecting the specific Nessus scanning modules to run against the phone
Figure 3-5: Selecting the VoIP exploit plugins to launch
Figure 3-6: SIPSCAN using REGISTER requests against the Asterisk deployment at 192.168.1.103
Figure 3-7: Using SIPSCAN against our Cisco IP Phone 7912 to find its extension
Figure 3-8: SNMPSweep shows that the Avaya IP phone and Zultys Zip2 phone both responded to SNMP probes with the public community string.
Figure 3-9: SolarWind’s MIB browser finding the Avaya OID
Chapter 4: VoIP Network Infrastructure Denial of Service (DoS)
Figure 4-1: Cisco Policy Manager 3.2
Figure 4-2: Wireshark raw packet capture
Figure 4-3: RTP Streams overview
Figure 4-4: Graph of jitter over time
Figure 4-5: Empirix Hammer Call Analyzer
Figure 4-6: WildPackets’ EtherPeek VoIP analysis
Chapter 5: VoIP Network Eavesdropping
Figure 5-1: Netstumbler shows which networks are using WEP encryption.
Figure 5-2: Ministumbler is a stripped-down version of Netstumbler that runs on PDAs.
Figure 5-3: Beware of the Snom phone packet capture feature!
Figure 5-4: A Metasploit Framework exploit for Windows
Figure 5-5: Wireshark’s VoIP call analyzer
Figure 5-6: Wireshark RTP Streams listing
Figure 5-7: Wireshark RTP Stream Analysis
Figure 5-8: Saving the stream as an audio file
Figure 5-9: Cain and Abel
Figure 5-10: Cain and Abel’s VoIP reconstruction
Figure 5-11: DTMF Decoder translating the touch tones for 1-2-3-4
Chapter 6: VoIP Interception and Modification
Figure 6-1: Our SIP test bed
Figure 6-2: Cain’s MAC Address Scanner
Figure 6-3: List of newly found hosts
Figure 6-4: New ARP Poison Routing window
Figure 6-5: Selecting the ARP poisoning victims
Figure 6-6: All ready to begin the ARP poisoning
Figure 6-7: Packet interception after our phone call
Figure 6-8: Our captured conversation converted to a WAV file
Figure 6-9: Capturing SIP hashes
Figure 6-10: Listing of all passwords we can try to crack
Figure 6-11: Cracking the phone’s password through a brute-force attack
Figure 6-12: ettercap setup
Figure 6-13: ettercap is now ready to start scanning for hosts.
Figure 6-14: Our targets are now selected.
Figure 6-15: Our active VoIP connection
Figure 6-16: Dialog box showing a possible man-in-the-middle attack as it’s occurring
Figure 6-17: Rogue SIP B2BUA
Figure 6-18: Rogue SIP proxy
Figure 6-19: SIP test bed
Figure 6-20: Using a rogue SIP B2BUA to tap a call
Chapter 7: Cisco Unified CallManager
Figure 7-1: The SCCP call setup
Figure 7-2: The media setup
Figure 7-3: The session teardown
Figure 7-4: Loading the traffic capture of Skinny communications in Wireshark
Figure 7-5: Single site Cisco VoIP deployment
Figure 7-6: Centralized multisite VoIP deployment
Figure 7-7: Finding the phones in order to disable the web browser
Figure 7-8: CDP dump in Wireshark of a Cisco SIP 7960 phone
Figure 7-9: SNMP browsing of a Cisco CallManager
Figure 7-10: SNMP Service Properties window editing the Public string
Figure 7-11: Metasploit Framework with the infamous LSASS vulnerability
Figure 7-12: Cisco Voice Technology Group Subscription Tool
Figure 7-13: Cisco Product Alert Tool
Figure 7-14: Disabling features on a Cisco hard phone
Chapter 8: Avaya Communication Manager
Figure 8-1: Avaya media servers
Figure 8-2: Avaya media gateways
Figure 8-3: Avaya systems and number of supported stations
Figure 8-4: Selected Avaya IP phones
Figure 8-5: Avaya Standard Management Solution main screen
Figure 8-6: Example System Access Terminal (SAT) screen
Figure 8-7: Management systems and systems using APIs
Figure 8-8: Small site configuration
Figure 8-9: Large site configuration containing several small sites
Figure 8-10: Avaya test bed
Figure 8-11: IP phone signaling and audio ports
Figure 8-12: IP phone initialization and address resolution ports
Figure 8-13: IP phone application resolution ports
Figure 8-14: Service Access control screen
Figure 8-15: Firewall control screen
Chapter 9: Asterisk
Figure 9-1: Asterisk as a PBX gateway
Figure 9-2: Asterisk test configuration
Chapter 10: Emerging Softphone Technologies
Figure 10-1: Making a call with Skype
Figure 10-2: SkypeKiller lets you uninstall Skype.
Figure 10-3: Making a call with Gizmo
Figure 10-4: Setting preferences in Gizmo
Figure 10-5: VoIP and Google Talk
Figure 10-6: VoIP and AOL Triton
Figure 10-7: VoIP and Windows Live Messenger
Figure 10-8: VoIP and Yahoo Messenger with Voice
Figure 10-9: A traditional click-to-call dialog box
Chapter 11: VoIP Fuzzing
Figure 11-1: TCPView running on the softphone host
Figure 11-2: The Pingtel SIP Softphone
Figure 11-3: The Pingtel crash error message
Figure 11-4: The Codenomicon SIP test tool
Chapter 12: Flood-based Disruption of Service
Figure 12-1: Flood-based disruption of service
Figure 12-2: SIP test bed
Figure 12-3: Basic setup for flood-based attacks
Figure 12-4: SIP phone with over 12,000 missed calls
Figure 12-5: Targeting a SIP proxy with a nonexistent SIP phone
Figure 12-6: Targeting a SIP proxy with an invalid IP domain address
Figure 12-7: Targeting a SIP proxy with an invalid domain name
Figure 12-8: Targeting a SIP proxy with an invalid SIP phone in another domain
Figure 12-9: Targeting a SIP proxy with a valid SIP phone in another domain
Figure 12-10: Targeting a SIP proxy for a valid SIP phone
Figure 12-11: Targeting a SIP proxy when authentication is enabled
Figure 12-12: Using SiVuS to target a SIP proxy with an invalid SIP phone
Figure 12-13: Using SiVuS to target a SIP proxy with a valid SIP phone
Figure 12-14: Targeting SIP phones with INVITE floods using SiVuS
Figure 12-15: Operating a media gateway in a SIP network
Chapter 13: Signaling and Media Manipulation
Figure 13-1: Registration removal with SiVuS
Figure 13-2: Registration addition with SiVuS
Figure 13-3: Registration hijacking
Figure 13-4: MITM registration hijacking
Figure 13-5: Registration hijacker attack approach
Figure 13-6: SIP phone reboot with SiVuS
Figure 13-7: RTP insertion/mixing
Chapter 14: SPAM over Internet Telephony (SPIT)
Figure 14-1: SPIT call product examples
Figure 14-2: SPIT test bed
Chapter 15: Voice Phishing
Figure 15-1: A traditional phishing campaign
Figure 15-2: The PayPal voice phishing email
Figure 15-3: Getting an 800 number through a VoIP provider is easy.
Figure 15-4: The Trixbox administrative web console
Figure 15-5: Voice phishing hits the mainstream.