LPTv4 Module 31: VoIP Penetration Testing (NoRestriction)

ECSA/LPT, EC-Council, Module XXXI: VoIP Penetration Testing

Upload: mahmoud-eladawi

Post on 08-Nov-2014

TRANSCRIPT

Page 1: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

ECSA/LPT

EC-Council Module XXXI

VoIP Penetration Testing

Page 2: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Penetration Testing Roadmap

Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Page 3: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Penetration Testing Roadmap (cont'd)

Cont'd
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Bluetooth and Handheld Device Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here

Page 4: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Vulnerability Assessment

When testing for vulnerabilities in VoIP networks, it is not necessary to test every IP phone.

Scanning every phone has the potential to generate enough network traffic that voice quality is negatively affected.

In most VoIP environments, it is possible to identify IP phones by their SNMP signature, so phones of the same model and firmware can be grouped and a representative of each group tested.

Page 5: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Penetration and Vulnerability Testing

Penetration tests usually refer to tests against perimeter defenses, while vulnerability testing refers to tests against specific systems (hosts, applications, or networks).

Both determine the current security posture of an organization.

The results reflect the security status during the testing period only; changes made afterwards are not covered.

Page 6: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Risks and Vulnerabilities

Reconnaissance attacks:

• The attacker gathers information about network vulnerabilities, the behavior of network devices and users, and the services available for disruption.

Protocol fuzzing:

• Malformed or random protocol input is sent to the software to find bugs and observe how it reacts.

Denial of Service (DoS) attack:

• The attacker deliberately sends a very large number of unsystematic messages, from a single location or from multiple locations, to one or many VoIP endpoints.

Call hijacking and redirection:

• A call intended for one user is redirected to a different user.

Page 7: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Risks and Vulnerabilities (cont'd)

VoIP spam:

• Unsolicited bulk messages are broadcast over VoIP to the end users of an organization's network.

Spoofing:

• The attacker deliberately inserts false data into the source IP address field of the packet to hide the actual source of the call.

Eavesdropping:

• The unauthorized interception of Real-time Transport Protocol (RTP) media streams or voice packets, and the decoding of signaling messages.

Session anomalies:

• Messages arrive in an improper order, so the server cannot handle the call.

Page 8: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Security Threats

Attacks against the fundamental VoIP devices:

• Devices such as proxy servers, gateways, and IP phones inherit the vulnerabilities of the operating system or firmware they run on.

Configuration faults in VoIP devices:

• Many VoIP devices expose open TCP and UDP ports because of their default configuration, and the default services running on those ports may be vulnerable to weak passwords, buffer overflows, and DoS attacks.

IP infrastructure attacks:

• VoIP services depend directly on the IP infrastructure, so any attack on it may impact all VoIP communications.

Page 9: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Penetration Testing Steps

Step 1: Test for eavesdropping

Step 2: Test for flooding and logic attacks

Step 3: Test for Denial of Service (DoS) attacks

Step 4: Test for call hijacking and redirection attacks

Step 5: Test for ICMP ping sweeps

Step 6: Test for ARP pings

Step 7: Test for TCP ping scans

Step 8: Test for SNMP sweeps

Step 9: Test for port scanning and service discovery

• Step 9.1: TCP SYN scan

• Step 9.2: UDP scan

Step 10: Test for host/device identification

Page 10: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Penetration Testing Steps (cont'd)

Step 11: Test for banner grabbing

Step 12: Test for SIP user/extension enumeration

Step 13: Test for automated OPTIONS scanning with sipsak

Step 14: Test for automated REGISTER, INVITE and OPTIONS scanning with SIPSCAN against the SIP server

Step 15: Test for enumerating TFTP servers

Step 16: Test for SNMP enumeration

Step 17: Test for sniffing TFTP configuration file transfers

Step 18: Test for number harvesting and call pattern tracking

Page 11: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 1: Test for Eavesdropping

Capture the Real-time Transport Protocol (RTP) media streams (the voice packets) and decode the signaling messages that set them up.

Use VoIP hacking tools:

• VOMIT
• VoIPong

Along with a sniffer:

• Ethereal (now Wireshark)

Tool for capturing VoIP packets:

• pcapsipdump

Page 12: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 2: Test for Flooding and Logic Attacks

A TCP SYN flood exploits the way the TCP connection handshake works.

Spoofed source IP addresses never return the final acknowledgement, so the half-open requests stay in the target's connection queue until it is exhausted.

Use flooding techniques such as Session Initiation Protocol (SIP) INVITE or REGISTER floods to overload the devices with VoIP protocol packets.

Use tools such as InviteFlood and IAXFlood to overload the devices with VoIP protocol packets.

Page 13: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 3: Test for Denial of Service (DoS) Attack

Send a large number of unsystematic messages, from a single location or from multiple locations, to one or many VoIP endpoints.

Use IxChariot software to generate the traffic for a Denial of Service test.

Page 14: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 4: Test for Call Hijacking and Redirection Attack

This attack allows the attacker to receive all of the victim's calls.

Manipulate the registration (the Contact binding) associated with the victim's Session Initiation Protocol (SIP) URI so that calls for the victim are routed elsewhere.

Check whether 3xx (redirection) response codes can be injected to redirect the victim's calls.

Page 15: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 5: Test for ICMP Ping Sweeps

An easy way to identify active hosts is by sending ICMP ECHO REQUEST packets.

Live hosts return ICMP ECHO REPLY packets if ICMP is not blocked by firewalls.

Tools for ICMP ping sweeps:

• fping
• Nmap
• SuperScan
• Nessus
• Ping and port sweep utility

Page 16: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 6: Test for ARP Pings

An ARP ping requests the MAC address for each IP address across a large range of addresses.

It identifies live hosts on the network; because ARP is not routed, it only finds hosts in the tester's own broadcast domain.

Tools:

• Arping
• MAC address discovery tool

Page 17: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 7: Test for TCP Ping Scans

Sends TCP SYN- or ACK-flagged packets to a TCP port on the target host.

An RST packet returned in response indicates that the host is alive (so does a SYN/ACK to a SYN probe).

Tools:

• Nmap
• hping2

Page 18: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 8: Test for SNMP Sweeps

An SNMP sweep returns sensitive information because the default "public" community string is still used on many devices.

Tools:

• SNScan
• snmpwalk
• Nomad
• Cheops
• snmpenum
• snmp-audit

Page 19: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 9: Test for Port Scanning and Service Discovery

The technique of connecting to TCP and UDP ports on the target to search for active services.

Determines the vulnerabilities present on the target hosts or devices.

Methods to scan for active services:

• TCP scan
• UDP scan

Page 20: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 9.1: TCP SYN Scan

Sends a TCP SYN packet to a specific port as if to establish a TCP connection.

A returned SYN/ACK-flagged TCP packet indicates the port is open.

A returned RST packet indicates the port is closed; no response at all usually means the port is filtered.

Page 21: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 9.2: UDP Scan

A UDP scan sends an empty UDP datagram to each UDP port on the target.

If the port responds, an active service is listening.

If the port is unused, you will receive an ICMP port unreachable error; no answer at all is ambiguous (open or filtered), since many UDP services stay silent on empty input.

Page 22: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 10: Test for Host/Device Identification

Determines the type of devices and hosts by OS and firmware type.

Method to identify the host/device:

• Stack fingerprinting: a technique for further identifying the innards of a target host or device from the behavior of its TCP/IP stack.

Tools used to identify hosts or devices:

• Nmap
• Xprobe2
• Arkin
• Queso
• Snacktime

Page 23: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 11: Test for Banner Grabbing

Banner grabbing is a method where a connection is made to a port on the remote target to gather information about the service running on it.

Types of banner grabbing:

• Manual banner grabbing: can be accomplished easily using the command-line tool Netcat.
• Automated banner grabbing: the fingerprinting tool smap analyzes SIP message responses to determine which device it is probing.

Page 24: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 12: Test for SIP User/Extension Enumeration

Provides valid usernames or extensions of SIP phones.

An easy way to glean user registrations.

Methods of enumeration:

• REGISTER username enumeration
• INVITE username enumeration
• OPTIONS username enumeration
• Automated OPTIONS scanning with sipsak
• Automated REGISTER, INVITE and OPTIONS scanning with SIPSCAN against the SIP server
• Automated OPTIONS scanning using SIPSCAN against SIP phones

Page 25: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 13: Test for Automated OPTIONS Scanning with sipsak

For OPTIONS scanning, the command-line tool sipsak is used (http://sipsak.org).

It is also useful for stress testing and diagnosing SIP service issues.

Page 26: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 14: Test for Automated REGISTER, INVITE, and OPTIONS Scanning with SIPSCAN against the SIP Server

Use SIPSCAN (www.hackingvoip.com).

It returns the live SIP extensions/users.

Page 27: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 15: Test for Enumerating TFTP Servers

Locate the TFTP server within the network.

This can be done by reading the TFTP server IP address from a phone's web-based configuration page (the same address is usually handed out to the phones by DHCP option 66).

Page 28: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 16: Test for SNMP Enumeration

SNMP agents listen on UDP port 161 (UDP port 162 is used by trap receivers, not by the agents you want to query).

Use Nmap to find any devices that support it:

• root@domain2 ] # nmap –sU

Provides configuration information, such as:

• Vendor type used.
• Operating system.
• MAC address.
• Ports of UDP services.
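To show what Steps 8 and 16 actually put on the wire, here is a Python SNMPv1 GET for sysDescr.0 using the default "public" community, written for this page as an added example (it is not part of the module; Nmap and snmpwalk do the same job in practice). It encodes the request by hand in BER so the packet layout is visible, parses the GetResponse, and includes a constructed response builder so the parser can be exercised offline; the socket helper sends to UDP port 161. The device description used in the sample is made up.

```python
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # sysDescr.0: vendor/OS/firmware banner
SNMP_PORT = 161                     # agents listen here; 162 is only for traps


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(value):
    """INTEGER with minimal two's-complement encoding (non-negative here)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest (RFC 1157): version 0, community, PDU tag 0xA0."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))  # value is NULL in a request
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=1):
    """Constructed GetResponse (PDU tag 0xA2) carrying an OCTET STRING value;
    only used to test the parser offline, not received from a real agent."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Pull community, error status and the first varbind value from a response."""
    _, msg, _ = _parse_tlv(packet)
    _, _version, p = _parse_tlv(msg)
    _, community, p = _parse_tlv(msg, p)
    pdu_tag, pdu, _ = _parse_tlv(msg, p)
    _, _req_id, p = _parse_tlv(pdu)
    _, err_status, p = _parse_tlv(pdu, p)
    _, _err_index, p = _parse_tlv(pdu, p)
    _, varbinds, _ = _parse_tlv(pdu, p)
    _, varbind, _ = _parse_tlv(varbinds)
    _, _oid_bytes, p = _parse_tlv(varbind)
    value_tag, value, _ = _parse_tlv(varbind, p)
    return {"community": community.decode("ascii", errors="replace"),
            "is_response": pdu_tag == 0xA2,
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "value_tag": value_tag, "value": value}


def snmp_get(host, oid=SYS_DESCR_0, community="public", timeout=1.0):
    """Send one GET over UDP/161; None on timeout or an unparseable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid), (host, SNMP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
            return parse_get_response(data)
        except (socket.timeout, IndexError, ValueError):
            return None


def sweep(hosts, community="public"):
    """Map every host that answers the given community string to its sysDescr."""
    found = {}
    for host in hosts:
        reply = snmp_get(host, community=community)
        if reply and reply["is_response"] and reply["error_status"] == 0:
            found[host] = reply["value"].decode("utf-8", errors="replace")
    return found


if __name__ == "__main__":
    sample = build_get_response("public", SYS_DESCR_0, b"Cisco IP Phone 7960 (constructed)")
    print(build_get_request("public", SYS_DESCR_0).hex())
    print(parse_get_response(sample))
```

The request is 40 bytes; a sysDescr value in a real reply is what gives you the vendor and firmware string the slide lists, and a non-zero error status (or a silent timeout) tells you the community string was rejected or the agent is filtered.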

Page 29: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 17: Test for Sniffing TFTP Configuration File Transfers

Sniffing for TFTP configuration files traveling across the network is as easy as simply watching for any and all traffic on UDP port 69. Note that only the read request goes to port 69; the data blocks come back from an ephemeral port on the server, so capture the whole conversation rather than filtering on port 69 alone.

Use tcpdump or Ethereal (Wireshark).
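Steps 15 and 17 above say to watch UDP port 69; the Python below, written for this page as an added example (it is not the module's code, nor tcpdump's), shows what to do with that traffic once captured: parse TFTP opcodes (RFC 1350), tie each read request to the DATA blocks that come back from the server's ephemeral port, and reassemble the configuration file, flagging whether the transfer completed. The phone and server addresses, the file name SEP001122334455.cnf.xml and its XML contents are all constructed for the sample.

```python
import struct
from collections import defaultdict

TFTP_PORT = 69
BLOCK_SIZE = 512  # a DATA block shorter than this terminates the transfer
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def parse_tftp(payload):
    """Decode one TFTP datagram (RFC 1350); None if it is not TFTP-shaped."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode in (1, 2):  # RRQ/WRQ: filename NUL mode NUL
        fields = payload[2:].split(b"\x00")
        if len(fields) < 2:
            return None
        return {"op": OPCODES[opcode],
                "filename": fields[0].decode("utf-8", errors="replace"),
                "mode": fields[1].decode("ascii", errors="replace").lower()}
    if opcode == 3:
        return {"op": "DATA", "block": struct.unpack("!H", payload[2:4])[0], "data": payload[4:]}
    if opcode == 4:
        return {"op": "ACK", "block": struct.unpack("!H", payload[2:4])[0]}
    if opcode == 5:
        return {"op": "ERROR", "code": struct.unpack("!H", payload[2:4])[0],
                "message": payload[4:].split(b"\x00")[0].decode("utf-8", errors="replace")}
    return None


def reassemble_transfers(packets):
    """Rebuild files from captured (src_ip, src_port, dst_ip, dst_port, payload).

    The RRQ is sent to port 69, but the server answers from a fresh port, so a
    transfer is keyed by the client's (ip, port), which stays constant.
    """
    requests = {}               # (client_ip, client_port) -> filename
    blocks = defaultdict(dict)  # (client_ip, client_port) -> {block#: data}
    for src, sport, dst, dport, payload in packets:
        msg = parse_tftp(payload)
        if msg is None:
            continue
        if msg["op"] == "RRQ" and dport == TFTP_PORT:
            requests[(src, sport)] = msg["filename"]
        elif msg["op"] == "DATA":
            blocks[(dst, dport)][msg["block"]] = msg["data"]  # DATA flows server -> client
    files = {}
    for client, name in requests.items():
        chunks = blocks.get(client)
        if not chunks:
            continue
        last = max(chunks)
        complete = set(chunks) == set(range(1, last + 1)) and len(chunks[last]) < BLOCK_SIZE
        files[name] = {"client": client, "complete": complete,
                       "content": b"".join(chunks[i] for i in sorted(chunks))}
    return files


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block, data):
    return struct.pack("!HH", 3, block) + data


# Constructed phone configuration (not a real vendor file); long enough to need two blocks.
SAMPLE_CONFIG = (b"<device>" + b"<line>1000</line>" * 40
                 + b"<sshPassword>ChangeMe1</sshPassword></device>")


def sample_capture():
    """Constructed conversation: phone 10.0.0.49 fetches its config from 10.0.0.5."""
    phone, server = ("10.0.0.49", 50123), ("10.0.0.5", 40001)
    chunks = [SAMPLE_CONFIG[i:i + BLOCK_SIZE] for i in range(0, len(SAMPLE_CONFIG), BLOCK_SIZE)]
    if len(SAMPLE_CONFIG) % BLOCK_SIZE == 0:
        chunks.append(b"")  # an exact multiple of 512 ends with an empty DATA block
    pkts = [(phone[0], phone[1], server[0], TFTP_PORT, build_rrq("SEP001122334455.cnf.xml"))]
    for n, chunk in enumerate(chunks, start=1):
        pkts.append((server[0], server[1], phone[0], phone[1], build_data(n, chunk)))
        pkts.append((phone[0], phone[1], server[0], server[1], struct.pack("!HH", 4, n)))
    return pkts


if __name__ == "__main__":
    for name, info in reassemble_transfers(sample_capture()).items():
        state = "complete" if info["complete"] else "partial"
        print(name, state, len(info["content"]), "bytes from", info["client"])
```

Feed it the UDP payloads from a pcap and it yields one entry per requested file; an incomplete flag means blocks were lost in the capture, not necessarily on the wire.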

Page 30: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Step 18: Test for Number Harvesting and Call Pattern Tracking

The easiest method is to simply sniff all SIP traffic on UDP and TCP port 5060 and analyze the From: and To: header fields.

Use tools such as Ethereal (Wireshark) and VoIPong.

Page 31: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Security Tools

VoIP sniffing tools:

• AuthTool
• VoIPong
• Vomit
• PSIPDump
• Netdude
• Oreka
• Wireshark

Page 32: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Security Tools (cont'd)

VoIP scanning and enumeration tools:

• SNScan
• Netcat
• Smap
• SIPScan
• SIPcrack
• VoIPaudit
• iWAR

Page 33: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Security Tools (cont'd)

VoIP packet creation and flooding tools:

• Sipsak
• SIPp
• SIPNess Messenger
• SipBomber
• Spitter
• Sip Send Fun

Page 34: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Sniffing Tools

Page 35: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

AuthTool

An authentication tool used to recover the password of each user from captured SIP messages.

This tool takes a file of SIP messages as input and scans it for these SIP requests:

• REGISTER
• INVITE
• OPTIONS

Page 36: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIPong

VoIPong detects all Voice over IP (VoIP) calls on a pipeline.

It supports SIP, H.323, Cisco's Skinny Client Protocol, RTP, and RTCP.

VoIPong detects all VoIP gateways and VoIP calls.

It also produces real .wav files for direct listening.

The detection algorithm does not depend on signaling, but on RTP/RTCP.

Page 37: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIPong: Features

Simple, optimized, extendable, fast code

Detailed logging

Powerful management console interface

Easy installation and administration

Easy debugging

Page 38: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIPong: Screenshot 1

Capture screen:

efe:[voipong]# voipong -d4 -f
EnderUNIX VOIPONG Voice Over IP Sniffer starting...
Release 2.0-DEVEL, running on efe.dev.enderunix.org [FreeBSD 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Dec i386]
(c) Murat Balaban http://www.enderunix.org/
19/11/04 13:32:10: EnderUNIX VOIPONG Voice Over IP Sniffer starting...
19/11/04 13:32:10: Release 2.0-DEVEL running on efe.dev.enderunix.org [FreeBSD 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Dec i386]. (c) Murat Balaban http://www.enderunix.org/ [pid: 71647]
19/11/04 13:32:10: fxp0 has been opened in promisc mode, data link: 14 (192.168.0.0/255.255.255.248)
19/11/04 13:32:10: [8434] VoIP call detected.
19/11/04 13:32:10: [8434] 10.0.0.49:49606 <--> 10.0.0.90:49604
19/11/04 13:32:10: [8434] Encoding: 0-PCMU-8KHz
19/11/04 13:38:37: [8434] maximum waiting time [10 sn] elapsed for this call, call might have been ended.
19/11/04 13:38:37: .WAV file [output/20041119/session-enc0-PCMU-8KHz-10.0.0.49,49606-10.0.0.90,49604.wav] has been created successfully.

Page 39: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIPong: Screenshot 2

Management Console:

efe@~/X/voipong# ./voipctl
Connected to VoIPong Management Console
System: efe.enderunix.org [FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 [email protected]:/usr/obj/usr/src/sys/GENERIC i386]

voipong> help
Commands:
help          : this one
quit          : quit management console
uptime        : Server uptime
logrotate     : rotate server's logs
shutdown      : shutdown server
rusage        : CPU usage statistics for the server
loadnets      : Reload voipongnets file
info          : General server information
shcall        : Show currently monitored calls
shrtcp        : Show currently RTCP cache
killcall [id] : end monitoring session with [id]

voipong> info
General Server Info:
--------------------------
Server version        : Release 2.0-DEVEL
System                : efe.enderunix.org [FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 [email protected]:/usr/obj/usr/src/sys/GENERIC i386]
Current work. direct. : /root/X/voipong
Log level             : 4
Process ID (PID)      : 1683
User                  : root [Charlie &]
Group                 : 0

voipong> rusage
Current CPU usage stats:
----------------------------------------
Total "user" time          : 0 seconds
Total used "system" time   : 0 seconds
Shared Memory Size         : 440 KB
Integral Memory Size       : 2232 KB
Integral stack Size        : 1280 KB
Page requests              : 305
Page errors                : 0
Block input operations     : 0
Block output operations    : 4
Messages sent              : 123
Messages received          : 122
Signals                    : 6
Voluntary "context switch"s   : 2951
Involuntary "context switch"s : 196

voipong> uptime
Server uptime: 35 minutes 47 seconds

voipong> shcall
ID    NODE1            PORT1 NODE2            PORT2 STIME             DURATION
----- ---------------- ----- ---------------- ----- ----------------- ------------
01746 192.168.8.178    08010 10.240.1.8       10136 22/10/05 14:01:21 1 seconds
Total listed: 1

voipong> quit
Bye!
efe@~/X/voipong#

Page 40: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Vomit

Vomit converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players.

It requires a tcpdump output file.

It requires libevent, a library for asynchronous event notification, and libdnet or libnet.

It works only for G.711-encoded calls.

Command: $ vomit -r phone.dump | waveplay -S8000 -B16 -C1

Page 41: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

PSIPDump

PSIPDump is a tool used for dumping SIP sessions to disk in a fashion similar to "tcpdump -w", but with one file per SIP session.

Page 42: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Netdude

Netdude is a GUI application that allows you to perform trace file editing, inspection and analysis to a degree formerly only possible by writing code.

It provides a hex editor that allows you to edit unsupported protocol headers and also the packet payloads in both ASCII and hex mode.

It is a front-end to the libnetdude packet manipulation library.

It supports the following plug-ins:

• Protocol plug-ins
• Functionality plug-ins
• Filter plug-ins

Page 43: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Netdude: Features

Filter packets by using filter plug-ins

Inspect and edit raw packet content using Netdude's payload editor in either hex or ASCII mode

Move packets around, duplicate them, remove them from traces

See the tcpdump output update instantly according to the modifications

Conveniently use the clipboard to select lines from the tcpdump output for situations that require tcpdump output only

Page 44: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Netdude: Screenshot


Page 45: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Oreka

Oreka is a modular and cross-platform system for recording and retrieval of audio streams.

It supports VoIP and sound device-based captures.

Oreka services include:

• OrkAudio
• OrkTrack
• OrkWeb

Page 46: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Oreka (cont'd)

Features:

• Recording and storage:
  • Capture from multiple network devices in parallel
  • Capture from pcap trace files
  • Voice activity detection
• User interface:
  • Timestamp
  • Recording duration
• Compatibility:
  • Avaya S8500
  • Siemens HiPath

Page 47: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Wireshark

Wireshark is a network protocol analyzer, and is the de facto standard in many industries.

It is used for network troubleshooting and protocol development.

Features:

• Live capture and offline analysis are supported
• Standard three-pane packet browser
• Capture files compressed with gzip can be decompressed on the fly
• Supports many protocols

Page 48: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Wireshark: Screenshot


Page 49: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

rtpBreak

The tool rtpbreak detects, reconstructs, and analyzes any RTP session.

It does not require the presence of RTCP packets and works independently of the signaling protocol used (SIP, H.323, SCCP, etc.).

It supports wireless (AP_DLT_IEEE802_11) captures as well.
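Step 1, VoIPong and rtpbreak all rest on the same idea: voice can be found without the signaling, by recognizing RTP streams directly. The Python below is an added example for this page, not code from rtpbreak, VoIPong or the module. It parses the RTP fixed header (RFC 3550) out of UDP payloads, rejects datagrams that are not RTP (wrong version, RTCP packet types), groups the rest into streams by 5-tuple and SSRC the way those tools do, and counts sequence gaps as loss. The addresses 10.0.0.49:49606 and 10.0.0.90:49604 are taken from the VoIPong screenshot above; the SSRC values, packet contents and the stray SIP datagram are constructed.

```python
import struct
from collections import defaultdict

# Static RTP payload types from RFC 3551 (VoIPong prints type 0 as "0-PCMU-8KHz")
PAYLOAD_TYPES = {0: "PCMU", 3: "GSM", 4: "G723", 8: "PCMA", 9: "G722", 18: "G729"}
MIN_PACKETS = 3  # ignore one-off datagrams that merely look like RTP


def parse_rtp(packet):
    """Parse an RTP fixed header (RFC 3550 section 5.1).

    Returns a dict, or None when the datagram does not look like RTP
    (wrong version, RTCP packet type, or truncated header).
    """
    if len(packet) < 12:
        return None
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:  # RTP version must be 2
        return None
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F
    if 72 <= payload_type <= 76:  # RTCP types 200-204 read as marker+PT in this range
        return None
    header_len = 12 + 4 * csrc_count
    if extension:
        if len(packet) < header_len + 4:
            return None
        ext_words = struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    if len(packet) < header_len:
        return None
    payload = packet[header_len:]
    if padding and payload and payload[-1]:
        payload = payload[:-payload[-1]]  # last octet holds the padding length
    return {"seq": seq, "timestamp": timestamp, "ssrc": ssrc, "marker": marker,
            "payload_type": payload_type, "payload": payload,
            "codec": PAYLOAD_TYPES.get(payload_type, "dynamic-%d" % payload_type)}


def detect_streams(packets):
    """Group UDP datagrams into RTP streams without looking at SIP/SCCP.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    Returns {(src_ip, src_port, dst_ip, dst_port, ssrc): stats} for streams
    with at least MIN_PACKETS packets; stats include loss from sequence gaps.
    """
    streams = defaultdict(lambda: {"count": 0, "codec": None,
                                   "first_seq": None, "last_seq": None, "lost": 0})
    for src, sport, dst, dport, data in packets:
        rtp = parse_rtp(data)
        if rtp is None:
            continue
        st = streams[(src, sport, dst, dport, rtp["ssrc"])]
        if st["count"] == 0:
            st["first_seq"], st["codec"] = rtp["seq"], rtp["codec"]
        else:
            gap = (rtp["seq"] - st["last_seq"]) & 0xFFFF  # tolerates 16-bit wrap
            if 1 < gap < 0x8000:
                st["lost"] += gap - 1
        st["last_seq"] = rtp["seq"]
        st["count"] += 1
    return {k: v for k, v in streams.items() if v["count"] >= MIN_PACKETS}


def make_rtp(seq, timestamp, ssrc, payload_type=0, payload=b"\xff" * 160):
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC)."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc) + payload


def sample_capture():
    """Constructed traffic: a PCMU stream with one lost packet, a reply stream
    too short to count, and a SIP datagram that must be ignored."""
    a, b = ("10.0.0.49", 49606), ("10.0.0.90", 49604)
    pkts = []
    for i, seq in enumerate([100, 101, 103, 104]):  # seq 102 is missing
        pkts.append((a[0], a[1], b[0], b[1], make_rtp(seq, 160 * i, 0xDEADBEEF)))
    for seq in (7, 8):
        pkts.append((b[0], b[1], a[0], a[1], make_rtp(seq, 0, 0x0BADF00D)))
    pkts.append(("10.0.0.49", 5060, "10.0.0.1", 5060, b"INVITE sip:100@10.0.0.1 SIP/2.0\r\n"))
    return pkts


if __name__ == "__main__":
    for key, st in detect_streams(sample_capture()).items():
        print("%s:%d --> %s:%d ssrc=%08x %s packets=%d lost=%d"
              % (key[0], key[1], key[2], key[3], key[4], st["codec"], st["count"], st["lost"]))
```

The same grouping is what lets a tool write one .wav per stream: concatenate the payloads of a stream in sequence order and decode them with the codec named by the payload type (G.711 PCMU at 8 kHz for type 0).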

Page 50: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

rtpBreak: Screenshot


Page 51: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Scanning & Enumeration Tools

Page 52: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SNScan

SNScan is a Windows-based SNMP detection utility that can quickly and accurately identify SNMP-enabled devices on a network.

It indicates devices that are potentially vulnerable to SNMP-related security threats.

It allows for the scanning of SNMP-specific ports.

It is a fast and reliable utility for information gathering.

Page 53: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SNScan: Screenshot


Page 54: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Netcat

Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol.

It is designed as a reliable "back-end" tool.

It can create almost any kind of connection and has several interesting built-in capabilities.

Page 55: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Netcat Features

Outbound and inbound connections, TCP or UDP, to or from any ports

Tunneling mode allows special tunneling such as UDP to TCP

Built-in port-scanning capabilities with randomizer

Advanced usage options such as buffered send-mode and hexdump

Optional RFC 854 telnet codes parser and responder

Page 56: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Smap

Smap is a combination of the nmap and sipsak tools.

Features:

• Locating devices
• Fingerprinting remote SIP devices

Page 57: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Example: Locating Devices

$ ./smap 89.53.17.16/29
smap 0.4.0-cvs <[email protected]> http://www.wormulon.net/

Host 89.53.17.16:5060: (ICMP OK) SIP enabled
Host 89.53.17.17:5060: (ICMP OK) SIP timeout
Host 89.53.17.18:5060: (ICMP timeout) SIP enabled
Host 89.53.17.19:5060: (ICMP OK) SIP timeout
Host 89.53.17.20:5060: (ICMP OK) SIP timeout
Host 89.53.17.21:5060: (ICMP OK) SIP enabled
Host 89.53.17.22:5060: (ICMP timeout) SIP timeout
Host 89.53.17.23:5060: (ICMP OK) SIP enabled

8 hosts scanned, 6 ICMP reachable, 4 SIP enabled
$

Page 58: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Example: Fingerprinting Devices

$ ./smap -o 89.53.17.208/29
smap 0.4.0-cvs <[email protected]> http://www.wormulon.net/

Host 89.53.17.208:5060: (ICMP OK) SIP timeout
Host 89.53.17.209:5060: (ICMP OK) SIP enabled
    AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.210:5060: (ICMP timeout) SIP timeout
Host 89.53.17.211:5060: (ICMP OK) SIP enabled
    AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.212:5060: (ICMP OK) SIP enabled
    AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.213:5060: (ICMP timeout) SIP enabled
    Siemens SX541 (firmware 1.67)
Host 89.53.17.214:5060: (ICMP OK) SIP enabled
    AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.215:5060: (ICMP OK) SIP enabled
    AVM FRITZ!Box Fon ata 11.03.45

8 hosts scanned, 6 ICMP reachable, 6 SIP enabled
$

Page 59: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Example: Learning Mode

$ ./smap -l 89.53.17.214

smap 0.4.0-cvs <hscholz@raisdorf.net> http://www.wormulon.net/

NOTICE: test_allow: "Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, UPDATE, PRACK, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE"
Host 89.53.17.214:5060: (ICMP OK) SIP enabled
best guess (71% sure) fingerprint:
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)

FINGERPRINT information:
newmethod=405
allow_class=2
supported_class=ignore
hoe_class=ignore
options=NR
brokenfromto=NR
prack=405
ping=NR
invite=406
headers found:
User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.03.89 (3.01.03 tested by accredited T-Com test lab) (Oct 28 2005)

1 host scanned, 1 ICMP reachable, 1 SIP enabled
$

Page 60: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPScan

SIPScan is a SIP username enumerator that uses the following methods:

• OPTIONS: Eliminates invalid extensions.
• INVITE: Sends requests to as many extensions as possible to eliminate invalid ones.
• REGISTER: Determines the exact extension(s) users log in with at the SIP proxy or registrar.

Page 61: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Example: Scanning SIP Servers

Sent to 192.168.1.104:
REGISTER sip:192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:5060;rport;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC
From: 506 <sip:[email protected]>;tag=120975822
To: 506 <sip:[email protected]>
Contact: "506" <sip:[email protected]:5060>
Call-ID: [email protected]
CSeq: 54512 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1105x
Content-Length: 0

Received from the PBX 192.168.1.104:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.120:5060;rport=5060;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC
From: 506 <sip:[email protected]>;tag=120975822
To: 506 <sip:[email protected]>;tag=b27e1a1d33761e85846fc98f5f3a7e58.bdc9
Call-ID: [email protected]
CSeq: 54512 REGISTER
WWW-Authenticate: Digest realm="domain2", nonce="440bcbe24670d5d0448fd78ec4b672a3c29de346"
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29785 req_src_ip=192.168.1.120 req_src_port=5060 in_uri=sip:192.168.1.104 out_uri=sip:192.168.1.104 via_cnt==1"
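The 401 above is exactly what a sniffer such as sipdump waits for. As an added Python example (not from the module or from any tool it names), the following parses a SIP response, extracts the Digest parameters from WWW-Authenticate, and lists what a defender should read off such a challenge; the sample message is constructed after the slide, with the user and host values filled in to match the REGISTER shown.

```python
import re

# Constructed sample modelled on the 401 shown on the slide (not a capture).
SAMPLE_401 = "\r\n".join([
    "SIP/2.0 401 Unauthorized",
    "Via: SIP/2.0/UDP 192.168.1.120:5060;rport=5060;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC",
    "From: 506 <sip:506@192.168.1.104>;tag=120975822",
    "CSeq: 54512 REGISTER",
    'WWW-Authenticate: Digest realm="domain2", nonce="440bcbe24670d5d0448fd78ec4b672a3c29de346"',
    "Server: Sip EXpress router (0.9.6 (i386/linux))",
    "Content-Length: 0", "", ""])

def parse_sip_message(raw):
    """Return (start line, {lower-cased header name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore anything that is not 'Name: value'
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def parse_digest_challenge(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; rejects other schemes."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("unsupported challenge scheme: " + scheme)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)}

def assess_challenge(raw):
    """Defender's reading of a 401/407 challenge: what it reveals and what it lacks."""
    start, headers, _ = parse_sip_message(raw)
    status = int(start.split()[1])
    if status not in (401, 407):
        return {"status": status, "findings": []}
    hdr = "www-authenticate" if status == 401 else "proxy-authenticate"
    chal = parse_digest_challenge(headers[hdr][0])
    findings = []
    if "qop" not in chal:  # RFC 2069-style digest: no cnonce / nonce-count
        findings.append("no qop: a captured response can be replayed until the nonce expires")
    if chal.get("algorithm", "MD5").upper().startswith("MD5"):
        findings.append("MD5 digest: a sniffed challenge/response pair can be cracked offline "
                        "against a wordlist, so password strength is the real control")
    if any("/TLS" not in v.upper() for v in headers.get("via", [])):
        findings.append("cleartext transport in Via: use TLS so the exchange cannot be sniffed")
    if "server" in headers:
        findings.append("Server header discloses software and version: " + headers["server"][0])
    return {"status": status, "realm": chal.get("realm"), "nonce": chal.get("nonce"),
            "findings": findings}
```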


Page 62: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Scanning SIP Phones

SIPScan at our Cisco 7912 phone at 192.168.1.23

SIPScan results:

Scan started Mon Mar 6 02:21:58 2006

Target SIP Server: 192.168.1.23:5060 UDP

Domain: 192.168.1.10

1>>Found a live extension/user at 203@192.168.1.10 with SIP response code(s): OPTIONS:200
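Seen from the registrar or phone side, a sweep like the one above leaves a recognisable trace: one source asking about many different extensions in a short time. This added Python example (not part of the module or of SIPScan) runs a sliding-window check over a constructed log and reports such sources together with the extensions that answered 200 to them; the log line format is an assumption made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed registrar log (the line format is assumed for this example, not a
# real product's): "<ISO time> <source IP> <method> <requested user> <status>".
# 192.168.1.120 walks extensions 200-209 the way a SIPScan OPTIONS sweep would;
# 192.168.1.50 is an ordinary phone registering as 506 (challenge, then success).
SAMPLE_LOG = "\n".join(
    ["2006-03-06T02:21:%02d 192.168.1.120 OPTIONS %d %d"
     % (50 + u - 200, u, 200 if u in (203, 207) else 404) for u in range(200, 210)]
    + ["2006-03-06T02:22:00 192.168.1.50 REGISTER 506 401",
       "2006-03-06T02:22:01 192.168.1.50 REGISTER 506 200"])

def parse_line(line):
    ts, src, method, user, status = line.split()
    return datetime.fromisoformat(ts), src, method, user, int(status)

def detect_enumeration(log_text, window_s=30, min_users=8):
    """Return {src_ip: details} for every source that asks about at least
    min_users distinct extensions inside a window_s-second sliding window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    window = defaultdict(deque)   # src -> (time, user) pairs still inside the window
    probed = defaultdict(set)     # src -> every extension it has asked about
    live = defaultdict(set)       # src -> extensions that answered 200 (what it learned)
    alerts = {}
    for ts, src, method, user, status in events:
        q = window[src]
        q.append((ts, user))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        probed[src].add(user)
        if status == 200:
            live[src].add(user)
        if src not in alerts and len({u for _, u in q}) >= min_users:
            alerts[src] = {"first_seen": q[0][0].isoformat(), "method": method}
    for src, info in alerts.items():
        info["probed"] = len(probed[src])
        info["live_extensions"] = sorted(live[src])
    return alerts
```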


Page 63: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPScan: Screenshot


Page 64: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPcrack

SIPcrack is a SIP login sniffer/cracker that contains two programs:

• sipdump to capture the digest authentication.
• sipcrack to bruteforce the hash using a wordlist or standard input.

Commands:

• sipdump: sipdump -i eth0 logins.dump
• sipcrack: sipcrack -w mywordlist.txt logins.dump

Page 65: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPcrack (cont’d)


Page 66: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIPaudit

VoIPaudit is a first line of defense to secure VoIP and ensures organizations have peace of mind that VoIP networks are protected.

Features:

• Identify holes, gaps, and problems in the network that leave the organization open to attack
• Figure out the specifics on security issues and the possible outcome of leaving them unsecured
• Quickly determine fixes for problems and take actions to proactively remediate vulnerabilities


Page 67: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

iWAR

iWar is a war dialer written completely in C for Unix.

Features:

• Remote system identification
• Multiple modem support
• Dials randomly or sequentially
• Records remote system banners on connection for later review
• Full control over the modem
• Used to attack PBXs, voicemail systems, and so on


Page 68: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Packet Creation and Flooding Tools

Page 69: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Sipsak

Sipsak is a small command line tool for Session Initiation Protocol (SIP) applications, used for some simple tests on SIP applications and devices.

Features:

• Random character trashed test
• Interpret and react on response
• Authentication with qop supported (MD5 and SHA1)
• Short notation supported for receiving
• Unlimited string replacements in files and requests
• Supports DNS SRV through c-ares or libruli
• Supports UDP and TCP transport


Page 70: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPp

SIPp is a free open source test tool or traffic generator for the SIP protocol.

It includes a few basic SipStone user agent scenarios (UAC and UAS) and establishes and releases multiple calls with the INVITE and BYE methods.

It can also read custom XML scenario files describing call flows, from very simple to complex.


Page 71: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPp (cont’d)

SIPp features:

• Dynamic display of statistics about running tests (call rate, round trip delay, and message statistics)
• Periodic CSV statistics dumps
• Dynamically adjustable call rates
• Support of IPv6, TLS, SIP authentication
• Conditional scenarios
• UDP retransmissions
• Call specific variables
• Field injection from external CSV file to emulate live users


Page 72: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPp: Screenshot


Page 73: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPNess Messenger

The SIPNess Messenger is a basic tool for learning how SIP sessions are performed, and for initial testing and debugging of SIP terminals.

It provides an easy way for the user to construct and send proper SIP messages to a remote SIP terminal.

At the same time, it receives and monitors incoming SIP messages from remote SIP terminals.

Received SIP messages are displayed in formatted form, including the SDP.


Page 74: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPNess Messenger (cont’d)

SIPNess Messenger operations:

• Sending an INVITE
• Receiving a SIP message
• Saving SIP session LOG file
• Sending special SIP messages


Page 75: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SIPNess Messenger: Screenshot


Page 76: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SipBomber

SipBomber is a SIP-protocol testing tool for Linux.

Parameters include:

• Sip server.
• udp port.
• tcp port.
• Reparse rand param.
• n-send.
• n-resend.


Page 77: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

SipBomber: Screenshot


Page 78: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Spitter

Spitter is a tool to use the Asterisk IP PBX as a platform from which to launch SPIT calls.

It was tested in concert with a v1.2.10 Asterisk IP PBX and was tested on a Linux Red Hat Fedora Core 4 platform.

The input file of SPIT targets contains one or more Asterisk ASCII call records.

When all call operations related to the call file are completed, Asterisk removes the call file.

To Spitter, each call record is simply a series of non-blank lines.

Page 79: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Sip Send Fun

Sip Send Fun is a tiny command-line based script that exploits vulnerabilities.

Sip Send Fun uses netcat to send the different SIP-payloads to the tested device.

Prerequisites:

• php
• php-cli
• netcat


Page 80: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Functions of Sip Send Fun

Functions implemented in Sip Send Fun include:

• Payload:
  • New-Message
  • No-New-Message
  • INVITE
• Testing of a single device or a Class-C scan.
• Source-IP spoofing.
• Sending a payload to a single port or portscan.


Page 81: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Fuzzing Tools

Asteroid

Codenomicon VoIP Fuzzers

Fuzzy Packety

Interstate Fuzzer

ohrwurm

PROTOS H.323 Fuzzer

PROTOS SIP Fuzzer

SIP Forum Test Framework (SFTF)

Sip-Proxy

Spirent ThreatEx


Page 82: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Signaling Manipulation Tools

BYE Teardown

Registration Hijacker

Check Sync Phone Rebooter

H225regregject

SIP-Kill

IAXAuthJack

SIP-Proxy-Kill

SIP-RedirectRTP

IAXHangup

RedirectPoison

SipRogue

Registration Adder

Registration Eraser

vnak - VoIP Network Attack Toolkit

VoIPHopper

Page 83: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

VoIP Media Manipulation Tools

RTP InsertSound

RTP MixSound

RTPInject

RTPProxy

SteganRTP

Vo²IP


Page 84: LPTv4 Module 31 VoIP Penetration Testing_NoRestriction

Summary

Penetration tests usually refer to tests against perimeter defenses.

Vulnerability testing refers to tests against specific systems.

VoIPong detects all VoIP calls on a pipeline.

Sip Send Fun is a tiny command-line based script that exploits vulnerabilities.

Spitter is a tool to use the Asterisk IP PBX as a platform from which to launch SPIT calls.

Netdude is a front-end to the libnetdude packet manipulation library.
