Date posted: 08-Nov-2014
ECSA/LPT
EC-Council Module XXXI
VoIP Penetration Testing
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)
Cont'd
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
VPN Penetration Testing
War Dialing
Virus and Trojan Detection
Log Management Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device Penetration Testing
Telecommunication And Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
Vulnerability Assessment
When testing for vulnerabilities in VoIP networks, it is not necessary to test every IP phone.
Doing so has the potential to generate enough network traffic that voice quality is negatively affected.
In most VoIP environments, it is possible to identify IP phones by their SNMP signature.
Penetration and Vulnerability Testing
Penetration tests usually refer to tests against perimeter defenses, while vulnerability testing refers to tests against specific systems (hosts, applications, or networks).
It determines the current security posture of an organization.
The results reflect the security status during the testing period.
VoIP Risks and Vulnerabilities
Reconnaissance attacks:
• This attack gathers information about network vulnerabilities, the behavior of network devices and users, and the services available for disruption.
Protocol fuzzing:
• This method tests software systems for bugs and observes how they react.
Denial of Service (DoS) attack:
• This attack takes place when the user deliberately sends a very large number of unsystematic messages from either a single location or from multiple locations to a single or many VoIP endpoints.
Call hijacking and redirection:
• A call intended for one user is redirected to a different user.
VoIP Risks and Vulnerabilities (cont'd)
VoIP spam:
• Unsolicited or unwanted bulk messages are broadcast through VoIP to an organization network's end users.
Spoofing:
• Deliberately inserts false data into the source IP address field of the packet to hide the actual source of the call.
Eavesdropping:
• It is the unauthorized interception of Real Time Protocol (RTP) media streams or voice packets and the decoding of signaling messages.
Session anomalies:
• Messages arrive in improper order, so the server cannot handle the call.
VoIP Security Threat
Attacks against the fundamental VoIP devices:
• Devices like proxy servers, gateways, and IP phones inherit the same vulnerabilities as the operating system or firmware they run on.
Configuration faults in VoIP devices:
• Many VoIP devices are directly exposed on open TCP and UDP ports because of their default configuration, and the default services running on those ports may be vulnerable to weak passwords, buffer overflows and DoS attacks.
IP infrastructure attacks:
• VoIP services depend directly on the IP infrastructure, so any attack on it may impact all VoIP communications.
VoIP Penetration Testing Steps
Step 1: Test for eavesdropping
Step 2: Test for flooding and logic attacks
Step 3: Test for Denial of Service (DoS) attack
Step 4: Test for call hijacking and redirection attack
Step 5: Test for ICMP ping sweeps
Step 6: Test for ARP pings
Step 7: Test for TCP ping scans
Step 8: Test for SNMP sweeps
Step 9: Test for port scanning and service discovery
• Step 9.1: TCP SYN Scan
• Step 9.2: UDP Scan
Step 10: Test for host/device identification
VoIP Penetration Testing Steps (cont'd)
Step 11: Test for banner grabbing
Step 12: Test for SIP user/extension enumeration
Step 13: Test for automated OPTIONS scanning with sipsak
Step 14: Test for automated REGISTER, INVITE and OPTIONS scanning with SIPSCAN against the SIP server
Step 15: Test for enumerating TFTP servers
Step 16: Test for SNMP enumeration
Step 17: Test for sniffing TFTP configuration file transfers
Step 18: Test for number harvesting and call pattern tracking
Step 1: Test for Eavesdropping
Decode the signaling messages in Real Time Protocol (RTP) media streams or voice packets.
Use VoIP hacking tools:
• VOMIT
• VoIPong
Along with a sniffer:
• Ethereal
Tool for capturing VoIP packets:
• pcapsipdump
Step 2: Test for Flooding and Logic Attacks
A TCP synchronization (SYN) flood exploits the working of the TCP connection process.
Spoofed IP addresses do not return any acknowledgement packets, therefore the requests sent stay in the queue.
Use flooding techniques like Session Initiation Protocol (SIP) INVITE or REGISTER packets to overload the devices with VoIP protocol packets.
Use tools such as InviteFlood and IAXFlood to overload the devices with VoIP protocol packets.
Step 3: Test for Denial of Service (DoS) Attack
Send a large number of unsystematic messages from either a single location or from multiple locations to a single or many VoIP endpoints.
Use IxChariot software for a Denial of Service attack.
Step 4: Test for Call Hijacking & Redirection Attack
This attack allows the attacker to receive all of the victim's calls.
Manipulate the registration related to the victim's Session Initiation Protocol (SIP) URI.
Check for the 3xx response code classes used to redirect the victim's call.
Step 5: Test for ICMP Ping Sweeps
An easy way to identify active hosts is by sending ICMP ECHO REQUEST packets.
Hosts send ICMP ECHO REPLY packets if ICMP is not blocked by firewalls.
Tools for ICMP ping sweeps:
• fping
• Nmap
• SuperScan
• Nessus
• Ping and port sweep utility
Step 6: Test for ARP Pings
An ARP ping requests MAC addresses across a large range of IP addresses.
It identifies live hosts on the network.
Tools:
• Arping
• MAC address discovery tool
Step 7: Test for TCP Ping Scans
Sends TCP SYN- or ACK-flagged packets to a TCP port on the target host.
An RST packet that comes back as a response indicates that the host is alive.
Tools:
• Nmap
• hping2
Step 8: Test for SNMP Sweeps
A scan returns sensitive information because the default "public" community string is always used.
Tools:
• SNScan
• snmpwalk
• Nomad
• Cheops
• snmpenum
• snmp-audit
Step 9: Test for Port Scanning and Service Discovery
The technique of connecting to TCP and UDP ports on the target to search for active services.
Determines the vulnerabilities present on the target host or devices.
Methods to scan for active services:
• TCP scan
• UDP scan
Step 9.1: TCP SYN Scan
Sends a TCP SYN packet to a specific port to establish a TCP connection.
A returned SYN/ACK-flagged TCP packet indicates the port is open.
A returned RST packet indicates the port is closed.
Step 9.2: UDP Scan
A UDP scan sends an empty UDP header to each UDP port on the target.
If the port responds, it indicates that an active service is listening.
If the port is unused, you will receive an ICMP port unreachable error.
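The SYN/ACK, RST and ICMP port-unreachable semantics described in Steps 9.1 and 9.2 are exactly what a defender can key on to recognise a scan in progress. The following is an added example, not code from the deck or from any of the tools it names: it reads constructed packet summaries (the record format, the addresses and the thresholds are assumptions) and reports which source is half-open scanning a host, which ports it found open or closed, and which UDP ports answered with ICMP port unreachable.

```python
"""Detecting TCP SYN and UDP port-scan traffic in packet summaries.

Added example: the record format, the sample traffic and the thresholds are
constructed for this illustration and are not from the deck.
Each record is (proto, src, dst, service_port, flags); the sensor is assumed
to put the server-side port in service_port for both directions of a flow.
"""
from collections import defaultdict

SCANNER, SERVER, CLIENT = "10.0.0.5", "10.0.0.20", "10.0.0.7"
SCANNED_TCP = [21, 22, 23, 25, 80, 5060, 8080]
OPEN_TCP = {22, 5060}
SAMPLE = []
for port in SCANNED_TCP:                                   # half-open SYN scan
    SAMPLE.append(("tcp", SCANNER, SERVER, port, "S"))
    if port in OPEN_TCP:
        SAMPLE.append(("tcp", SERVER, SCANNER, port, "SA"))  # open: SYN/ACK comes back
        SAMPLE.append(("tcp", SCANNER, SERVER, port, "R"))   # scanner resets instead of ACKing
    else:
        SAMPLE.append(("tcp", SERVER, SCANNER, port, "RA"))  # closed: RST/ACK comes back
SAMPLE += [                                                # a real client completes the handshake
    ("tcp", CLIENT, SERVER, 5060, "S"),
    ("tcp", SERVER, CLIENT, 5060, "SA"),
    ("tcp", CLIENT, SERVER, 5060, "A"),
]
for port in [53, 69, 161, 5060, 5061]:                     # empty UDP probes
    SAMPLE.append(("udp", SCANNER, SERVER, port, ""))
for port in [53, 161, 5061]:                               # closed UDP ports answer with ICMP port unreachable
    SAMPLE.append(("icmp_unreach", SERVER, SCANNER, port, ""))


def tcp_syn_scan_suspects(records, min_ports=5):
    """Flag (client, server) pairs that SYN many ports yet never send the final ACK."""
    state = defaultdict(lambda: {"syn": set(), "ack": set(), "synack": set(), "rstack": set()})
    for proto, src, dst, port, flags in records:
        if proto != "tcp":
            continue
        if flags == "S":                     # client opens
            state[(src, dst)]["syn"].add(port)
        elif flags == "A":                   # client completes the three-way handshake
            state[(src, dst)]["ack"].add(port)
        elif flags == "SA":                  # server says open (key stays client, server)
            state[(dst, src)]["synack"].add(port)
        elif flags == "RA":                  # server says closed
            state[(dst, src)]["rstack"].add(port)
    suspects = {}
    for pair, s in state.items():
        if len(s["syn"]) >= min_ports and not s["ack"]:
            suspects[pair] = {
                "probed": sorted(s["syn"]),
                "open": sorted(s["syn"] & s["synack"]),
                "closed": sorted(s["syn"] & s["rstack"]),
            }
    return suspects


def udp_scan_suspects(records, min_unreachable=3):
    """Flag sources that draw ICMP port-unreachable replies for several ports of one host."""
    probed = defaultdict(set)
    unreachable = defaultdict(set)
    for proto, src, dst, port, _flags in records:
        if proto == "udp":
            probed[(src, dst)].add(port)
        elif proto == "icmp_unreach":        # sent by the target (src) back to the prober (dst)
            unreachable[(dst, src)].add(port)
    return {
        pair: {"closed": sorted(ports), "open_or_filtered": sorted(probed[pair] - ports)}
        for pair, ports in unreachable.items() if len(ports) >= min_unreachable
    }


if __name__ == "__main__":
    for pair, info in tcp_syn_scan_suspects(SAMPLE).items():
        print("SYN scan", pair, info)
    for pair, info in udp_scan_suspects(SAMPLE).items():
        print("UDP scan", pair, info)
```

The legitimate client in the sample is not flagged because it sends the third-handshake ACK; the scanner never does, which is the half-open signature. A UDP port that stays silent is reported as open-or-filtered, matching the ambiguity Step 9.2 describes.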
Step 10: Test for Host/Device Identification
Determines the type of devices and hosts by OS and firmware types.
Method to identify the host/device:
• Stack fingerprinting: a technique for further identifying the innards of a target host or device.
Tools used to identify hosts or devices:
• Nmap
• Xprobe2
• Arkin
• Queso
• Snacktime
Step 11: Test for Banner Grabbing
Banner grabbing is a method where a connection is made to a port on the remote target to gather information about the services running on it.
Types of banner grabbing:
• Manual banner grabbing: it can be accomplished easily using the command-line tool NETCAT.
• Automated banner grabbing: in this type, the fingerprinting tool SMAP analyzes SIP message responses to determine the device it is probing.
Step 12: Test for SIP User/Extension Enumeration
Provides some valid usernames or extensions of SIP phones.
An easy way to glean user registrations.
Methods of enumeration:
• REGISTER username enumeration
• INVITE username enumeration
• OPTIONS username enumeration
• Automated OPTIONS scanning with sipsak
• Automated REGISTER, INVITE and OPTIONS scanning with SIPSCAN against the SIP server
• Automated OPTIONS scanning using SIPSCAN against SIP phones
Step 13: Test for Automated OPTIONS Scanning with sipsak
For OPTIONS scanning, the command-line tool sipsak is used (http://sipsak.org).
It is useful in stress testing and diagnosing SIP service issues.
Step 14: Test for Automated REGISTER, INVITE, and OPTIONS Scanning with SIPSCAN against the SIP Server
Use SIPSCAN (www.hackingvoip.com).
It returns the live SIP extensions/users.
Step 15: Test for Enumerating TFTP Servers
Locate the server within the network.
It can be done by reading the TFTP server IP address from the web-based configuration.
Step 16: Test for SNMP Enumeration
SNMP listens on UDP port 162.
Use Nmap to find any devices that support it:
• root@domain2 ]# nmap -sU
Provides configuration information, such as:
• Vendor type used.
• Operating system.
• MAC address.
• Ports of UDP services.
Step 17: Test for Sniffing TFTP Configuration File Transfers
Sniffing for TFTP configuration files traveling across the network is as easy as simply watching for any and all traffic on UDP port 69.
Use the Tcpdump or Ethereal tool.
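The step above says to watch UDP port 69, but a capture filter alone only shows that something crossed it. An added example (not from the deck, tcpdump or Ethereal) that decodes the TFTP datagrams per RFC 1350 and reconstructs which client fetched which file, and whether the transfer finished, is below; the addresses and the Cisco-style SEP<MAC>.cnf.xml file name are constructed assumptions, and so is the list of suffixes treated as "configuration" files. From a defender's seat this is an inventory of configuration files that left the server in cleartext.

```python
"""Watching UDP port 69 for TFTP configuration-file transfers.

Added example with constructed datagrams: the phone, server and file names
(Cisco-style SEP<MAC>.cnf.xml) are assumptions used only to show the format;
the deck itself only says to watch port 69 with tcpdump or Ethereal.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
CONFIG_SUFFIXES = (".cnf.xml", ".cnf", ".cfg", ".xml")   # assumed naming patterns for phone configs


def parse_tftp(payload):
    """Decode one TFTP datagram (RFC 1350) or return None if it is not TFTP-shaped."""
    if len(payload) < 4:
        return None
    op = OPCODES.get(struct.unpack(">H", payload[:2])[0])
    if op in ("RRQ", "WRQ"):                      # opcode | filename NUL | mode NUL
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3:
            return None
        return {"op": op, "filename": parts[0].decode("ascii", "replace"),
                "mode": parts[1].decode("ascii", "replace").lower()}
    if op in ("DATA", "ACK"):                     # opcode | block# | (data)
        block = struct.unpack(">H", payload[2:4])[0]
        return {"op": op, "block": block, "length": len(payload) - 4}
    if op == "ERROR":                             # opcode | errcode | message NUL
        code = struct.unpack(">H", payload[2:4])[0]
        return {"op": op, "code": code,
                "message": payload[4:].split(b"\x00")[0].decode("ascii", "replace")}
    return None


def config_transfers(datagrams, block_size=512):
    """datagrams: (src, sport, dst, dport, payload). Reassemble who fetched which file."""
    sessions = {}                                  # (client_ip, client_port) -> transfer record
    for src, sport, dst, dport, payload in datagrams:
        msg = parse_tftp(payload)
        if msg is None:
            continue
        if dport == 69 and msg["op"] == "RRQ":     # every transfer starts with a request to port 69
            sessions[(src, sport)] = {"client": src, "server": dst, "filename": msg["filename"],
                                      "mode": msg["mode"], "bytes": 0, "blocks": 0, "complete": False,
                                      "is_config": msg["filename"].lower().endswith(CONFIG_SUFFIXES)}
        elif msg["op"] == "DATA" and (dst, dport) in sessions:   # server answers from a fresh port (TID)
            rec = sessions[(dst, dport)]
            if msg["block"] == rec["blocks"] + 1:  # count each block once, in order
                rec["blocks"] += 1
                rec["bytes"] += msg["length"]
                rec["complete"] = msg["length"] < block_size   # a short block ends the transfer
    return list(sessions.values())


def rrq(filename, mode="octet"):
    """Build a read request as a phone would send it."""
    return struct.pack(">H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def data(block, length):
    """Build a DATA block with dummy content."""
    return struct.pack(">HH", 3, block) + b"\x00" * length


# Constructed traffic: one phone pulls its config, another pulls firmware.
SAMPLE = [
    ("10.0.0.49", 50123, "10.0.0.1", 69, rrq("SEP0011223344AA.cnf.xml")),
    ("10.0.0.1", 60001, "10.0.0.49", 50123, data(1, 512)),
    ("10.0.0.49", 50123, "10.0.0.1", 60001, struct.pack(">HH", 4, 1)),
    ("10.0.0.1", 60001, "10.0.0.49", 50123, data(1, 512)),    # retransmission, must not double-count
    ("10.0.0.1", 60001, "10.0.0.49", 50123, data(2, 100)),    # short block: last one
    ("10.0.0.50", 50200, "10.0.0.1", 69, rrq("firmware.bin")),
    ("10.0.0.1", 60002, "10.0.0.50", 50200, data(1, 512)),
    ("10.0.0.49", 40000, "10.0.0.2", 53, b"\x12\x34\x01\x00\x00\x01"),   # DNS, not TFTP
]

if __name__ == "__main__":
    for rec in config_transfers(SAMPLE):
        tag = "CONFIG" if rec["is_config"] else "other "
        print(f"{tag} {rec['client']} <- {rec['server']} {rec['filename']} "
              f"{rec['bytes']} bytes complete={rec['complete']}")
```

Note that TFTP moves the server side to a fresh port after the request, so the DATA blocks are matched back to the request by the client's address and port, not by port 69; a capture filter on port 69 alone would miss the file contents entirely.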
Step 18: Test for Number Harvesting and Call Pattern Tracking
The easiest way is to simply sniff all SIP traffic on UDP and TCP port 5060 and analyze the From: and To: header fields.
Use tools such as Ethereal and VoIPong.
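Steps 2, 12 and 18 all come down to the same signalling on port 5060, seen from different angles: a flood is many requests from one source in a short time, an extension sweep is one source addressing many different users, and number harvesting is the From:/To: pairs of the INVITEs. The following added example (it is not code from the deck, VoIPong or SIPSCAN) parses SIP messages and reports all three from a constructed message set; the PBX address, the extensions, the lab domain and the thresholds are assumptions chosen for the illustration. A defender would run the same logic over a port-5060 capture to see an enumeration or flood as it happens, and to see what a harvester would have learned.

```python
"""Reading SIP off port 5060 and flagging extension sweeps, request floods and
call patterns. Added example: the messages, PBX address, extensions and
thresholds are constructed assumptions, not captured traffic."""
import re
from collections import Counter, defaultdict

DOMAIN, PBX = "pbx.example.test", "10.1.1.1"      # assumed lab names
USER_RE = re.compile(r"sip:([^@>;]+)@", re.IGNORECASE)


def parse_sip(raw):
    """Return method/status, the user parts of From: and To:, and the Call-ID."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    msg = {"method": None, "status": None, "call_id": headers.get("call-id")}
    if lines[0].startswith("SIP/2.0 "):            # status line: this is a response
        msg["status"] = int(lines[0].split()[1])
        cseq = headers.get("cseq", "").split()       # CSeq repeats the request method
        msg["method"] = cseq[-1] if cseq else None
    else:                                           # request line: METHOD URI SIP/2.0
        msg["method"] = lines[0].split()[0]
    for field in ("from", "to"):
        m = USER_RE.search(headers.get(field, ""))
        msg[field + "_user"] = m.group(1) if m else None
    return msg


def sliding_window_max(items, window):
    """items: time-ordered (t, key). Return (max messages, max distinct keys) in any window."""
    counts, best_n, best_k, left = Counter(), 0, 0, 0
    for right, (t, key) in enumerate(items):
        counts[key] += 1
        while t - items[left][0] > window:
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best_n, best_k = max(best_n, right - left + 1), max(best_k, len(counts))
    return best_n, best_k


def analyse(events, enum_window=30.0, enum_min_targets=10, flood_window=1.0, flood_min_requests=50):
    """events: (timestamp_s, src_ip, raw_message) tuples in any order."""
    requests = defaultdict(list)         # src -> [(t, to_user)]
    requester_of = {}                    # Call-ID -> src that sent the request
    responses_to = defaultdict(Counter)  # src -> status codes returned to it
    pattern = Counter()                  # (from_user, to_user) of INVITEs: who calls whom
    for t, src, raw in sorted(events, key=lambda e: e[0]):
        msg = parse_sip(raw)
        if msg["status"] is None:
            requests[src].append((t, msg["to_user"]))
            requester_of[msg["call_id"]] = src
            if msg["method"] == "INVITE":
                pattern[(msg["from_user"], msg["to_user"])] += 1
        elif msg["call_id"] in requester_of:
            responses_to[requester_of[msg["call_id"]]][msg["status"]] += 1
    report = {"enumeration": {}, "floods": {}, "call_pattern": pattern}
    for src, items in requests.items():
        _, distinct = sliding_window_max(items, enum_window)
        if distinct >= enum_min_targets:     # one source addressing many different users
            report["enumeration"][src] = {"distinct_targets": distinct, "responses": responses_to[src]}
        burst, _ = sliding_window_max(items, flood_window)
        if burst >= flood_min_requests:      # one source sending at flood rate
            report["floods"][src] = {"requests_in_window": burst}
    return report


def sip_request(method, from_user, to_user, call_id, src_ip):
    """Constructed request in the shape SIPSCAN-style tools and real phones emit."""
    return (f"{method} sip:{to_user}@{DOMAIN} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:{from_user}@{DOMAIN}>;tag=t{call_id}\r\nTo: <sip:{to_user}@{DOMAIN}>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")


def sip_response(status, reason, method, from_user, to_user, call_id):
    return (f"SIP/2.0 {status} {reason}\r\n"
            f"From: <sip:{from_user}@{DOMAIN}>;tag=a\r\nTo: <sip:{to_user}@{DOMAIN}>;tag=b\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")


SAMPLE_EVENTS = [                           # an ordinary call from extension 201 to 305
    (0.0, "10.1.1.21", sip_request("INVITE", "201", "305", "c1", "10.1.1.21")),
    (0.1, PBX, sip_response(200, "OK", "INVITE", "201", "305", "c1")),
    (30.0, "10.1.1.21", sip_request("BYE", "201", "305", "c1", "10.1.1.21")),
]
for i, ext in enumerate(range(100, 130)):   # REGISTER sweep over 30 extensions in six seconds
    t = 60.0 + 0.2 * i
    SAMPLE_EVENTS.append((t, "10.9.9.9", sip_request("REGISTER", str(ext), str(ext), f"e{ext}", "10.9.9.9")))
    status = (401, "Unauthorized") if ext in (100, 105, 117) else (404, "Not Found")
    SAMPLE_EVENTS.append((t + 0.01, PBX, sip_response(*status, "REGISTER", str(ext), str(ext), f"e{ext}")))
for i in range(60):                         # INVITE flood: 60 requests inside one second
    SAMPLE_EVENTS.append((200.0 + 0.01 * i, "10.8.8.8", sip_request("INVITE", "999", "305", f"f{i}", "10.8.8.8")))

if __name__ == "__main__":
    r = analyse(SAMPLE_EVENTS)
    print("enumeration:", dict(r["enumeration"]))
    print("floods:", dict(r["floods"]))
    print("call pattern:", r["call_pattern"].most_common(3))
```

The per-source response counter is what makes a sweep readable: in the sample the registrar answers 401 for the three extensions that exist and 404 for the rest, which is the very difference an enumerator relies on, so a registrar that answers uniformly (or rate-limits one source) removes the signal, and the detector above then still sees the sweep from the distinct To: users alone.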
VoIP Security Tools
VoIP sniffing tools:
• AuthTool
• VoIPong
• Vomit
• PSIPDump
• Netdude
• Oreka
• Wireshark
VoIP Security Tools (cont'd)
VoIP scanning and enumeration tools:
• SNScan
• Netcat
• Smap
• SIPScan
• SIPcrack
• VoIPaudit
• iWAR
VoIP Security Tools (cont'd)
VoIP packet creation and flooding tools:
• Sipsak
• SIPp
• SIPNess Messenger
• SipBomber
• Spitter
• Sip Send Fun
VoIP Sniffing Tools
AuthTool
Authentication tool used to determine the password for each user of SIP messages.
This tool takes a file of SIP messages as input and scans for these SIP header lines:
• REGISTER.
• INVITE.
• OPTIONS.
VoIPong
VoIPong detects all Voice over IP (VoIP) calls on a pipeline.
It supports SIP, H323, Cisco's Skinny Client Protocol, RTP, and RTCP.
VoIPong detects all VoIP gateways and VoIP calls.
It also produces real .wav files for direct audio listening.
The algorithm doesn't depend on signaling, but on RTP/RTCP.
VoIPong: Features
Simple, optimized, extendable fast code
Detailed logging
Powerful management console interface
Easy installation and administration
Easy debugging
VoIPong: Screenshot 1
Capture screen
efe:[voipong]# voipong -d4 -f
EnderUNIX VOIPONG Voice Over IP Sniffer starting...
Release 2.0-DEVEL, running on efe.dev.enderunix.org [FreeBSD 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Dec i386]
(c) Murat Balaban http://www.enderunix.org/
19/11/04 13:32:10: EnderUNIX VOIPONG Voice Over IP Sniffer starting...
19/11/04 13:32:10: Release 2.0-DEVEL running on efe.dev.enderunix.org [FreeBSD 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Dec i386]. (c) Murat Balaban http://www.enderunix.org/ [pid: 71647]
19/11/04 13:32:10: fxp0 has been opened in promisc mode, data link: 14 (192.168.0.0/255.255.255.248)
19/11/04 13:32:10: [8434] VoIP call detected.
19/11/04 13:32:10: [8434] 10.0.0.49:49606 <--> 10.0.0.90:49604
19/11/04 13:32:10: [8434] Encoding: 0-PCMU-8KHz
19/11/04 13:38:37: [8434] maximum waiting time [10 sn] elapsed for this call, call might have been ended.
19/11/04 13:38:37: .WAV file [output/20041119/session-enc0-PCMU-8KHz-10.0.0.49,49606-10.0.0.90,49604.wav] has been created successfully.
VoIPong: Screenshot 2
Management Console
efe@~/X/voipong# ./voipctl
Connected to VoIPong Management Console
System: efe.enderunix.org [FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386]
voipong> help
Commands:
help : this one
quit : quit management console
uptime : Server uptime
logrotate : rotate server's logs
shutdown : shutdown server
rusage : CPU usage statistics for the server
loadnets : Reload voipongnets file
info : General server information
shcall : Show currently monitored calls
shrtcp : Show currently RTCP cache
killcall [id] : end monitoring session with [id]
voipong> info
General Server Info:
--------------------------
Server version : Release 2.0-DEVEL
System : efe.enderunix.org [FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386]
Current work. direct. : /root/X/voipong
Log level : 4
Process ID (PID) : 1683
User : root [Charlie &]
Group : 0
voipong> rusage
Current CPU usage stats:
----------------------------------------
Total "user" time : 0 seconds
Total used "system" time : 0 seconds
Shared Memory Size : 440 KB
Integral Memory Size : 2232 KB
Integral stack Size : 1280 KB
Page requests : 305
Page errors : 0
Block input operations : 0
Block output operations : 4
Messages sent : 123
Messages received : 122
Signals : 6
Voluntary "context switch"s : 2951
Involuntary "context switch"s : 196
voipong> uptime
Server uptime: 35 minutes 47 seconds
voipong> shcall
ID    NODE1            PORT1 NODE2            PORT2 STIME             DURATION
----- ---------------- ----- ---------------- ----- ----------------- ------------
01746 192.168.8.178    08010 10.240.1.8       10136 22/10/05 14:01:21 1 seconds
Total listed: 1
voipong> quit
Bye!
efe@~/X/voipong#
Vomit
Vomit converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players.
It requires a tcpdump output file.
It requires libevent, a library for asynchronous event notification, and libdnet or libnet.
Limitation: it works only for G.711.
Command: $ vomit -r phone.dump | waveplay -S8000 -B16 -C1
PSIPDump
PSIPDump is a tool used for dumping SIP sessions to disk in a fashion similar to "tcpdump -w", but with one file per SIP session.
Netdude
Netdude is a GUI application that allows you to perform trace file editing, inspection and analysis to a degree formerly only possible by writing code.
It provides a hex editor that allows you to edit unsupported protocol headers and also the packet payloads in both ASCII and hex mode.
It is a front-end to the libnetdude packet manipulation library.
It supports the following plug-ins:
• Protocol plug-ins
• Functionality plug-ins
• Filter plug-ins
Netdude: Features
Filter packets by using filter plug-ins
Inspect and edit raw packet content using Netdude's payload editor in either hex or ASCII mode
Move packets around, duplicate them, remove them from traces
See the tcpdump output updating instantly according to the modifications
Conveniently use the clipboard to select lines from the tcpdump output for situations when only tcpdump output is required
Netdude: Screenshot
Oreka
Oreka is a modular and cross-platform system for recording and retrieval of audio streams.
It supports VoIP and sound device-based captures.
Oreka services include:
• OrkAudio.
• OrkTrack.
• OrkWeb.
Oreka (cont'd)
Features:
• Recording and storage:
  • Capture from multiple network devices in parallel
  • Capture from pcap trace files
  • Voice activity detection
• User interface:
  • Timestamp
  • Recording duration
• Compatibility:
  • Avaya S8500
  • Siemens HiPath
Wireshark
Wireshark is a network protocol analyzer, and is the standard in many industries.
It is used for network troubleshooting and protocol development.
Features:
• Live capture and offline analysis are supported
• Standard three-pane packet browser
• Capture files compressed with gzip can be decompressed on the fly
• Supports many protocols
Wireshark: Screenshot
rtpBreak
The tool rtpbreak detects, reconstructs, and analyzes any RTP session.
It does not require the presence of RTCP packets and works independently of the signaling protocol used (SIP, H.323, SCCP, etc.).
It supports wireless (AP_DLT_IEEE802_11) networks as well.
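Both VoIPong ("the algorithm doesn't depend on signaling, but on RTP/RTCP") and rtpbreak find calls without looking at SIP, H.323 or SCCP at all. The added example below shows the core of that approach in code that is neither VoIPong's nor rtpbreak's: it validates RTP headers per RFC 3550, groups datagrams into streams by 5-tuple and SSRC, pairs opposite-direction streams into a call in the same "A:port <--> B:port" form the VoIPong screenshot prints, and accounts for lost packets from the sequence numbers. The packets are constructed (dummy G.711 payload); the endpoints reuse the addresses from the screenshot above, and the minimum packet count is an assumed threshold. For a defender this is the way to find media streams that no signalling on the monitored PBX accounts for.

```python
"""Finding RTP streams and pairing them into calls without any signalling.

Added example, not VoIPong's or rtpbreak's code: the packets below are
constructed (RT headers per RFC 3550 with dummy G.711 payload), and the
addresses reuse the ones shown in the VoIPong screenshot above.
"""
import struct
from collections import Counter, defaultdict

STATIC_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA", 9: "G722", 18: "G729"}   # RFC 3551 RTP/AVP table


def parse_rtp(payload):
    """Return header fields if the datagram is plausibly RTP, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack(">BBHII", payload[:12])
    version, cc = b0 >> 6, b0 & 0x0F
    marker, pt = b1 >> 7, b1 & 0x7F
    if version != 2:
        return None
    if 72 <= pt <= 76:                      # RTCP packet types land here; that is not RTP
        return None
    if len(payload) < 12 + 4 * cc:          # CSRC list must fit
        return None
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc, "marker": marker}


def find_streams(packets, min_packets=5):
    """packets: (src, sport, dst, dport, payload). Group RTP by 5-tuple and SSRC."""
    groups = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is not None:
            groups[(src, sport, dst, dport, hdr["ssrc"])].append(hdr)
    streams = {}
    for key, hdrs in groups.items():
        if len(hdrs) < min_packets:         # a lone RTP-shaped datagram is noise, not a stream
            continue
        pt = Counter(h["pt"] for h in hdrs).most_common(1)[0][0]
        seqs = sorted({h["seq"] for h in hdrs})
        streams[key] = {
            "packets": len(hdrs),
            "payload_type": pt,
            "codec": STATIC_PAYLOAD_TYPES.get(pt, f"dynamic-{pt}"),
            "seq_first": seqs[0],
            "seq_last": seqs[-1],
            "lost": seqs[-1] - seqs[0] + 1 - len(seqs),   # ignores 16-bit wrap-around
        }
    return streams


def pair_calls(streams):
    """Two streams that mirror each other's endpoints form one two-way call."""
    senders = defaultdict(set)
    for src, sport, dst, dport, _ssrc in streams:
        ends = tuple(sorted([(src, sport), (dst, dport)]))
        senders[ends].add((src, sport))
    return sorted(f"{a[0]}:{a[1]} <--> {b[0]}:{b[1]}"
                  for (a, b), s in senders.items() if len(s) == 2)


def rtp_packet(pt, seq, ts, ssrc, marker=0):
    """Build a minimal RTP datagram: V=2, no padding/extension/CSRC, 160 bytes of payload."""
    return struct.pack(">BBHII", 0x80, (marker << 7) | pt, seq, ts, ssrc) + b"\x00" * 160


CALLER, CALLEE = ("10.0.0.49", 49606), ("10.0.0.90", 49604)
SAMPLE_PACKETS = []
for i in range(20):
    if i != 10:                              # one packet dropped in this direction
        SAMPLE_PACKETS.append((*CALLER, *CALLEE, rtp_packet(0, 1000 + i, 160 * i, 0x1234ABCD, marker=int(i == 0))))
    SAMPLE_PACKETS.append((*CALLEE, *CALLER, rtp_packet(0, 500 + i, 160 * i, 0xDEADBEEF)))
SAMPLE_PACKETS.append(("10.0.0.49", 40000, "10.0.0.1", 53, b"\x12\x34\x01\x00" + b"\x00" * 20))  # DNS, version bits 0
SAMPLE_PACKETS.append(("10.0.0.7", 6000, "10.0.0.8", 6001, rtp_packet(8, 1, 0, 0x77)))           # single stray packet

if __name__ == "__main__":
    streams = find_streams(SAMPLE_PACKETS)
    for key, info in streams.items():
        print(key[:4], info)
    print("calls:", pair_calls(streams))
```

The version and payload-type checks are what keep arbitrary UDP (the DNS datagram in the sample) out of the result, and the packet-count threshold keeps one-off datagrams out; the loss figure is derived from sequence gaps only and does not handle the 16-bit wrap, which a production tool would need to.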
rtpBreak: Screenshot
VoIP Scanning & Enumeration Tools
SNScan
SNScan is a Windows-based SNMP detection utility that can quickly and accurately identify SNMP-enabled devices on a network.
It indicates devices that are potentially vulnerable to SNMP-related security threats.
It allows for the scanning of SNMP-specific ports.
It is a fast and reliable utility for information gathering.
SNScan: Screenshot
Netcat
Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol.
It is designed as a reliable "back-end" tool.
It can create almost any kind of connection and has several interesting built-in capabilities.
Netcat Features
Outbound and inbound connections, TCP or UDP, to or from any ports
Tunneling mode allows special tunneling such as UDP to TCP
Built-in port-scanning capabilities with randomizer
Advanced usage options such as buffered send-mode and hexdump
Optional RFC854 telnet codes parser and responder
Smap
Smap is a combination of the nmap and sipsak tools.
Features:
• Locating devices
• Fingerprinting remote SIP devices
Example: Locating Devices
$ ./smap 89.53.17.16/29
smap 0.4.0-cvs <hscholz@raisdorf.net> http://www.wormulon.net/
Host 89.53.17.16:5060: (ICMP OK) SIP enabled
Host 89.53.17.17:5060: (ICMP OK) SIP timeout
Host 89.53.17.18:5060: (ICMP timeout) SIP enabled
Host 89.53.17.19:5060: (ICMP OK) SIP timeout
Host 89.53.17.20:5060: (ICMP OK) SIP timeout
Host 89.53.17.21:5060: (ICMP OK) SIP enabled
Host 89.53.17.22:5060: (ICMP timeout) SIP timeout
Host 89.53.17.23:5060: (ICMP OK) SIP enabled
8 hosts scanned, 6 ICMP reachable, 4 SIP enabled
$
Example: Fingerprinting Devices
$ ./smap -o 89.53.17.208/29
smap 0.4.0-cvs <hscholz@raisdorf.net> http://www.wormulon.net/
Host 89.53.17.208:5060: (ICMP OK) SIP timeout
Host 89.53.17.209:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.210:5060: (ICMP timeout) SIP timeout
Host 89.53.17.211:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.212:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.213:5060: (ICMP timeout) SIP enabled
Siemens SX541 (firmware 1.67)
Host 89.53.17.214:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.215:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon ata 11.03.45
8 hosts scanned, 6 ICMP reachable, 6 SIP enabled
$
Example: Learning Mode
$ ./smap -l 89.53.17.214
smap 0.4.0-cvs <hscholz@raisdorf.net> http://www.wormulon.net/
NOTICE: test_allow: "Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, UPDATE, PRACK, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE"
Host 89.53.17.214:5060: (ICMP OK) SIP enabled
best guess (71% sure) fingerprint:
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
FINGERPRINT information:
newmethod=405
allow_class=2
supported_class=ignore
hoe_class=ignore
options=NR
brokenfromto=NR
prack=405
ping=NR
invite=406
headers found:
User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.03.89 (3.01.03 tested by accredited T-Com test lab) (Oct 28 2005)
1 host scanned, 1 ICMP reachable, 1 SIP enabled
$
SIPScan
SIPScan is a SIP username enumerator that uses the following methods:
• INVITE: eliminates invalid extensions.
• REGISTER: sends requests to as many extensions as possible to eliminate invalid extensions.
• OPTIONS: determines the exact extension(s) used to log in to the SIP proxy or registrar.
Example: Scanning SIP Servers
Sent to 192.168.1.104:
REGISTER sip:192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:5060;rport;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC
From: 506 <sip:[email protected]>;tag=120975822
To: 506 <sip:[email protected]>
Contact: "506" <sip:[email protected]:5060>
Call-ID: [email protected]
CSeq: 54512 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1105x
Content-Length: 0

Received from the PBX 192.168.1.104:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.120:5060;rport=5060;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC
From: 506 <sip:[email protected]>;tag=120975822
To: 506 <sip:[email protected]>;tag=b27e1a1d33761e85846fc98f5f3a7e58.bdc9
Call-ID: [email protected]
CSeq: 54512 REGISTER
WWW-Authenticate: Digest realm="domain2", nonce="440bcbe24670d5d0448fd78ec4b672a3c29de346"
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29785 req_src_ip=192.168.1.120 req_src_port=5060 in_uri=sip:192.168.1.104 out_uri=sip:192.168.1.104 via_cnt==1
Scanning SIP Phones
SIPScan at our Cisco 7912 phone at 192.168.1.23
SIPScan results:
Scan started Mon Mar 6 02:21:58 2006
Target SIP Server: 192.168.1.23:5060 UDP
Domain: 192.168.1.10
1>>Found a live extension/user at 203@192.168.1.103 with SIP response code(s): OPTIONS:200
SIPScan: Screenshot
SIPcrack
SIPcrack is a SIP login sniffer/cracker that contains two programs:
• sipdump to capture the digest authentication.
• sipcrack to bruteforce the hash using a wordlist or standard input.
Commands:
• sipdump: sipdump -i eth0 logins.dump
• sipcrack: sipcrack -w mywordlist.txt logins.dump
SIPcrack (cont'd)
VoIPaudit
VoIPaudit is a first line of defense to secure VoIP and ensures organizations have peace of mind that VoIP networks are protected.
Features:
• Identify holes, gaps, and problems in the network that leave the organization open to attack
• Figure out the specifics of security issues and the possible outcome of leaving them unsecured
• Quickly determine fixes for problems and take action to proactively remediate vulnerabilities
iWAR
iWar is a war dialer written completely in C for Unix.
Features:
• Remote system identification
• Multiple modem support
• Dials randomly or sequentially
• Records remote system banners on connection for later review
• Full control over the modem
• Used to attack PBXs, voicemail systems, and so on
VoIP Packet Creation and Flooding Tools
Sipsak
Sipsak is a small command line tool for Session Initiation Protocol (SIP) applications, used for some simple tests on SIP applications and devices.
Features:
• Random character trashed test
• Interpret and react on response
• Authentication with qop supported (MD5 and SHA1)
• Short notation supported for receiving
• Unlimited string replacements in files and requests
• Supports DNS SRV through c-ares or libruli
• Supports UDP and TCP transport
SIPp
SIPp is a free open source test tool or traffic generator for the SIP protocol.
It includes a few basic SipStone user agent scenarios (UAC and UAS) and establishes and releases multiple calls with the INVITE and BYE methods.
It can also read custom XML scenario files describing call flows, from very simple to complex.
SIPp (cont’d)
SIPp features:
• Dynamic display of statistics about running tests (call rate, round trip delay, and message statistics)
• Periodic CSV statistics dumps
• Dynamically adjustable call rates
• Support of IPv6, TLS, SIP authentication
• Conditional scenarios
• UDP retransmissions
• Call specific variables
• Field injection from external CSV file to emulate live users
SIPp: Screenshot
SIPNess Messenger
The SIPNess Messenger is a basic tool for learning how SIP sessions are performed, and for initial testing and debugging of SIP terminals.
It provides an easy way for the user to construct and send proper SIP messages to a remote SIP terminal.
It receives and monitors incoming SIP messages from remote SIP terminals at the same time.
Received SIP messages are formatted and displayed, including the SDP.
SIPNess Messenger (cont’d)
SIPNess Messenger operations:
• Sending an INVITE
• Receiving a SIP message
• Saving SIP session LOG file
• Sending special SIP messages
SIPNess Messenger: Screenshot
SipBomber
SipBomber is a SIP-protocol testing tool for Linux.
Parameters include:
• SIP server.
• UDP port.
• TCP port.
• Reparse rand param.
• n-send.
• n-resend.
SipBomber: Screenshot
Spitter
Spitter is a tool to use the Asterisk IP PBX as a platform from which to launch SPIT calls.
It was tested in concert with a v1.2.10 Asterisk IP PBX and was tested on a Linux Red Hat Fedora Core 4 platform.
The input file of SPIT targets contains one or more Asterisk ASCII call records.
To Spitter, each call record is simply a series of non-blank lines.
When all call operations related to the call file are completed, Asterisk removes the call file.
Sip Send Fun
Sip Send Fun is a tiny command-line based script that exploits vulnerabilities.
Sip Send Fun uses netcat to send the different SIP payloads to the tested device.
Prerequisites:
• php
• php-cli
• netcat
Functions of Sip Send Fun
Functions implemented in Sip Send Fun include:
• Payload:
  • New-Message
  • No-New-Message
  • INVITE
• Testing of a single device or a Class-C scan.
• Source-IP spoofing.
• Sending a payload to a single port or portscan.
VoIP Fuzzing Tools
Asteroid
Codenomicon VoIP Fuzzers
Fuzzy Packet
Interstate Fuzzer
ohrwurm
PROTOS H.323 Fuzzer
PROTOS SIP Fuzzer
SIP Forum Test Framework (SFTF)
Sip-Proxy
Spirent ThreatEx
VoIP Signaling Manipulation Tools
BYE Teardown
Check Sync Phone Rebooter
H225regreject
IAXAuthJack
IAXHangup
RedirectPoison
Registration Adder
Registration Eraser
Registration Hijacker
SIP-Kill
SIP-Proxy-Kill
SIP-RedirectRTP
SipRogue
vnak - VoIP Network Attack Toolkit
VoIPHopper
VoIP Media Manipulation Tools
RTP InsertSound
RTP MixSound
RTPInject
RTPProxy
SteganRTP
Vo²IP
Summary
Penetration tests usually refer to tests against perimeter defenses.
Vulnerability testing refers to tests against specific systems.
VoIPong detects all VoIP calls on a pipeline.
Sip Send Fun is a tiny command-line based script that exploits vulnerabilities.
Spitter is a tool to use the Asterisk IP PBX as a platform from which to launch SPIT calls.
Netdude is a front-end to the libnetdude packet manipulation library.