ebook img

Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions by David Endler and Mark ... PDF

496 Pages·2008·17.06 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions by David Endler and Mark ...

. .Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions by David Endler and Mark Collier McGraw-Hill/Osborne © 2007 (574 pages) ISBN:9780072263640 Showing you how online criminals perform reconnaissance, gain access, steal data, and penetrate vulnerable systems, this book covers all hardware-specific and network-centered security issues as well as countermeasures and implementation techniques. Table of Contents Hacking Exposed VoIP?Voice Over IP Security Secrets & Solutions Introduction Part I - Casing the Establishment Case Study - My VOIP Gear is Secure From Outsiders, Right? Probing and Enumerating Our Way to Success Chapter 1 - Footprinting a VoIP Network Chapter 2 - Scanning a VoIP Network Chapter 3 - Enumerating a VoIP Network Part II - Exploiting the VoIP Network Case Study - Who's Listening in? Chapter 4 - VoIP Network Infrastructure Denial of Service (DoS) Chapter 5 - VoIP Network Eavesdropping Chapter 6 - VoIP Interception and Modification Part III - Exploiting Specific VoIP Platforms Case Study - Shutting Down a Vendor's VoIP System Chapter 7 - Cisco Unified CallManager Chapter 8 - Avaya Communication Manager Chapter 9 - Asterisk Chapter 10 - Emerging Softphone Technologies Part IV - VoIP Session and Application Hacking Case Study - John Smith Gets Even Chapter 11 - VoIP Fuzzing Chapter 12 - Flood-based Disruption of Service Chapter 13 - Signaling and Media Manipulation Part V - Social Threats Case Study - Tom N. Jerry Sets Up A Spit Generator Chapter 14 - SPAM over Internet Telephony (SPIT) Chapter 15 - Voice Phishing Index List of Figures List of Tables List of Sidebars This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks. . .Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions by David Endler and Mark Collier McGraw-Hill/Osborne © 2007 (574 pages) ISBN:9780072263640 Showing you how online criminals perform reconnaissance, gain access, steal data, and penetrate vulnerable systems, this book covers all hardware-specific and network-centered security issues as well as countermeasures and implementation techniques. Back Cover Block debilitating VoIP attacks by learning how to look at your network and devices through the eyes of the malicious intruder. Hacking Exposed VoIP shows you, step-by-step, how online criminals perform reconnaissance, gain access, steal data, and penetrate vulnerable systems. All hardware-specific and network-centered security issues are covered alongside detailed countermeasures, in-depth examples, and hands-on implementation techniques. Inside, you'll learn how to defend against the latest DoS, man-in-the-middle, call flooding, eavesdropping, VoIP fuzzing, signaling and audio manipulation, Voice SPAM/SPIT, and voice phishing attacks. Find out how hackers footprint, scan, enumerate, and pilfer VoIP networks and hardware Fortify Cisco, Avaya, and Asterisk systems Prevent DNS poisoning, DHCP exhaustion, and ARP table manipulation Thwart number harvesting, call pattern tracking, and conversation eavesdropping Measure and maintain VoIP network quality of service and VoIP conversation quality Stop DoS and packet flood-based attacks from disrupting SIP proxies and phones Counter REGISTER hijacking, INVITE flooding, and BYE call teardown attacks Avoid insertion/mixing of malicious audio Learn about voice SPAM/SPIT and how to prevent it Defend against voice phishing and identity theft scams About the Authors David Endler is the director of security research for 3Com's security division, TippingPoint, where he oversees product security testing, the VoIP security research center, and their vulnerability research team. While at TippingPoint, David founded an industry-wide group called the Voice over IP Security Alliance (VoIPSA) in 2005. VoIPSA's mission is to help VoIP adoption by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. David is currently the chairman of VoIPSA, which boasts over 100 members from the VoIP vendor, carrier, and security space. Prior to TippingPoint, David was the technical director at a security services startup, iDefense, Inc., which was acquired by VeriSign. iDefense specializes in cybersecurity intelligence, tracking the activities of cybercriminals and hackers, in addition to researching the latest vulnerabilities, worms, and viruses. Prior to iDefense, David spent many years in cutting-edge security research roles with Xerox Corporation, the National Security Agency, and the Massachusetts Institute of Technology. As an internationally recognized security expert, David is a frequent speaker at major industry conferences and has been quoted and featured in many top publications and media programs, including the Wall Street Journal, USA Today, BusinessWeek, Wired Magazine, the Washington Post, CNET, Tech TV, and CNN. David has authored numerous articles and papers on computer security and was named one of the Top 100 Voices in IP Communications by IP Telephony Magazine. David graduated summa cum laude from Tulane University where he earned a bachelor's and master's degree in computer science. Mark Collier is the chief technology officer at SecureLogix corporation, where he directs the company's VoIP security research and development. Mark also defines and conducts VoIP security assessments for SecureLogix's enterprise customers. Mark is actively performing research for the U.S. Department of Defense, with a focus on developing SIP This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . vulnerability assessment tools. Prior to SecureLogix, Mark was with Southwest Research Institute (SwRI), where he directed a group performing research and development in the areas of computer security and information warfare. Mark is a frequent speaker at major VoIP and security conferences. He has authored numerous articles and papers on VoIP security and is also a founding member of the Voice over IP Security Alliance (VoIPSA). Mark graduated magna cum laude from St. Mary's University, where he earned a bachelor's degree in computer science. This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . Hacking Exposed VoIP—Voice Over IP Security Secrets & Solutions David Endler Mark Collier McGraw-Hill books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please write to the Director of Special Sales, Professional Publishing, McGraw-Hill, Two Penn Plaza, New York, NY 10121-2298. Or contact your local bookstore. Hacking Exposed™ VoIP: Voice over IP Security Secrets and Solutions Copyright © 2007 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. 1234567890 DOC DOC 0198765 ISBN-13: 978-0-07-226364-0 ISBN-10: 0-07-226364-4 Sponsoring Editor Jane K. Brownlow Editorial Supervisor Janet Walden Project Editor LeeAnn Pickrell Acquisitions Coordinator Jennifer Housh Technical Editor Ofir Arkin Copy Editor LeeAnn Pickrell Proofreader Paul S. Tyler Indexer Karin Arrigoni Production Supervisor Jean Bodeaux Composition EuroDesign-Peter F. Hancik Illustration Lyssa Wald Series Design Peter F. Hancik, Lyssa Wald Art Director, Cover Jeff Weeks Cover Design Dodie Shoemaker Cover Designer Pattie Lee Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. For Mom, Dad, Sally, and Sarah. —Dave For my wife Gerri, and two daughters, Kristen and Kerri. —Mark This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . About the Authors David Endler David Endler is the director of security research for 3Com's security division, TippingPoint, where he oversees product security testing, the VoIP security research center, and their vulnerability research team. While at TippingPoint, David founded an industry-wide group called the Voice over IP Security Alliance (VoIPSA) in 2005. VoIPSA's mission is to help VoIP adoption by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. David is currently the chairman of VoIPSA, which boasts over 100 members from the VoIP vendor, carrier, and security space (http://www.voipsa.org). Prior to TippingPoint, David was the technical director at a security services startup, iDefense, Inc., which was acquired by VeriSign. iDefense specializes in cybersecurity intelligence, tracking the activities of cybercriminals and hackers, in addition to researching the latest vulnerabilities, worms, and viruses. Prior to iDefense, David spent many years in cutting-edge security research roles with Xerox Corporation, the National Security Agency, and the Massachusetts Institute of Technology. As an internationally recognized security expert, David is a frequent speaker at major industry conferences and has been quoted and featured in many top publications and media programs, including the Wall Street Journal, USA Today, BusinessWeek, Wired Magazine, the Washington Post, CNET, Tech TV, and CNN. David has authored numerous articles and papers on computer security and was named one of the Top 100 Voices in IP Communications by IP Telephony Magazine. David graduated summa cum laude from Tulane University where he earned a bachelor's and master's degree in computer science. Mark Collier This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . Mark Collier is the chief technology officer at SecureLogix corporation, where he directs the company's VoIP security research and development. Mark also defines and conducts VoIP security assessments for SecureLogix's enterprise customers. Mark is actively performing research for the U.S. Department of Defense, with a focus on developing SIP vulnerability assessment tools. Prior to SecureLogix, Mark was with Southwest Research Institute (SwRI), where he directed a group performing research and development in the areas of computer security and information warfare. Mark is a frequent speaker at major VoIP and security conferences. He has authored numerous articles and papers on VoIP security and is also a founding member of the Voice over IP Security Alliance (VoIPSA). Mark graduated magna cum laude from St. Mary's University, where he earned a bachelor's degree in computer science. About the Technical Editor Ofir Arkin is the CTO of Insightix, leading the development of the next generation of IT infrastructure discovery and monitoring systems for enterprise networks. He has more than ten years of experience in data security research and management. Prior to cofounding Insightix, he served as the CISO of a leading Israeli international telephone carrier. In addition, Ofir has consulted and worked for multinational companies in the financial, pharmaceutical, and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, and network discovery, and lectures regularly at security conferences. He is chair of the security research committee of the Voice over IP Security Alliance (VoIPSA) and the founder of the Sys-Security Group (http://www.sys-security.com), a computer security research group. Acknowledgments First, we would like to thank our families for supporting us through this writing and research effort. Next, we would especially like to acknowledge our respective work colleagues at TippingPoint and SecureLogix for their input, suggestions, and guidance through this process. A special thanks to Mark O'Brien with SecureLogix for his research and assistance with attack tool development. Thanks also to the great discussions by the growing VoIP security industry reflected on the VoIPSEC mailing list (http://www.voipsa.org/VOIPSEC/) and also through Dan York and Jonathan Zar's Blue Box Podcast (http://www.blueboxpodcast.com). A word of thanks also to the security and VoIP teams at Skype, Avaya, Cisco, and Asterisk for working with us on this book in the sections where we targeted their products. Finally, we're especially grateful to the McGraw-Hill team who helped make this book a reality, including Jane Brownlow, Jenni Housh, LeeAnn Pickrell, Peter Hancik, and Lyssa Wald. This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . Introduction Voice over IP (VoIP) has finally come of age and is being rapidly embraced across most markets as an alternative to the traditional public-switched telephone network (PSTN). VoIP is a broad term, describing many different types of applications (hard phones, softphones, proxy servers, Instant Messaging clients, peer-to-peer clients, and so on), installed on a wide variety of platforms (Linux, Windows, VxWorks, mobile devices, PCs, and so on), and using a wide variety of both proprietary and open protocols (SIP, RTP, H.323, MGCP, SCCP, Unistim, SRTP, ZRTP, and so on) that depend heavily on your preexisting data network's infrastructure and services (routers, switches, DNS, TFTP, DHCP, VPNs, VLANs and so on). Correspondingly, VoIP security is just as broad a subject thanks to the heterogeneous nature of these environments found in the consumer, enterprise, carrier, and small/medium–sized business markets. In order to narrow the focus, we decided to cater mainly to the enterprise IT audience and include some of the more popular deployments in our target list. Because VoIP packetizes phone calls through the same routes used by traditional enterprise data networks today, it is consequently prone to the very same cyber threats that plague those same networks. These include denial-of service attacks, worms, viruses, and general hacker exploitation. For instance, if your enterprise is under attack from a distributed denial of service (DDoS) attack, internal users' web browsing might be slower than normal. A DDoS attack on a VoIP-enabled network can completely cripple your VoIP applications, at least to the point where conversations are unintelligible. In addition to these traditional network security and availability concerns, there are also a plethora of new VoIP protocol implementations that have yet to undergo detailed security analysis and scrutiny. Most major enterprise VoIP vendors are integrating the up-and-coming Session Initiation Protocol (SIP) into their products. As a result, SIP-specific attacks such as registration hijacking, BYE call teardown, and INVITE flooding are also likely to emerge—not to mention the plethora of financially motivated nuisances such as Spam over Internet Telephony (SPIT) and the voice phishing attacks that are just beginning to bleed into the VoIP realm. There is no one silver bullet to solving current and emerging VoIP security problems. Rather, a well-planned defense-in-depth approach that extends your current security policy is your best bet to mitigate the current and emerging threats to VoIP. All the Power of Hacking Exposed and More This book is written in the best tradition of the Hacking Exposed series. The topic of VoIP-related hacking isn't exactly the most researched topic. Many potential security threats and attack algorithms described here are little-known or new and were discovered during the process of writing this book. To do this, we assembled a tiny testing and research VoIP network, consisting of two Linux servers each running a SIP-based software PBX, one running Asterisk and the other running SIP EXpress Router. We connected to both PBX's as many different SIP-based hard phones that we could get our hands on, including Cisco, Sipura, D-link, Avaya, Polycom, and others. A diagram of our SIP test bed is illustrated in Chapter 2 and throughout the book. For the vendor-specific Chapters 7–10, we also installed a Cisco and Avaya environment as well. We made every effort to test all the presented methods and techniques on these test beds. In addition, some of the published data is, of course, based on our hands-on experience as penetration testers, network security administrators, and VoIP architects. The Companion Web Site Companion Web Site We have created a separate online resource specifically for the book at http://www.hackingvoip.com. It contains the collection of new tools and resources mentioned in the book and not available anywhere else. As to the remaining utilities covered in the book, each one of them has an annotated URL directing you to its home site. In case future support of the utility is stopped by the maintainer, we will make the latest copy available at http://www.hackingvoip.com, so you won't encounter a description of a nonexisting tool in the book. This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . We also plan to post any relevant future observations and ideas at this website and accompanying blog. Easy to Navigate A standard tested and tried Hacking Exposed format is used throughout this book: Attack – This is an attack icon. This icon identifies specific penetration testing techniques and tools. The icon is followed by the technique or attack name and a traditional Hacking Exposed risk rating table: Popularity: The frequency with which we estimate the attack takes place in the wild. Directly correlates with the Simplicity field: 1 is the most rare, 10 is used a lot. Simplicity: The degree of skill necessary to execute the attack: 10 is using a widespread point-and-click tool or an equivalent; 1 is writing a new exploit yourself. Values around 5 are likely to indicate a difficult-to-use available command-line tool that requires knowledge of the target system or protocol by the attacker. Impact: The potential damage caused by successful attack execution. Varies from 1 to 10: 1 is disclosing some trivial information about the device or network; 10 is getting full access on the target or being able to redirect, sniff, and modify network traffic. Risk Rating: This value is obtained by averaging the three previous value. We have also used these visually enhanced icons to highlight specific details and suggestions, where we deem it necessary: Note _________________________________________________________________ Tip __________________________________________________________________ Caution ______________________________________________________________ Countermeasurs – This is a countermeasure icon. Where appropriate, we have tried to provide different types of attack countermeasures for various VoIP platforms. Such countermeasures can be full (upgrading the vulnerable software or using a more secure network protocol) or temporary (reconfiguring the device to shut down the vulnerable service, option, or protocol). We always recommend that you follow the full countermeasure solution; however, we do recognize that due to some restrictions, this may not be possible every time. In such a situation, both temporary and incomplete countermeasures are better than nothing. An incomplete countermeasure is a safeguard that only slows down the attacker and can be bypassed—for example, a standard access list can be bypassed via IP spoofing, man-in-the-middle, and session hijacking attacks. TinyURL You'll notice that most of the longer website references throughout the book are written in two ways. First as the entire URL and then followed by a tinyurl. TinyURL is a service that rewrites any link into a shorter, easier to type form than its longer original format. For instance, going to TinyURL.com and typing the following link in the submission form, http://maps.google.com/ ?ie=UTF8&hl=en&q=10+market+st,+san+francisco&f=q&z=16&om=1&iwloc=addr returns http://tinyurl.com/yywp3z So now we can easily type http://tinyurl.com/yywp3z instead of the more cumbersome original link, and it brings us to the exact same page! This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . How the Book is Organized This book is split into five completely different parts. Each part can be read without even touching the remaining four—so if the reader is interested only in the issues described in the selected part, he or she may consult only that part. Part I. "Casing the Establishment" The first part is introductory and describes how an attacker would first scan the whole network and then pick up specific targets and enumerate them with great precision in order to proceed with further advanced attacks through or from the hacked VoIP devices. Chapter 1. "Footprinting a VoIP Network" We begin the book by describing how a hacker first profiles the target organization by performing passive reconnaissance using tools such as Google, DNS, and WHOIS records, as well as the target's own website. Chapter 2. "Scanning a VoIP Network" A logical continuation of the previous chapter, this chapter provides a review of various remote scanning techniques in order to identify potentially active VoIP devices on the network. We cover the traditional UDP, TCP, SNMP, and ICMP scanning techniques as applied to VoIP devices. Chapter 3. "Enumerating a VoIP Network" Here, we show active methods of enumeration of various standalone VoIP devices, from softphones, hard phones, proxies, and other general SIP-enabled devices. Plenty of examples are provided, along with a demonstration of SIPScan, a SIP directory scanning tool we wrote. Part II. "'Exploiting the VoIP Network" This part of the book is focused on exploiting the supporting network infrastructure on which your VoIP applications depend. We begin with typical network denial-of-service attacks and eventually lead up to VoIP conversation eavesdropping. While many of the demonstrated techniques originate from the traditional data security world, we applied them against VoIP devices and supporting network services. Chapter 4. "VoIP Network Infrastructure Denial of Service (DoS)" In this chapter, we introduce quality of service and how to objectively measure the quality of a VoIP conversation on the network using various free and commercial tools. Next, we discuss various flooding and denial of service attacks on VoIP devices and supporting services such as DNS and DHCP. Chapter 5. "VoIP Network Eavesdropping" This section is very much focused on the types of VoIP privacy attacks an attacker can perform with the appropriate network access to sniff traffic. Techniques such as number harvesting, call pattern tracking, TFTP file snooping, and actual conversation eavesdropping are demonstrated. Chapter 6. "VoIP Interception and Modification" The methods described in this chapter detail how to perform man-in-the-middle attacks in order to intercept and alter an active VoIP session and conversation. We demonstrate some man-in-the-middle methods of ARP poisoning and present a new tool called sip_rogue that can sit in between two calling parties and monitor or alter their session and This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . conversation. Part III. "Exploiting Specific VoIP Platforms" In this part of the book, we shift our attention to attacking specific vendor platforms where each has unique security weaknesses and countermeasures. We demonstrate some of the attacks covered in the last few chapters in order to detail the vendor-specific best practices for mitigating them. Chapter 7. "Cisco Unified CallManager" We installed Cisco CallManager 4.x with Cisco hard phones in a fully homogenous Cisco-switched environment in order to perform many of the attacks we've already detailed. We also cover the various best practices to apply to the Cisco switching gear to mitigate most of the network attacks covered in Part II. Chapter 8. "Avaya Communication Manager" Similarly, we installed a full Avaya Communication Manager along with Avaya hard phones to detail some of the specific attacks we covered in Part I and Part II. Chapter 9. "Asterisk" We targeted our SIP test bed running Asterisk with the similar attacks detailed in Part I and Part II. We also performed some basic platform testing on a subset of the SIP phones in our test bed. Chapter 10. "Emerging Softphone Technologies" In this chapter, we discuss some security issues with the emerging softphone services, such as Skype, Gizmo, and others. While these services have not yet dominantly emerged into the enterprise space, they are poised to do so through some interesting partnerships under way. Part IV. "VoIP Session and Application Hacking" In this part of the book, we shift our attention from attacking the network and device to attacking the protocol. The fine art of protocol exploitation can hand intruders full control over the VoIP application traffic without any direct access and reconfiguration of the hosts or phones deployed. Chapter 11. "Fuzzing VoIP" The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol. In this chapter, we demonstrate some tools and techniques for fuzzing your VoIP applications. Chapter 12. "Flood-Based Disruption of Service" In this chapter, we cover additional attacks that disrupt SIP proxies and phones by flooding them with various types of VoIP protocol and session-specific messages. These types of attacks partially or totally disrupt service for a SIP proxy or phone while the attack is under way. Some of the attacks actually cause the target to go out of service, requiring a restart. Chapter 13. "Signaling and Media Manipulation" In this chapter, we cover other attacks in which an attacker manipulates SIP signaling or RTP media to hijack, terminate, or otherwise manipulate calls. We introduce no less than ten new tools to demonstrate these attacks. As with other attacks we have covered, these attacks are simple to execute and quite lethal. This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . Part V. "Social Threats" In the same way that the traditional email realm has been inundated with spam and phishing, so too are we starting to see the evolution of these social nuisances into the VoIP world. This chapter focuses on how advertisers and scam artists will likely target VoIP users and how to help counter their advance. Chapter 14. "SPAM over Internet Telephony (SPIT)" Voice SPAM or SPAM over Internet Telephony (SPIT) is a similar problem that will affect VoIP. SPIT, in this context, refers to bulk, automatically generated, unsolicited calls. SPIT is like telemarketing on steroids. You can expect SPIT to occur with a frequency similar to email SPAM. This chapter describes how you can use the Asterisk IP PBX and a new tool called spitter to generate your own SPIT. This chapter also details how you can detect and mitigate SPIT. Chapter 15. "Voice Phishing" Voice phishing relies on the effective gullibility of a victim trusting a phone number much more than an email link. Also, for a fraction of the cost, an attacker can set up an interactive voice response system through a VoIP provider that is harder to trace than a compromised web server. Also, the nature of VoIP makes this type of attack even more feasible because most VoIP services grant their customers an unlimited number of calls for a monthly fee. This chapter details how these attacks are performed and how to detect them at their various stages. This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . A Final Message to our Readers The challenges of VoIP security are not new. History has shown us that many other advances and new applications in IP communications (for example, TCP/IP, wireless 802.11, web services, and so on) typically outpace the corresponding realistic security requirements that are often tackled only after these technologies have been widely deployed. We've seen this story time and time again in the security industry, and hope that this book allows you stay ahead of the VoIP exploitation curve by helping you plan, budget, architect, and deploy your protection measures appropriately. This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . Part I: Casing the Establishment Chapter List Chapter 1: Footprinting a VoIP Network Chapter 2: Scanning a VoIP Network Chapter 3: Enumerating a VoIP Network Case Study: My VOIP Gear is Secure From Outsiders, Right? Many of VoIP's security issues are similar to those of Internet applications installed in your enterprise. This similarity is mostly due to the fact that VoIP devices inherit so many of the traditional security vulnerabilities of the supporting services and infrastructure around them. Another reason is that VoIP phones and servers tend to support a wide range of features including HTTP, telnet, SNMP, TFTP, and the list goes on. Because VoIP components typically support a variety of administrative protocols, this simplifies an attacker's efforts to perform basic network reconnaissance. Believe it or not, simply using Google can lead to a treasure trove of information about your VoIP network. Lock and Load with Google When performing reconnaissance on a potential target, there are a variety of ways a attacker can leverage search engines simply using the advanced features of a service such as Google. First, an attacker scours your company's job listings to see if any juicy details can be unearthed; lo and behold, he comes up with a job listing for "Cisco VoIP Engineer." Leveraging this bit of information, he then dusts off his Google hacking skills to determine if any of your Cisco VoIP phones are exposed to the Internet. Because Google will index anything with a web service, it turns out that many VoIP phones are inadvertently advertised on the Internet because of their built-in web servers. The attacker types the following into a Google search: inurl:"NetworkConfiguration" cisco site:yourcompany.com He comes up with three hits: Results 1–3 of 3 for "NetworkConfiguration" cisco site:yourcompany.com (0.10 seconds). The hacker has just found the administrative web interface to three of your Cisco IP phones that were mistakenly left exposed to the Internet. As it turns out, without even needing a password, simply clicking any of these hits gives the hacker a wealth of information: DHCP Server 193.22.8.11 BOOTP Server No MAC Address 001120017EA3 Host Name gk002020036ea3 Domain Name IP Address 193.15.8.11 Default Router 193.15.8.1 Subnet Mask 255.255.255.0 TFTP Server 1 196.45.34.1 NTP Server 1 NTP Server 2 This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks . DNS Server 1 196.45.144.2 DNS Server 2 Alt NTP Server 1 0.0.0.0 Alt NTP Server 2 0.0.0.0 Probing and Enumerating Our Way to Success Most VoIP phones check and download their configuration files after each reboot from a central TFTP server. Now that the attacker knows an IP address of a TFTP server from his Google hacking of the Cisco phones, he can check to see if that server is also accessible from the Internet: C:\>ping 196.45.34.1 Pinging tftpserver.yourcompany.com [196.45.34.1] with 32 bytes of data: Reply from 196.45.34.1: bytes=32 time=20ms TTL=54 Reply from 196.45.34.1: bytes=32 time=21ms TTL=54 Reply from 196.45.34.1: bytes=32 time=22ms TTL=55 Reply from 196.45.34.1: bytes=32 time=21ms TTL=54 Ping statistics for 196.45.34.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 20ms, Maximum = 22ms, Average = 21ms Good news for the attacker, he can reach the TFTP server remotely without having to gain further access to your network. Next, to ensure the actual TFTP port is accessible, he fires up his copy of Nmap with a simple UDP scan: Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 05:26 EST Interesting ports on tftpserver.yourcompany.com (196.45.34.1): (The 1473 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 67/udp open dhcpserver 69/udp open tftp 111/udp open rpcbind 123/udp open ntp 784/udp open unknown 5060/udp open sip 32768/udp open omad Sure enough, UDP port 69 (TFTP) is wide open for the attacker to start running queries against. The attacker is looking specifically for configuration files that he knows the exact names of; otherwise, he won't be able to retrieve them. Thanks to his previous Google hacking exercise, the attacker uses the MAC address of the Cisco phone to predict the configuration filename to download: [

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.