Penetration Testing mailing list archives
VoIP pentest ?
From: Mark Teicher <mht3 () earthlink net>
Date: Thu, 9 Dec 2004 12:36:27 -0500 (GMT-05:00)
There are several ways to provide some information to your question. As in my previous response, there are some commercial products available to assist in VOIP network readiness <QOS, jitter, etc.>. The other is conducting the audit itself.

1. Physical Access - A sledge hammer or unplugging the PBX can do more damage than finding an X-Windows exploit. <Good to insert into any report: "We found X running on port 6000, and the janitor has the ability to unplug the PBX to plug in their heavy-duty floor buffer."> <Which would be given more weight in this case?>

2. System Configuration - a majority of TDM PBXs that have the ability to support a MEDIA/IP card usually have a support modem attached <for vendor/customer support>. Most network scanners will not pick the support modems up, and a majority of the time an organization forgets the number or forgets it is even there. Better, the vendor providing support can't provide logs for when they log in.

3. Log Analysis - not very useful, especially when examining legacy PBX network equipment. Good luck looking for source and dest IP, or correlating SMDR output to the Call Detail Recording system in place. Another item to look at is the maintenance support companies. <How many times did you see calls over the PSTN to the PBX manufacturer of more than x minutes, because Cesar the support tech got caught up in a conference call and forgot to close the PBX Remote Console, ringing up minutes of your long distance?> <Again, not covered by your <insert traditional network security scanning tool>.>

4. Disaster Recovery Plan - does the organization have a backup plan? How much money is lost when a network outage occurs, and how much does it cost when the telecommunication network goes out? Multiply that by the number of dollars to migrate to VOIP and then include traditional network outage costs in the new figure.
-----Original Message-----
From: Jerry Shenk [mailto:pen-test () securityfocus com]
Sent: Thursday, December 09, 2004 10:57 AM
To: 'Mark Teicher'; pen-test () securityfocus com
Subject: RE: VoIP pentest ?

So, Mark - what are some of the good tools for testing a network for VOIP readiness? I've got a local company that is "real hot" on VOIP... like it's gonna be the end-all to every problem. I suppose it can help a few issues, but they need a little help giving a little thought to some of the performance and security issues.

-----Original Message-----
From: Mark Teicher [mailto:mht3 () earthlink net]
Sent: Monday, December 06, 2004 9:28 PM
To: pen-test () securityfocus com
Subject: Re: VoIP pentest ?

Actually, the question for VOIP pen-testing should be split into two issues:

1. How vulnerable is a network with VOIP?
2. Is the network ready for VOIP?
3. VOIP attack suite

1. Here is the tricky part: most savvy security consultants will apply normal security methodology techniques in examining a network, using <insert your favorite network topology mapping tool> and <insert your favorite network scanning tool> to assess the network. In a previous life, I worked with a PhD who didn't want to listen and who wrote a methodology for security assessments; only a minimum of what he wrote applies to examining a network with VoIP.

2. Is a network ready for VOIP? That is an interesting question, since most <insert your favorite scanning tool here> will provide an organization or security consultants very minimal information on whether a network is ready for VOIP. WARNING: if a security consultant offers a VOIP readiness check, inquire what tools they use; if their answer begins with <insert your favorite network scanning tool>, be very afraid.

3. VOIP attack suite - there are rudimentary scanning tools out there for assessing VOIP products, but they do not encompass all the components of a VOIP setup.

Here is the issue: running a scan across IP phones will cause users of a particular organization to get a little miffed, since most IP phones do not have denial-of-service protection built in, so that is out. Another issue is that most common intrusion detection systems have not incorporated VOIP protocol decodes into their products yet; there are a couple of pattern-matching signatures out there for Sn0rt, but very few. So at most, when running VOIP attacks on a VOIP network, the majority of noise will be from the users and very little information will be gathered about the VOIP products except OS banner collection and port flapping.

hope this helps
/m

At 08:32 AM 10/28/2004, Volker Tanger wrote:
Greetings!

On Wed, 27 Oct 2004 11:28:51 +0200 Frederic Charpentier <fcharpen () xmcopartners com> wrote:

> does anyone have experiences or papers on VoIP pentest/assessment ? Expecting classic OS/Network audits and H323/ASN.1 flaws, I can't find any documentation or papers about flaws in VoIP architecture.

VoIP (SIP and H.323) does media transfer via (unencrypted) RTP/RTCP. SIP is a simple, unauthenticated cleartext protocol. H.323 is similar (binary and more complex, but still unauthenticated). With ARP spoofing etc. it is simple to listen to voice streams or call setup - or change them. So re-routing voice streams or calls should be simple. Quite a high percentage of systems were/are susceptible to buffer overflows, it seems (forgot the URL - about half a year ago). For other fun with SIP see e.g. http://www.infoanarchy.org/story/2004/9/15/23127/3363

Bye

Volker Tanger
ITK Security
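The two weaknesses Volker describes, unauthenticated cleartext SIP signalling and media carried over plain RTP, are visible in the signalling itself, which is where a readiness audit can check for them without touching the phones. The following Python script is an added example for this archive page, not code from the thread or from any of its posters: it walks a captured SIP exchange message by message and flags signalling whose Via header names UDP or TCP rather than TLS, a registrar that answers 200 OK to a REGISTER it never challenged for Digest credentials (no 401 round trip), and SDP offers that use the RTP/AVP profile instead of the SRTP profile RTP/SAVP. The messages, the 10.0.0.5 host, the pbx.example.test domain, the Digest response and the SRTP key are all constructed sample data, marked as placeholders where a real value would go.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SipMessage:
    start_line: str
    headers: Dict[str, List[str]]  # lower-cased header name -> values, in order
    body: str

    def hdr(self, name: str) -> str:
        values = self.headers.get(name.lower())
        return values[0] if values else ""

    @property
    def is_request(self) -> bool:
        return not self.start_line.startswith("SIP/2.0")  # responses begin with the version

    @property
    def method(self) -> str:  # a response carries its method in CSeq ("CSeq: 1 REGISTER")
        return self.start_line.split()[0] if self.is_request else self.hdr("CSeq").split()[-1]


def parse_sip(raw: str) -> SipMessage:
    """Minimal RFC 3261 framing: start line, header lines, blank line, optional body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines, headers = head.split("\n"), {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return SipMessage(lines[0], headers, body)


def via_transport(msg: SipMessage) -> str:
    """'Via: SIP/2.0/UDP host:port;branch=...' -> 'UDP'; only TLS means encrypted signalling."""
    m = re.match(r"SIP/2\.0/(\w+)", msg.hdr("Via"))
    return m.group(1).upper() if m else "UNKNOWN"


def media_profiles(sdp: str) -> List[str]:
    """Transport profile of each SDP m= line: RTP/AVP is plain RTP, RTP/SAVP is SRTP."""
    return [m.group(1) for m in re.finditer(r"^m=\S+\s+\d+\s+(\S+)", sdp, re.M)]


def audit_exchange(messages: List[str]) -> List[str]:
    """Walk one captured SIP exchange in order and list the weaknesses it exhibits."""
    findings: List[str] = []
    pending: Dict[Tuple[str, str], SipMessage] = {}  # (Call-ID, CSeq) -> request
    for n, raw in enumerate(messages, start=1):
        msg = parse_sip(raw)
        key = (msg.hdr("Call-ID"), msg.hdr("CSeq"))
        if msg.is_request:
            pending[key], label = msg, f"#{n} {msg.method}"
            if via_transport(msg) in ("UDP", "TCP"):
                findings.append(f"{label}: signalling over cleartext {via_transport(msg)}")
        else:
            code, req = msg.start_line.split()[1], pending.get(key)
            label = f"#{n} {code} for {msg.method}"
            # 200 to a REGISTER that carried no Digest credentials means the registrar never
            # challenged it (no 401 round trip), so anyone can claim that extension
            if code == "200" and req and req.method == "REGISTER" and not req.hdr("Authorization"):
                findings.append(f"{label}: registration accepted without Digest credentials")
        if msg.hdr("Content-Type").lower().startswith("application/sdp"):
            for profile in media_profiles(msg.body):
                if profile.upper() == "RTP/AVP":
                    findings.append(f"{label}: media as RTP/AVP (plain RTP, not SRTP)")
    return findings


def _msg(start: str, headers: List[str], body: str = "") -> str:
    """Build a CRLF-framed message; every message below is a constructed sample, not a capture."""
    return "\r\n".join([start, *headers, f"Content-Length: {len(body)}", "", body])


SDP_PLAIN = "v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n"
SDP_SRTP = SDP_PLAIN.replace("RTP/AVP", "RTP/SAVP") + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY\r\n"
UDP_VIA = "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK"
TLS_VIA = "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK"

# Exchange 1: what the thread describes - cleartext UDP, an unchallenged REGISTER, plain RTP
WEAK_EXCHANGE = [
    _msg("REGISTER sip:pbx.example.test SIP/2.0", [UDP_VIA + "1", "Call-ID: a1", "CSeq: 1 REGISTER"]),
    _msg("SIP/2.0 200 OK", [UDP_VIA + "1", "Call-ID: a1", "CSeq: 1 REGISTER"]),
    _msg("INVITE sip:2002@pbx.example.test SIP/2.0",
         [UDP_VIA + "2", "Call-ID: b1", "CSeq: 1 INVITE", "Content-Type: application/sdp"], SDP_PLAIN),
]

# Exchange 2: TLS signalling, a 401 Digest challenge before registration, SRTP media
HARDENED_EXCHANGE = [
    _msg("REGISTER sip:pbx.example.test SIP/2.0", [TLS_VIA + "3", "Call-ID: c1", "CSeq: 1 REGISTER"]),
    _msg("SIP/2.0 401 Unauthorized", [TLS_VIA + "3", "Call-ID: c1", "CSeq: 1 REGISTER",
                                      'WWW-Authenticate: Digest realm="pbx.example.test", nonce="n1"']),
    _msg("REGISTER sip:pbx.example.test SIP/2.0", [TLS_VIA + "4", "Call-ID: c1", "CSeq: 2 REGISTER",
         'Authorization: Digest username="2001", realm="pbx.example.test", nonce="n1", response="PLACEHOLDER_DIGEST"']),
    _msg("SIP/2.0 200 OK", [TLS_VIA + "4", "Call-ID: c1", "CSeq: 2 REGISTER"]),
    _msg("INVITE sip:2002@pbx.example.test SIP/2.0",
         [TLS_VIA + "5", "Call-ID: d1", "CSeq: 1 INVITE", "Content-Type: application/sdp"], SDP_SRTP),
]

if __name__ == "__main__":
    for name, exchange in (("weak", WEAK_EXCHANGE), ("hardened", HARDENED_EXCHANGE)):
        print(name, audit_exchange(exchange) or ["no findings"])
```

Run against the weak exchange it reports four findings (cleartext UDP on both requests, the unchallenged registration, and the RTP/AVP offer); the hardened exchange yields none, because the registrar answered the first REGISTER with 401 and only accepted the retry that carried credentials, and the offer used RTP/SAVP with an a=crypto line. To use it on your own network, export the SIP messages of a few calls from a packet capture and pass them in order; the pairing on (Call-ID, CSeq) is what lets the script tell a challenged registration from an unchallenged one.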