Penetration Testing mailing list archives

Re: Conducting Risk Assessment for VOIP and Thin Client


From: "Jezebel Ali" <jezebel_ali () hush com>
Date: Fri, 23 Jun 2006 18:14:06 +0400

Good day esteemed brother Chris Hammer,

You may look at the assessment in many ways.  One: Capture voice traffic
from the network and listen in on conversations.  Two: Compromise the VoIP
servers.  Three: Badly configured telephones.

On capturing voice traffic, usually there is one network reserved
for voice traffic.  Sometimes a large organization may have one
network per floor or switch.  It may be possible to hop onto the VLAN
by using 802.1Q tagging.  First try to sniff for VLAN traffic on the
network using Ethereal.  Usually, VoIP phones can also request an IP
address via DHCP.  If this is the case, then after you have hopped onto
the VLAN, use DHCP.  You will then have to use the intrusive technique
of ARP poisoning in order to capture voice traffic.  I have used the
tool Voipong (http://www.enderunix.org/voipong/).  It may be difficult
to VLAN hop in an MS Windows environment, but perhaps your latest NIC
driver has the capability.  Of course, if you are able, then utilize Cain
(http://www.oxid.it/cain.html).  Perhaps utilize Ettercap for ARP
spoofing also.

On compromising the server, it is simply a case of performing a VA and
gaining access.  If you have time, it may be possible to see how the
server handles bad packets in VoIP signaling protocols.  Perhaps then you
may be able to crash or exploit the server software.  Also think of DHCP
starvation of the server, then issuing your own DHCP address.

On compromising a bad phone, check the phone device itself.  It may be
possible that the phone is badly configured.  Check for a capability to
listen in on conversations.  Sometimes a supervisor has this ability.

There are many ways of playing with VoIP.  Enjoy.  Sorry for my bad
English.

Kind regards,
Jez





On Wed, 21 Jun 2006 18:40:04 +0400 Chris Hammer <CHammer () fcbnm com>
wrote:
Good morning,

I have been tasked with conducting a Risk Assessment / Vulnerability
Assessment on a VOIP and Thin Client environment. Does anyone have a
good template to start with, as well as ideas as to where to start? I am
familiar with both of these technologies and understand how they work,
but I am by no means an expert on them. Any help would be appreciated!

Cheers!
Chris

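A defender-side check for two techniques named in the reply above, ARP poisoning and DHCP starvation on the voice VLAN, added here as an example that is not part of the original thread. The event format, addresses, port names and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events (not a real capture), one per line:
#   <seconds> arp  <sender IP>   <sender MAC>   (ARP reply on the voice VLAN)
#   <seconds> dhcp <switch port> <client MAC>   (DHCPDISCOVER seen on a port)
SAMPLE = """\
0.0 arp 10.20.0.1 00:11:22:aa:00:01
1.0 arp 10.20.0.50 00:11:22:bb:00:50
2.0 dhcp Gi0/7 02:00:00:00:00:01
2.1 dhcp Gi0/7 02:00:00:00:00:02
2.2 dhcp Gi0/7 02:00:00:00:00:03
2.3 dhcp Gi0/7 02:00:00:00:00:04
5.0 arp 10.20.0.1 00:DE:AD:BE:EF:99
5.1 arp 10.20.0.50 00:de:ad:be:ef:99
9.0 dhcp Gi0/3 00:11:22:bb:00:51
"""

def parse(text):
    """Turn the sample lines into (time, kind, key, mac) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(float(ts), kind, key, mac.lower()) for ts, kind, key, mac in rows]

def arp_rebinds(events):
    """Report (time, ip, old_mac, new_mac) each time an IP moves to another MAC."""
    seen, alerts = {}, []
    for ts, kind, ip, mac in events:
        if kind != "arp":
            continue
        if seen.get(ip, mac) != mac:
            alerts.append((ts, ip, seen[ip], mac))
        seen[ip] = mac
    return alerts

def dhcp_starvation(events, window=1.0, max_macs=3):
    """Ports with more than max_macs distinct DISCOVER client MACs within window seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, kind, port, mac in events:
        if kind != "dhcp":
            continue
        q = recent[port]
        q.append((ts, mac))
        while ts - q[0][0] > window:  # drop DISCOVERs older than the window
            q.popleft()
        if len({m for _, m in q}) > max_macs:
            flagged.add(port)
    return sorted(flagged)

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(arp_rebinds(ev), dhcp_starvation(ev))
```

A phone swap or NIC replacement also produces a rebind, so treat each alert as a lead to check against the switch's MAC table. On the switch itself, DHCP snooping and dynamic ARP inspection are the usual controls for these two conditions.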



