Penetration Testing mailing list archives
Re: Auditing asterisk servers?
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 11 Feb 2009 13:52:34 -0600
On Tue, 10 Feb 2009, publists () enablesecurity com wrote:
My answer would be "a bit of both". An Asterisk box is yet another network server that is vulnerable to typical network attacks (DoS, vulnerable web config, etc.). However, there are concerns that are more VoIP specific, such as toll fraud and phone tapping concerns.

Resources: There are special tools for VoIP. Voipsa has a good list [1], and check out SIPVicious [2] as well! If you have a copy of CANVAS then VOIPPACK [3] (for which I am an author) is a great option. I just added 2 new tools that target Asterisk boxes [4] ;-)

[1] http://www.voipsa.org/Resources/tools.php
[2] http://sipvicious.org/
[3] http://www.vimeo.com/2524735
[4] http://www.vimeo.com/3162761

Cheers
Sandro Gauci
I think too many people overlook VoIP as an attack or pentesting vector. The fun you could have with curl post and a little creativity. So a potential fragmented attack scenario would go as follows...

Location 1 (one state)
Location 2 (another state)

Using curl to post to VoIP phones, it could be so easy to create a callfile in Asterisk telling someone to reset their voicemail password. If you have to ask why, then perhaps you need to be more creative in your pentesting engagements.

Callfile (CID of sysadmin@Location1) --> recording --> user @ Location2: "Please call after hours and state your desired password for email" or something along those lines.

Sort of relevant to any IP PBXs, which is why it's best to separate data and voice (VLANs, etc.). Anyhow, VoIP is no different from email from an attack/testing perspective. It's data, nothing more, nothing less:

User@Location2 calls Sysadmin@Location1:

User: "You want me to change my password!"
Sysadmin: "Someone must be messing with you"
User: "You don't say"
Sysadmin: "Well, to be on the safe side, your password is now blah blah blah"

Via an IP call. Guess what, still sniffable and replayable with Wireshark.

Anyway ;) Don't count VoIP out of your equation

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E