Re: Seeking Information regarding VoIP security Assessment

["Ivan ." <ivanhec () gmail com>]

some dude posted this a while back - haven't tried it myself yet.....

++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am pretty new to the list and just wanted to let everyone know that
I have developed a VoIP security live distribution called VAST. The
distro includes VoIP security assessment tools such as UCsniff,
VoipHopper, Videojak, videosnarf, ACE, Warvox, and a number of other
useful tools along with traditional security assessment tools like
Metasploit, Nmap, Netcat, Hydra, Hping2 and others. The link for the
distro is http://vipervast.sourceforge.net. The distro is still in a
very beta stage and suggestions are welcome.

Cheers,
Mike Jones
C|EH E|CSA ACSA GCIH GHTQ GHD
6e6f7468696e67206973206173206974207365656d73
++++++++++++++++++++++++++++++++++++++++++++++++++++++


On Thu, Oct 15, 2009 at 5:14 AM, J. Oquendo <cisa () e-fensive net> wrote:
> Abhishek Kumar wrote:
> > Really very helpful suggestions and resources.
> >
> > Actually I have been given a task to write 2-3 page writeup on VoIP
> > Security and how we can do VoIP
> > security assessment.
> >
> > regards
> > abhi
>
> Depends on what your goal(s) is/are. For example, snooping
> (eavesdropping) is accomplished by sniffing the wire and recompiling the
> audio (RTP or other protocol used
> http://www.ietf.org/rfc/rfc3550.txt?number=3550) which would affect
> confidentiality. With any kind of packet injection tool and knowledge of
> SIP (if SIP is targeted) you could do some interesting things. Because
> most VoIP equipment are using a client server set-up and almost ALL VoIP
> based phones have a web interface, they're DoSable, prone to the same
> attacks as any other HTTP server.
>
> Imagine the following: Using curl being able to reset variables. Not a
> big deal at first glimpse, however imagine this:
>
> Scenario1: You change your caller ID as that of an employee. Call IT and
> tell them "reset my X (voicemail, email, etc.) password" Because the IT
> guy wants to validate you he uses caller ID and does so.
> Scenario2: You change your caller ID as that of an employee. Call IT and
> tell them "reset my X (voicemail, email, etc.) password" Because the IT
> guy wants to validate you he refuses to use caller ID and tells you he
> will call you right back. At this point if you DoS'd the phone it
> wouldn't receive calls hence them going into voicemail. In comes perl,
> curl or whatever packet builder you prefer... Perform a POST to the
> phone or server, depending on your craftiness and time, reset the
> voicemail PIN. Go into the user's voicemail, instant pentesting
> gratification.
>
> There are plenty of ways to abuse VoIP - the facts are facts though -
> it's just data. From a sniffing/PITA perspective, you could snoop calls,
> splice together audio and create your own soundboard WITH that person's
> voice - perhaps bypassing voice recognition. Sky's the limit when you
> have a focus on what it is you want to do. So ask yourself that first...
> What is it you want to do... Capture data, manipulate data, etc.
>
> I know quite a few revisions of firmware on certain phone vendors that I
> can re-write POSTS and reset phones, passwords, change names, insert a
> call forward argument. It all boils down to what is it you're trying to
> accomplish. In the case of an assessment, the approach for me would be
> to start at the ground up. Test the security of the phone application
> itself (HTTP scanner), test if any ports are open and why - which means
> you'd have to have literature from the manufacturer, test the
> tamperability of the connection (can you sniff the wire, any vlans (VLAN
> hopping), can you perform posts/injections, etc). Follow the same steps
> you would for any client server.
>
> --
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "It takes 20 years to build a reputation and five minutes to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------