Penetration Testing mailing list archives

RE: VoIP pentest ?


From: Mark Teicher <mht3 () earthlink net>
Date: Thu, 9 Dec 2004 11:33:25 -0500 (GMT-05:00)

Jerry,

These are just some of the products for Item #2 discussed in my post.

NetAlly from http://www.violanetworks.com/products.asp
Qovia Central from http://www.qovia.com

Physical Security of the Telecommunications Room (always a good place to start)
Encryption Methodologies (with each option, advantages and disadvantages of performance/security or security/performance)
VOIP Configuration Testing
Quality of Service Performance and Security Testing
TFTP exploitation (since most IP phones retrieve their settings via TFTP)
CALEA Compliance
Most VoIP equipment has basic protection against DDOS, but during a VOIP Security Assessment, what occurs to the equipment when it is being attacked is far more interesting, as are the continuity plans of the organization for when the VOIP network is not responding.
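The "Quality of Service Performance and Security Testing" item above, and the readiness question in the quoted thread, come down to measuring what the voice stream actually experiences. The following is an added example, not code from the list posting or from either product named above: it computes the RFC 3550 Appendix A packet-loss and interarrival-jitter statistics from raw RTP headers, which is the kind of number a readiness check should produce and a generic port scanner never will. The RTP stream is constructed in the block (8 kHz G.711 clock and 20 ms packetisation are assumptions), and the loss/delay it injects is deliberate so the effect on the statistics is visible.

```python
"""Added example (not from the mailing-list thread): RFC 3550 loss and jitter
statistics from RTP packet headers. The RTP stream below is constructed,
not captured traffic; clock rate and packetisation are assumptions."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

RTP_CLOCK_HZ = 8000          # assumed G.711 clock rate for the constructed stream
PACKET_PERIOD_S = 0.020      # assumed 20 ms packetisation: 160 ticks per packet


def build_rtp_header(seq: int, timestamp: int, ssrc: int = 0x1234ABCD, pt: int = 0) -> bytes:
    """Construct a 12-byte RTP v2 header (no CSRC list, no extension); used only to build sample input."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)


def parse_rtp_header(data: bytes) -> Tuple[int, int, int, int]:
    """Return (payload type, sequence number, timestamp, SSRC) from a raw RTP packet."""
    if len(data) < 12:
        raise ValueError("RTP header needs at least 12 bytes")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return b1 & 0x7F, seq, ts, ssrc


@dataclass
class RtpStreamStats:
    """Loss and jitter bookkeeping for one SSRC, following RFC 3550 Appendix A."""
    base_seq: Optional[int] = None
    max_seq: Optional[int] = None
    cycles: int = 0                      # 65536 added each time the 16-bit sequence number wraps
    received: int = 0
    jitter: float = 0.0                  # RFC 3550 A.8 interarrival jitter estimate, in RTP clock ticks
    last_transit: Optional[int] = None

    def update(self, seq: int, rtp_ts: int, arrival_s: float) -> None:
        if self.base_seq is None:
            self.base_seq = self.max_seq = seq
        elif seq < self.max_seq and self.max_seq - seq > 32768:
            self.cycles += 65536         # sequence number wrapped around
            self.max_seq = seq
        elif seq > self.max_seq:
            self.max_seq = seq
        self.received += 1
        # Transit time = arrival time (in RTP ticks) minus the sender's RTP timestamp.
        transit = int(round(arrival_s * RTP_CLOCK_HZ)) - rtp_ts
        if self.last_transit is not None:
            d = abs(transit - self.last_transit)
            self.jitter += (d - self.jitter) / 16   # RFC 3550 A.8 running estimator
        self.last_transit = transit

    @property
    def expected(self) -> int:
        return self.cycles + self.max_seq - self.base_seq + 1

    @property
    def lost(self) -> int:
        return self.expected - self.received

    def summary(self) -> Dict[str, float]:
        return {
            "expected": self.expected,
            "received": self.received,
            "lost": self.lost,
            "loss_pct": round(100.0 * self.lost / self.expected, 2),
            "jitter_ms": round(1000.0 * self.jitter / RTP_CLOCK_HZ, 3),
        }


def analyze_stream(packets: List[Tuple[float, bytes]]) -> Dict[str, float]:
    """packets: (arrival time in seconds, raw RTP bytes) for a single SSRC, in arrival order."""
    stats = RtpStreamStats()
    ssrc_seen = None
    for arrival_s, raw in packets:
        _pt, seq, ts, ssrc = parse_rtp_header(raw)
        if ssrc_seen is None:
            ssrc_seen = ssrc
        elif ssrc != ssrc_seen:
            raise ValueError("mixed SSRCs; analyze one stream at a time")
        stats.update(seq, ts, arrival_s)
    return stats.summary()


def constructed_stream(count: int, drop: FrozenSet[int] = frozenset(),
                       delay: Optional[Dict[int, float]] = None) -> List[Tuple[float, bytes]]:
    """Construct a perfectly paced stream, optionally dropping some sequence numbers
    and delaying others by the given number of seconds (sample input, not a capture)."""
    delay = delay or {}
    packets = []
    for i in range(count):
        if i in drop:
            continue
        arrival = i * PACKET_PERIOD_S + delay.get(i, 0.0)
        packets.append((arrival, build_rtp_header(seq=i, timestamp=i * 160)))
    return packets


if __name__ == "__main__":
    print("clean   :", analyze_stream(constructed_stream(50)))
    print("degraded:", analyze_stream(constructed_stream(50, drop=frozenset({10, 11}), delay={49: 0.030})))
```

On a real network the arrival times would come from a capture of one RTP flow; the two values this produces (loss percentage and jitter in milliseconds) are what the voice equipment's own jitter buffer has to absorb, so they say far more about readiness than an open-port list.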

-----Original Message-----
From: Jerry Shenk <jshenk () decommunications com>
Sent: Dec 9, 2004 10:56 AM
To: 'Mark Teicher' <mht3 () earthlink net>, pen-test () securityfocus com
Subject: RE: VoIP pentest ?

So, Mark - what are some of the good tools for testing a network for
VOIP readiness?  I've got a local company that is "real hot" on
VOIP....like it's gonna be the end-all to every problem.  I suppose it
can help a few issues but they need a little help giving a little
thought to some of the performance and security issues.

-----Original Message-----
From: Mark Teicher [mailto:mht3 () earthlink net] 
Sent: Monday, December 06, 2004 9:28 PM
To: pen-test () securityfocus com
Subject: Re: VoIP pentest ?


Actually, the question for VOIP pen-testing should be split into two
issues:

1. How vulnerable is a network with VOIP?
2. Is the network ready for VOIP?
3. VOIP Attack suite

1. Here is the tricky part: most savvy security consultants will apply normal security methodology techniques in examining a network, using <insert your favorite network topology mapping tool> and <insert your favorite network scanning tools> to assess the network. In a previous life, I worked with a Phd who didn't want to listen and who wrote a methodology for security assessments; only a minimum of what he wrote applies in examining a network with VoIP.

2. Is a network ready for VOIP? That is an interesting question, since most <insert your favorite scanning tool here> will provide an organization or security consultants very minimal information on whether a network is ready for VOIP. WARNING: If a security consultant offers a VOIP readiness check, inquire what tools they use; if their answer begins with <insert your favorite network scanning tool>, be very afraid.

3. VOIP Attack suite - there are rudimentary scanning tools out there for assessing VOIP products, but they do not encompass all the components of a VOIP setup. Here is the issue: running a scan across IP phones will cause users of a particular organization to get a little miffed, since most IP phones do not have denial of service protection built in, so that is out. Another issue is that most common intrusion detection systems have not incorporated VOIP protocol decodes into their products yet; there are a couple of pattern matching signatures out there for Sn0rt but very few, so at most, when running VOIP attacks on a VOIP network, the majority of noise will be from the users and very little information will be gathered about the VOIP products except OS banner collection and port flapping.

hope this helps

/m


At 08:32 AM 10/28/2004, Volker Tanger wrote:

Greetings!

On Wed, 27 Oct 2004 11:28:51 +0200 Frederic Charpentier
<fcharpen () xmcopartners com> wrote:
does anyone have experiences or papers on VoIP pentest/assessment?
Expecting classic OS/Network audits and H323/ASN.1 flaws, I can't find
any documentation or papers about flaws in VoIP architecture.

VoIP (SIP and H.323) do media transfer via (unencrypted) RTP/RTCP.
SIP is a simple, unauthenticated cleartext protocol. H.323 similar
(binary and more complex, but still unauthenticated).

With ARPspoofing etc. it is simple to listen to voice streams or call
setup - or change it. So re-routing voice streams or calls should be
simple.

Quite a high percentage of systems were/are susceptible to buffer
overflows it seems (forgot the URL - about half a year ago).

For other fun with SIP see e.g.
http://www.infoanarchy.org/story/2004/9/15/23127/3363

Bye

Volker Tanger
ITK Security
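Volker's two points (SIP signalling is cleartext and unauthenticated; media goes over unencrypted RTP) can be checked directly from the messages on the wire. The following is an added example, not code from the thread: a small parser for SIP messages and their SDP body, plus an audit that flags the weak properties a defender would want reported, namely a `sip:` rather than `sips:` Request-URI, a top `Via` transport other than TLS, media lines offered as plain `RTP/AVP`, and `RTP/SAVP` offers that carry no `a=crypto` or `a=fingerprint` keying. Both INVITE messages in the block are constructed samples (hosts, branch tags and the SRTP key material are placeholders), one showing the weak configuration and one the hardened equivalent.

```python
"""Added example (not part of the thread): audit SIP/SDP messages for
cleartext signalling and unencrypted media. Both messages below are
constructed samples; addresses, tags and key material are placeholders."""
from typing import Dict, List, Tuple

SECURE_TRANSPORTS = ("TLS", "WSS")


def parse_sip(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a SIP message into (start line, headers, body).
    Header names are folded to lowercase; repeated headers are kept in order."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")       # first colon only: values contain colons
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_sdp_media(body: str) -> List[Tuple[str, int, str]]:
    """Return (media type, port, transport profile) for every m= line in an SDP body."""
    media = []
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            media.append((fields[0], int(fields[1]), fields[2]))
    return media


def audit_sip(raw: str) -> List[str]:
    """Return human-readable findings for one SIP message (empty list = nothing flagged)."""
    findings: List[str] = []
    start, headers, body = parse_sip(raw)
    fields = start.split()
    if fields[0] == "SIP/2.0":
        kind = f"response {fields[1]}"
    else:
        kind = f"{fields[0]} request"
        if fields[1].lower().startswith("sip:"):
            findings.append(f"{kind}: Request-URI uses sip: rather than sips:, so TLS is not required hop by hop")
    # Top Via value looks like "SIP/2.0/UDP host:port;branch=..."; the transport is the last token.
    via = headers.get("via", [""])[0]
    transport = via.split()[0].split("/")[-1].upper() if via else "UNKNOWN"
    if transport not in SECURE_TRANSPORTS:
        findings.append(f"{kind}: signalling via {transport}, headers and SDP are cleartext on the wire")
    if body and headers.get("content-type", [""])[0].lower().startswith("application/sdp"):
        attrs = [ln[2:] for ln in body.splitlines() if ln.startswith("a=")]
        keyed = any(a.startswith(("crypto:", "fingerprint:")) for a in attrs)
        for mtype, port, profile in parse_sdp_media(body):
            if profile.startswith("RTP/AVP"):
                findings.append(f"{kind}: {mtype} on port {port} offered as {profile}, plain RTP that can be recorded or altered in transit")
            elif profile.startswith("RTP/SAVP") and not keyed:
                findings.append(f"{kind}: {mtype} on port {port} offered as {profile} but no a=crypto or a=fingerprint keying present")
    return findings


# Constructed sample: the weak case, UDP signalling and a plain RTP offer.
WEAK_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-1\r\n"
    "From: <sip:alice@example.com>;tag=constructed-a\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: constructed-call-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\n"
)

# Constructed sample: the hardened case, sips: URI, TLS Via and an SRTP offer with SDES keying.
HARDENED_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-constructed-2\r\n"
    "From: <sips:alice@example.com>;tag=constructed-b\r\n"
    "To: <sips:bob@example.com>\r\n"
    "Call-ID: constructed-call-2@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYNOTREALKEYMATERIAL0000000\r\n"
)

if __name__ == "__main__":
    for label, msg in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        print(f"[{label}]")
        for finding in audit_sip(msg) or ["no findings"]:
            print("  -", finding)
```

The audit works on single messages, so it reports properties of the offer rather than the negotiated result; a complete check would pair each INVITE with its 200 OK answer and confirm the answer also kept `RTP/SAVP`. Only the `Via` header in its long form is parsed; the compact `v:` form would need the same treatment.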