Re: Pentesting a SONUS / SIP Network

[Mihai Amarandei <mihai () xmcopartners com>]

From my knowledge, up to now, no such real standards exists. 
VOIPSA(VoIP Security Alliance – www.voipsa.org) is in the process of 
developing a standard taxonomy that would be a base for defining VoIP 
pen-test guidelines. But until then, pen-test in this domain is pretty 
much left at the creativity of the pen-tester.
Several methodologies are possible , depending on the extent of your tests :

If you have to verify the entire VoIP infrastructure, you could try a 
layered approach :

* physical layer(actually, i think you can skip this one, but I’d rather 
mention it) : play with the wires and see what you can listen to

* network config/network devices layer(try the ARP/DNS poisoning, DHCP 
insertion, etc)

* VoIP signaling protocols(SIP and SIP attacks) – testing attack 
scenarios (SIP-Bye, SIP-Cancel, ID-Spoofing, etc)

* VoIP transport protocols(RTP) – here you can try mostly injection attacks

* application/os layer(search the applications/os evolved for known vulns)



This isn’t by all mean the only way to carry a SIP pen-test.

By the way, if anyone out there has others ideas on conducting such 
tests, I’d love to hear more.

Mihai
Blog : http://secinternship.blogspot.com

Luis H. Gomez-Danes Mejia wrote:

> Hello,
>
> Does any body has any name of a standar to do a pen-tes to SIP/Network, Most
> of this network is on Unix flavor so I have a very good idea of what to do,
> I want to know if any of you knows any document or the name of the document
> to stablish a base line to carry out this task
>
> Thanks in advace. 
>
>
> Luis H. Gomez-Danes Mejia
> GDM2000 Consulting
> Tel.  818 1159321
> Mob.  818 2800432
> lgomez () gdm2000 com mx
>
> The information in this e-mail and attachment is confidential. It is
> intended only for the use of the individual or entity to which it is
> addressed and may contain information that is non-public, proprietary and
> may be legally privileged. If you have received this e-mail in error or are
> not the intended recipient, please immediately notify the sender by return
> e-mail and delete this message from your computer. Any use, distribution, or
> copying of this e-mail other than by the intended recipient is strictly
> prohibited.
>
>
> La información contenida en este correo electrónico y anexos es
> confidencial. Esta dirigida únicamente para el uso del individuo o entidad a
> la que fue dirigida y puede contener información propietaria que no es del
> dominio público. Si has recibido este correo por error o no eres el
> destinatario al que fue enviado, por favor notifica al remitente de
> inmediato y borra este mensaje de tu computadora. Cualquier uso,
> distribución o reproducción de este correo que no sea por el destinatario de
> intención queda prohibido.
>
> -----Original Message-----
> From: Sebastian Muñiz [mailto:smuniz () elinpar com] 
> Sent: Sunday, June 12, 2005 4:43 PM
> To: J. K.; pen-test () securityfocus com
> Subject: RE: Pentesting a HP-UX with SMSC
>
> That's OK J.K... you had work to do ;)
> About SMSs, what you could try is to reset the TCP connection of the ESME to
> the SMSC so when it tries to reconnect, in the first data packet you will
> see the username/password in plain text.
> Good luck !!!!
>
> -----Mensaje original-----
> De: J. K. [mailto:pentest_ml () yahoo com]
> Enviado el: Domingo, 12 de Junio de 2005 06:07 p.m.
> Para: pen-test () securityfocus com
> Asunto: RE: Pentesting a HP-UX with SMSC
>
>
> Hello Sebastian,
>
> yes, I am pretty sure that I am dealing with a SMSC server. Beside the CIMD2
> banner that it provides, I found some hints in the machine I am connecting
> from (a DMZ host I previously took over) that suggest that we are talking
> about SMS traffic (even if it seems to be a testing environment: I see no
> SMSs when sniffing the network).
>
> I tried to fingerprint the server to figure out exactly what app is running
> there, but with no success.
>
> Anyway, I found an established connection between the client and this
> mysterious server app; my next step will be to attach gdb to the process
> owning that
> connection: my hope is that username and password are still somewhere in its
> memory space ;)
>
> Cheers
>
> j.k.
>
> P.s.: sorry for the late reply: in the last 3-4 days I focused on another
> part of the target network ;)
>
> --- Sebastian Muñiz <smuniz () elinpar com> wrote:
>  
>
> > This apps Do install default user/password but depends on the one that 
> > you found....
> > You should try to indentify this one but thought SMSC has no tcp port 
> > specially assigned to it, it won't help you unless this software 
> > version is in the default port (and identifying the version of every 
> > SMSC arround should be a very hard work)...
> >
> > If you want to connect to it, you should get an ESME (which is the 
> > client that connects to a SMSC in this kind of Client-Server 
> > architecture) but the protocol SMPP they use (Short Message Peer To 
> > Peer) uses username and password (the password could be blank is the 
> > SMSC admin wanted so).
> > Here I sent you a link to a page where you can find the SMPP protocol 
> > specification and a ESME client made in java to test against this 
> > server of yours.
> >
> >    
> http://opensmpp.logica.com/CommonPart/Download/download2.html
>  
>
> > You could allways try to get the source code for this inplementation 
> > (if this is available) and try to find bugs in it but it is a subject 
> > for another post ;-)
> >
> > ohh... and i am not aware of any exploit arround for any 
> > implementation of this protocol!!! :( But if you get one, let me know 
> > :)
> >
> > anyway..... Are you sure it is an SMSC server that you found????
> >
> >   Cheers, Sebastian
> >
> > -----Mensaje original-----
> > De: J. K. [mailto:pentest_ml () yahoo com] Enviado el: Miércoles, 08 de 
> > Junio de 2005 11:05 a.m.
> > Para: pen-test () securityfocus com
> > Asunto: Pentesting a HP-UX with SMSC
> >
> >
> > Hello fellow pen-testers,
> >
> > in my current engagement I bumped into a HP-UX
> > (B.11.11) server protected by a firewall (not an internet facing 
> > firewall, tho).
> > The only open ports I can connect to are telnet and 9971.
> >
> > Connecting to 9971 I get the following:
> >
> > # telnet x.x.x.x 9971
> > Trying x.x.x.x...
> > Connected to x.x.x.x.
> > Escape character is '^]'.
> > CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4 Time = 
> > 050608153449 AccessType = TCPIP_SOCKET PIN =
> > 630777
> >
> > Googling around, I found that this daemon should be a SMSC (Short 
> > Message Service Center). I also found that on HP-UX there are a few 
> > SMSC apps available (Locus,
> > FEELingK,...)
> >
> > My questions are:
> > 1. Do you know of any vulnerability or attack avenue on this 
> > protocol/service ?
> > 2. Do you know if these SMSC apps install some default user whose 
> > password I can try to guess ?
> > 3. Any other idea ?
> >
> > Of course I could just fire off Hydra against the telnet server, but I 
> > would like to find something less noisy ;)
> >
> > Thanks
> >
> > j.k. 
> >
> >
> >                 
> > __________________________________
> > Discover Yahoo! 
> > Have fun online with music videos, cool games, IM and more. Check it 
> > out!
> > http://discover.yahoo.com/online.html
> >
> >    
>
>
>
>                 
> __________________________________ 
> Yahoo! Mail 
> Stay connected, organized, and protected. Take the tour: 
> http://tour.mail.yahoo.com/mailtour.html 
>
>
>
>
>  


--
Mihai Amarandei-Stavila - Xmco Partners
Consultant Sécurité / Test d'intrusion

tel  : 33 1 47 34 68 61
web  : http://www.xmcopartners.com
Villa Gabrielle 75015 PARIS