Penetration Testing mailing list archives

Re: Auditing asterisk servers?


From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 11 Feb 2009 13:52:34 -0600

On Tue, 10 Feb 2009, publists () enablesecurity com wrote:

My answer would be "a bit of both". An Asterisk box is yet another network server that is vulnerable to typical 
network attacks (DoS, vulnerable web config, etc.). However, there are concerns that are more VoIP specific, such as 
toll fraud and phone tapping concerns.

Resources:

There are special tools for VoIP. Voipsa has a good list [1], and check out SIPVicious [2] as well! 

If you have a copy of CANVAS then VOIPPACK [3] (for which I am an author) is a great option. I just added 2 new tools 
that target Asterisk boxes [4] ;-)

[1] http://www.voipsa.org/Resources/tools.php
[2] http://sipvicious.org/
[3] http://www.vimeo.com/2524735
[4] http://www.vimeo.com/3162761

Cheers

Sandro Gauci


I think too many people overlook VoIP as an attack or
pentesting vector. The fun you could have with a curl
POST and a little creativity. So a potential fragmented
attack scenario would go as follows...

Location 1 (one state)
Location 2 (another state)

Using curl to post to VoIP phones, it could be so easy
to create a callfile in Asterisk telling someone to reset
their voicemail password. If you have to ask why, then
perhaps you need to be more creative in your pentesting
engagements.

Callfile (CID of sysadmin@Location1) --> recording --> user @ Location2
"Please call after hours and state your desired password
for email" or something along those lines. Sort of
relevant to any IP PBXs, which is why it's best to
separate data and voice (VLANs, etc.).

Anyhow, VoIP is no different from email from an
attack/testing perspective. It's data, nothing
more, nothing less:

User@Location2 calls Sysadmin@Location1:

User: "You want me to change my password!"
Sysadmin: "Someone must be messing with you"
User: "You don't say"
Sysadmin: "Well to be on the safe side, your
password is now blah blah blah"

Via an IP call. Guess what, still sniffable and
replayable with Wireshark. Anyway ;) Don't count
VoIP out of your equation.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E