Re: pentesting voip network-please help

[YGN Ethical Hacker Group <lists () yehg net>]

http://www.tacticalvoip.com/tools.html


YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net



On Tue, Feb 2, 2010 at 9:54 PM, McGhee, Eddie <Eddie.McGhee () ncr com> wrote:
> Hi Marco,
>
> There is usually two tftps configured for the 7941 phone, I would check in settings and try to connect to the second 
> tftp if available. These are available off these Settings -> Network configuration -> options 8 and 9 on 7941 I have 
> on my desk here.
>
> Next I would look at where the busiest/most interesting RTP packets are coming from and choose which hosts to poison, 
> if it is possible, get the IP's of staff high in the organization and arp poison these clients then sniff away.
>
> Last piece of advice may be relevant or not but backtrack is fully loaded with great tools for pentesting VOIP, is 
> this what you are using?
>
> Regards
>
>  phed
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mzcohen2682 () aim com
> Sent: 29 January 2010 18:16
> To: pen-test () securityfocus com
> Subject: pentesting voip network-please help
>
>
>
>
>
>  hi all !!
>
> im doing an internal (lan) pentest for a voip network. the network has
> 6 cisco call manager version 6.1.3 as a cluster. they have cisco phones
> 7911 and 7941. they use a seperate vlan por the voip network.
>
> I started by trying to download the images files for the phones from the tftp server by doing a brute force attack 
> for the names of the files.
>
> I have access to one of the 7941 phones so I checked that the verion of the image is 4.0/8.0 (9.0) in not sure what 
> should be the names for the file images that the phones reload after boot but according to cisco documentation there 
> must be SIPdefault.cnf and OS79xx.txt on the root directory of the tftp server. but I tried and there are not..
>
> so what are the nemes of the files? I read a documents that said that if im am able to download those files I will 
> find lots of interseting information like phone passwords etc..
>
> after that... I tried to capture some RTP conversations but without any success. I am connected to the voip vlan and 
> used wireshark but It doesnt detect any calles ! shoud I do some arp spoofing attack? but to which mac's?
>
> any other ideas how to continue with this pentest?
>
> what I see is that although the client didnt implement encryption or any other security control just the vlan isnt 
> not so eaxy to pentest a voip network..
>
> thanks
>
> marco
>
>
>
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------