Penetration Testing mailing list archives

RE: pentesting voip network-please help


From: 김무성 <kimms () infosec co kr>
Date: Wed, 3 Feb 2010 09:21:20 +0900

Hello.

Try to check this

000000000000.cfg
000000000000-directory~.xml
323tosip1_1.bin
4601_02_readme_R2_3.txt
4601dbte1_82.bin
4602_02SWSIPreadme_R1_1.txt
4602dbte1_82.bin
4602sbte1_82.bin
4610_20_readme_R2_3.txt
4610_20_readme_SIP_R2_2.txt
4624_12_06readme_1_8_3.txt
4625_readme_2_5.txt
4690_010707.bin
4690_readme_1_7_7.txt
46xxreadme_111405.txt
46xxsettings.txt
46xxupgrade.scr
a01d01b2_3.bin
a02d01b2_3.bin
a10d01b2_3.bin
a20d01a2_3.bin
a20d01b2_3.bin
a25d01a2_5.bin
b01d01b2_3.bin
b02d01b2_3.bin
b10d01b2_3.bin
b20d01a2_3.bin
b20d01b2_3.bin
b25d01a2_5.bin
bbla0_83.bin
bootrom.ld
cisco_util
CP7912010301SIP050608A.sbin
cvt01_2_3.bin
cvt02_2_3.bin
cvt02sw_2_3.bin
def06r1_8_3.bin
def24r1_8_3.bin
dialplan.xml
gkdefault.cfg
infrared.txt
merlin2.pcm
OS79XX.TXT
P003-07-5-00.bin
P003-07-5-00.sbn
P0S3-07-5-00.bin
P0S3-07-5-00.loads
P0S3-07-5-00.sb2
phbook00e011010455.txt
phone1.cfg
release.xml
RINGLIST.DAT
s10d01b2_2.bin
s20d01b2_2.bin
SEP000F34118045.cnf
SEP001562EA69E8.cnf
SEPDefault.cnf
SIP000F34118045.cnf
SIPinsertMAChere.cnf
SIP000F34118045.cnf
SIPinsertMAChere.cnf
SIPinsertMAChere.cnf
sip_4602ap1_1.ebin
sip_4602bt1_1.ebin
sip_4602D01A.txt
sip_4602D02A.txt
sip.cfg
SIPDefault.cnf
sip.ld
sipto323_1_1.ebin
sip.ver
SoundPointIPLocalization
SoundPointIPWelcome.wav
syncinfo.xml
test
test.txt
uip200_463enc.pac
uniden00e011030397.txt
unidencom.txt
XMLDefault.cnf.xml

For call sniffing, you have to ARP spoof or make a hub network.
ARP spoof between the gateway and your computer.

Try~!


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mzcohen2682 () aim com
Sent: Saturday, January 30, 2010 3:16 AM
To: pen-test () securityfocus com
Subject: pentesting voip network-please help





 hi all !!

I'm doing an internal (LAN) pentest for a VoIP network. The network has
6 Cisco Call Manager version 6.1.3 as a cluster. They have Cisco phones
7911 and 7941. They use a separate VLAN for the VoIP network.

I started by trying to download the image files for the phones from
the TFTP server by doing a brute force attack for the names of the
files.

I have access to one of the 7941 phones, so I checked that the version of
the image is 4.0/8.0 (9.0).
I'm not sure what the names of the image files that the
phones reload after boot should be, but according to Cisco documentation there
must be SIPdefault.cnf and OS79xx.txt in the root directory of the TFTP
server. But I tried and they are not there.

So what are the names of the files? I read a document that said that
if I am able to download those files I will find lots of interesting
information like phone passwords etc.

After that, I tried to capture some RTP conversations but without any
success. I am connected to the VoIP VLAN and used Wireshark but it
doesn't detect any calls! Should I do some ARP spoofing attack? But to
which MACs?

Any other ideas how to continue with this pentest?

What I see is that although the client didn't implement encryption or
any other security control, just the VLAN, it isn't so easy to pentest a
VoIP network.

thanks

marco





  

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
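
Seen from the TFTP server's side, the filename guessing discussed in this thread shows up as one client requesting many files that do not exist. The following is an added example, not part of the original messages: it assumes tftpd-style syslog lines (the exact log format, the IP addresses and the thresholds are constructed for illustration) and flags clients whose requests mostly end in "File not found".

```python
import re
from collections import defaultdict

RRQ = re.compile(r"RRQ from (\S+) filename (\S+)")
NAK = re.compile(r"sending NAK \(1, File not found\) to (\S+)")

# Constructed log lines (assumed tftpd-style syslog format, not from the thread).
SAMPLE_LOG = """\
Feb  3 09:00:01 tftp in.tftpd[811]: RRQ from 10.10.20.31 filename SEP001562EA69E8.cnf
Feb  3 09:00:02 tftp in.tftpd[812]: RRQ from 10.10.20.31 filename RINGLIST.DAT
Feb  3 09:02:10 tftp in.tftpd[820]: RRQ from 10.10.20.77 filename SEPDefault.cnf
Feb  3 09:02:10 tftp in.tftpd[820]: sending NAK (1, File not found) to 10.10.20.77
Feb  3 09:02:11 tftp in.tftpd[821]: RRQ from 10.10.20.77 filename SIPDefault.cnf
Feb  3 09:02:11 tftp in.tftpd[821]: sending NAK (1, File not found) to 10.10.20.77
Feb  3 09:02:11 tftp in.tftpd[822]: RRQ from 10.10.20.77 filename OS79XX.TXT
Feb  3 09:02:11 tftp in.tftpd[822]: sending NAK (1, File not found) to 10.10.20.77
Feb  3 09:02:12 tftp in.tftpd[823]: RRQ from 10.10.20.77 filename sip.cfg
Feb  3 09:02:12 tftp in.tftpd[823]: sending NAK (1, File not found) to 10.10.20.77
Feb  3 09:02:12 tftp in.tftpd[824]: RRQ from 10.10.20.77 filename SEP001562EA69E8.cnf
Feb  3 09:02:13 tftp in.tftpd[825]: RRQ from 10.10.20.77 filename dialplan.xml
Feb  3 09:02:13 tftp in.tftpd[825]: sending NAK (1, File not found) to 10.10.20.77
"""

def find_enumerators(log_text, min_files=5, min_miss_ratio=0.5):
    """Return {client_ip: stats} for clients that look like filename guessers."""
    names = defaultdict(set)   # client -> distinct filenames requested
    misses = defaultdict(int)  # client -> "File not found" replies
    for line in log_text.splitlines():
        if m := RRQ.search(line):
            names[m.group(1)].add(m.group(2))
        elif m := NAK.search(line):
            misses[m.group(1)] += 1
    flagged = {}
    for ip, files in names.items():
        ratio = misses[ip] / len(files)
        # A phone fetches a few files that exist; a guesser asks for many that do not.
        if len(files) >= min_files and ratio >= min_miss_ratio:
            # MAC-named device configs requested by a flagged client deserve review.
            device = sorted(f for f in files if re.match(r"(SEP|SIP)[0-9A-F]{12}\.", f))
            flagged[ip] = {"files": len(files), "misses": misses[ip], "device_configs": device}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

The thresholds need tuning against what real phones on the voice VLAN request at boot, since a phone with a missing firmware file also produces a few misses.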



