VoIP Penetration Testing & Security Risk

VoIP, or voice over IP (Internet Protocol), is a transmission mode designed for voice and multimedia communications. As IP-based networks like the Internet seem to be the most successful communications infrastructure, the traditional telephone network is currently being replaced by VoIP. Its clear improvements over the old systems make it a popular substitute, with a number of advantages. Among them:


  • The low cost of VoIP compared to a traditional telephone network. A number of services (like Skype) let you communicate PC-to-PC over long or short distances, free of cost.
  • VoIP is portable. Portability and mobility are another advantage of VoIP over the traditional telephone; you only need an Internet connection to communicate.
  • VoIP service includes a number of advanced features not normally available with traditional telephone service, including call forwarding, conference calls, caller ID, virtual numbers and more.

The advantages are many, but they are not our main topic of discussion. (Likewise, there are a number of disadvantages, too: VoIP services depend on Internet connection speed, voice quality depends on the performance of your computer, and so forth.) What we examine here is the security aspect of VoIP. In this article, we will review:

  • An overview of VoIP
  • What is Asterisk? (and what are the functionalities)
  • What is Trixbox?
  • VoIP hacking (penetration testing on an Asterisk-based network)

With so many advantages, VoIP is gaining popularity among organizations and private users alike. But what about the security issues? As should be entirely predictable, any new technology immediately presents opportunities for those seeking to cause mischief. This is confirmed by reports I’m sure you’ve heard about: not just the phone hacking scandal in Britain, but also the hacking in which thieves easily steal confidential information from a victim because their network was not secure.

If you are a pen tester or ethical hacker, then you have an idea about the importance of penetration testing in VoIP, because most of the important communications going on today occur on VoIP and securing confidential information is therefore critical. We will do some practical penetration testing on a VoIP-based network, but first of all I will show you how to build it.

Asterisk is open-source software that can turn your computer into a communications server. It provides PBX (private branch exchange) software that allows you to make calls and transfer your data.

Trixbox is a wonderful piece of PBX (private branch exchange) software based on the Asterisk project. It was formerly known as Asterisk@Home, but in October 2006 it was renamed Trixbox. The difference between Trixbox and other PBXs is that Trixbox is based on IP (Internet Protocol) and has been designed for small and medium-sized businesses. There are two main versions of Trixbox available: Trixbox CE, which is free and open source, and Trixbox Pro, which you need to purchase.

Protocols & Ports

You must have an idea about the protocols and their ports before attempting to launch actual penetration testing on a VoIP network.

SIP (Session Initiation Protocol) has been defined by the Internet Engineering Task Force (IETF) as the protocol for VoIP communication (in other words, a signaling protocol). SIP uses ports 5060 and 5061 for both TCP and UDP.

SDP (Session Description Protocol) is for multimedia communications, while MGCP (Media Gateway Control Protocol) uses ports 2427 and 2727 over UDP.

RTP (real-time transfer protocol) defines the packets used to deliver video and audio on an IP-based network like VoIP. RTCP (RTP control protocol) is just like RTP, and it is used to structure the packets that are defined by RTP.

IAX (Inter-Asterisk eXchange) is an important protocol used in the Asterisk system and is supported by different softphones and PBXs. IAX2 is the second version of IAX and works on UDP port 4569.

VoIP Penetration Testing

The process of penetration testing on a VoIP network is generally the same as penetration testing on any other network. All we need to do is follow the general guidelines, starting with information gathering, as we would with any form of penetration testing. We will do the same on a VoIP network.

Let’s consider a simple scenario: you have found an Asterisk-based PBX while doing a penetration test on a network, like the nmap result shown below:



It might be some sort of VoIP server, so a smart penetration tester would use the available tools to learn more about this server. Therefore, in this section I will discuss some of the tools and their usage that will be really helpful in VoIP penetration testing.

SMAP

SMAP is a wonderful scanner that can detect SIP-enabled devices (it can scan a single IP, a range of IPs, or whole subnets) and can locate any VoIP server within an operating system. It will therefore help you understand the VoIP network.

root@bt:/pentest/voip/smap# ./smap 192.168.1.9

smap 0.6.0 http://www.wormulon.net/

192.168.1.9: ICMP reachable, SIP enabled

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

It shows that this host is a VoIP server. Let’s try to gather more information.

root@bt:/pentest/voip/smap# ./smap -O 192.168.1.9

smap 0.6.0 http://www.wormulon.net/

192.168.1.9: ICMP reachable, SIP enabled

best guess (55% sure) fingerprint:

Asterisk PBX (unknown version)

User-Agent: Asterisk PBX 1.6.0.26-FONCORE-r78

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

-l: fingerprint learning mode

This is a wonderful argument that will give us more information.


SIP-Scan

SIP-Scan is just like SMAP in that it is also used to detect SIP-enabled devices. Likewise, it can scan an entire range of IPs.

root@bt:/pentest/voip/sipscan# ./sip-scan -i eth0 192.168.1.1-254

192.168.1.9: Asterisk PBX 1.6.0.26-FONCORE-r78

root@bt:/pentest/voip/sipscan#
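Seen from the PBX operator's side, the two results above (a sweep of 192.168.1.1-254 and a User-Agent banner that gives away the exact Asterisk build) are both things that can be checked for. The following is an added example, not part of the original article or of either tool: it assumes the sweep uses SIP OPTIONS probes, and the event tuples, the threshold and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (source IP, destination IP, raw SIP message) tuples,
# as a sensor on the VoIP segment might record them. Not real traffic.
def _req(method, dst):
    return (f"{method} sip:{dst} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.168.1.50:5060\r\n"
            "Content-Length: 0\r\n\r\n")

SAMPLE = [("192.168.1.50", f"192.168.1.{n}", _req("OPTIONS", f"192.168.1.{n}"))
          for n in range(1, 31)]
SAMPLE.append(("192.168.1.20", "192.168.1.9", _req("REGISTER", "192.168.1.9")))
SAMPLE.append(("192.168.1.9", "192.168.1.50",
               "SIP/2.0 200 OK\r\n"
               "Via: SIP/2.0/UDP 192.168.1.50:5060\r\n"
               "User-Agent: Asterisk PBX 1.6.0.26-FONCORE-r78\r\n"
               "Content-Length: 0\r\n\r\n"))

def parse_sip(raw):
    """Return (start_line, headers) with header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return head[0], headers

def find_sweeps(events, threshold=20):
    """Sources that sent OPTIONS to at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for src, dst, raw in events:
        start, _ = parse_sip(raw)
        if start.startswith("OPTIONS "):
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

VERSION = re.compile(r"\d+\.\d+(\.\d+)*")  # dotted version string in a banner

def find_banner_leaks(events):
    """Responses whose User-Agent or Server header exposes a version number."""
    leaks = {}
    for src, _dst, raw in events:
        start, headers = parse_sip(raw)
        banner = headers.get("user-agent") or headers.get("server")
        if start.startswith("SIP/2.0 ") and banner and VERSION.search(banner):
            leaks[src] = banner
    return leaks

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
    print(find_banner_leaks(SAMPLE))
```

A host flagged by `find_banner_leaks` is handing scanners the build string shown in the output above; on Asterisk's chan_sip the banner can be changed with the `useragent` option in sip.conf.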

The next article in the VoIP hacking series will be published later, so practice with the tools mentioned above.



