VoIP Penetration Testing & Security Risk

VoIP or voice over IP (Internet protocol) is a transmission mode
designed for use in voice and multimedia communications. As IP (Internet
protocol)-based networks like the Internet seem to be most successful
communications infrastructure, the traditional telephone network is
currently being replaced VoIP. Nowadays, its clear improvements and
advantages over the old systems make it a popular substitute, with a
number of advantages. Among them:

  • The low cost of VoIP as
    compared to a traditional telephone network. There are any number of
    services available free of cost (like Skype) that allow you to
    communicate over distances long or short, PC-to-PC and free of cost.
  • VoIP
    is portable. Portability and mobility is another advantage of VoIP over
    traditional telephone; you only need an Internet connection for
    communication.
  • VoIP service includes a number of
    different advanced features not normally available with traditional
    telephone service, including call forwarding, conference call, caller
    ID, virtual numbers and more.
The advantages are many but
this is not our main topic of discussion. (Likewise, there are a number
of disadvantages, too: VoIP services depend on Internet connection
speed; voice quality depends on the performance of your computer, and so
forth). So what is our point in discussing this? What we examine here
will be the security aspect of VoIP. In this article, we will review:
  • An overview of VoIP
  • What is Asterisk? (and what are the functionalities)
  • What is Trixbox?
  • VoIP hacking (Penetration testing on an asterisk based network)
With
so many aforementioned advantages, VoIP is gaining popularity among
both organizations and private users alike. But what about the security
issues? As should be entirely predictable, any new technology
immediately presents opportunities for those seeking to cause mischief.
This is confirmed by reports I’m sure you’ve heard about: not just the
phone hacking scandal in Britain, but the hacking in which thieves
easily steal confidential information from a victim because their
network was not secure.

If you are a pen tester or ethical hacker,
then you have an idea about the importance of penetration testing in VoIP, because most of the important communications going on today occur
on VoIP and securing confidential information is therefore critical. We
will do some practical penetration testing on a VoIP-based network, but
first of all I will show you how to build it.

Asterisk is an
open-source software that can turn your computer into a communications
server. There’s an asterisk software for PBX (private branch exchange)
that allows you to make calls and transfer your data.
Trixbox is a wonderful software (or PBX: private branch exchange), based on the asterisk project. It was formally known as [email protected]
but in October 2006 it was renamed Trixbox. The difference between
trixbox with other PBX is that trixbox is based on IP (Internet
protocol) and has been designed for small and medium sized businesses.
There are mainly two version of trixbox available: one is Trixbox CE (a
free and open source), while the other – called Trixbox Pro – is one
that you will need to purchase.

Protocols & Ports

You
must have an idea about the protocols and their ports before attempting
to launch actual penetration testing on a VoIP network.
SIP (or
session initiation protocol) has been defined by Internet Engineering
Task Force (IETF) as the protocol for VoIP communication (in other
words: a signaling protocol). SIP uses port 5060 and 5061 for both TCP
and UDP.

SDP or session description protocol is for multimedia
communications, while MGCP (media gateway control protocol) uses port
number 2427 and 2727 for UDP.

RTP (real-time transfer protocol)
defines the packets to deliver videos and audios on IP based network
like VoIP. RTCP (RTP control protocol) is just like RTP, and it is used
to structure the packets that are defined by RTP.

IAX
(Inter-Asterisk eXchange) is an important protocol used in the asterisk
system and is supported by a different soft-phone and PBX. IAX2 is the
second version of IAX and works on the UDP port number 4569.

VoIP Penetration Testing

The
process of penetration testing on a VoIP network is generally the same
as the penetration testing on any other network. All we need to do is to
follow the general guidelines, starting with information gathering, as
we would with any form of penetration testing. We will do the same on
VoIP network.

Let’s consider a
simple scenario: you have found an asterisk-based PBX while doing a
penetration test on a network, like the nmap result showing below:



It
might be some sort of VoIP server, so a smart penetration tester would
use the available tools to learn more about this server. Therefore, in
this section I will discuss some of the tools and their usage that will
be really helpful in VoIP penetration testing.

SMAP

SMAP
is a wonderful scanner that has the ability to detect SIP-enabled
devices (it can find a single IP or a range of IPs, to all the subnets)
and can locate any VoIP server within an operating system. So it will
help to understand the VoIP network.

[email protected]:/pentest/voip/smap# ./smap 192.168.1.9

smap 0.6.0 <[email protected]> http://www.wormulon.net/

192.168.1.9: ICMP reachable, SIP enabled

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

It shows that this host is a VoIP server. Let’s try to gather more information.
[email protected]:/pentest/voip/smap# ./smap -O 192.168.1.9

smap 0.6.0 <[email protected]> http://www.wormulon.net/

192.168.1.9: ICMP reachable, SIP enabled

best guess (55% sure) fingerprint:

Asterisk PBX (unknown version)

User-Agent: Asterisk PBX 1.6.0.26-FONCORE-r78

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

-l: fingerprint learning mode
It is a wonderful argument that will give us more information.


SIP-Scan

It
is just like the SMAP, in that an SIP-scan is also used to detect
SIP-enabled devices. Likewise, it has the ability to scan over the
entire range of IPs.

[email protected]:/pentest/voip/sipscan# ./sip-scan -i eth0 192.168.1.1-254

192.168.1.9: Asterisk PBX 1.6.0.26-FONCORE-r78

[email protected]:/pentest/voip/sipscan#


The next article of VoIP hacking series will be publish later, so practice the tools mentioned above and do not forget to share it via your social media profiles.

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

The Complete OSINT Tutorial to Find Personal Information About Anyone

This article mainly focuses on how to discover a person's digital footprint and gather personal data by using open-source intelligence (OSINT). So, in its...

How to find the password of hacked email addresses using OSINT

Open-source intelligence or OSINT is a potent technique, and it can give a lot of valuable information, if implemented correctly with the right strategy...

How to Identify Company’s Hacked Email Addresses Using Maltego & HaveIbeenPawned

This article is part of the Maltego OSINT tutorial, where you will learn to identify the already hacked account, and it’s password using the...

5 Key Vulnerabilities in Global Payroll

The cyber threat against payroll is growing in sophistication and frequency, according to the latest FBI cybercrime report. Many of these attacks exploit fixable...