I’ve had a number of recent opportunities to conduct VoIP-focused penetration tests. Prior to my first, I noticed that the number of tutorials, blogs and training write ups are pretty scarce. So, I figured it might be helpful to have all of it in one place. In this short blog series, I’ll cover the goals, methodology, and tools needed to conduct a successful VoIP penetration test.
Before we get started, we should probably cover what VoIP is and how it works. Voice Over Internet Protocol (VoIP) is a technology used for telecommunications utilizing a company’s network topology. It can provide several features beyond a normal phone line: multiple extensions, caller id, recording capabilities, and logging. The difficulties of VoIP penetration testing stem from the fragmentation of VoIP vendors (ie: CISCO and ASTERISK). Each configuration is different and there aren’t a lot of commonalities between vendors.
How it works:
VoIP can either be self-hosted or handled by a third party. If the client chooses to host their VoIP services, a PBX is installed on-site and connected to an ISP and VoIP traffic flows through a dedicated VLAN. If hosted by a third party, each device is connected to a switch which goes out to the third party over the internet.
SIP (Session Initiation Protocol) is used for controlling multimedia communication sessions such as voice and video calls over a network. SIP protocol defines the establishment, termination as well as other elements of a call. SIP can be used for voice calls, video conferencing, streaming multimedia, instant messaging, and other multimedia communications. SIP usually uses ports 5060 for unencrypted traffic, or 5061 for encrypted transportation using TLS.
Here’s how a SIP initiates a call between two devices:
• Invite is sent from sender
• Receiving device sends a response of 100 or trying
• Receiving devices starts ringing and sends back a 180 status
• When the caller picks up, a response of 200 is sent for OK
• The sender sends an ACK response
• After call is completed, the phones hang up, a BYE request is sent
• the originating phone responds with a 200 or OK request
And here’s what the invite request looks like:
INVITE sip:email@example.com:5060 SIP/2.0
Via: SIP/2.0/TCP 192.168.1.111:5060
From: “I’m_Batman” ;tag=eihgg
CSeq: 102 INVITE
Now, all of that being said, what are we looking to do when conducting a VoIP Penetration Test? The goals are not dissimilar to that of a traditional network penetration test:
• Information gathering and footprinting
• Eavesdropping and capturing traffic
• VLAN hopping
• Spoofing Caller ID
• Identification of Denial of Service (DoS) vulnerabilities
• Authentication Attacks
In order to achieve these goals, I found that having a semi-formalized, VoIP-focused methodology is extremely helpful so that these types of assessments can be both repeatable and consistent over the course of time. Again, the methodology I used is similar to that of a traditional penetration test:
Phase 1: Gather Information – What types of phones are in use? Who makes them? Model? Where is the SIP Server? What’s the software in use? Are they using TCP or UDP for traffic? Are they sending it through secure means? What are their IPs and what other ports are open on these devices? These are all questions that need to be answered during the initial phase of the pentest.
Phase 2: Enumeration – In this phase we concentrate on finding extensions and usernames/passwords for users across the VoIP network. The main focus of this phase is to find your way(s) in. Utilizing who and how someone uses the VoIP is key when trying to get in.
Phase 3: Exploit – This is the phase where the magic happens. In this phase, the aforementioned goals are tested. One tries to grab whatever information they can from calls in progress, send requests, and test the entire VoIP network through traditional means by logging into web management portals, network segmentation, VLAN hopping and so on.
Over the course of this blog series, I’ll cover each goal and phase in more detail including what tools can be used and examples of each.