Part II: Exploiting the VoIP Network

Chapter 4: VoIP Network Infrastructure Denial of Service (DoS)

Chapter 5: VoIP Network Eavesdropping

Chapter 6: VoIP Interception and Modification

Case Study: Who's Listening in?

Obviously, VoIP is no different than any other network application in its susceptibility to eavesdropping. Because VoIP packetizes audio over the network, one of the more enticing targets for our attacker is to see if she can listen in on any conversations taking place. Because VoIP eavesdropping typically requires some level of inside access to the network, the attacker first drives to your corporate headquarters to see if she can find any unsecured wireless access points (also called war driving ).

Safely punching away at her laptop in your company parking lot, she successfully finds an open wireless network that the sales department has set up on the second floor. Using this as an entry point, she connects and starts scanning for active VoIP phones. Even though your VoIP network is in a switched environment, the attacker is also easily able to find the IP address of your SIP proxy through the scanning techniques we covered in the last part of the book.

Because your company does not have separate VLANs for voice and data, the attacker is now better positioned to perform her eavesdropping attack. Firing up her copy of Cain and Abel, she starts to discover the MAC addresses of all valid VoIP phones using the built-in scanner. After enumerating a large number of VoIP phones and their corresponding MAC addresses, the attacker is now ready to launch an ARP poisoning attack.

Knowing the IP address of your company's local gateway and the MAC addresses of several VoIP phones, the attacker begins by launching the built-in ARP poisoning tool of Cain and Abel. Through ARP poisoning, she is now spoofing her laptop as the default gateway to all VoIP phones on the local segment, otherwise known as a man-in-the-middle attack. The attacker has not only inserted herself in the middle of all VoIP conversations, but all data traffic as well.

Clicking the Sniffer tab, the attacker leaves her laptop capturing all VoIP conversations and walks across the street to grab lunch and wait. A couple of hours later, after being suitably filled up on pizza and Diet Coke, the attacker comes back to the car and sees that she's captured 112 voice conversations through Cain and Abel's automatic audio reconstruction. Driving away, she then goes home to replay all of the conversations to see if she can glean any interesting tidbits.

Replaying one of the audio streams yields your company's CEO introducing himself on a conference call. This correspondingly tells her the IP address of the CEO's phone, which will come in handy for further targeted attacks against the CEO, as shown in later chapters. By replaying more of the CEO's conversations, the attacker hears the CEO typing in his voicemail password. Using a fairly standard DTMF decoder, the attacker is now able to reconstruct the CEO's voicemail password. She dials into the automated voicemail system, punches in his PIN numbers , and listens to his voicemail messages. One of them includes a message from the CFO that your company's revenue this quarter exceeded Wall Street's expectations. The attacker finally goes to her eTrade account and buys large quantities of your company's stock, as well as a plane ticket to the Cayman Islands.