Part III: Exploiting Specific VoIP Platforms

Chapter 7: Cisco Unified CallManager

Chapter 8: AvayaCommunication Manager

Chapter 9: Asterisk

Chapter 10: Emerging Softphone Technologies

Case Study: Shutting Down a Vendor's VoIP System

BigOil is the largest oil and gas company in the United States and is #1 in revenue and profits for 2006. BigOil also has the largest implementation of VoIPTel's (we made up a name so as not to pick on one vendor) VoIP product. BigOil uses VoIPTel's products at all of their facilities, including a very large deployment at the company headquarters. You can find VoIPTel's IP phones just about everywhere you look, including the company's spacious visitors center.

Andy, a part-time hacker, is tired of paying BigOil $150 every time he fills up his poorly tuned Hummer, so he's decided to teach BigOil a lesson. Andy knows from some simple Google searches that BigOil uses VoIPTel's products. He even verified this by walking casually through their visitors center, where there are no less than five fancy IP phones. BigOil's visitors center is so large that no one noticed Andy sitting down and opening up his laptop next to one of the IP phones. There are cameras in the visitors center, but they monitor the security check-in area only.

Andy starts his mischief by forcing the IP phone to reboot by disconnecting and reconnecting its RJ-45 cable. During the bootup process, this poorly protected IP phone offers a chance to enter the administration menu by pressing the * key. Andy does this and now has access to all of the IP phone's configuration. He's interested in a couple of key parameters, including the IP PBX to which the IP phone connects, the IP address of a backup IP PBX, and its DHCP server. There are plenty of other interesting parameters, but this is more than he needs.

When he is sure no one is looking, Andy inserts the IP phone's RJ-45 cable into his laptop. He knows that VoIPTel will use some number of servers to distribute IP phone processing. These IP addresses are normally contiguous, so he builds a list of IP addresses that are likely to be used for the servers. He then uses Nmap to verify that the systems are present and that they are indeed servers used for the IP PBX.

Andy knows from experience that VoIPTel IP PBXs often have telnet enabled by default. Sure enough, he is able to use telnet to connect to each server. He tries several well-known default passwords, but has no luck until, using the last IP address, he finds a password where the default hasn't been changed! Andy can now log in and do all sorts of nasty things, but decides that would be too easy. Plus, he could only affect one server, which won't take down the entire VoIP system.

Andy knows that VoIPTel uses a variant of H.323. He also knows that this protocol is exchanged over ports 1719 and 1720, using UDP and TCP. He then runs several well-known tools udpflood and tcpsynflood , which hammer the IP PBX servers. Andy runs several instances of these tools, so he can impact each of the servers.

For good measure, Andy runs dhcpx and targets the DHCP server used by the IP phones. This command consumes all available dynamically assigned IP addresses. This way, if the IP phones reboot, they won't be able to get IP addresses.

During the attacks, service to all of the IP phones connected to the servers is disrupted. Existing calls stay up, but no one can make new calls. Andy knows that his attack is working, because the security guard can't call visitors. He also checks the various other IP phones in the visitors area and is thrilled to see that all are trying to reconnect with the IP PBX. Andy shuts off the DoS attack, so he won't be pinched. He is pleased to see that none of the IP phones are rebooting properly because they can't get IP addresses. Andy further tests his attack's success by calling a handful of numbers he saved from his Google searches. None of the calls connect. He slips quietly out of the visitors center, confident that he has significantly disrupted BigOil's VoIP system and knowing that it will be a very long day for the VoIP system administrators.