Simple Network Reconnaissance

This section covers discovery, scanning, and enumeration steps you can take to locate and identify Avaya components.

Attack Google Hacking Avaya Devices

Popularity: 8    Simplicity: 9    Impact: 6    Risk Rating: 8

Companion Web Site: As you saw in Chapter 1, it is fairly easy to use search engines such as Google to find exposed VoIP devices with web interfaces. We maintain a fairly up-to-date VoIP Google Hacking Database on our website at http://www.hackingvoip.com. Removing the site:yourcompany.com from the query will reveal all exposed devices on the Internet that Google has archived.

For Google Hacking Avaya Communication Manager, type the following in Google:

 Inurl:"enter_pwd" avaya 

Google Hacking Countermeasures

Obviously, the easiest way to ensure that your VoIP devices don't show up in a Google hacking web query is to disable the web management interface on most of those devices. There's honestly no good reason why any of your phones should be exposed externally to the Internet.

Scanning and Enumeration

We tested a Communication Manager-based system, consisting of a G350 Media Gateway with an integral S8300 Media Server. The system included several IP phones, including models 4602SW, 4610, and 9630. For the purposes of this section, we consider the S8300 Media Server and the G350 Media Gateway to comprise the IP PBX. This section describes vulnerabilities associated with these components. Figure 8-10 illustrates the test bed we used for this section.

Figure 8-10: Avaya test bed

Attack UDP/TCP Port Scanning

Popularity: 10    Simplicity: 8    Impact: 4    Risk Rating: 7

A first step in exploiting a VoIP system is to determine which IP addresses and ports are open to support basic voice services and applications. Table 8-1 from Appendix B, "Access List" of the Avaya Application Solutions: IP Telephony Deployment Guide lists ports used by C-LAN, MedPro, and other devices.

Table 8-1: Open Ports/Services for Basic Communications

Action | From | TCP/UDP Port or Protocol | To | TCP/UDP Port or Protocol | Notes
Permit | Any C-LAN | UDP 1719 | Any endpoint | UDP any | The C-LAN uses UDP port 1719 for endpoint registration (RAS).
Permit | Any endpoint | UDP any | Any C-LAN | UDP 1719 |
Permit | Any C-LAN | TCP 1720 | Any endpoint | TCP any | The C-LAN uses TCP port 1720 for H.225 call signaling.
Permit | Any endpoint | TCP any | Any C-LAN | TCP 1720 |
Permit | Near-end C-LAN | TCP 1720 | Far-end C-LAN | TCP 1720 | Facilitates IP trunking between two Avaya call servers, and it must be done for each IP trunk.
Permit | Far-end C-LAN | TCP 1720 | Near-end C-LAN | TCP 1720 |
Permit | Any MedPro | UDP port range on IP Network Region form | Any endpoint | UDP any | A way to facilitate audio streams between MedPros and endpoints.
Permit | Any endpoint | UDP any | Any MedPro | UDP port range on IP Network Region form |
Permit | Any MedPro | UDP port range on IP Network Region form | Any endpoint | UDP any | Another way to facilitate RTP/RTCP audio streams between MedPros and endpoints.
Permit | Any endpoint | UDP any | Any endpoint | UDP any | Facilitates RTP/RTCP audio streams between direct IP-IP (shuffled) endpoints.
Permit | Any IP telephone (hardphone) | UDP any | DNS server(s) | UDP 53 (DNS) | These are all services used by the IP telephone. TFTP is difficult to isolate to a port range. The GET and PUT requests from the client go to UDP port 69 on the server, but all other messages go between random ports.
Permit | DNS servers | UDP 53 (DNS) | Any IP telephone (hardphone) | UDP any |
Permit | Any IP telephone (hardphone) | UDP 68 (bootpc) | DHCP server(s) | UDP 67 (bootps) |
Permit | DHCP servers | UDP 67 (bootps) | Any IP telephone (hardphone) | UDP 68 (bootpc) |
Permit | Any IP telephone (hardphone) | TFTP | TFTP server(s) | |
Permit | TFTP servers | TFTP | Any IP telephone (hardphone) | |
Permit | SNMP management stations | UDP any | Any IP telephone (hardphone) | UDP 161 (SNMP) |
Permit | Any IP telephone (hardphone) | UDP 161 (SNMP) | SNMP management stations | UDP any |
Permit | Any Avaya device | ICMP Echo | Any | | Avaya devices ping other devices for various reasons. For example, C-LANs ping endpoints for management purposes; MedPros ping C-LANs to gauge network performance across an IP trunk; and IP telephones ping TFTP servers for verification purposes.
Permit | Any | ICMP Echo Reply | Any Avaya device | |

Table 8-2 includes additional IP addresses and ports used to connect to the Avaya S8300, S8400, S8500, and S8700 media servers.

Table 8-2: Open Ports/Services for Media Server Communications

Action | From | TCP/UDP Port or Protocol | To | TCP/UDP Port or Protocol | Notes
Permit | S8700 Enterprise Interface | TCP any | S8300 LSP | TCP 514 | Both S8700 and LSP running pre-CM2.x: This allows the S8700 to synchronize translations with the S8300 Local Survivable Processor (LSP). A TCP session is initiated from the S8700 to the S8300 TCP port 514. A second session is then initiated from the S8300 to the S8700 TCP port range 512-1023. Network ports TCP 512-1023 must be open.
Permit | S8300 LSP | TCP 514 | S8700 Enterprise Interface | TCP any |
Permit | S8300 LSP | TCP any | S8700 Enterprise Interface | TCP 512-1023 |
Permit | S8700 Enterprise Interface | TCP 512-1023 | S8300 LSP | TCP any |
Permit | Avaya Site Administration Workstation | TCP any | S8300, S8500, or S8700 Enterprise Interface | TCP 5023 | Allows an administrator to log in through the Avaya Site Administration to a call server.
Permit | S8300, S8500, or S8700 Enterprise Interface | TCP 5023 | Avaya Site Administration Workstation | TCP any |
Permit | Web Admin Station | TCP any | S8300, S8500, or S8700 Enterprise Interface | TCP 80 | Allows secure and unsecure web access to a call server. The call server redirects unsecure sessions to HTTPS.
Permit | S8300, S8500, or S8700 Enterprise Interface | TCP 80 | Web Admin Stations | TCP any |
Permit | Web Admin Station | TCP any | S8300, S8500, or S8700 Enterprise Interface | TCP 443 |
Permit | S8300, S8500, or S8700 Enterprise Interface | TCP 443 | Web Admin Station(s) | TCP any |
Permit | S8300, S8500, or S8700 Enterprise Interface | UDP any | DNS server(s) | UDP 53 (DNS) | Optional services used by S8300, S8500, and S8700.
Permit | DNS server(s) | UDP 53 (DNS) | S8300, S8500, or S8700 Enterprise Interface | UDP any |
Permit | S8300, S8500, or S8700 Enterprise Interface | UDP any | NTP server(s) | UDP 123 (NTP) |
Permit | NTP server(s) | UDP 123 (NTP) | S8300, S8500, or S8700 Enterprise Interface | UDP any |
Permit | G700 or G350 | TCP any | S8300 or other call server | TCP 2945 | Unencrypted: H.248 signaling between G700 or G350 Media Gateway and S8300 or other call server. G700/G350 initiates the session.
Permit | S8300 or other call server | TCP 2945 | G700 or G350 | TCP any |
Permit | G700 or G350 | TCP any | S8300 or other call server | TCP 1039 | Encrypted: H.248 signaling between G700 or G350 Media Gateway and S8300 or other call server. G700/G350 initiates the session.
Permit | S8300 or other call server | TCP 1039 | G700 or G350 | TCP any |
Permit | Call server | IP any | IPSI board | IP any | There are too many system control messages and services between the call server and IPSI board to filter each individually.
Permit | IPSI board | IP any | Call server | IP any |

Finally, Table 8-3 includes additional IP addresses and ports used for file synchronization.

Table 8-3: Open Ports/Services for File Synchronization

Configuration | Primary Firewall Port | Customer Network Port(s) | LSP Firewall Port
Both primary and LSP running pre-CM2.x | TCP 514 | TCP 512-1023 | TCP 514
Both primary and LSP running CM2.x | TCP 21873 (opens automatically; TCP 514 no longer needed) | TCP 21873 | TCP 21873 (opens automatically; TCP 514 no longer needed)
Both primary and LSP running CM3.x | TCP 21874 (opens automatically) | TCP 21874 | TCP 21874 (opens automatically)
Backward compatibility (CM1.3 primary; CM2.x LSP) | TCP 514 | TCP 512-1023 | TCP 21873 (opens automatically)
Backward compatibility (CM2.x primary; CM3.x LSP) | TCP 21873 (opens automatically) | TCP 21873 | TCP 21874 (opens automatically)

We used Nmap version 4.01 to scan an S8300 Media Server and a G350 Media Gateway. The TCP and UDP ports/services results that follow were produced by Nmap executing on a host in a foreign subnet relative to the target devices.

The G350 Media Gateway contained the S8300 Media Server module and an MM710 T1/E1 ISDN PRI module. The G350 was connected to a subnet switch through its ETH LAN port. The media server module's Communication Manager applications and the G350's Media Gateway applications are addressed independently (in other words, each application suite has its own IP address).

The S8300 Media Server software version is

 Operating system:   Linux 2.6.11-AV15 i686 i686
 Built:              Jan 26 00:11 2006
 Contains:           01.0.628.6
 Reports As:         R013x.01.0.628.6
 Release String:     S8300-30 22:00:10
 License Installed:  2006-05-04 16:24:23
 Messaging:          --N3.1-26.0-------------

The ports open depend heavily on the Communication Manager version and configuration. For example, the S8300, using Processor Ethernet, has several ports open that an S8400, S8500, and S87xx would not have open. Processor Ethernet causes certain services and ports to be used by the S8300 directly, whereas other configurations have these services and ports open on C-LAN, MedPro, or IPSI cards. The S8300 Media Server Nmap TCP port scan yielded the following result:

 (The 65521 ports scanned but not shown below are in state: filtered)
 PORT      STATE SERVICE      VERSION
 22/tcp    open  ssh          OpenSSH 3.9p1 (protocol 2.0)
 23/tcp    open  telnet       Linux telnetd
 80/tcp    open  http         Apache httpd
 81/tcp    open  http         Apache httpd
 411/tcp   open  ssl          Nessus security scanner
 443/tcp   open  ssl          OpenSSL
 1039/tcp  open  unknown
 1720/tcp  open  H.323/Q.931?
 2222/tcp  open  ssh          OpenSSH 3.9p1 (protocol 2.0)
 2945/tcp  open  unknown
 5022/tcp  open  ssh          OpenSSH 3.9p1 (protocol 2.0)
 5023/tcp  open  unknown
 8009/tcp  open  ajp13?
 21873/tcp open  tcpwrapped
 21874/tcp open  tcpwrapped
 1 service unrecognized despite returning data.

Following are some comments on the open ports:

  • 23: telnet   This and other administration ports can be blocked by the firewall running on the media server. In Communication Manager 3.1 and later, telnet can be disabled completely. Telnet is disabled by default in Communication Manager 4.0, due out in Spring 2007.

  • 80: http   A web administration port that redirects to port 443 after the user continues from the Welcome and Warning screens.

  • 411: ssl   IP phone HTTP/HTTPS firmware download port.

  • 1039: unknown   Encrypted H.248 signaling port.

  • 2222: ssh   High priority (HP) SSH port that can be blocked with the media server firewall or, in Communication Manager 3.1 and later, disabled completely.

  • 2945: unknown   Unencrypted H.248 signaling port.

  • 5022: unknown   SAT port using SSH. Can be blocked with the media server firewall or, in Communication Manager 3.1 and later, disabled completely.

  • 5023: unknown   SAT port using telnet. Can be blocked with the media server firewall or, in Communication Manager 3.1 and later, disabled completely.

  • 8009: ajp13   Avaya states that this port was never needed externally and is being disabled with a security patch.

  • 21873/21874: tcpwrapped   File synchronization through SSL. Both ports are open to allow the S8300 to interoperate with older versions of Communication Manager.
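The comments above amount to a policy for the S8300's open ports: some are documented services, some the text says to block, disable, or patch, and anything else needs an explanation from the system owner. The following Python script is an added example (not from the book or its companion site) that parses Nmap's normal-output port lines and sorts the S8300 scan above into those three buckets; the port-to-reason tables are built only from the comments and Table 8-2 on this page.

```python
import re

# Constructed sample: the S8300 Media Server TCP scan quoted above, header and
# trailer lines included to show that the parser skips them.
S8300_TCP_SCAN = """\
(The 65521 ports scanned but not shown below are in state: filtered)
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH 3.9p1 (protocol 2.0)
23/tcp    open  telnet       Linux telnetd
80/tcp    open  http         Apache httpd
81/tcp    open  http         Apache httpd
411/tcp   open  ssl          Nessus security scanner
443/tcp   open  ssl          OpenSSL
1039/tcp  open  unknown
1720/tcp  open  H.323/Q.931?
2222/tcp  open  ssh          OpenSSH 3.9p1 (protocol 2.0)
2945/tcp  open  unknown
5022/tcp  open  ssh          OpenSSH 3.9p1 (protocol 2.0)
5023/tcp  open  unknown
8009/tcp  open  ajp13?
21873/tcp open  tcpwrapped
21874/tcp open  tcpwrapped
1 service unrecognized despite returning data.
"""

# One Nmap normal-output port line: "<port>/<proto>  <state>  <service> [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)"
)


def parse_nmap_ports(text):
    """Return a list of (port, proto, state, service) tuples from Nmap normal output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return entries


# Ports the page explains for an S8300 using Processor Ethernet
# (Table 8-2 plus the open-port comments).
DOCUMENTED = {
    22: "SSH administration",
    80: "web administration, redirects to 443",
    411: "IP phone HTTP/HTTPS firmware download",
    443: "HTTPS web administration",
    1039: "encrypted H.248 signaling",
    1720: "H.225 call signaling",
    2945: "unencrypted H.248 signaling",
    21873: "file synchronization through SSL (older CM interoperability)",
    21874: "file synchronization through SSL",
}

# Ports the page says to block with the media server firewall, disable, or patch.
SHOULD_RESTRICT = {
    23: "telnet: block with the media server firewall or disable (CM 3.1 and later)",
    2222: "high priority SSH: block with the media server firewall or disable (CM 3.1 and later)",
    5022: "SAT over SSH: block with the media server firewall or disable (CM 3.1 and later)",
    5023: "SAT over telnet: block with the media server firewall or disable (CM 3.1 and later)",
    8009: "ajp13: never needed externally, disabled by an Avaya security patch",
}


def audit_open_ports(entries):
    """Sort open ports into those to restrict, those documented, and those that
    neither list explains (the ones to raise with the system owner)."""
    report = {"restrict": [], "documented": [], "unexplained": []}
    for port, proto, state, service in entries:
        if state != "open":
            continue  # closed/filtered ports are not reachable listeners
        if port in SHOULD_RESTRICT:
            report["restrict"].append((port, SHOULD_RESTRICT[port]))
        elif port in DOCUMENTED:
            report["documented"].append((port, DOCUMENTED[port]))
        else:
            report["unexplained"].append((port, f"{proto} {service}"))
    return report


if __name__ == "__main__":
    for category, items in audit_open_ports(parse_nmap_ports(S8300_TCP_SCAN)).items():
        print(category)
        for port, why in items:
            print(f"  {port:>5}  {why}")
```

Run against the scan above, the unexplained bucket contains only port 81 (a second Apache listener that the comments do not cover), which is exactly the kind of finding to take back to the administrator.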

The S8300 Nmap UDP port scan yielded the following result:

 All 65536 scanned ports on 10.1.14.100 are: open|filtered
 PORT     STATE         SERVICE

The G350 Media Gateway Processor (MGP) version information follows. Note that the MGP can have different software installed for the MGP itself, embedded web application, and analog firmware. The latest version is 25.28.0.

 Firmware Version: 25.23.0
 Software Version: 25.23.0

The G350 Nmap TCP port scan yielded the following result:

 (The 65533 ports scanned but not shown below are in state: closed)
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 3.5p1 (protocol 2.0)
 23/tcp open  telnet?
 80/tcp open  http?
 2 services unrecognized despite returning data.

Following is a comment on the open port:

  • 23: telnet   Since version v24.17.0, you can disable telnet.

The G350 Nmap UDP port scan yielded the following result:

 (The 65464 ports scanned but not shown below are in state: closed)
 PORT      STATE         SERVICE
 161/udp   open|filtered snmp
 2050/udp  open|filtered unknown
 2051/udp  open|filtered unknown
 2052/udp  open|filtered unknown
 2053/udp  open|filtered unknown
 2054/udp  open|filtered unknown
 2055/udp  open|filtered unknown
 65106/udp open|filtered unknown
 65107/udp open|filtered unknown
 65108/udp open|filtered unknown
 65109/udp open|filtered unknown
 65110/udp open|filtered unknown
 65111/udp open|filtered unknown
 65112/udp open|filtered unknown
 65113/udp open|filtered unknown
 65114/udp open|filtered unknown
 65115/udp open|filtered unknown
 65116/udp open|filtered unknown
 65117/udp open|filtered unknown
 65118/udp open|filtered unknown
 65119/udp open|filtered unknown
 65120/udp open|filtered unknown
 65121/udp open|filtered unknown
 65122/udp open|filtered unknown
 65240/udp open|filtered unknown
 65241/udp open|filtered unknown
 65242/udp open|filtered unknown
 65243/udp open|filtered unknown
 65244/udp open|filtered unknown
 65245/udp open|filtered unknown
 65246/udp open|filtered unknown
 65247/udp open|filtered unknown
 65248/udp open|filtered unknown
 65249/udp open|filtered unknown
 65250/udp open|filtered unknown
 65251/udp open|filtered unknown
 65252/udp open|filtered unknown
 65253/udp open|filtered unknown
 65254/udp open|filtered unknown
 65255/udp open|filtered unknown
 65372/udp open|filtered unknown
 65373/udp open|filtered unknown
 65374/udp open|filtered unknown
 65375/udp open|filtered unknown
 65376/udp open|filtered unknown
 65377/udp open|filtered unknown
 65378/udp open|filtered unknown
 65379/udp open|filtered unknown
 65380/udp open|filtered unknown
 65381/udp open|filtered unknown
 65382/udp open|filtered unknown
 65383/udp open|filtered unknown
 65384/udp open|filtered unknown
 65385/udp open|filtered unknown
 65386/udp open|filtered unknown
 65387/udp open|filtered unknown
 65504/udp open|filtered unknown
 65505/udp open|filtered unknown
 65506/udp open|filtered unknown
 65507/udp open|filtered unknown
 65508/udp open|filtered unknown
 65509/udp open|filtered unknown
 65510/udp open|filtered unknown
 65511/udp open|filtered unknown
 65512/udp open|filtered unknown
 65513/udp open|filtered unknown
 65514/udp open|filtered unknown
 65515/udp open|filtered unknown
 65516/udp open|filtered unknown
 65517/udp open|filtered unknown
 65518/udp open|filtered unknown
 65519/udp open|filtered unknown

Following are some comments on the open ports:

  • 161: snmp   Avaya uses SNMP V1 by default, but SNMP V3 is available as an option.

  • xxx   Many of the high-numbered UDP ports are dynamic, so they will vary by scan.

The definitions of the reported port states are documented in Chapter 2.

We also tested the Avaya 4602, 4610, and 9630 IP phones along with the S8300 Media Server and G350 Media Gateway. As with the Communication Manager itself, Avaya documents the open port/services used by their IP phones. Figure 8-11 from the Avaya Application Solutions: IP Telephony Deployment Guide shows the ports used for signaling, audio, and management (note that the SIP ports are not used when H.323 is used).

Figure 8-11: IP phone signaling and audio ports

Figure 8-12 shows the ports used for initialization and address resolution and Figure 8-13 shows the ports used for applications. (Both figures are from the Avaya Application Solutions: IP Telephony Deployment Guide .)

Figure 8-12: IP phone initialization and address resolution ports
Figure 8-13: IP phone application resolution ports

Nmap scans of each Avaya IP phone with H.323 loads were implemented. The TCP and UDP ports/services results were produced by Nmap executing on a host in a foreign subnet compared to the target devices. The version of the Nmap scanner we used was 4.01.

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 4602SW IP phone at x211/10.1.14.10 yielded the following information:

 Model=4602D02A
 Market=0
 Phone SN=06GM01006310
 PWB version=003040202
 MAC address=00:09:6E:0F:18:5B
 4602sape1_82.bin                 <--- note: this is the application load
 4602sbte1_82.bin                 <--- note: this is the boot load
 DSPV_5F82

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 4602SW IP phone at x221/10.1.14.12 yielded the following information:

 Model=4602D02A
 Phone SN=06GM01006309
 PWB SN=0
 PWB comcode= <a bunch of black boxes>
 MAC address-00:09:6E:0F:18:5A
 L2 tagging=off
 VLAN ID=none
 IP address=10.1.14.12
 Subnet mask=255.255.255.0
 Router=10.1.14.1
 File server=0.0.0.0
 Call server=10.1.14.100:1719
 Group=0
 Protocol=default
 a02d01b2_3.bin                   <--- note: this is the application load
 100 Mbps Ethernet
 b02d01b2_3.bin                   <--- note: this is the boot load

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 4610 IP phone at x231/10.1.14.13 yielded the following information:

 Model = 4610D01A
 Phone SN = 06GM27012072
 PWB SN = N/A
 PWB comcode = 001010101
 MAC address = 00:09:6E:12:0A:31
 L2 tagging = auto:off
 VLAN ID = none
 IP address = 10.1.14.13
 Subnet mask = 255.255.255.0
 Router = 10.1.14.1
 File server = 10.1.14.100:411
 Call server = 10.1.14.100:1719
 802.1X = pass-thru-mode
 Group = 0
 Protocol: default
 a10d01b2_6.bin                (i.e. application load, H.323 R2.6)
 100 Mbps Ethernet
 b10d01b2_6.bin                (i.e. boot load, H.323 R2.6)
 Build = 2_6
 DHCPSTD = 0

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 9630 IP phone at x251/10.1.14.15 yielded the following information:

 MODEL = 9630D01A
 PHONE SN = 06N523750175
 PWB SN = 06N523750175
 PWB COMCODE = 700382922
 MAC address = 00:04:0D:EB:BB:D0
 L2 tagging = auto:off
 VLAN ID = none
 IP address = 10.1.14.15
 Subnet mask = 255.255.255.0
 Router = 10.1.14.1
 File server = 0.0.0.0
 Call server = 10.1.14.100:1719
 802.1X = pass-thru-mode
 Group = 0
 Protocol = default
 h96xx0971SVS.bin
 100 Mbps Ethernet
 b96xx0971SVS.bin

The 4602SW IP phone at x211/10.1.14.10 Nmap TCP port scan yielded the following result:

 (The 65515 ports scanned but not shown below are in state: closed)
 PORT     STATE SERVICE       VERSION
 1024/tcp open  kdm?
 1025/tcp open  NFS-or-IIS?
 1026/tcp open  LSA-or-nterm?
 1027/tcp open  IIS?
 1028/tcp open  unknown
 1029/tcp open  ms-lsa?
 1030/tcp open  iad1?
 1031/tcp open  iad2?
 1032/tcp open  iad3?
 1033/tcp open  tcpwrapped
 1034/tcp open  tcpwrapped
 1035/tcp open  tcpwrapped
 1036/tcp open  tcpwrapped
 1037/tcp open  tcpwrapped
 1038/tcp open  tcpwrapped
 1039/tcp open  tcpwrapped
 1040/tcp open  tcpwrapped
 1041/tcp open  tcpwrapped
 1042/tcp open  tcpwrapped
 1043/tcp open  tcpwrapped
 4543/tcp open  unknown

Following is a comment on the open port:

  • 4543   This is a dynamic port, so it will vary between scans.

The 4602SW IP phone at x211/10.1.14.10 UDP port scan yielded the following result:

 (The 65530 ports scanned but not shown below are in state: closed)
 PORT     STATE         SERVICE
 0/udp    open|filtered unknown
 68/udp   open|filtered dhcpc
 161/udp  open|filtered snmp
 3000/udp open|filtered unknown
 3030/udp open|filtered unknown
 3031/udp open|filtered unknown

Here are some comments on the open ports:

  • 68: dhcpc   This port is used for client-side DHCP.

  • 161: snmp   This port is closed by default in more recent firmware versions.

  • 3030/3031   These are dynamic ports, so they will vary between scans.

The 4602SW IP phone at x221/10.1.14.12 Nmap TCP port scan yielded the following result:

 (The 65535 ports scanned but not shown below are in state: closed)
 PORT  STATE    SERVICE VERSION
 0/tcp filtered unknown

This H.323 IP phone load was far more impervious to TCP port scanning than R1.8.2.

The 4602SW IP phone at x221/10.1.14.12 Nmap UDP port scan yielded the following result:

 (The 65533 ports scanned but not shown below are in state: closed)
 PORT      STATE         SERVICE
 0/udp     open|filtered unknown
 68/udp    open|filtered dhcpc
 49304/udp open|filtered unknown

This H.323 IP phone load was more impervious to UDP port scanning than R1.8.2. Here are some comments on the open ports:

  • 68: dhcpc   This port is used for client-side DHCP.

The 4610 IP phone at x231/10.1.14.13 Nmap TCP port scan yielded the following result:

 All 65536 scanned ports on 10.1.14.13 are: filtered
 PORT      STATE         SERVICE

The 4610 IP phone is more impervious to scans than the 4602 IP phones.

The 4610 IP phone at x231/10.1.14.13 Nmap UDP port scan yielded the following result:

 (The 63304 ports scanned but not shown below are in state: open|filtered)
 PORT      STATE  SERVICE
 32768/udp closed omad
 32769/udp closed unknown
 32770/udp closed sometimes-rpc4
 32771/udp closed sometimes-rpc6
 32772/udp closed sometimes-rpc8
 32773/udp closed sometimes-rpc10
 32774/udp closed sometimes-rpc12
 32775/udp closed sometimes-rpc14
 32776/udp closed sometimes-rpc16
 32777/udp closed sometimes-rpc18
 32778/udp closed sometimes-rpc20
 32779/udp closed sometimes-rpc22
 32780/udp closed sometimes-rpc24
 32781/udp closed unknown
 32782/udp closed unknown
 32783/udp closed unknown
 32784/udp closed unknown
 32785/udp closed unknown
 32786/udp closed sometimes-rpc26
 32787/udp closed sometimes-rpc28
 32790/udp closed unknown
 To 34999/udp closed unknown

As you can see, the scans for the 4610 and 9630 are very similar. Here are some comments on the open ports:

  • 68: dhcpc   This port is used for client-side DHCP.

The 9630 IP phone at x251/10.1.14.15 Nmap TCP port scan yielded the following result:

 All 65536 scanned ports on 10.1.14.15 are: filtered

The 9630 IP phone is more impervious to scans than the 4602 IP phones.

The 9630 IP phone at x251/10.1.14.15 Nmap UDP port scan yielded the following result:

 32768/udp closed omad
 32769/udp closed unknown
 32770/udp closed sometimes-rpc4
 32771/udp closed sometimes-rpc6
 32772/udp closed sometimes-rpc8
 32773/udp closed sometimes-rpc10
 32774/udp closed sometimes-rpc12
 32775/udp closed sometimes-rpc14
 32776/udp closed sometimes-rpc16
 32777/udp closed sometimes-rpc18
 32778/udp closed sometimes-rpc20
 32779/udp closed sometimes-rpc22
 32780/udp closed sometimes-rpc24
 32781/udp closed unknown
 32782/udp closed unknown
 32783/udp closed unknown
 32784/udp closed unknown
 32785/udp closed unknown
 32786/udp closed sometimes-rpc26
 32787/udp closed sometimes-rpc28
 32788/udp closed unknown
 To 34999/udp closed unknown

As you can see, the scans for the 4610 and 9630 are very similar. Here are some comments on the open ports:

  • 32768-34999   These are dynamic ports, so they will vary between scans.

Open Ports/Services Countermeasures

There are several countermeasures you can employ to control and/or protect the open ports on an Avaya Communication Manager system. These are covered in the following sections.

Disable Unnecessary Ports

As discussed in Chapters 2 and 3, it's a good idea to disable as many default services as possible on your VoIP devices to avoid giving away too much information about your infrastructure. You can't do this directly on Avaya Communication Manager IP PBXs or IP phones, but you can use their management system to control some ports.

The Avaya management system allows the administrator to control which ports are open and, in some cases, which ports are internally "firewalled." The screens where you can access these controls are shown in Figures 8-14 and 8-15. As discussed previously, nonsecure services such as telnet should be disabled, if possible.

Figure 8-14: Service Access control screen
Figure 8-15: Firewall control screen

Use a Firewall to Protect the IP PBX

Tables 8-1, 8-2, and 8-3, shown previously in the chapter, list ports and access lists that you can use to program a firewall, which protects the Communication Manager system from the rest of the network. Deploying a firewall and adding these access lists will help prevent attackers from accessing the Communication Manager from unauthorized systems.
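One way to turn the table rows into firewall configuration, as an added example that is not from the book: each request-direction Permit row becomes a rule in an iptables chain ending in an explicit DROP. The return-direction rows the tables list (for example "Any endpoint / TCP any -> Any C-LAN / TCP 1720" paired with its reverse) are what a stateless packet filter needs; on a stateful firewall a single conntrack rule covers all of them, and the script renders both forms. The call server and gateway addresses are the test-bed addresses from the scans above; the admin, DNS and NTP addresses are placeholders, and the iptables target is my assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Permit:
    """One request-direction 'Permit' row from Tables 8-1 and 8-2."""
    src: str               # host or CIDR
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[str]   # "5023", "512:1023", or None for "any"
    note: str


# Constructed addressing: call server and G350 are from the scans on this page,
# the admin workstation, DNS and NTP servers are placeholders (TEST-NET-1).
CALL_SERVER = "10.1.14.100"
GATEWAY = "10.1.14.101"
PHONES = "10.1.14.0/24"
ADMIN = "192.0.2.10"     # placeholder Site Administration / web admin station
DNS = "192.0.2.53"       # placeholder DNS server
NTP = "192.0.2.123"      # placeholder NTP server

ACL: List[Permit] = [
    Permit(PHONES, CALL_SERVER, "udp", "1719", "endpoint registration (RAS)"),
    Permit(PHONES, CALL_SERVER, "tcp", "1720", "H.225 call signaling"),
    Permit(GATEWAY, CALL_SERVER, "tcp", "1039", "encrypted H.248 from the G350"),
    Permit(ADMIN, CALL_SERVER, "tcp", "5022", "SAT over SSH"),
    Permit(ADMIN, CALL_SERVER, "tcp", "443", "HTTPS web administration"),
    Permit(ADMIN, CALL_SERVER, "tcp", "80", "web administration, redirected to HTTPS"),
    Permit(CALL_SERVER, DNS, "udp", "53", "DNS"),
    Permit(CALL_SERVER, NTP, "udp", "123", "NTP"),
    Permit(CALL_SERVER, PHONES, "icmp", None, "call server pings endpoints"),
]


def request_rule(p: Permit, chain: str) -> str:
    """iptables-restore line for the request direction of one Permit row."""
    parts = [f"-A {chain}", f"-s {p.src}", f"-d {p.dst}", f"-p {p.proto}"]
    if p.proto == "icmp":
        parts.append("--icmp-type echo-request")
    elif p.dport is not None:
        parts.append(f"--dport {p.dport}")
    parts += [f'-m comment --comment "{p.note}"', "-j ACCEPT"]
    return " ".join(parts)


def reply_rule(p: Permit, chain: str) -> str:
    """The explicit return row the tables pair with each Permit (only a stateless
    packet filter needs it): the same flow with source and destination swapped."""
    parts = [f"-A {chain}", f"-s {p.dst}", f"-d {p.src}", f"-p {p.proto}"]
    if p.proto == "icmp":
        parts.append("--icmp-type echo-reply")
    elif p.dport is not None:
        parts.append(f"--sport {p.dport}")
    parts += [f'-m comment --comment "reply: {p.note}"', "-j ACCEPT"]
    return " ".join(parts)


def build_chain(acl: List[Permit], chain: str = "AVAYA_PBX", stateful: bool = True) -> List[str]:
    """Render the access list as an iptables chain that ends in an explicit DROP.

    stateful=True: one conntrack rule replaces every return-direction row.
    stateful=False: each row is followed by its explicit reply rule.
    """
    lines = [f"-N {chain}"]
    if stateful:
        lines.append(f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for p in acl:
        lines.append(request_rule(p, chain))
        if not stateful:
            lines.append(reply_rule(p, chain))
    lines.append(f"-A {chain} -j DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(build_chain(ACL)))
```

The MedPro/RTP rows are omitted on purpose: their UDP range comes from the IP Network Region form of the particular system and must be filled in from that configuration.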

In addition to a traditional firewall, you can deploy application-layer or VoIP firewalls. VoIP firewalls are available from several vendors, including SecureLogix (http://www.securelogix.com), Sipera (http://www.sipera.com), Borderware (http://www.borderware.com), and Ingate (http://www.ingate.com). Some traditional firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) also provide support for VoIP.

Attack TFTP Enumeration

Popularity: 5    Simplicity: 7    Impact: 4    Risk Rating: 5

As we demonstrated in Chapter 3, the TFTP server used to provision IP phones can often contain sensitive configuration information sitting out in cleartext. You can easily enumerate these files with the TFTPbrute.pl exploit demonstrated in Chapter 3 or even with the latest version of Nessus (http://www.nessus.org). See Chapter 3 for more information, along with countermeasures for this attack.

Attack SNMP Enumeration

Popularity: 6    Simplicity: 7    Impact: 6    Risk Rating: 6

As you saw in Chapter 3, most networked devices support SNMP as a management function. An attacker can easily sweep for active SNMP ports on a device, and then query with specific Avaya OIDs in order to glean sensitive information from the device.

The Administration for the Avaya G250 and Avaya G350 Media Gateways states that the G250 and G350 Media Gateways support three versions of SNMP, including SNMPv1, SNMPv2, and SNMPv3. The Avaya G350 Media Gateway supports all three of these versions. The implementation of SNMPv3 on the G350 is backward compatible. An agent that supports SNMPv3 will also support SNMPv1 and SNMPv2c. By default, SNMP is not enabled for Avaya media servers.

Tech FAQ (www.tech-faq.com/snmp.shtml) provides the following definition of SNMP community strings. "The most basic form of SNMP security is the Community String. SNMP Community Strings are like passwords for network elements. Most often, there is one community string which is used for read-only access to a network element. The default value for this community string is often 'public.' Using this community string like a password, the Network Management System (NMS) can retrieve data from network elements. Less often, there is also a read-write community string. The default value for this is often 'private.' Using this community string, the NMS can actually change MIB variables on a network element."

When you browse to the Avaya G350 gateway IP address, you will be presented with a dialog box to enter SNMP parameters and radio buttons that allow you to select between SNMPv1 and SNMPv3 community string input. The default community string for the SNMPv1 selection is public.

Undocumented SNMP R/W community strings in Avaya equipment are not without precedent, as these sites show:

  • http://support.avaya.com/elmodocs2/security/Unauthorized_SNMP.pdf

  • http://www.securiteam.com/securitynews/5TP0E0U80U.html

Companion Web Site: We used the snmpwalk tool for configuration enumeration of the S8300 Media Server and the G350 Media Gateway. The community string employed for the scans was public. The first snmpwalk was executed by supplying only the target's IP address, and then again targeting the Avaya-specific OID 1.3.6.1.4.1.6889. The commands executed are listed here. The output of these commands is extensive, so we included only a few interesting values from each command. The complete output is available on the Hacking Exposed VoIP website (www.hackingvoip.com).

S8300 Media Server:

 [root@hackerbox]# snmpwalk -c public -v 1 10.1.14.100
 SNMPv2-MIB::sysDescr.0 = STRING: Avaya S8300 Server
 SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.8.1.50
 SNMPv2-MIB::sysName.0 = STRING: SecureLogixS8300
 IP-MIB::ipAdEntAddr.10.1.14.100 = IpAddress: 10.1.14.100
 IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
 IP-MIB::ipAdEntAddr.127.1.1.31 = IpAddress: 127.1.1.31
 IP-MIB::ipAdEntAddr.192.11.13.6 = IpAddress: 192.11.13.6
 TCP-MIB::tcpConnLocalPort.0.0.0.0.23.0.0.0.0.0 = INTEGER: 23
 TCP-MIB::tcpConnLocalPort.0.0.0.0.111.0.0.0.0.0 = INTEGER: 111
 TCP-MIB::tcpConnLocalPort.0.0.0.0.514.0.0.0.0.0 = INTEGER: 514
 TCP-MIB::tcpConnLocalPort.0.0.0.0.5023.0.0.0.0.0 = INTEGER: 5023
 TCP-MIB::tcpConnLocalPort.0.0.0.0.21873.0.0.0.0.0 = INTEGER: 21873
 TCP-MIB::tcpConnLocalPort.0.0.0.0.21874.0.0.0.0.0 = INTEGER: 21874
 TCP-MIB::tcpConnLocalPort.10.1.14.100.1039.0.0.0.0.0 = INTEGER: 1039
 TCP-MIB::tcpConnLocalPort.10.1.14.100.1039.10.1.14.101.1138 = INTEGER: 1039
 TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.0.0.0.0.0 = INTEGER: 1720
 TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.10.1.14.10.3685 = INTEGER: 1720
 TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.10.1.14.12.3778 = INTEGER: 1720
 UDP-MIB::udpLocalAddress.10.1.14.100.123 = IpAddress: 10.1.14.100
 UDP-MIB::udpLocalAddress.10.1.14.100.1719 = IpAddress: 10.1.14.100
 UDP-MIB::udpLocalAddress.127.0.0.1.123 = IpAddress: 127.0.0.1
 UDP-MIB::udpLocalAddress.127.1.1.31.123 = IpAddress: 127.1.1.31
 UDP-MIB::udpLocalAddress.192.11.13.6.123 = IpAddress: 192.11.13.6
 UDP-MIB::udpLocalPort.0.0.0.0.69 = INTEGER: 69
 UDP-MIB::udpLocalPort.0.0.0.0.111 = INTEGER: 111
 UDP-MIB::udpLocalPort.0.0.0.0.123 = INTEGER: 123
 UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
 UDP-MIB::udpLocalPort.0.0.0.0.162 = INTEGER: 162
 UDP-MIB::udpLocalPort.10.1.14.100.123 = INTEGER: 123
 UDP-MIB::udpLocalPort.10.1.14.100.1719 = INTEGER: 1719
 UDP-MIB::udpLocalPort.127.0.0.1.123 = INTEGER: 123
 UDP-MIB::udpLocalPort.127.1.1.31.123 = INTEGER: 123
 UDP-MIB::udpLocalPort.192.11.13.6.123 = INTEGER: 123
 [root@hackerbox]# snmpwalk -c public -v 1 10.1.14.100 1.3.6.1.4.1.6889
 Lots of info, but very little that appears interesting.
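The TCP-MIB and UDP-MIB rows in the S8300 walk above are more useful to a defender than the sysDescr banner: the tcpConnLocalPort index encodes local address, local port, remote address and remote port, so a row whose remote side is 0.0.0.0:0 is a listening socket and any other row is a live session. As an added example (not from the book or its companion site), the Python below parses those rows and compares the listeners against the open ports the Nmap TCP scan of the same server reported earlier; the walk here is only the excerpt printed above, so the comparison is meaningful in one direction only (listeners SNMP reveals that the scan did not).

```python
import re

# Constructed sample: a subset of the S8300 snmpwalk output quoted above.
SNMPWALK_S8300 = """\
SNMPv2-MIB::sysDescr.0 = STRING: Avaya S8300 Server
IP-MIB::ipAdEntAddr.10.1.14.100 = IpAddress: 10.1.14.100
TCP-MIB::tcpConnLocalPort.0.0.0.0.23.0.0.0.0.0 = INTEGER: 23
TCP-MIB::tcpConnLocalPort.0.0.0.0.111.0.0.0.0.0 = INTEGER: 111
TCP-MIB::tcpConnLocalPort.0.0.0.0.514.0.0.0.0.0 = INTEGER: 514
TCP-MIB::tcpConnLocalPort.0.0.0.0.5023.0.0.0.0.0 = INTEGER: 5023
TCP-MIB::tcpConnLocalPort.0.0.0.0.21873.0.0.0.0.0 = INTEGER: 21873
TCP-MIB::tcpConnLocalPort.0.0.0.0.21874.0.0.0.0.0 = INTEGER: 21874
TCP-MIB::tcpConnLocalPort.10.1.14.100.1039.0.0.0.0.0 = INTEGER: 1039
TCP-MIB::tcpConnLocalPort.10.1.14.100.1039.10.1.14.101.1138 = INTEGER: 1039
TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.0.0.0.0.0 = INTEGER: 1720
TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.10.1.14.10.3685 = INTEGER: 1720
TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.10.1.14.12.3778 = INTEGER: 1720
UDP-MIB::udpLocalPort.0.0.0.0.69 = INTEGER: 69
UDP-MIB::udpLocalPort.0.0.0.0.111 = INTEGER: 111
UDP-MIB::udpLocalPort.0.0.0.0.123 = INTEGER: 123
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.162 = INTEGER: 162
UDP-MIB::udpLocalPort.10.1.14.100.1719 = INTEGER: 1719
"""

# Open TCP ports the Nmap scan of the S8300 reported earlier on this page.
NMAP_OPEN_TCP = {22, 23, 80, 81, 411, 443, 1039, 1720, 2222, 2945,
                 5022, 5023, 8009, 21873, 21874}

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# tcpConnLocalPort index: localAddr.localPort.remAddr.remPort
TCP_CONN = re.compile(
    rf"TCP-MIB::tcpConnLocalPort\.({IPV4})\.(\d+)\.({IPV4})\.(\d+) = INTEGER: (\d+)")
# udpLocalPort index: localAddr.localPort
UDP_LOCAL = re.compile(rf"UDP-MIB::udpLocalPort\.({IPV4})\.(\d+) = INTEGER: (\d+)")


def parse_snmp_sockets(text):
    """Split TCP-MIB/UDP-MIB rows into listening sockets and established TCP sessions."""
    tcp_listen, tcp_sessions, udp_listen = set(), [], set()
    for line in text.splitlines():
        m = TCP_CONN.search(line)
        if m:
            laddr, lport = m.group(1), int(m.group(2))
            raddr, rport = m.group(3), int(m.group(4))
            if raddr == "0.0.0.0" and rport == 0:
                tcp_listen.add((laddr, lport))          # LISTEN: no peer yet
            else:
                tcp_sessions.append((laddr, lport, raddr, rport))
            continue
        m = UDP_LOCAL.search(line)
        if m:
            udp_listen.add((m.group(1), int(m.group(2))))
    return {"tcp_listen": tcp_listen, "tcp_sessions": tcp_sessions,
            "udp_listen": udp_listen}


def listeners_hidden_from_scan(sockets, scanned_open):
    """TCP ports the server itself reports as listening that the port scan did not
    show as open: services reachable only from inside, or ones the media server
    firewall filters for the scanning host."""
    return sorted({port for _, port in sockets["tcp_listen"]} - set(scanned_open))


def peers_by_port(sockets):
    """Map each listening port to the remote addresses currently connected to it,
    which shows which devices actually use a service before it is restricted."""
    peers = {}
    for _, lport, raddr, _ in sockets["tcp_sessions"]:
        peers.setdefault(lport, set()).add(raddr)
    return peers


if __name__ == "__main__":
    sockets = parse_snmp_sockets(SNMPWALK_S8300)
    print("listening but not open to the scanner:",
          listeners_hidden_from_scan(sockets, NMAP_OPEN_TCP))
    for port, peers in sorted(peers_by_port(sockets).items()):
        print(f"port {port}: connected from {sorted(peers)}")
```

On this excerpt the hidden listeners are TCP 111 and 514, and the session rows show the G350 (10.1.14.101) on the encrypted H.248 port 1039 and the two 4602SW phones on the H.225 port 1720, which is the picture Tables 8-1 and 8-2 predict.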

G350 Media Gateway:

 [root@hackerbox]# snmpwalk -c public -v 1 10.1.14.101
 SNMPv2-MIB::sysDescr.0 = STRING: Avaya Inc., G350 Media Gateway, SW Version 25.23.0
 SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.45.103.2
 IF-MIB::ifDescr.16777216 = STRING: Avaya Inc., G350 Media Gateway, SW Version 25.23.0
 IF-MIB::ifDescr.167774722 = STRING: Avaya Inc., G350 Media Gateway, 10/100Base-Tx, FastEthernet 10/2
 IF-MIB::ifDescr.211828737 = STRING: Avaya Inc., G350 Media Gateway, Vlan, Vlan 1
 IF-MIB::ifDescr.218106371 = STRING: Avaya Inc., G350 Media Gateway, 10/100BaseTx Port
 IF-MIB::ifDescr.268438021 = STRING: Avaya Inc., G350 Media Gateway, Console port, Console
 IF-MIB::ifDescr.788531718 = STRING: Avaya Inc., G350 Media Gateway, USB port, USB-Modem
 IF-MIB::ifDescr.855640581 = STRING: Avaya Inc., G350 Media Gateway, PPP Session, Console
 IF-MIB::ifDescr.855640582 = STRING: Avaya Inc., G350 Media Gateway, PPP Session, USB-Modem
 IF-MIB::ifDescr.872417797 = STRING: Avaya Inc., G350 Media Gateway, External serial Modem, Console
 IF-MIB::ifDescr.872417798 = STRING: Avaya Inc., G350 Media Gateway, External USB Modem, USB-Modem
 IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.1 = IpAddress: 10.1.14.1
 IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.10 = IpAddress: 10.1.14.10
 IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.12 = IpAddress: 10.1.14.12
 IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.99 = IpAddress: 10.1.14.99
 IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.100 = IpAddress: 10.1.14.100
 SNMPv2-SMI::mib-2.47.1.1.1.1.2.27 = STRING: "T1/E1 Media Module"
 SNMPv2-SMI::mib-2.47.1.1.1.1.2.29 = STRING: "Integrated Analog 1T+2L Module"
 SNMPv2-SMI::mib-2.47.1.1.1.1.2.32 = STRING: "Avaya Inc., G350 Converged Media Gateway"
 [root@hackerbox]# snmpwalk -c public -v 1 10.1.14.101 1.3.6.1.4.1.6889
 Lots of info, but very little that appears interesting.

Each IP phone responded to SNMP requests. The snmpwalk utility was used for configuration enumeration. Several IP phones responded despite the fact that the Nmap scan for reported port 161 (SNMP) was in the closed status under the UDP and TCP protocols. The community string used for the scans was public .

Companion Web Site   First, snmpwalk was executed with just the phone's IP address, and then again targeting the Avaya-specific enterprise OID, 1.3.6.1.4.1.6889. The commands executed are listed here. The output of these commands is lengthy, so we include only a few interesting values from each command. The complete output is available on the Hacking Exposed VoIP website (www.hackingvoip.com).

Avaya 4602 IP phone, Extension 211 (IP address 10.1.14.10):

[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.10
SNMPv2-MIB::sysDescr.0 = STRING: MIB Module for 46xx IP Telephones
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.6
SNMPv2-MIB::sysName.0 = STRING: AvayaIPT4602
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.99 = IpAddress: 10.1.14.99
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.100 = IpAddress: 10.1.14.100
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.101 = IpAddress: 10.1.14.101
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.10 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "domestic"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4602D02A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "06GM01006310"
SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "003040202"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:0F:18:5B"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 10.1.14.10
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "4602sbte1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "4602sape1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.1.40.0 = STRING: "Version: 4602E1806(SW): Jun 11 2004"
SNMPv2-SMI::enterprises.6889.2.69.1.2.1.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.2.2.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.2.3.0 = STRING: "10.1.14.10"
SNMPv2-SMI::enterprises.6889.2.69.1.2.4.0 = STRING: "10.1.14.1"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "4602sape1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.4.5.0 = STRING: "G711Ulaw64k,20mS,Sil. Sup.OFF"
SNMPv2-SMI::enterprises.6889.2.69.1.4.6.0 = STRING: "G711Ulaw64k,20mS,Sil. Sup.OFF"
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "211"

Avaya 4602 IP phone, Extension 221 (IP address 10.1.14.12):

[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.12
SNMPv2-MIB::sysDescr.0 = STRING: VxWorks SNMPv1/v2c Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.6
SNMPv2-MIB::sysContact.0 = STRING: Wind River Systems
SNMPv2-MIB::sysName.0 = STRING: AV
SNMPv2-MIB::sysLocation.0 = STRING: Planet Earth
IP-MIB::ipAdEntAddr.10.1.14.12 = IpAddress: 10.1.14.12
TCP-MIB::tcpConnState.10.1.14.12.3778.10.1.14.100.1720 = INTEGER: established(5)
TCP-MIB::tcpConnLocalAddress.10.1.14.12.3778.10.1.14.100.1720 = IpAddress: 10.1.14.12
TCP-MIB::tcpConnLocalPort.10.1.14.12.3778.10.1.14.100.1720 = INTEGER: 3778
TCP-MIB::tcpConnRemAddress.10.1.14.12.3778.10.1.14.100.1720 = IpAddress: 10.1.14.100
TCP-MIB::tcpConnRemPort.10.1.14.12.3778.10.1.14.100.1720 = INTEGER: 1720
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.12 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4602D02A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "06GM01006309"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:0F:18:5A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.10.0 = STRING: "100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 10.1.14.12
SNMPv2-SMI::enterprises.6889.2.69.1.1.19.0 = STRING: "AvayaTFTPserver"
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "b02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "a02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.1.40.0 = STRING: "<ZSPV_x.x>"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "a02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.1 = STRING: "Dec 99 3:59:59:tBoot:msgQSend failed (mt=2, st=0) errno=3d0001, QID=0x806ac160"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.2 = STRING: "Dec 99 23:59:59:tPTunnel:<-- GRQ : msg sent to 10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.3 = STRING: "Dec 99 23:59:59:tReceive:<-- RRQ: msg sent."
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.4 = STRING: "Dec 99 23:59:59:tReceive:--> RCF: msg received"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.5 = STRING: "Dec 99 23:59:59:tReceive:--> L4 Audio changed"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.6 = STRING: "Dec 99 23:59:59:tAudio:. Error: can't disable audio path because audio is already "
SNMPv2-SMI::enterprises.6889.2.69.1.4.5.0 = STRING: "EM_AudioCapability_g711Ulaw64k_chosen"
SNMPv2-SMI::enterprises.6889.2.69.1.4.6.0 = STRING: "EM_AudioCapability_g711Ulaw64k_chosen"
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "221"
SNMPv2-SMI::enterprises.6889.2.69.1.4.28.1.1.1 = STRING: "10.1.14.100"

Avaya 4602 IP phone, Extension 231 (IP address 10.1.14.13):

[root@hackerbox]# snmpwalk -c public -v1 10.1.14.13
SNMPv2-MIB::sysDescr.0 = STRING: VxWorks SNMPv1/v2c Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.7
SNMPv2-MIB::sysContact.0 = STRING: Wind River Systems
IF-MIB::ifDescr.1 = STRING: Avaya0
IF-MIB::ifPhysAddress.1 = STRING: 0:9:6e:12:a:31
IP-MIB::ipAdEntAddr.10.1.14.13 = IpAddress: 10.1.14.13
RFC1213-MIB::ipRouteDest.10.1.14.0 = IpAddress: 10.1.14.0
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.100 = STRING: 0:4:d:e3:e2:b1
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.101 = STRING: 0:4:d:9a:b4:2d
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.210 = STRING: 0:4:75:ed:3f:d9
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.211 = STRING: 0:12:17:50:3e:dd
IP-MIB::ipNetToMediaPhysAddress.2.10.1.14.13 = STRING: 0:9:6e:12:a:31
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.100 = IpAddress: 10.1.14.100
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.101 = IpAddress: 10.1.14.101
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.210 = IpAddress: 10.1.14.210
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.211 = IpAddress: 10.1.14.211
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.1025 = INTEGER: 1025
UDP-MIB::udpLocalPort.0.0.0.0.49300 = INTEGER: 49300
UDP-MIB::udpLocalPort.127.0.0.1.10000 = INTEGER: 10000
[root@hackerbox]# snmpwalk -c public -v1 10.1.14.13 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4610D01A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "06GM27012072"
SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "001010101"
SNMPv2-SMI::enterprises.6889.2.69.1.1.8.0 = STRING: "EJ0718163956"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:12:0A:31"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 10.1.14.13
SNMPv2-SMI::enterprises.6889.2.69.1.1.19.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "b10d01b2_6.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "a10d01b2_6.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.1.40.0 = STRING: "<ZSPV_x.x>"
SNMPv2-SMI::enterprises.6889.2.69.1.1.48.0 = STRING: "700274673"
SNMPv2-SMI::enterprises.6889.2.69.1.1.51.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.63.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.64.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.2.1.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.2.2.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.2.3.0 = STRING: "10.1.14.13"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "a10d01b2_6.bin"

Avaya 4602 IP phone, Extension 251 (IP address 10.1.14.15):

[root@hackerbox]# snmpwalk -c public -v1 10.1.14.15
SNMPv2-MIB::sysDescr.0 = STRING: Avaya Phone
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.2.2
SNMPv2-MIB::sysContact.0 = STRING: Customer support
SNMPv2-MIB::sysName.0 = STRING: AVAEBBBD0
SNMPv2-MIB::sysLocation.0 = STRING: Lincroft New Jersey USA
IF-MIB::ifPhysAddress.2 = STRING: 0:4:d:eb:bb:d0
IP-MIB::ipAdEntAddr.10.1.14.15 = IpAddress: 10.1.14.15
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.15 = STRING: 0:4:d:eb:bb:d0
IP-MIB::ipNetToMediaPhysAddress.2.10.1.14.100 = STRING: 0:4:d:e3:e2:b1
TCP-MIB::tcpConnState.10.1.14.15.4494.10.1.14.100.1720 = INTEGER: established(5)
TCP-MIB::tcpConnLocalAddress.10.1.14.15.4494.10.1.14.100.1720 = IpAddress: 10.1.14.15
TCP-MIB::tcpConnLocalPort.10.1.14.15.4494.10.1.14.100.1720 = INTEGER: 4494
TCP-MIB::tcpConnRemAddress.10.1.14.15.4494.10.1.14.100.1720 = IpAddress: 10.1.14.100
TCP-MIB::tcpConnRemPort.10.1.14.15.4494.10.1.14.100.1720 = INTEGER: 1720
UDP-MIB::udpLocalPort.0.0.0.0.68 = INTEGER: 68
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.1025 = INTEGER: 1025
UDP-MIB::udpLocalPort.0.0.0.0.49300 = INTEGER: 49300
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)
[root@hackerbox]# snmpwalk -c public -v1 10.1.14.15 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.2.1.4.0 = STRING: "h96xx0971SVS.bin"
SNMPv2-SMI::enterprises.6889.2.69.2.1.5.0 = STRING: "h96xx0971SVS.bin"
SNMPv2-SMI::enterprises.6889.2.69.2.1.7.0 = STRING: "b96xx0971SVS.bin"
SNMPv2-SMI::enterprises.6889.2.69.2.1.11.0 = STRING: "G.711U"
SNMPv2-SMI::enterprises.6889.2.69.2.1.12.0 = STRING: "G.711U"
SNMPv2-SMI::enterprises.6889.2.69.2.1.22.0 = STRING: "PX3.2"
SNMPv2-SMI::enterprises.6889.2.69.2.1.33.0 = IpAddress: 10.1.14.15
SNMPv2-SMI::enterprises.6889.2.69.2.1.42.0 = STRING: "00:04:0D:EB:BB:D0"
SNMPv2-SMI::enterprises.6889.2.69.2.1.43.0 = STRING: "9630D01A"
SNMPv2-SMI::enterprises.6889.2.69.2.1.45.0 = STRING: "700383409"
SNMPv2-SMI::enterprises.6889.2.69.2.1.46.0 = STRING: "06N523750175"
SNMPv2-SMI::enterprises.6889.2.69.2.1.58.0 = STRING: "700382922"
SNMPv2-SMI::enterprises.6889.2.69.2.1.59.0 = STRING: "06N523750175"
SNMPv2-SMI::enterprises.6889.2.69.2.2.7.0 = IpAddress: 10.1.14.100

Perhaps the most interesting information here is the names of the binary and configuration files. If an attacker can gather these names and then retrieve the files from a TFTP server, and the files contain passwords or other security-related information, the attacker can exploit the IP phone.
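To make the walk output above useful to a defender rather than just a wall of OIDs, it helps to parse it into an inventory record and flag the disclosures the text singles out: the firmware and script file names a TFTP server will serve, the call server and neighbor addresses, and the MAC. The following is an added example written for this chapter and is not code from the book or from Avaya; the sample input is a constructed subset of the 4602 listing, and the two vendor field names (model, extension) are inferred from that listing rather than taken from the Avaya MIB.

```python
"""Parse snmpwalk output from an Avaya IP phone into an asset record and list
what it discloses. Added example: not from the book or from Avaya."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the chapter's snmpwalk output (a subset of
# the 4602 phone listing, extension 211).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: MIB Module for 46xx IP Telephones
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.6
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.101 = IpAddress: 10.1.14.101
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4602D02A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:0F:18:5B"
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "4602sbte1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "4602sape1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "4602sape1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "211"
"""

# One snmpwalk line: "<OID> = <TYPE>: <value>" as printed by net-snmp.
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")
FILE_RE = re.compile(r"^[\w.-]+\.(?:bin|scr|txt)$", re.IGNORECASE)   # firmware/script names
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$")   # both 00:09:6E and 0:9:6e forms
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Field names for two vendor OIDs, inferred from the chapter's sample output.
# Assumption: not verified against the Avaya MIB.
VENDOR_FIELDS = {
    "SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0": "model",
    "SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0": "extension",
}


@dataclass
class PhoneRecord:
    sys_descr: str = ""
    sys_object_id: str = ""
    fields: dict = field(default_factory=dict)
    files: list = field(default_factory=list)     # names a TFTP server may hand out
    peer_ips: set = field(default_factory=set)    # call server, gateway, ARP neighbors
    macs: set = field(default_factory=set)
    findings: list = field(default_factory=list)


def parse_snmpwalk(text):
    """Return (oid, type, value) triples; quotes are stripped from STRING values."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt lines and wrapped fragments are skipped
        value = m.group("value").strip()
        if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((m.group("oid"), m.group("type"), value))
    return rows


def build_record(rows):
    """Classify each value by shape and summarize what the phone disclosed."""
    rec = PhoneRecord()
    for oid, typ, value in rows:
        if oid == "SNMPv2-MIB::sysDescr.0":
            rec.sys_descr = value
        elif oid == "SNMPv2-MIB::sysObjectID.0":
            rec.sys_object_id = value
        elif oid in VENDOR_FIELDS:
            rec.fields[VENDOR_FIELDS[oid]] = value
        elif FILE_RE.match(value):
            if value not in rec.files:
                rec.files.append(value)
        elif MAC_RE.match(value):
            rec.macs.add(value.upper())
        elif typ == "IpAddress" or IPV4_RE.match(value):
            rec.peer_ips.add(value)
    if rows:
        rec.findings.append("device answered the supplied community string")
    if rec.files:
        rec.findings.append("firmware/script file names disclosed: " + ", ".join(rec.files))
    if rec.peer_ips:
        rec.findings.append("call server/neighbor addresses disclosed: " + ", ".join(sorted(rec.peer_ips)))
    return rec


def audit_walk(text):
    return build_record(parse_snmpwalk(text))


if __name__ == "__main__":
    rec = audit_walk(SAMPLE_WALK)
    print(rec.sys_descr, rec.fields)
    for finding in rec.findings:
        print(" -", finding)
```

Feeding the full walk output of each phone through audit_walk gives one record per phone; the files list is the set of names worth checking on the TFTP server for embedded credentials, and an empty findings list is what you expect after the countermeasures below are applied.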

Countermeasures SNMP Enumeration Countermeasures

There are several countermeasures you can employ to secure SNMP. These are covered next.

Control Access to SNMP

Best practices for network design suggest that SNMP access from the VoIP phone access ports should be tightly limited within an enterprise network. This means that an attacker shouldn't be allowed to simply unplug a VoIP phone, plug his laptop into the access port, and start arbitrarily querying SNMP devices on the VLAN. Strict access control can be applied on the switch to make sure that SNMP management traffic is allowed only from controlled locations.
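The switch ACL enforces this rule, but a defender also wants to know when it is being tested. The following is an added example (not from the book) that applies the same rule as a detection: any SNMP query (UDP/161) aimed at a phone in the voice VLAN that does not come from the management network is flagged, and repeat offenders are counted so a walk across several phones stands out. The 10.1.14.0/24 phone subnet is the chapter's test bed; the 10.1.200.0/24 management subnet and the flow records are constructed for the example.

```python
"""Flag SNMP queries to the voice VLAN that do not originate from the management
network. Added example: subnets and log lines are constructed for illustration."""
import ipaddress
from collections import Counter, namedtuple

VOICE_VLAN = ipaddress.ip_network("10.1.14.0/24")       # phone subnet from the chapter's test bed
MGMT_NETS = [ipaddress.ip_network("10.1.200.0/24")]     # assumed management subnet (constructed)
SNMP_QUERY_PORTS = {161}   # UDP/162 carries traps from device to manager, so it is not a query

# Constructed flow records: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_LOG = """\
2006-05-01T10:00:01 UDP 10.1.200.5:50112 -> 10.1.14.10:161
2006-05-01T10:00:02 UDP 10.1.14.210:45000 -> 10.1.14.10:161
2006-05-01T10:00:03 UDP 10.1.14.210:45001 -> 10.1.14.101:161
2006-05-01T10:00:04 TCP 10.1.14.12:3778 -> 10.1.14.100:1720
2006-05-01T10:00:05 UDP 192.168.5.7:40000 -> 10.1.14.13:161
2006-05-01T10:00:06 UDP 10.1.14.10:1025 -> 10.1.200.5:162
"""

Flow = namedtuple("Flow", "ts proto src sport dst dport")


def parse_flow(line):
    """Parse one constructed flow record; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    try:
        return Flow(parts[0], parts[1].upper(),
                    ipaddress.ip_address(src), int(sport),
                    ipaddress.ip_address(dst), int(dport))
    except ValueError:
        return None


def is_unauthorized_snmp(flow):
    """True when an SNMP query hits a voice-VLAN host from outside the management nets."""
    if flow.proto != "UDP" or flow.dport not in SNMP_QUERY_PORTS:
        return False
    if flow.dst not in VOICE_VLAN:
        return False
    return not any(flow.src in net for net in MGMT_NETS)


def find_violations(log_text):
    flows = (parse_flow(line) for line in log_text.splitlines())
    return [f for f in flows if f is not None and is_unauthorized_snmp(f)]


def sources_by_count(violations):
    """Count offending sources; several hits from one host suggest a walk across phones."""
    return Counter(str(v.src) for v in violations)


if __name__ == "__main__":
    hits = find_violations(FLOW_LOG)
    for flow in hits:
        print(f"{flow.ts} unauthorized SNMP {flow.src} -> {flow.dst}:{flow.dport}")
    print(sources_by_count(hits))
```

The same predicate, with the management networks taken from your own address plan, is what the switch ACL should express; running it over exported flow or ACL-log data tells you whether the ACL is actually in place on every access port.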

Disable SNMP If Not Needed

You should disable SNMP if it is not being used. Avaya has been in the process of disabling SNMP by default on new firmware loads. An Avaya Security Advisory along with a new version of firmware is being released. For more information, see http://support.avaya.com/elmodocs2/security/ipphone_snmp_secv7.pdf.

Use Secure Versions of SNMP

Another countermeasure is to avoid SNMPv1 and SNMPv2 in favor of SNMPv3. At the current time, however, Avaya does not support SNMPv3 on their IP phones.

Change Community Strings

Community strings are like passwords. It is always wise to change the default to a new, hard-to-guess value.

H.323 Software Release 2.6 for the 4610SW, 4620SW, 4621SW, and 4622SW IP telephones in software bundle 081406 does not support a default value for the SNMP community string. Therefore, phones upgraded to Release 2.6 will not support SNMP unless an SNMP community string is configured.



Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158