The CSI/FBI Computer Crime and Security Survey for 2005 implies that insider abuse is still very much a threat to the enterprise. Insiders are typically those people who already have some level of trusted access to an organization's network, such as an employee, contractor, partner, or customer. Obviously, the more trust an organization places in someone on the inside, the more damaging an impact his malicious actions will have.
Most of the upcoming chapters will take the perspective of an inside attacker. For the purpose of this chapter, however, we've taken the viewpoint that the potential VoIP hacker is beginning his efforts external to the targeted organization. In other words, he is neither a disgruntled employee who has intranet access nor an evil system administrator who already has full run of the network.
You can safely assume though that the hacker's first order of business is to gain internal access remotely in order to launch some of the more sophisticated attacks outlined later in this book. While it's often trivial for a hacker to gain inside access, footprinting still reaps rewards by helping to fuel some of the more advanced VoIP attacks discussed in later chapters.
Time and time again throughout this book, we will emphasize the importance of supporting infrastructure security. Because of the security posture dependencies that VoIP places on your traditional data network, it's not uncommon for attackers to compromise a trusted workstation or server to gain access to the VoIP network.
VoIP installations can be tightly confined to one geographic location or deployed across multiple regions with users making calls from the office, their homes, or the road. Because most VoIP technology is extensible enough to deploy in a myriad of scenarios, it is important to define the scope and goals of your hacking efforts well in advance. If the goal of these hacking simulations is to secure the VoIP services of your branch office, the exercise is pointless if you completely overlook the security holes in your main headquarters' VoIP PBX, on which the branch depends.
It's often hard to discern all of these VoIP security dependencies ahead of time. Footprinting can sometimes paint only part of the network picture no matter how much time and effort you put into the research. Other key areas might gradually appear only later in the scanning and enumeration phases.
A wealth of information is usually sitting right out in the open on an organization's corporate website. Of course, this information is typically regarded as benign because its main purpose is to help promote, educate, or market to external visitors. Unfortunately, this information can also aid attackers by providing the contextual details required to social engineer their way into the network. The following classes of data can provide useful hints and starting points for a hacker to launch an attack:
Organizational structure and corporate locations
Help and tech support
Phone numbers and extensions
Identifying the names of people in an organization may prove helpful in guessing usernames or social engineering other bits of information further down the road. Most companies and universities provide a Corporate Information or Faculty section on their website, like the one shown in Figure 1-2.
Location information for branch offices and corporate headquarters is useful in understanding the flow of traffic between two VoIP call participants. This information is also helpful for getting within range of an office building to attack the VoIP traffic going over its wireless networks. Both Google and Microsoft provide online satellite imaging tools, as shown in Figures 1-3 and 1-4, to aid even the most directionally challenged hacker.
Some sites, especially universities, offer an online knowledgebase or FAQ for their VoIP users. The FAQ might contain gems of information including phone type, default voicemail PINs, or remotely accessible links to web administration (as seen in Figure 1-5).
In Figure 1-6, you can see that a Cisco IP Phone 7960 is being used throughout the Harvard campus community.
Why should you care? A hacker can cross-reference this juicy bit of information against several free online vulnerability databases to see if the device has any security holes. Sure enough, under the listing for Cisco IP Phone 7960, SecurityFocus.com tells us about several previously discovered vulnerabilities for this device and gives information on how to exploit each issue (see Figure 1-7).
Even though the university makes sure to patch all of these phones with the latest firmware, a hacker may still encounter the rare device that escaped an administrator's attention. The ongoing challenge of keeping VoIP devices and infrastructure updated with the latest firmware is covered in Part II: "Exploiting the VoIP Network."
Job listings on corporate web sites contain a treasure trove of information on the technologies used within an organization. For instance, the following snippet from an actual job posting for a "VoIP Systems Architect" strongly suggests that Avaya VoIP systems are in use at this company.
Required Technical Skills:
* Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails
* Advanced programming knowledge of the Avaya Communication Servers and voicemails.
Simply finding phone numbers on the corporate website is not going to reveal a lot about any potential VoIP systems in use. However, compiling a profile of how the numbers and extensions are organized internally will be helpful later on. For instance, branch offices typically share a one- or two-digit prefix that is unique to that site. An easy way to find many of the numbers you're looking for on the website is to use Google,
which returns all 70+ pages with a telephone number in the format XXX-XXXX. To further refine your search, you can simply add an area code if you're looking for a main switchboard,
877 111..999-1000..9999 site:www.example.com
which now returns only three hits.
Companion Web Site: Once you have what appears to be a few main switchboard numbers, you can then try calling them after normal business hours. Most VoIP systems include an automated attendant feature that can answer calls during or after hours with a prerecorded message. While not an exact science, many of these messages are unique to each VoIP vendor in wording and voice. Simply by listening to the factory default main greeting, hold music, or voicemail messages, a hacker can sometimes narrow down the type of system running. We have included some recorded transcripts and messages on our website, http://www.hackingvoip.com, to assist you. For instance, the open source Trixbox project built on Asterisk (http://www.trixbox.org) will respond to a missed call by default with a female voice that says: "The person at extension X-X-X-X is unavailable. Please leave your message after the tone. When done, please hang up or press the pound key. [beep]"
As discussed earlier, most of the information on a public web site is likely benign in nature until a hacker starts to connect the dots. In practice, the previous information is typically pretty difficult and unreasonable to police, especially since website authors update this information fairly often. The best advice we have is to limit the amount of technical system information in job descriptions and online help pages (including default passwords).
One of the great benefits of Internet search engines today is their massive potential for unearthing the most obscure details on the Internet. One of the biggest security risks of Internet search engines today is also their massive potential for unearthing the most obscure details on the Internet. There have been entire books written on the subject of hacking using search engine technology, including Google Hacking for Penetration Testers by Johnny Long (Syngress 2004). When footprinting a VoIP network, there are a variety of ways a hacker can leverage search engines by simply using the advanced features of a service such as Google. Targeting the following categories of search results can often provide rich details about an organization's VoIP deployment:
VoIP vendor press releases and case studies
Mailing lists and local user group postings
Web-based VoIP logins
When VoIP vendors have obtained permission to do so, some of them will issue a press release about a big sales win, usually including a quote from the customer. Additionally, many VoIP vendor sites include case studies that sometimes go into detail about the specific products and versions that were deployed for a customer. Confining your search to the VoIP vendor's site might hit paydirt with one such case study. In Google, try, for example, typing
site:avaya.com case study
site:avaya.com [ company name ]
In the same way that job descriptions are chock full of potentially useful information for a hacker, so too are resumes. Some creative search terms can unearth particularly useful bits of information from resumes, such as:
"Phase I: designed and set up a sophisticated SIP-based VoIP production Asterisk PBX with headsets and X-Lite softphones."
"Provided security consulting, VPN setup, and VoIP assistance including CallManager installation with Cisco 7920 IP Phones."
"Successfully set up and installed Nortel Meridian PBX and voicemail system."
Today's technical mailing lists and user support forums are an invaluable resource to a network administrator trying to learn about VoIP technology for the first time. Often, an administrator with the best of intentions will reveal too many details in order to elicit help from the online community. In some cases, a helpful administrator may even share his configuration files publicly in order to teach others how to enable a certain hard-to-tune feature. For instance, the following example reveals what type of VoIP PBX is in use, as well as the type of handsets being employed:
We just got a new IP Office 406 system in our office in San Jose, CA. I'm in IT and will help manage the system. We have complete support from a local VAR for one year, however, this is the first implementation for IP Office so they are learning, too.
So far our major issues are:
1) Dial-by-name directory not delivered from Avaya. Our VAR said Avaya said maybe next week it will be ready.
2) Programming DSS buttons crashes the system. Our VAR said Avaya said this is a known problem and they are working on it. What I am trying to accomplish is, for example, I want to be able to answer the phone of my assistant's extension and I want it to actually ring on my phone. On our old NEC system a light appeared on the phone. Our VAR said I had to use DSS, but 1) the phone does not actually ring; the line only flashes, and 2) it crashes the system, or actually the digital card, the VAR said.
3) We have to reboot the system when we want to add extensions and update other settings. So far, the "Merge" option has not worked for us.
4) The 4412D+ handsets are nice but they do not fit well into the cradle and sometimes leave the phone off the hook!
We have three 30-port D-term modules and two analog modules. We also have Voicemail Pro with Phone Manager Lite. If there is other information I can provide please let me know. If there is another forum or website I should also be looking at, I'd appreciate that information, too. Thanks again,
[Name removed to protect the innocent]
National and local user conferences are typically attended by enterprises using those vendors' systems. While the conference proceedings are often restricted to paying members of the group, sometimes there are free online materials and agendas that may still help with footprinting. As a starting point, aim your search engine at one of the following good user-group sites.
International Alliance of Avaya Users
International Nortel Networks Users Association
Asterisk User Forum
Most VoIP devices provide a web interface for administrative management and for users to modify their personal settings (voicemail, PIN, forwarding options, among others). These systems should generally not be exposed to the Internet in order to prevent password brute-force attacks, or worse yet, exposing a vulnerability in the underlying web server. However, search engines make it easy to find these types of sites. For instance, many Cisco CallManager installations provide a user options page that is typically accessible at http://www.example.com/ccmuser/logon.asp. Typing the following into Google will uncover several CallManager installations exposed to the Internet:
Or to refine your search to a particular target type:
Many Cisco IP phones come installed with a web interface that is also handy for administration or diagnostics. Type the following into Google:
Some of these web interfaces are also exposed to the Internet and reveal extremely useful information (like non-password-protected TFTP server addresses) when you click the Cache link, as shown in Figure 1-8.
Asterisk is probably the most popular open source IP PBX software in use today. You can also use Google to find several web management front ends to Asterisk:
intitle:"Flash Operator Panel" -ext:php -wiki -cms -inurl:asternic -inurl:sip -intitle:ANNOUNCE -inurl:lists
Companion Web Site: There are some more general search terms for network devices that can be found in the Google Hacking Database (GHDB) project at http://johnny.ihackstuff.com. We have also uploaded a collection of popular Google VoIP hacking terms to our website, http://www.hackingvoip.com.
In addition, here is a sampling from our online collection of other web-based VoIP phones and PBXs that can be found with Google:
Linksys (Sipura) series of phones: intitle:"Sipura SPA Configuration"
Grandstream series of phones: intitle:"Grandstream Device Configuration" password inurl:"coreConf.htm"
Polycom SoundPoint series of phones: intitle:"SoundPoint IP Configuration Utility"
Zultys series of phones: intitle:"VoIP Phone Web Configuration Pages"
Snom series of phones: "(e.g. 0114930398330)" snom
Snom phones also include a potentially dangerous "feature" called PCAP Trace, which reads as shown here.
If the phone is left in its default non-password-protected state, anyone can connect with a web browser and start to sniff traffic. This is especially dangerous if the phone is connected to a hub with other users!
All of the previous Google hacking examples can be refined to your organization simply by adding your company name to the search or adding a site directive that narrows the search space (for example, "site:mycompany.com"). Proactively finding exposed web logins for your VoIP devices removes a lot of low-hanging fruit for hackers. At the very least, you should change the default passwords for any VoIP web logins that need to be Internet-accessible. For the most part, however, there's no good reason why a phone or PBX has to be exposed to the Internet.
There are even services that will monitor this for you. Organizations such as Cyveilance (www.cyveilance.com) and BayTSP (www.baytsp.com) send daily, weekly, or monthly reports of your online public presence, including your "Google hacking" exposure.
Every organization with an online presence relies on DNS in order to route website visitors and external email to the correct places. DNS is the distributed database system used to map hostnames to IP addresses (and back). In addition to DNS, regional public registries exist that manage IP address allocations:
APNIC (http://www.apnic.net) Asia Pacific
ARIN (http://www.arin.net) North and South America, part of Africa
LACNIC (http://www.lacnic.net) Latin America and the Caribbean
RIPE (http://www.ripe.net) Europe, Middle East, and parts of Asia and Africa
AfriNIC (http://www.afrinic.net) Eventually all of Africa
Most of these sites support a WHOIS search, revealing the IP address ranges that an organization owns throughout that region. For instance, going to ARIN's website and searching for Tulane produces the following results:
Tulane University (TULANE)
Tulane University (TULANE)
Tulane University (TULANE-1)
Tulane University (AS10349) TULANE 10349
Tulane University (AS10349) TULANE 10349
Tulane University TULANE-NET (NET-129-81-0-0-1)
Tulane University TULANEU-WSTR (NET-65-36-67-128-1)
TULANE EXECUTIVE CENTER-050908164403 SBC07025310201629050908164407 (NET-70-253-102-16-1)
Tulane University SBCIS-021405090840 (NET-216-62-170-96-1)
Tulane University SUNGARD-D9DC603B-C4A4-4879-9CE (NET-216-83-175-144-1)
Tulane University SUNGARD-D9DC603B-C4A4-4879-9CE (NET-216-83-175-128-1)
Tulane University SBC06915011614429040517161331 (NET-69-150-116-144-1)
Tulane University TULANE-200501121422549 (NET-199-227-217-248-1)
Tulane University 69-2-56-72-29 (NET-69-2-56-72-1)
Tulane University 69-2-52-176-28 (NET-69-2-52-176-1)
Notice that several IP address ranges are listed toward the bottom of the query results; these offer a hacker a starting point for the scanning covered in the next chapter. The most interesting range seems to be 129.81.x.x. WHOIS searches won't always reveal all of the IP ranges an organization uses, especially if it outsources its web and DNS hosting. In that case, you can do a WHOIS lookup on the DNS domain itself rather than on the organization name. Most *NIX systems support the whois command:
# whois tulane.edu
Alternatively, several websites offer a free WHOIS domain lookup service that will resolve the correct information regardless of country or the original DNS registrar. Going to http://www.allwhois.com gives us:
Domain Name: TULANE.EDU
Registrant:
Tulane University
1555 Poydras St., STE 1400
New Orleans, LA 70112-5406
UNITED STATES
Administrative Contact:
Tim Deeves
Director of Network Services
Tulane University - Technology Services
1555 Poydras St., STE 1400
New Orleans, LA 70112
UNITED STATES
(504) 314-2551
firstname.lastname@example.org
Technical Contact:
Tim Deeves
Director of Network Services
Tulane University - Technology Services
1555 Poydras St., STE 1400
New Orleans, LA 70112
UNITED STATES
(504) 314-2551
email@example.com
Name Servers:
NS1.TCS.TULANE.EDU
NS2.TCS.TULANE.EDU
Domain record activated: 14-Apr-1987
Domain record last updated: 11-Aug-2006
Domain expires: 31-Jul-2007
After performing some WHOIS research, hackers can start to lay out the external network topology of the organization they wish to target. For the purposes of this example, you have two main DNS servers to focus on for tulane.edu, based on the WHOIS lookup in the previous section. By using simple queries, hackers can glean important information about many hosts that may be exposed to the Internet without even scanning them directly. In Figure 1-9, using Solarwinds DNS Analyzer (http://www.solarwinds.net), you can represent the DNS structure of tulane.edu graphically, including the SMTP servers identified by the MX records.
Based on this information, hackers can determine which servers are running DNS and SMTP services before even scanning the rest of the IP address space. Using the results from the previous queries, they might next look for any other interesting hostnames with public DNS entries that exist within the 129.81.x.x range identified earlier. With a tool such as DNS Audit (also from Solarwinds), you can "brute force" the entire range of IP addresses to see if any of them return a valid reverse DNS lookup (see Figure 1-10).
Hackers are bound to find informative DNS names such as vpn.example.com, callmanager.example.com, and router.example.com, or even voicemail.example.com, which will likely warrant a closer investigation. In addition to some of the tools at Solarwinds, most of these DNS interrogation attacks can be scripted or automated easily using public website DNS search tools.
WHOIS information is by its very nature meant to be publicized. Administrative contact email addresses, however, can be generic (firstname.lastname@example.org) rather than using a personal address (email@example.com).
DNS interrogation can reveal a lot about an organization, simply by the way certain servers are named. For instance, instead of naming a server "callmanager.example.com," consider something a little more discreet such as "cm.example.com," or something even more obscure.
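A self-audit version of the reverse DNS sweep described above, written here as an added example (it is not from the book or from Solarwinds): it reverse-resolves a netblock with the Python standard library and flags PTR names that give away a host's role, so an administrator can spot the names worth making more discreet. The keyword list and the 192.0.2.x PTR table are constructed assumptions; drop the `resolver` argument to run live lookups against your own range.

```python
"""Self-audit: reverse-sweep a netblock and flag PTR names that reveal a host's role."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Role words a footprinter would look for. Assumed list: the four names from the
# text (vpn, callmanager, router, voicemail) plus common VoIP-related terms.
ROLE_KEYWORDS = ("vpn", "callmanager", "cucm", "router", "voicemail", "vmail",
                 "sip", "pbx", "asterisk", "ipoffice", "tftp")

# Constructed PTR table (RFC 5737 test addresses) so the example runs offline.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.1": "router.example.com",
    "192.0.2.2": "callmanager.example.com",
    "192.0.2.3": "cm.example.com",          # the discreet name the text suggests
    "192.0.2.4": "voicemail.example.com",
    "192.0.2.5": "tftp-srv.example.com",
}

Result = Tuple[str, str, List[str]]  # (ip, ptr name, role hints found in it)


def reverse_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def role_hints(hostname: str) -> List[str]:
    """Role keywords appearing in the hostname's labels (split on '.', '-', '_')."""
    labels = re.split(r"[.\-_]", hostname.lower())
    return [kw for kw in ROLE_KEYWORDS if any(kw in lab for lab in labels)]


def sweep(cidr: str,
          resolver: Callable[[str], Optional[str]] = reverse_lookup) -> List[Result]:
    """Reverse-resolve every host address in cidr and keep those that have a PTR."""
    hits: List[Result] = []
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        name = resolver(str(addr))
        if name:
            hits.append((str(addr), name, role_hints(name)))
    return hits


def summarize(results: List[Result]) -> Dict[str, int]:
    """Counts a defender cares about: PTRs that exist, and PTRs that leak a role."""
    return {"resolved": len(results),
            "role_revealing": sum(1 for _, _, hints in results if hints)}


if __name__ == "__main__":
    found = sweep("192.0.2.0/29", resolver=SAMPLE_PTR.get)
    for ip, name, hints in found:
        print(f"{ip:<12} {name:<28} {'LEAKS ' + ','.join(hints) if hints else 'ok'}")
    print(summarize(found))
```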
It is important to disable anonymous zone transfers on your DNS servers so that hackers can't simply download your entire DNS database. Enabling Transaction Signatures (TSIG) restricts zone transfers to trusted hosts. You also shouldn't use the HINFO record within DNS: this free-text field can reveal a lot about the host at a target IP address.
Also, most hosting providers now offer anonymous DNS service options that hide your personal details from curious eyes (for a price).