"[Gibson demonstrated the site last week to the Pasadena IBM Users Group.] What was truly amazing, unrehearsed and a surprise to everyone, happened when Gibson connected to the Internet to show off his site ... Within a minute, BlackICE, his personal firewall, alerted him to a hacker scanning for an open port. Every pocket protector in the room started flapping."
In the previous chapter, you learned how to surreptitiously scout out a range of IP addresses that might include VoIP gear and supporting infrastructure. The next logical step is to probe each IP address in that range for evidence of live systems and identify the services running on each system. If footprinting can be compared to an art thief casing the Louvre, then scanning can be compared to the thief sneaking around the museum to locate all the open doors and windows.
A VoIP environment is so much more than just phones and servers. Because the availability and security of VoIP networks rely so heavily on supporting infrastructure, an attacker would be silly to confine his scope to just devices running VoIP services. It behooves him to identify and map out other core network devices, including routers and VPN gateways, web servers, TFTP servers, DNS servers, DHCP servers, RADIUS servers, firewalls, intrusion prevention systems, and session border controllers, to name a few.
For instance, if an attacker were able to locate and knock down your TFTP server, several models of phones trying to download configuration files on bootup might crash or stall. If an attacker can cause your core routing and switching gear to reboot at will by breaking into an administrative port, your VoIP traffic will obviously also be adversely affected. If your DHCP server is overwhelmed or maliciously crashed, phones trying to request an IP address on bootup will not be usable either. These are just a few examples of how intertwined your existing data network is with your VoIP applications.
By the end of this scanning effort, you should be able to identify core network infrastructure and any network-accessible VoIP systems in your environment.