List of Figures

Chapter 1: Footprinting a VoIP Network

Figure 1-1: The VoIP security pyramid sliced open
Figure 1-2: A few names to get started
Figure 1-3: Use Microsoft's TerraServer to locate your target, in this case the Spy Museum in Washington DC.
Figure 1-4: Google Local can help locate targets in any town.
Figure 1-5: Here a hacker can figure out where your online voicemail system is installed.
Figure 1-6: A brief overview of Harvard's VoIP offering
Figure 1-7: SecurityFocus catalogs a good collection of vulnerabilities for a variety of products, including the Cisco IP Phone 7960.
Figure 1-8: The network settings for a phone exposed to the Internet, including IP addresses for TFTP servers, the CallManager server, and the router
Figure 1-9: A graphical structure of the Tulane DNS and SMTP servers
Figure 1-10: Some interesting DNS names are attached to this IP address space.

Chapter 2: Scanning a VoIP Network

Figure 2-1: SIP environment network map
Figure 2-2: SuperScan from Foundstone quickly returns our ping sweep results.
Figure 2-3: SolarWinds Ping Sweep tool
Figure 2-4: SuperScan host probing other ICMP options
Figure 2-5: MAC Address Discovery tool from SolarWinds
Figure 2-6: SNMP scanning using SNScan within an organization

Chapter 3: Enumerating a VoIP Network

Figure 3-1: SiVuS helps us find the same information we found manually with the click of a button.
Figure 3-2: The Retina scanner against the Polycom phone
Figure 3-3: The Saint scanner in action against the Polycom phone
Figure 3-4: Selecting the specific Nessus scanning modules to run against the phone
Figure 3-5: Selecting the VoIP exploit plugins to launch
Figure 3-6: SIPSCAN using REGISTER requests against the Asterisk deployment at
Figure 3-7: Using SIPSCAN against our Cisco IP Phone 7912 to find its extension
Figure 3-8: SNMPSweep shows that the Avaya IP phone and Zultys Zip2 phone both responded to SNMP probes with the "public" community string.
Figure 3-9: SolarWinds' MIB browser finding the Avaya OID

Chapter 4: VoIP Network Infrastructure Denial of Service (DoS)

Figure 4-1: Cisco Policy Manager 3.2
Figure 4-2: Wireshark raw packet capture
Figure 4-3: RTP Streams overview
Figure 4-4: Graph of jitter over time
Figure 4-5: Empirix Hammer Call Analyzer
Figure 4-6: WildPackets EtherPeek VoIP analysis

Chapter 5: VoIP Network Eavesdropping

Figure 5-1: Netstumbler shows which networks are using WEP encryption.
Figure 5-2: Ministumbler is a stripped-down version of Netstumbler that runs on PDAs.
Figure 5-3: Beware of the Snom phone packet capture feature!
Figure 5-4: A Metasploit Framework exploit for Windows
Figure 5-5: Wireshark's VoIP call analyzer
Figure 5-6: Wireshark RTP Streams listing
Figure 5-7: Wireshark RTP Stream Analysis
Figure 5-8: Saving the stream as an audio file
Figure 5-9: Cain and Abel
Figure 5-10: Cain and Abel's VoIP reconstruction
Figure 5-11: DTMF Decoder translating the touch tones for 1-2-3-4

Chapter 6: VoIP Interception and Modification

Figure 6-1: Our SIP test bed
Figure 6-2: Cain's MAC Address Scanner
Figure 6-3: List of newly found hosts
Figure 6-4: New ARP Poison Routing window
Figure 6-5: Selecting the ARP poisoning victims
Figure 6-6: All ready to begin the ARP poisoning
Figure 6-7: Packet interception after our phone call
Figure 6-8: Our captured conversation converted to a WAV file
Figure 6-9: Capturing SIP hashes
Figure 6-10: Listing of all passwords we can try to crack
Figure 6-11: Cracking the phone's password through a brute-force attack
Figure 6-12: ettercap setup
Figure 6-13: ettercap is now ready to start scanning for hosts.
Figure 6-14: Our targets are now selected.
Figure 6-15: Our active VoIP connection
Figure 6-16: Dialog box showing a possible man-in-the-middle attack as it's occurring
Figure 6-17: Rogue SIP B2BUA
Figure 6-18: Rogue SIP proxy
Figure 6-19: SIP test bed
Figure 6-20: Using a rogue SIP B2BUA to tap a call

Chapter 7: Cisco Unified CallManager

Figure 7-1: The SCCP call setup
Figure 7-2: The media setup
Figure 7-3: The session teardown
Figure 7-4: Loading the traffic capture of Skinny communications in Wireshark
Figure 7-5: Single site Cisco VoIP deployment
Figure 7-6: Centralized multisite VoIP deployment
Figure 7-7: Finding the phones in order to disable the web browser
Figure 7-8: CDP dump in Wireshark of a Cisco SIP 7960 phone
Figure 7-9: SNMP browsing of a Cisco CallManager
Figure 7-10: SNMP Service Properties window editing the Public string
Figure 7-11: Metasploit Framework with the infamous LSASS vulnerability
Figure 7-12: Cisco Voice Technology Group Subscription Tool
Figure 7-13: Cisco Product Alert Tool
Figure 7-14: Disabling features on a Cisco hard phone

Chapter 8: Avaya Communication Manager

Figure 8-1: Avaya media servers
Figure 8-2: Avaya media gateways
Figure 8-3: Avaya systems and number of supported stations
Figure 8-4: Selected Avaya IP phones
Figure 8-5: Avaya Standard Management Solution main screen
Figure 8-6: Example System Access Terminal (SAT) screen
Figure 8-7: Management systems and systems using APIs
Figure 8-8: Small site configuration
Figure 8-9: Large site configuration containing several small sites
Figure 8-10: Avaya test bed
Figure 8-11: IP phone signaling and audio ports
Figure 8-12: IP phone initialization and address resolution ports
Figure 8-13: IP phone application resolution ports
Figure 8-14: Service Access control screen
Figure 8-15: Firewall control screen

Chapter 9: Asterisk

Figure 9-1: Asterisk as a PBX gateway
Figure 9-2: Asterisk test configuration

Chapter 10: Emerging Softphone Technologies

Figure 10-1: Making a call with Skype
Figure 10-2: SkypeKiller lets you uninstall Skype.
Figure 10-3: Making a call with Gizmo
Figure 10-4: Setting preferences in Gizmo
Figure 10-5: VoIP and Google Talk
Figure 10-6: VoIP and AOL Triton
Figure 10-7: VoIP and Windows Live Messenger
Figure 10-8: VoIP and Yahoo Messenger with Voice
Figure 10-9: A traditional click-to-call dialog box

Chapter 11: VoIP Fuzzing

Figure 11-1: TCPView running on the softphone host
Figure 11-2: The Pingtel SIP Softphone
Figure 11-3: The Pingtel crash error message
Figure 11-4: The Codenomicon SIP test tool

Chapter 12: Flood-based Disruption of Service

Figure 12-1: Flood-based disruption of service
Figure 12-2: SIP test bed
Figure 12-3: Basic setup for flood-based attacks
Figure 12-4: SIP phone with over 12,000 missed calls
Figure 12-5: Targeting a SIP proxy with a nonexistent SIP phone
Figure 12-6: Targeting a SIP proxy with an invalid IP domain address
Figure 12-7: Targeting a SIP proxy with an invalid domain name
Figure 12-8: Targeting a SIP proxy with an invalid SIP phone in another domain
Figure 12-9: Targeting a SIP proxy with a valid SIP phone in another domain
Figure 12-10: Targeting a SIP proxy for a valid SIP phone
Figure 12-11: Targeting a SIP proxy when authentication is enabled
Figure 12-12: Using SiVuS to target a SIP proxy with an invalid SIP phone
Figure 12-13: Using SiVuS to target a SIP proxy with a valid SIP phone
Figure 12-14: Targeting SIP phones with INVITE floods using SiVuS
Figure 12-15: Operating a media gateway in a SIP network

Chapter 13: Signaling and Media Manipulation

Figure 13-1: Registration removal with SiVuS
Figure 13-2: Registration addition with SiVuS
Figure 13-3: Registration hijacking
Figure 13-4: MITM registration hijacking
Figure 13-5: Registration hijacker attack approach
Figure 13-6: SIP phone reboot with SiVuS
Figure 13-7: RTP insertion/mixing

Chapter 14: SPAM over Internet Telephony (SPIT)

Figure 14-1: SPIT call product examples
Figure 14-2: SPIT test bed

Chapter 15: Voice Phishing

Figure 15-1: A traditional phishing campaign
Figure 15-2: The PayPal voice phishing email
Figure 15-3: Getting an 800 number through a VoIP provider is easy.
Figure 15-4: The Trixbox administrative web console
Figure 15-5: Voice phishing hits the mainstream.

Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158