Chapter 3: Enumerating a VoIP Network

It pays to be obvious, especially if you have a reputation for subtlety.
Isaac Asimov


Now that the hacker has developed a list of active IP addresses and services in your VoIP environment, the next logical step is to probe those services aggressively in search of known weaknesses and vulnerabilities. This process is called enumeration and is more intrusive and noisy than the reconnaissance techniques we have covered so far. In the last chapter, we compared scanning to a masterful art thief walking around the Louvre checking for doors. Enumeration can best be compared to that same thief going one step further and rattling door knobs loudly until he finds an unlocked one.

The goal of enumeration is to leverage the target's open services to glean sensitive information that can assist in launching further attacks. For example, an effective enumeration technique covered in this chapter involves brute forcing VoIP PBXs and phones in order to generate a list of valid phone extensions. Gleaning the phone extensions that are active on a VoIP network is necessary for attacks such as INVITE floods and REGISTER hijacking, which are covered in Chapters 12 and 13, respectively.
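Extension brute forcing leaves a characteristic footprint on the registrar: one source address asks about many different users in a short time, and the server's answers differ between users that exist and users that do not. The following detector is an added example written for this chapter, not code from the book or from any product it describes. It parses constructed SIP request log lines in an assumed one-line-per-request format (timestamp, source IP, method, Request-URI, response code) and flags any source that probed at least `min_distinct` distinct extensions within a `window` of seconds; it also reports which response code each probed extension received, since a registrar that answers known and unknown users identically gives the enumerator nothing to work with.

```python
import re
from collections import defaultdict

# Constructed sample log (not captured from a real PBX). Assumed format:
# "<epoch> <src_ip> <method> sip:<user>@<host> <response_code>"
SAMPLE_LOG = """\
1700000000 192.0.2.10 REGISTER sip:200@pbx.example 401
1700000001 192.0.2.10 REGISTER sip:201@pbx.example 404
1700000002 192.0.2.10 REGISTER sip:202@pbx.example 404
1700000003 192.0.2.10 REGISTER sip:203@pbx.example 401
1700000004 192.0.2.10 REGISTER sip:204@pbx.example 404
1700000005 192.0.2.10 REGISTER sip:205@pbx.example 404
1700000010 198.51.100.7 REGISTER sip:1001@pbx.example 401
1700000011 198.51.100.7 REGISTER sip:1001@pbx.example 200
1700000100 192.0.2.10 OPTIONS sip:206@pbx.example 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"sip:(?P<user>[^@\s]+)@\S+\s+(?P<code>\d{3})$"
)


def parse_lines(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["code"] = int(d["code"])
            events.append(d)
    return events


def find_enumerators(events, window=60, min_distinct=5):
    """Return {src_ip: sorted list of every extension that source probed} for each
    source that asked about at least `min_distinct` different users within any
    `window`-second span. A legitimate phone re-registering its own extension
    never reaches the threshold, however often it retries."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct:
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged


def response_profile(events, src):
    """Map each extension a source probed to the last response code it received.
    Differing codes across extensions are the signal an enumerator sorts valid
    users from invalid ones by; uniform responses remove that signal."""
    profile = {}
    for e in events:
        if e["src"] == src:
            profile[e["user"]] = e["code"]
    return profile


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for src, users in find_enumerators(evs).items():
        print(f"{src} probed {len(users)} extensions: {', '.join(users)}")
        print("  responses:", response_profile(evs, src))
```

Run against the constructed sample, the detector flags 192.0.2.10 (seven distinct extensions, six of them within five seconds) and ignores 198.51.100.7, which only registered its own extension and retried once after a challenge. The thresholds are assumptions to tune per site; on a PBX with many phones behind one NAT address, key the window on the source port or the SIP Call-ID as well as the address.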

Enumerating common VoIP infrastructure support services, such as TFTP and SNMP, can also often unearth a treasure trove of sensitive configuration information. As you saw in the Google hacking exercise in Chapter 1, many VoIP phones come installed with active web servers on them by default so that an administrator can easily configure them. Unfortunately, these web interfaces can reveal very sensitive device and network configuration details given the right enumeration techniques.

This chapter will discuss some of the enumeration techniques relevant to SIP-based devices, as well as targeting the highly exposed VoIP support services such as TFTP, SNMP, and others. The chapter begins, however, with a review of SIP and RTP.

