Voice over IP (VoIP) has finally come of age and is being rapidly embraced across most markets as an alternative to the traditional public-switched telephone network (PSTN). VoIP is a broad term, describing many different types of applications (hard phones, softphones, proxy servers, Instant Messaging clients, peer-to-peer clients, and so on), installed on a wide variety of platforms (Linux, Windows, VxWorks, mobile devices, PCs, and so on), and using a wide variety of both proprietary and open protocols (SIP, RTP, H.323, MGCP, SCCP, Unistim, SRTP, ZRTP, and so on) that depend heavily on your preexisting data network's infrastructure and services (routers, switches, DNS, TFTP, DHCP, VPNs, VLANs, and so on). Correspondingly, VoIP security is just as broad a subject thanks to the heterogeneous nature of these environments found in the consumer, enterprise, carrier, and small/medium-sized business markets.
In order to narrow the focus, we decided to cater mainly to the enterprise IT audience and include some of the more popular deployments in our target list. Because VoIP packetizes phone calls through the same routes used by traditional enterprise data networks today, it is consequently prone to the very same cyber threats that plague those networks. These include denial-of-service attacks, worms, viruses, and general hacker exploitation. For instance, if your enterprise is under a distributed denial of service (DDoS) attack, internal users' web browsing might be slower than normal. A DDoS attack on a VoIP-enabled network can completely cripple your VoIP applications, at least to the point where conversations are unintelligible.
In addition to these traditional network security and availability concerns, there are also a plethora of new VoIP protocol implementations that have yet to undergo detailed security analysis and scrutiny. Most major enterprise VoIP vendors are integrating the up-and-coming Session Initiation Protocol (SIP) into their products. As a result, SIP-specific attacks such as registration hijacking, BYE call teardown, and INVITE flooding are also likely to emerge, not to mention the plethora of financially motivated nuisances such as Spam over Internet Telephony (SPIT) and the voice phishing attacks that are just beginning to bleed into the VoIP realm.
There is no one silver bullet to solving current and emerging VoIP security problems. Rather, a well-planned defense-in-depth approach that extends your current security policy is your best bet to mitigate the current and emerging threats to VoIP.
This book is written in the best tradition of the Hacking Exposed series. The topic of VoIP-related hacking isn't exactly the most researched topic. Many potential security threats and attack algorithms described here are little-known or new and were discovered during the process of writing this book. To do this, we assembled a tiny testing and research VoIP network, consisting of two Linux servers each running a SIP-based software PBX, one running Asterisk and the other running SIP EXpress Router. We connected to both PBXs as many different SIP-based hard phones as we could get our hands on, including Cisco, Sipura, D-Link, Avaya, Polycom, and others. A diagram of our SIP test bed is illustrated in Chapter 2 and throughout the book. For the vendor-specific Chapters 7 through 10, we also installed a Cisco and an Avaya environment.
We made every effort to test all the presented methods and techniques on these test beds. In addition, some of the published data is, of course, based on our hands-on experience as penetration testers, network security administrators, and VoIP architects.
Companion Web Site
We have created a separate online resource specifically for the book at http://www.hackingvoip.com . It contains the collection of new tools and resources mentioned in the book and not available anywhere else. As to the remaining utilities covered in the book, each one of them has an annotated URL directing you to its home site. In case future support of a utility is stopped by its maintainer, we will make the latest copy available at http://www.hackingvoip.com , so you won't encounter a description of a nonexistent tool in the book. We also plan to post any relevant future observations and ideas at this website and its accompanying blog.
A standard tried-and-tested Hacking Exposed format is used throughout this book:
This icon identifies specific penetration testing techniques and tools. The icon is followed by the technique or attack name and a traditional Hacking Exposed risk rating table:
Popularity: The frequency with which we estimate the attack takes place in the wild. Directly correlates with the Simplicity field: 1 is the most rare, 10 is widely used.
Simplicity: The degree of skill necessary to execute the attack: 10 is using a widespread point-and-click tool or an equivalent; 1 is writing a new exploit yourself. Values around 5 are likely to indicate a difficult-to-use available command-line tool that requires knowledge of the target system or protocol by the attacker.
Impact: The potential damage caused by successful attack execution. Varies from 1 to 10: 1 is disclosing some trivial information about the device or network; 10 is getting full access on the target or being able to redirect, sniff, and modify network traffic.
Risk Rating: This value is obtained by averaging the three previous values.
We have also used these visually enhanced icons to highlight specific details and suggestions, where we deem it necessary:
Where appropriate, we have tried to provide different types of attack countermeasures for various VoIP platforms. Such countermeasures can be full (upgrading the vulnerable software or using a more secure network protocol) or temporary (reconfiguring the device to shut down the vulnerable service, option, or protocol). We always recommend that you follow the full countermeasure solution; however, we do recognize that due to some restrictions, this may not be possible every time. In such a situation, both temporary and incomplete countermeasures are better than nothing. An incomplete countermeasure is a safeguard that only slows down the attacker and can be bypassed; for example, a standard access list can be bypassed via IP spoofing, man-in-the-middle, and session hijacking attacks.
You'll notice that most of the longer website references throughout the book are written in two ways: first as the entire URL, and then followed by a tinyurl. TinyURL is a service that rewrites any link into a shorter, easier-to-type form than its longer original format. For instance, going to TinyURL.com and typing the following link in the submission form,
So now we can easily type http://tinyurl.com/yywp3z instead of the more cumbersome original link, and it brings us to the exact same page!