This book is split into five parts. Each part can be read without touching the remaining four, so a reader interested only in the issues covered in one part may consult that part alone.
The first part is introductory and describes how an attacker first scans the whole network, then picks specific targets and enumerates them with precision in order to proceed with more advanced attacks through or from the compromised VoIP devices.
We begin the book by describing how a hacker first profiles the target organization by performing passive reconnaissance using tools such as Google, DNS, and WHOIS records, as well as the target's own website.
A logical continuation of the previous chapter, this chapter provides a review of various remote scanning techniques in order to identify potentially active VoIP devices on the network. We cover the traditional UDP, TCP, SNMP, and ICMP scanning techniques as applied to VoIP devices.
Here, we show active methods of enumerating standalone VoIP devices, including softphones, hard phones, proxies, and other SIP-enabled devices. Plenty of examples are provided, along with a demonstration of SIPScan, a SIP directory scanning tool we wrote.
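The core of a SIP directory scan is sending a request per candidate extension and reading what the proxy's reply reveals. The following is an added example, not the book's SIPScan tool: it frames a SIP OPTIONS request per extension and classifies the reply (a 200, or a 401/407 challenge, means the proxy knows the user; a 404 means it does not). The proxy address, the scanner address, and the canned replies are constructed for offline use; the `send` callable is where a real scanner would put a UDP socket.

```python
"""SIP directory scanning: probe a range of extensions and classify the
replies.  Added example, not the book's SIPScan tool; the target host,
scanner host and the canned replies below are constructed (RFC 5737
documentation addresses) so the block runs offline."""
import re
import uuid

TARGET = "192.0.2.10"      # assumed proxy address
SCANNER_IP = "192.0.2.99"  # assumed scanner address


def build_options(ext, target=TARGET, src=SCANNER_IP):
    """Frame a SIP OPTIONS request for one extension (RFC 3261 framing).
    OPTIONS is used because most proxies answer it without setting up a call."""
    call_id = uuid.uuid4().hex
    return (
        f"OPTIONS sip:{ext}@{target} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{call_id[:8]}\r\n"
        f"From: <sip:scan@{src}>;tag={call_id[8:16]}\r\n"
        f"To: <sip:{ext}@{target}>\r\n"
        f"Call-ID: {call_id}@{src}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def parse_response(raw):
    """Return (status_code, headers) from a raw SIP response; header names
    are lower-cased so lookups do not depend on the device's capitalisation."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3})", lines[0])
    if not m:
        raise ValueError("not a SIP response")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return int(m.group(1)), headers


def classify(code):
    """What a status code tells the scanner about the probed extension.
    Codes outside the clear cases are reported as 'unknown', not guessed."""
    if code == 200 or code in (401, 407):
        return "exists"
    if code == 404:
        return "absent"
    return "unknown"


def scan_extensions(exts, send):
    """send(request) -> raw reply, or None on timeout.  Returns, per
    extension, (state, Server/User-Agent banner) for later fingerprinting."""
    results = {}
    for ext in exts:
        resp = send(build_options(ext))
        if resp is None:
            results[ext] = ("no-reply", None)
            continue
        code, hdrs = parse_response(resp)
        results[ext] = (classify(code), hdrs.get("server") or hdrs.get("user-agent"))
    return results


# Constructed replies standing in for a live proxy (not captured traffic).
_CANNED = {
    "100": "SIP/2.0 200 OK\r\nServer: ExamplePBX/1.0\r\nContent-Length: 0\r\n\r\n",
    "101": "SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm=\"example\", "
           "nonce=\"abc\"\r\nContent-Length: 0\r\n\r\n",
    "102": "SIP/2.0 404 Not Found\r\nServer: ExamplePBX/1.0\r\nContent-Length: 0\r\n\r\n",
}


def fake_send(request):
    """Offline stand-in for a UDP send/receive; unknown extensions time out."""
    ext = re.match(r"OPTIONS sip:(\w+)@", request).group(1)
    return _CANNED.get(ext)


if __name__ == "__main__":
    for ext, (state, banner) in scan_extensions(["100", "101", "102", "103"], fake_send).items():
        print(ext, state, banner)
```

Replacing `fake_send` with a function that writes the request to a UDP socket bound to port 5060 and reads back with a short timeout turns this into a live scan; the classification logic does not change. Note that a proxy configured to answer every OPTIONS with 200 regardless of user defeats this particular probe, which is why REGISTER- and INVITE-based probes are also used.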
This part of the book focuses on exploiting the supporting network infrastructure on which your VoIP applications depend. We begin with typical network denial-of-service attacks and lead up to VoIP conversation eavesdropping. While many of the demonstrated techniques originate in the traditional data security world, we apply them against VoIP devices and supporting network services.
In this chapter, we introduce quality of service and how to objectively measure the quality of a VoIP conversation on the network using various free and commercial tools. Next, we discuss various flooding and denial-of-service attacks on VoIP devices and supporting services such as DNS and DHCP.
This chapter focuses on the types of VoIP privacy attacks an attacker can perform with the network access needed to sniff traffic. Techniques such as number harvesting, call pattern tracking, TFTP file snooping, and actual conversation eavesdropping are demonstrated.
The methods described in this chapter detail how to perform man-in-the-middle attacks in order to intercept and alter an active VoIP session and conversation. We demonstrate some man-in-the-middle methods of ARP poisoning and present a new tool called sip_rogue that can sit in between two calling parties and monitor or alter their session and conversation.
In this part of the book, we shift our attention to attacking specific vendor platforms where each has unique security weaknesses and countermeasures. We demonstrate some of the attacks covered in the last few chapters in order to detail the vendor-specific best practices for mitigating them.
We installed Cisco CallManager 4.x with Cisco hard phones in a fully homogeneous Cisco-switched environment in order to perform many of the attacks we've already detailed.
We also cover the various best practices to apply to the Cisco switching gear to mitigate most of the network attacks covered in Part II.
Similarly, we installed a full Avaya Communication Manager along with Avaya hard phones to detail some of the specific attacks we covered in Part I and Part II.
We targeted our SIP test bed running Asterisk with attacks similar to those detailed in Part I and Part II. We also performed some basic platform testing on a subset of the SIP phones in our test bed.
In this chapter, we discuss some security issues with the emerging softphone services, such as Skype, Gizmo, and others. While these services have not yet made major inroads into the enterprise, they are poised to do so through partnerships now under way.
In this part of the book, we shift our attention from attacking the network and devices to attacking the protocol. The fine art of protocol exploitation can hand intruders full control over the VoIP application traffic without any direct access to, or reconfiguration of, the hosts or phones deployed.
The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol. In this chapter, we demonstrate some tools and techniques for fuzzing your VoIP applications.
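To make the fuzzing idea concrete, here is an added example (not one of the book's tools) of a generator for malformed SIP INVITE requests: it takes a well-formed template and, for each header, emits variants with overlong values, format-string sequences, embedded NUL bytes, empty values, and out-of-range numbers, plus cases that lie about Content-Length or drop the header/body separator. The addresses and the template are constructed; a real harness would send each case to the device under test and watch for crashes, hangs or restarts.

```python
"""Generate mutated SIP INVITE requests for robustness (fuzz) testing.
Added example, not one of the book's tools; the target and source addresses
(RFC 5737 documentation range) and the base template are constructed."""
import itertools

# Well-formed base request: request line first, then headers in order.
TEMPLATE = [
    ("request", "INVITE sip:200@192.0.2.10 SIP/2.0"),
    ("Via", "SIP/2.0/UDP 192.0.2.99:5060;branch=z9hG4bKfuzz"),
    ("From", "<sip:fuzz@192.0.2.99>;tag=1"),
    ("To", "<sip:200@192.0.2.10>"),
    ("Call-ID", "fuzz-0001@192.0.2.99"),
    ("CSeq", "1 INVITE"),
    ("Max-Forwards", "70"),
    ("Content-Type", "application/sdp"),
]
BODY = ("v=0\r\no=fuzz 1 1 IN IP4 192.0.2.99\r\ns=-\r\n"
        "c=IN IP4 192.0.2.99\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0\r\n")

# Payload classes, each a function of the original field value.
MUTATORS = {
    "overlong": lambda v: "A" * 4096,                      # length handling
    "format-string": lambda v: "%s%n%x" * 8,               # printf-style sinks
    "null-byte": lambda v: v[: len(v) // 2] + "\x00" + v[len(v) // 2:],
    "empty": lambda v: "",                                 # missing value
    "big-number": lambda v: "99999999999999999999",        # integer overflow
    "negative-number": lambda v: "-1",                     # sign handling
}
NUMERIC_ONLY = {"big-number", "negative-number"}
NUMERIC_FIELDS = {"CSeq", "Max-Forwards"}


def serialize(fields, body, content_length=None):
    """Frame one request.  Content-Length is computed from the body unless
    the caller deliberately overrides it to produce a lying header."""
    lines = [fields[0][1]]
    lines += [f"{k}: {v}" for k, v in fields[1:]]
    cl = len(body.encode()) if content_length is None else content_length
    lines.append(f"Content-Length: {cl}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def generate_cases():
    """Return a list of (case_name, raw_request).  One case per (field,
    mutator) pair, numeric payloads only on numeric fields, plus three
    framing cases that no per-field mutator can express."""
    cases = []
    for (name, value), (mname, fn) in itertools.product(TEMPLATE, MUTATORS.items()):
        if mname in NUMERIC_ONLY and name not in NUMERIC_FIELDS:
            continue
        fields = [(n, fn(v) if n == name else v) for n, v in TEMPLATE]
        cases.append((f"{name}:{mname}", serialize(fields, BODY)))
    cases.append(("Content-Length:too-large", serialize(TEMPLATE, BODY, 65535)))
    cases.append(("Content-Length:negative", serialize(TEMPLATE, BODY, -1)))
    cases.append(("framing:no-separator",
                  serialize(TEMPLATE, BODY).replace("\r\n\r\n", "\r\n", 1)))
    return cases


if __name__ == "__main__":
    for name, msg in generate_cases():
        print(f"{name:32s} {len(msg):5d} bytes")
```

Each case changes exactly one thing relative to the template, so when a target falls over the offending field and payload class are already known from the case name. In a real run, follow each case with a benign OPTIONS probe: a missing reply to the probe, rather than to the malformed request itself, is what tells you the device has stopped processing SIP.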
In this chapter, we cover additional attacks that disrupt SIP proxies and phones by flooding them with various types of VoIP protocol and session-specific messages. These types of attacks partially or totally disrupt service for a SIP proxy or phone while the attack is under way. Some of the attacks actually cause the target to go out of service, requiring a restart.
In this chapter, we cover other attacks in which an attacker manipulates SIP signaling or RTP media to hijack, terminate, or otherwise manipulate calls. We introduce no less than ten new tools to demonstrate these attacks. As with other attacks we have covered, these attacks are simple to execute and quite lethal.
In the same way that the traditional email realm has been inundated with spam and phishing, so too are we starting to see the evolution of these social nuisances into the VoIP world. This chapter focuses on how advertisers and scam artists will likely target VoIP users and how to help counter their advance.
Voice SPAM, or SPAM over Internet Telephony (SPIT), is the analogous problem for VoIP. SPIT, in this context, refers to bulk, automatically generated, unsolicited calls: telemarketing on steroids. You can expect SPIT to occur with a frequency similar to email SPAM. This chapter describes how you can use the Asterisk IP PBX and a new tool called spitter to generate your own SPIT, and details how you can detect and mitigate it.
Voice phishing relies on victims trusting a phone number far more than an email link. For a fraction of the cost of a compromised web server, an attacker can set up an interactive voice response system through a VoIP provider, and it is harder to trace. The economics of VoIP make the attack even more feasible, because most VoIP services grant their customers an unlimited number of calls for a monthly fee. This chapter details how these attacks are performed and how to detect them at their various stages.