Home page logo

basics logo Security Basics mailing list archives

Re: pentesting voip network-please help
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Wed, 3 Feb 2010 13:53:59 -0500

On Fri, Jan 29, 2010 at 01:14:04PM -0500, mzcohen2682 () aim com wrote:
I started by trying to download the images files for the phones from 
the tftp server by doing a brute force attack for the names of the 

        Check to see if the phones have web services enabled. A lot of
times,  they do.   This will give you the MAC address of each phone, 
which you can use to pull down the configuration files.   I've simply
scanned the network for port 80 then 'wget' all the phone
configurations.  From there,  with a little shell scripting,   you
can write a routine to pull all the configuration files via TFTP. 

        That's if they have the web services enabled.   I'm assuming
they are using SCCP.

        Once you have them all,   use 'grep' to find the interesting

after that... I tried to capture some RTP conversations but without any 
success. I am connected to the voip vlan and used wireshark but It 
doesnt detect any calles ! shoud I do some arp spoofing attack? but to 
which mac's?

        You'll need to MiTM it before you start seeing anything.  I've
been at offices (multi-floor) that have default gateways for each flow.
That's the address I've MiTM.  

any other ideas how to continue with this pentest?

what I see is that although the client didnt implement encryption or 
any other security control just the vlan isnt not so eaxy to pentest a 
voip network..

        Nah.  People often confused VLAN == security.  What I've done in
the past is get a valid MAC address of a phone and use voiphopper
(http://voiphopper.sourceforge.net) to "jump" to the VoIP VLAN.
Voiphopper can "masqurade" as a Cisco phone and with the MAC address the
network won't notice any difference.  

        Of course,    it'll be your laptop masqurading.  So once you're
on the network,   it sorta just becomes a "standard" pen-test.  MiTM, 
looking for unpatched machines,  etc..etc...

        Hope this helps....

        Champ Clark III | Softwink, Inc | 800-538-9357 x 101

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]