
Security Basics mailing list archives
Re: pentesting voip network-please help
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Wed, 3 Feb 2010 13:53:59 -0500
On Fri, Jan 29, 2010 at 01:14:04PM -0500, mzcohen2682 () aim com wrote:
> I started by trying to download the image files for the phones from the tftp server by doing a brute force attack for the names of the files.
Check to see if the phones have web services enabled. A lot of times, they do. This will give you the MAC address of each phone, which you can use to pull down the configuration files. I've simply scanned the network for port 80 then 'wget' all the phone configurations. From there, with a little shell scripting, you can write a routine to pull all the configuration files via TFTP. That's if they have the web services enabled. I'm assuming they are using SCCP. Once you have them all, use 'grep' to find the interesting things.
> after that... I tried to capture some RTP conversations but without any success. I am connected to the voip vlan and used wireshark but it doesn't detect any calls! should I do some arp spoofing attack? but to which MACs?
You'll need to MiTM it before you start seeing anything. I've been at offices (multi-floor) that have default gateways for each floor. That's the address I've MiTM'd.
> any other ideas how to continue with this pentest? what I see is that although the client didn't implement encryption or any other security control, just the vlan, it isn't so easy to pentest a voip network..
Nah. People often confuse VLAN == security. What I've done in the past is get a valid MAC address of a phone and use voiphopper (http://voiphopper.sourceforge.net) to "jump" to the VoIP VLAN. Voiphopper can "masquerade" as a Cisco phone and with the MAC address the network won't notice any difference. Of course, it'll be your laptop masquerading. So once you're on the network, it sorta just becomes a "standard" pen-test. MiTM, looking for unpatched machines, etc..etc... Hope this helps....

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.