Voice over Internet Protocol (VoIP) is a technology that provides advanced and efficient communication solutions. Compared to legacy digital and analogue communications, VoIP offers extra functionality and, consequently, additional attack vectors; mitigating them is essential to strengthen an organisation's security posture.
What is VoIP penetration testing?
OMVAPT offers impeccable penetration testing through our unparalleled security assessment methodology for VoIP.
VoIP's security exposure is significantly affected by IP telephony-specific threats, which include toll fraud, voicemail hacking, social engineering attacks such as vishing, and telephony denial of service. VoIP systems are also vulnerable to the security issues that affect the operating system of the phone equipment (most commonly based on Linux or Windows), network-based intrusions and web application vulnerabilities. Many VoIP systems are exposed externally so that remote employees can receive their phone calls and messages anywhere in the world.
Exposing the phone system to the Internet does not come without risks. Attackers who can abuse the phone system can run up hefty bills, sometimes topping millions of dollars. Additionally, adversaries may be able to spy on confidential phone calls by abusing certain phone system features. For certain organisations, when the communications system is unavailable, large sums of revenue are lost.
The scope of a VoIP pen test
- PBX servers such as Avaya Aura, Avaya IP Office, Cisco Unified Communications Server and Asterisk PBX
- Hardware phones and conference call equipment on the network such as Tandberg/Cisco equipment
- Mobile softphone Apps, for instance, Avaya one-X
- Telecom solutions and Unified Communications systems such as Broadworks (Cisco).
- Session Border Controllers (SBCs) such as Acme Packet (Oracle) and solutions based on Kamailio, OpenSIPS, Audiocodes and Sonus networks
- Customer premises equipment (CPE) such as DSL and cable modems which often provide phone access through SIP or other protocols.
VoIP Attack Methodology
Identify the SIP servers that the phones communicate with and classify systems by supplying an IP address or a range of IP addresses, then enumerate the types of SIP request the servers accept. This is done by our expert penetration testers, who have in-depth knowledge of VoIP pen testing.
SIP call relaying: intruders can make calls for free at the victim company's expense. It is a way of evading the dial-plan security controls.
Once we have identified the SIP Servers we can attempt to identify valid extensions. This attack will later allow us to perform a brute-force attack to attempt to guess the extension password.
Every user in the company has a SIP account that comprises the extension (username), the passcode and the address of the SIP server. We have come across companies that do not deploy all SIP accounts with a passphrase, resulting in a null password. To find valid extensions we can observe the error messages returned when sending several SIP requests such as:
• REGISTER
• METHOD
• OPTIONS
• INVITE
Eavesdropping is feasible by capturing the SIP and RTP packets sent back and forth between softphones and the server. We can then reassemble the captured RTP stream and listen to the voice call.
To intercept the traffic of users connected to the SIP server, we have to perform a MiTM attack.
RTP bleed and RTP injection attacks, and further, dial-plan injection attacks aimed precisely at the platform's dial-plan management.
1. ARP poisoning.
2. Capture traffic using a packet capture utility.
3. Analyse the captured Real-time Transport Protocol (RTP) packets and decode them to audio.
4. XMPP attacks against several XEPs (XMPP protocol extensions) and custom implementations.
Before performing ARP poisoning, traffic forwarding must be enabled on the testing host.
Note: ARP poisoning is not required if a SPAN (mirror) port is available.
The SIP protocol uses an authentication scheme similar to HTTP's, known as "HTTP Digest". Since SIP is a text-based protocol, in its early days it used insecure authentication in which passphrases were transmitted in cleartext. That was deprecated and replaced with SIP 2.0, in which an MD5 hashing algorithm is applied to the authentication details before they are sent to the server.
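To make the digest exchange concrete, the following added example (not code from OMVAPT or from any SIP stack) computes the MD5 digest response a SIP client returns after a 401 challenge and shows a server-side check that refuses the null-password accounts mentioned above. The realm, nonce, URI and credential store are constructed values.

```python
import hashlib
import hmac

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def sip_digest_response(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None):
    """MD5 digest response per RFC 3261 (which reuses RFC 2617) that a SIP
    client sends after a 401/407 challenge. The password itself never goes on
    the wire; only this hash does."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:  # legacy form without quality-of-protection
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_register(creds_db, username, realm, method, uri, nonce, response,
                    qop=None, nc=None, cnonce=None):
    """Server-side verification against a constructed {extension: password} store.
    Accounts with a missing or empty secret are refused outright, so a
    null-password SIP account can never register, whatever response it sends."""
    password = creds_db.get(username)
    if not password:
        return False
    expected = sip_digest_response(username, realm, password, method, uri, nonce,
                                   qop=qop, nc=nc, cnonce=cnonce)
    return hmac.compare_digest(expected, response)

# Constructed challenge values, as a server would place them in WWW-Authenticate.
REALM, NONCE, URI = "pbx.example.test", "constructed-nonce-0001", "sip:pbx.example.test"
CREDS = {"1001": "correct horse battery", "1002": ""}  # 1002 is a null-password account

def demo():
    """One REGISTER exchange; returns (accepted, rejected_wrong_pw, rejected_null_pw)."""
    kw = dict(qop="auth", nc="00000001", cnonce="constructed-cnonce")
    good = sip_digest_response("1001", REALM, CREDS["1001"], "REGISTER", URI, NONCE, **kw)
    bad = sip_digest_response("1001", REALM, "guess", "REGISTER", URI, NONCE, **kw)
    null = sip_digest_response("1002", REALM, "", "REGISTER", URI, NONCE)
    return (verify_register(CREDS, "1001", REALM, "REGISTER", URI, NONCE, good, **kw),
            verify_register(CREDS, "1001", REALM, "REGISTER", URI, NONCE, bad, **kw),
            verify_register(CREDS, "1002", REALM, "REGISTER", URI, NONCE, null))
```

Digest protects the secret in transit only as well as the secret itself: a captured challenge/response pair can be checked offline against candidate passphrases, so strong per-extension secrets and TLS transport (SIPS) remain necessary.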
We can use Inviteflood (available through APT) to cause a denial of service by sending an extremely large number of INVITE requests to the SIP server. Performing this attack will prevent outgoing calls.
Note: This is done only against a limited set of VoIP devices and is not always recommended, as it causes disruption.
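From the defender's side, both the extension enumeration described earlier (many REGISTER/OPTIONS/INVITE probes against different extensions from one source) and an INVITE flood show up as simple rate patterns in SIP server logs. The following added example (not OMVAPT's code or any vendor's tooling) runs two such detectors over a constructed, simplified log; the log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed, simplified SIP server log (not any vendor's real output), one event per line:
#   "<epoch_seconds> <source_ip> <method> <extension> <response_code>"
_LEGIT = ["1000 10.0.0.5 REGISTER 1001 401", "1001 10.0.0.5 REGISTER 1001 200",
          "1010 10.0.0.5 INVITE 1002 100", "1010 10.0.0.5 INVITE 1002 200"]
# One source walking extensions 1000..1007 within three seconds (enumeration pattern).
_ENUM = [f"{1000 + i // 3} 203.0.113.9 REGISTER {1000 + i} 403" for i in range(8)]
# One source sending 60 INVITEs inside a single second (flood pattern).
_FLOOD = ["1020 198.51.100.7 INVITE 2000 100"] * 60
SAMPLE_LOG = "\n".join(_LEGIT + _ENUM + _FLOOD)

def parse_log(text):
    """Parse the constructed log into (ts, ip, method, ext, code) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, method, ext, code = line.split()
            events.append((int(ts), ip, method, ext, int(code)))
    return sorted(events)

def detect_extension_enumeration(events, window=60, min_distinct=5):
    """Flag sources that target many distinct extensions within `window` seconds.
    Returns {ip: distinct extensions seen in that source's busiest window}."""
    per_ip = defaultdict(list)
    for ts, ip, method, ext, _ in events:
        if method in ("REGISTER", "OPTIONS", "INVITE"):
            per_ip[ip].append((ts, ext))
    flagged = {}
    for ip, probes in per_ip.items():
        peak = max(len({e for t, e in probes[i:] if t - start < window})
                   for i, (start, _) in enumerate(probes))
        if peak >= min_distinct:
            flagged[ip] = peak
    return flagged

def detect_invite_flood(events, window=1, threshold=50):
    """Flag sources whose INVITE count in any `window`-second span exceeds `threshold`."""
    per_ip = defaultdict(list)
    for ts, ip, method, _, _ in events:
        if method == "INVITE":
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        peak = max(sum(1 for t in times if start <= t < start + window) for start in times)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

On the sample log, the enumeration detector flags 203.0.113.9 and the flood detector flags 198.51.100.7, while the legitimate phone at 10.0.0.5 passes both checks.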
Voicemail spoofing is one of the most popular attacks. It is a very simple yet effective adversarial approach when combined with social engineering (vishing).
Voicemail spoofing is feasible because unencrypted communications allow us to manipulate the parameters in the INVITE request and impersonate anyone we like.
We can use INVITE flooding to manipulate the INVITE parameters and spoof voicemails.
VoIP traffic is carried on a designated VLAN known as the Voice VLAN. Generally, this VLAN should be entirely isolated from the corporate network (Data VLAN), which minimises the risk of an attacker intercepting VoIP traffic with a sniffing tool. VLAN hopping is the ability to jump from the VoIP network to the corporate network.
Most IP phones have a built-in switch. The end user’s system is connected to a tagged port on the phone usually labelled PC, and the phone is connected from its LAN port to a managed switch.
VoIP Hopper mimics the behaviour of an IP phone, and we then proceed through multiple discovery protocols (such as DHCP, CDP and LLDP-MED) as used by well-known IP phones such as Cisco and Avaya.
Many companies use a designated provisioning server from which phones pull their VoIP configuration files during the softphone's initial boot process. This server pushes configuration settings to the phones in the organisation from the primary VoIP domain controller. The configuration is generally delivered as files in various formats, including binaries.
These files can potentially contain sensitive information, such as passphrases for the phone management interfaces, which is very valuable to an adversary. If an intruder gains access to the phone management interface, they could carry out destructive attacks such as modifying configurations or changing passphrases. If compromised, a provisioning server could also be leveraged to pivot further into the network, or even to gain an initial foothold in the Active Directory or LDAP environment for lateral movement.
After the defects have been patched, we perform an in-depth reassessment to ensure that no vulnerabilities remain and that the patches did not introduce any additional vulnerabilities.