Voip security

Working on a recent pen test I ran across a system which was a Cisco
Voip gateway allowing SIP and H.323 protocols externally.  Only those
two ports were available.

1)  I fired up Sivus to scan the SIP protocol and found that it
allowed unauthenticated invite messages into the server.  I follow
this up with further research utilizing netcat to receive messages.
After the initial "200 trying" response I received a couple of "403
forbidden" responses.  My understanding is that the 200 trying meant
that the gateway passed the message back to the back end server and
that server gave the forbidden.  Yet Sivus flagged the vulnerability
as High.  Am I right in assuming if I knew more about the layout I
could try such attacks as a denial of service by ringing all of their
phones at the same time, or sending SPIT?  What potential flaws could
come from this?

2)  They also had the H.323 protocol available, but SiVUS doesn't
support scanning of that protocol yet.  Anyone know of tools,
methodologies to test this protocol?

Thanks Guys,
Mike Klingler

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Hey pen-test,

On Sat, 25 Nov 2006, Mike Klingler wrote:

> 2)  They also had the H.323 protocol available, but SiVUS doesn't
> support scanning of that protocol yet.  Anyone know of tools,
> methodologies to test this protocol?

I'm currently writing the Voice over IP chapter for the next edition of
the Hacking Linux Exposed book. While working on it i've developed a VoIP
testing methodology, which i'm also planning to release together with the
next version of the OSSTMM (http://www.osstmm.org/).

While performing the research aimed at creating my attack taxonomy, i've
evaluated several free software products to determine their effectiveness
at auditing VoIP networks: unfortunately, most tested tools were found of
limited usefulness inside real-life scenarios. You should therefore employ
these tools with caution, not overly relying on them to properly secure a
VoIP deployment.

That said, the situation is rapidly evolving and in the next months a huge
growth is expected in this area. Here follows a list of the best free
tools you may find useful for VoIP testing (yeah, there's not a lot of
readily-available software for H.323 yet):

1) Signaling protocols implementation testing

- OpenH323 code
   http://www.openh323.org/
- PROTOS c07-H2250v4
   http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/
- SiVuS (you already know it;)
   http://www.vopsecurity.org/index.php?name=Downloads&req=viewdownload&cid=1
- PROTOS c07-SIP
   http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
- SFTF
   http://www.sipfoundry.org/sftf
- SIPsak
   http://www.sipsak.org
- Smap
   http://www.wormulon.net/index.php?/archives/1125-smap-released.html
- SIP bomber
   http://www.metalinkltd.com/downloads.php
- SIPp
   http://sipp.sourceforge.net/
- NastySIP
   http://phoenix.labri.fr/documentation/sip/Documentation/Material/Clients/Tools/Test/NastySIP/SX%20Design.htm
- SIPNess
   http://www.ortena.com/files/Messenger.zip
- Skora.net
   http://skora.net/voip/attacks/
- Hacking VoIP Exposed tools
   http://www.hackingexposedvoip.com/sec_tools.html
- Scapy
   http://www.secdev.org/projects/scapy/

2) Signaling protocols analysis and traffic monitoring

- SIPcrack
   http://www.remote-exploit.org/index.php/Sipcrack
- SIPv6 Analyzer
   http://pcs.csie.nctu.edu.tw/~yhsung/sipv6_analyzer/
- NetDude
   http://netdude.sourceforge.net/
- Callflow
   http://callflow.sourceforge.net/
- Callplot
   http://sourceforge.net/projects/callplot
- SIP Scenario
   http://www.iptel.org/~sipsc/

3) Transport protocols implementation testing

- Ohwurm
   http://mazzoo.de/d/ohrwurm-0.1.tar.bz2

4) Transport protocols analysis and traffic monitoring

- VoIPong
   http://www.enderunix.org/voipong/
- Vomit
   http://vomit.xtdnet.nl/
- Oreka
   http://oreka.sourceforge.net/
- Wireshark
   http://www.wireshark.org/
- Cain & Abel
   http://www.oxid.it/

Hope this helps;)

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------