Practical VoIP Penetration Testing

Vartai Security | Mar 10, 2020 | 14 min read

In this post we will explore the world of performing penetration testing against Voice over IP (VoIP) environments. We created this post as we see a gap in the available methodologies that exist showing real-world enumeration and attack against VoIP environments. Our goal is to provide a detailed attack structure for many of the common techniques and attack vectors that we utilize during our VoIP assessments and provide strategic value to operators attempting to leverage commonly available tools for identification of weaknesses associated with insecure VoIP configurations.

Editor's Note:

All of the examples in the article are geared towards an internal VoIP implementation. For managed service deployments and other implementations the methodology may differ. Additionally, all example attacks are performed against UDP VoIP which is the most common implementation. It is possible to replicate the same attacks described in this article over TCP using the Viproy - Voip Penetration Testing Kit.

Introduction to the World of VoIP

Voice over IP (VoIP) is a technology that provides advanced and efficient communication solutions. Compared to legacy digital/analog communications VoIP provides additional functionality and thus additional attack vectors that must be mitigated to further strengthen an organization’s security posture.

The following are examples of functionality commonly used within VoIP installations that are not common in legacy telephony networks:

  • Usage of multiple lines and extensions
  • Voicemail systems
  • Voice recording
  • Administrative Control
  • Register calls
  • Modular Configurations
  • Interactive Voice Response (IVR) Systems

Organizations may also choose to leverage a 3rd party to implement their VoIP infrastructure. As is the case with virtually all managed services, by allowing 3rd party access to and management of key services, organizations inherently absorb the risk of not having complete visibility or control over security related parameters that are necessary to securely operate VoIP within their network boundary.

We typically see three common approaches in how VoIP is configured and deployed within organizations: Internal, Managed, and Online SIP Trunking.

The primary differences are:

Internal VoIP Implementation

A Private Branch Exchange (PBX) is installed in the organization and connected to the ISP lines or telephony by a SIP Trunk or Primary Rate Interface (PRI). All traffic is pushed through a designated VLAN.

Managed Services

No internal PBX is needed, only IP phones, a switch, and a router. Connections are provided through a VPN to the service provider.

Online SIP Trunking Service

Services such as Skype, Twilio, among others, provide an easy solution for organizations that do not want to implement any of the above solutions. SIP Trunking delivers telephone and unified communications services over an existing IP network. VoIP users can make calls directly to any phone on the Public Switched Telephone Network (PSTN) without telephone lines by connecting to a compatible hosted PBX System through a SIP Trunk.

Understanding the SIP Protocol

The Session Initiation Protocol (SIP) is used to establish, modify and end voice or video calls. The voice or video media itself is transmitted via the Real-time Transport Protocol (RTP).

SIP is an application layer protocol that uses UDP or TCP for traffic. By default SIP uses port 5060 UDP/TCP for unencrypted traffic or port 5061 for TLS encrypted traffic. As we will see later, Man-in-the-Middle (MITM) attack vectors exist for all types of communication, including VoIP/SIP. Therefore, encryption is a necessary compensating control to have in place regardless of the environment or service method.

SIP is ASCII based and very similar to the HTTP protocol as it uses a Request/Response Model. Requests to the SIP client are made through SIP URI via a user-agent similar to an HTTP request made by a web browser.

The following request types are common within SIP:

  • INVITE — Invites an account to join the call.
  • ACK — Confirmation regarding the invitation to join the call.
  • CANCEL — Cancels a queued call.
  • REGISTER — Registers the user against the SIP server.
  • OPTIONS — Queries which methods and capabilities the other party supports.
  • BYE — Ends the call between both sides.
  • REFER — Instructs the recipient to contact a third party using the information attached to the request.

SIP Response Classes:

  • 1xx (Informational)
  • 2xx (Success)
  • 3xx (Redirection)
  • 4xx (Request failure: client error)
  • 5xx (Server failure: the server cannot complete the request)
  • 6xx (Global errors)

Typical SIP Interaction Structure:

  1. Sender initiates an INVITE request.
  2. Receiver sends back a 100 (Trying) response.
  3. Receiver sends a 180 (Ringing) response while the phone rings.
  4. Receiver picks up the phone and a 200 (OK) success response is sent.
  5. ACK is sent by the initiator.
  6. The call proceeds using RTP.
  7. A BYE request is sent to end the call.

Source: http://www.en.voipforo.com/SIP/SIP_example.php

We can observe the entire call process over Wireshark:

Typical Call Over the Wire
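To make the request/response structure above concrete, here is an added example (not code from the post) that parses the text-based SIP messages, labels each one, checks that a captured exchange follows the typical INVITE -> 100 -> 180 -> 200 -> ACK -> BYE flow, and pulls out the two parties and the RTP port offered in the SDP body. The sample exchange, the `pbx.example.test` host and the Call-ID are constructed; the extensions (123456 calling 102) match the call shown in the Wireshark screenshots later in the post.

```python
"""Added example (not code from the post): a minimal parser for the
text-based SIP messages described above and a check that a captured
exchange follows the typical INVITE -> 100 -> 180 -> 200 -> ACK -> BYE flow.
All sample messages are constructed; hosts and Call-IDs are made up."""
import re
from typing import Dict, List, Optional, Tuple

# Response classes as listed in the post (status code // 100).
RESPONSE_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                    4: "Request failure", 5: "Server failure", 6: "Global failure"}

TYPICAL_FLOW = ["INVITE", "100 Trying", "180 Ringing", "200 OK", "ACK", "BYE", "200 OK"]


def parse_sip(raw: str) -> Dict[str, object]:
    """Split one SIP message into start line fields, a lowercase header map and the body."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")          # blank line separates headers from body
    lines = head.split("\n")
    start = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")      # first colon only: values may contain ':'
        if sep:
            headers[name.strip().lower()] = value.strip()
    msg: Dict[str, object] = {"headers": headers, "body": body}
    if start.startswith("SIP/2.0 "):                # response: "SIP/2.0 <code> <reason>"
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status=int(code), reason=reason)
    else:                                           # request: "<METHOD> <Request-URI> SIP/2.0"
        method, uri, version = start.split(" ", 2)
        if version != "SIP/2.0":
            raise ValueError("not a SIP/2.0 request line: %r" % start)
        msg.update(kind="request", method=method, uri=uri)
    return msg


def response_class(status: int) -> str:
    return RESPONSE_CLASSES.get(status // 100, "Unknown")


def label(msg: Dict[str, object]) -> str:
    """'INVITE' for requests, '200 OK' style for responses."""
    if msg["kind"] == "request":
        return str(msg["method"])
    return "%d %s" % (msg["status"], msg["reason"])


def call_flow(raw_messages: List[str]) -> List[str]:
    return [label(parse_sip(m)) for m in raw_messages]


def follows_typical_flow(raw_messages: List[str]) -> bool:
    return call_flow(raw_messages) == TYPICAL_FLOW


def parties(raw: str) -> Tuple[str, str]:
    """Caller and callee SIP URIs from the From/To headers, display names and tags stripped."""
    h = parse_sip(raw)["headers"]

    def uri(value: str) -> str:
        m = re.search(r"(sip:[^>;\s]+)", value)
        return m.group(1) if m else value
    return uri(h["from"]), uri(h["to"])


def audio_port(raw: str) -> Optional[int]:
    """UDP port the caller offers for RTP in the SDP body (the 'm=audio' line)."""
    m = re.search(r"^m=audio (\d+) RTP/AVP", str(parse_sip(raw)["body"]), re.M)
    return int(m.group(1)) if m else None


# --- constructed sample exchange: extension 123456 ("James") calling extension 102 ---
_HDRS = ('Via: SIP/2.0/UDP 10.0.10.20:5060;branch=z9hG4bK776\r\n'
         'From: "James" <sip:123456@pbx.example.test>;tag=1928301774\r\n'
         'To: <sip:102@pbx.example.test>\r\n'
         'Call-ID: a84b4c76e66710@10.0.10.20\r\n')
INVITE = ("INVITE sip:102@pbx.example.test SIP/2.0\r\n" + _HDRS +
          "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=james 2890844526 2890844526 IN IP4 10.0.10.20\r\ns=-\r\n"
          "c=IN IP4 10.0.10.20\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0 8\r\n")


def _response(status_line: str, cseq: str) -> str:
    return "SIP/2.0 %s\r\n%sCSeq: %s\r\n\r\n" % (status_line, _HDRS, cseq)


def _request(method: str, uri: str, cseq: str) -> str:
    return "%s %s SIP/2.0\r\n%sCSeq: %s\r\n\r\n" % (method, uri, _HDRS, cseq)


CAPTURED_CALL = [INVITE, _response("100 Trying", "1 INVITE"), _response("180 Ringing", "1 INVITE"),
                 _response("200 OK", "1 INVITE"), _request("ACK", "sip:102@10.0.10.30:5060", "1 ACK"),
                 _request("BYE", "sip:123456@10.0.10.20:5060", "2 BYE"), _response("200 OK", "2 BYE")]

if __name__ == "__main__":
    print(" -> ".join(call_flow(CAPTURED_CALL)), "typical:", follows_typical_flow(CAPTURED_CALL))
    print("parties:", parties(INVITE), "RTP port:", audio_port(INVITE))
```

Because the SDP body carries the RTP port and address in clear text, anyone who can read the INVITE also knows exactly where the media will flow; this is the link between the SIP signalling and the RTP eavesdropping described further down, and the reason TLS on the signalling path (port 5061) matters even before SRTP is considered.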

Real Time Protocol (RTP)

The Real-time Transport Protocol (RTP) is a standardized packet format used by IP networks in order to deliver audio/video signals. RTP was developed by the Audio/Video Transport Working Group of the Internet Engineering Task Force (IETF) standards organization. It was initially described in IETF RFC 1889 and then superseded by IETF RFC 3550. It was designed for end-to-end, real-time, transfer of stream data and it is regarded as the primary standard for audio/video transport in IP networks.

Common VoIP attacks

  • Enumeration and Information Gathering
  • Eavesdropping
  • Authentication Attacks
  • Denial-of-Service (DoS) Attacks
  • Voicemail Spoofing
  • VLAN Hopping
  • Provisioning Servers

Requirements

  • SIPVicious
  • Wireshark
  • Viproy - Voip Penetration Testing Kit
  • SIPTools (Can be cloned from GitHub or installed directly through APT in Kali)
  • Inviteflood (APT Installation)
  • VoIPHopper (Can be pulled from GitHub or installed directly through APT in Kali)
  • Switched Port Analyzer (SPAN) Port (also known as Port Mirroring). This is extremely useful for data monitoring purposes. Ask your client to open this on the switch if possible.

Before beginning we need to configure our testing machine by installing the necessary tools as follows:

SIPVicious

Installing SIPVicious

Viproy

Installing Viproy

In order for Metasploit to load the necessary modules we must add a few lines to the mixins.rb file (/opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/mixins.rb)

Editing the Metasploit mixins.rb File

SIPTools

Installing SIPTools

InviteFlood

Installing InviteFlood

VoIPHopper

Installing VoIPHopper

Enumeration and Information Gathering

As with any other penetration test, we begin with enumeration. Enumeration of a VoIP environment requires us to first identify the SIP servers that the phones are communicating with. Throughout this post we will show different ways to perform the attacks using both the Viproy toolkit/Metasploit and standalone tools.

Identifying SIP Servers

Svmap is part of the SIPVicious package. It is used to scan and identify systems by providing a single IP or a range of IP addresses. Svmap allows us to choose the type of SIP request we would like to use to enumerate with. It uses the OPTIONS method by default.

Scanning a Single IP Address with Svmap:

SIP Server Identified

Scanning a Single IP Address with a Metasploit Scanner Module:

MSF Auxiliary SIP Scanner

Identifying Valid Extensions

Once we have identified the SIP Servers we can attempt to identify valid extensions. This attack will later allow us to perform a brute-force attack to attempt to guess the extension password.

Every user in an organization has a SIP account assigned to them which contains the extension (username), password and the address of the SIP server. In our real-world assessments we have encountered companies that do not deploy all SIP accounts with a password, resulting in a null password. To find valid extensions we can observe the error messages returned by sending different SIP requests such as:

  • REGISTER
  • METHOD
  • OPTIONS
  • INVITE

To identify valid extensions we will use a tool called Svwar (part of the SIPVicious package). This tool allows us to enumerate a range of extensions. Svwar supports all methods listed above. By default it uses REGISTER requests.

Extensions Identified with Svwar
Metasploit Extension Enumerator

In the above example we used the INVITE method and provided Svwar a range of extensions to scan.

We recommend caution using that method because it will actually call the phone extensions and can be very noisy/disruptive.

We managed to enumerate three valid extensions. If an extension returns Authentication:weird it usually means that the extension does not require a password. As we can see, the Metasploit module is less reliable as it can generate a lot of false positives and does not show extensions that do not require a password.

Svwar also allows us to perform a dictionary-based attack:

Svwar Dictionary Attack Functionality

Eavesdropping

Note: This attack is possible due to unencrypted traffic.

Eavesdropping is possible by capturing SIP and RTP packets sent from soft phones to the server and back. Once captured, we can then assemble the packets and listen to the voice call.

In order to perform this attack we will have to perform a MITM attack to intercept the traffic from users connected to the SIP server.

In order to perform a MITM attack we must do the following:

  1. ARP Poisoning.
  2. Capture traffic using a packet capture utility (Wireshark in our example).
  3. Analyze the RTP packets that have been captured in audio format.

Before performing ARP poisoning we need to allow traffic forwarding:

We will have to spoof traffic in both directions for this attack to work.

Note: ARP poisoning is not required if we have a SPAN port open.

When two users initiate a phone call we can observe the captured SIP traffic using Wireshark:

SIP Call Packets

Wireshark allows us to convert RTP traffic into audio format using a built-in module (Telephony > VoIP Calls).

Wireshark Voice Calls Analyze Module
RTP Traffic Analysis

The call has been initiated by a user named James with the extension 123456 to extension 102. The duration of the call and the current state can be seen in the above example.

Wireshark assembled the call packets and now we can listen to the entire phone call.

Listening to the Unencrypted Phone Call
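What Wireshark does before it can play the call is parse the RTP fixed header (RFC 3550, cited in the references) from each UDP payload and group packets into streams by SSRC. The following added example, not code from the post, performs that first step on constructed sample packets: it decodes the header fields, names the codec from the static payload-type table (RFC 3551), and reports per-stream packet counts and sequence gaps. The SSRC values, frame sizes and the `build_rtp()` helper exist only to construct the sample input.

```python
"""Added example (not code from the post): parse the RFC 3550 fixed RTP
header from raw UDP payloads and group packets into streams by SSRC, which
is what Wireshark does before it can reassemble a call into audio.  Sample
packets are constructed with build_rtp(); codec numbers follow RFC 3551."""
import struct
from typing import Dict, List

STATIC_PAYLOAD_TYPES = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)", 9: "G.722", 18: "G.729"}


def parse_rtp(packet: bytes) -> dict:
    """Decode version, flags, payload type, sequence, timestamp, SSRC and the codec payload."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError("RTP version %d is not 2" % version)
    csrc_count = b0 & 0x0F
    header_len = 12 + 4 * csrc_count                 # CSRC list follows the fixed header
    if b0 & 0x10:                                    # X bit: one header extension present
        _profile, ext_words = struct.unpack("!HH", packet[header_len:header_len + 4])
        header_len += 4 + 4 * ext_words
    payload = packet[header_len:]
    if b0 & 0x20 and payload:                        # P bit: last byte gives padding length
        payload = payload[:-payload[-1]]
    payload_type = b1 & 0x7F
    return {"version": version, "marker": bool(b1 & 0x80), "payload_type": payload_type,
            "codec": STATIC_PAYLOAD_TYPES.get(payload_type, "dynamic/unknown"),
            "seq": seq, "timestamp": timestamp, "ssrc": ssrc, "payload": payload}


def build_rtp(payload_type: int, seq: int, timestamp: int, ssrc: int, payload: bytes,
              marker: bool = False) -> bytes:
    """Build a plain (no CSRC, no extension, no padding) RTP packet; used for sample input."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF,
                       ssrc & 0xFFFFFFFF) + payload


def group_streams(packets: List[bytes]) -> Dict[int, dict]:
    """One entry per SSRC (each direction of a call has its own) with codec, counts and loss."""
    streams: Dict[int, dict] = {}
    for raw in packets:
        pkt = parse_rtp(raw)
        s = streams.setdefault(pkt["ssrc"], {"codec": pkt["codec"], "packets": 0,
                                             "payload_bytes": 0, "seqs": []})
        s["packets"] += 1
        s["payload_bytes"] += len(pkt["payload"])
        s["seqs"].append(pkt["seq"])
    for s in streams.values():
        seqs = sorted(set(s["seqs"]))
        # gaps in the 16-bit sequence space (wraparound ignored for brevity)
        s["lost"] = (seqs[-1] - seqs[0] + 1) - len(seqs)
    return streams


# --- constructed sample capture: 20 ms G.711 frames in both directions, one packet lost ---
_FRAME = bytes(160)
SAMPLE_PACKETS = [build_rtp(0, 1000 + i, 160 * i, 0x11223344, _FRAME, marker=(i == 0))
                  for i in (0, 1, 3, 4)]  # seq 1002 missing
SAMPLE_PACKETS += [build_rtp(8, 7 + i, 160 * i, 0x55667788, _FRAME) for i in range(3)]

if __name__ == "__main__":
    for ssrc, s in group_streams(SAMPLE_PACKETS).items():
        print("SSRC 0x%08x %-20s packets=%d lost=%d" % (ssrc, s["codec"], s["packets"], s["lost"]))
```

With plain RTP the payload of each packet is the raw G.711 audio, so concatenating one stream's payloads in sequence order is all that stands between a capture and a playable recording. With SRTP the header fields above are still readable (stream identification and quality monitoring keep working) but the payload is encrypted, which is the property that actually defeats this attack.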

Authentication Attacks

Capturing Authentication using SIPDump

The SIP protocol uses an authentication mechanism similar to HTTP, known as “HTTP Digest”. In the past, SIP used a weak authentication scheme in which passwords were transmitted in clear text; this was deprecated and replaced in SIP 2.0, where an MD5 hash is applied to the authentication details before they are sent to the server.

We can use the tool SIPDump to extract SIP Traffic in real time that contains the MD5 digest challenge for offline cracking later on. SIPDump is part of a package called SIPCrack, and can be installed through APT for Kali users.

SIPDump usage:

Captured Authentication with SIPDump
Captured MD5 Digest Challenge

Offline Cracking SIP Digest Response Hashes

Any tool capable of cracking MD5 hashes can be used at this point. In this example we will be using SIPCrack, providing the digest response hashes we captured in the previous step and a word list (preferably one that contains common VoIP passwords) to attempt to crack the password.

Cracking the MD5 Digest Response
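The reason a captured challenge is enough for offline cracking becomes obvious once the digest computation is written out. The added example below, not code from the post, implements the SIP 2.0 digest (RFC 3261, which reuses HTTP Digest from RFC 2617) as the check a registrar performs on a REGISTER: every input other than the password (realm, nonce, method, URI and the response hash itself) is visible on the wire. The realm, nonce, extension and password are constructed sample values.

```python
"""Added example (not code from the post): the SIP 2.0 digest computation
(RFC 3261, reusing HTTP Digest from RFC 2617) written as the check a
registrar performs on a REGISTER.  Every input except the password (realm,
nonce, method, URI, the response hash itself) is visible on the wire, which
is what makes the captured challenge usable for offline guessing.
Realm, nonce, extension and password below are constructed sample values."""
import hashlib
import hmac
import re
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    if qop == "auth":
        return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


def parse_authorization(header_value: str) -> Dict[str, str]:
    """Parse 'Digest username="103", realm="...", ...' into a dict of parameters."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest authentication is handled")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def verify_register(auth_header: str, method: str, password: str,
                    expected_realm: str, issued_nonce: str) -> bool:
    """Registrar-side check: the nonce must be one we issued and the response must match."""
    p = parse_authorization(auth_header)
    if p.get("realm") != expected_realm or p.get("nonce") != issued_nonce:
        return False                                 # foreign or replayed challenge
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


# --- constructed sample: challenge issued by the registrar and the phone's reply ---
REALM, NONCE, EXTENSION, PASSWORD = "pbx.example.test", "5f2c1a9e3b7d", "103", "ext103pass"
REGISTER_URI = "sip:pbx.example.test"
AUTH_HEADER = ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
               'response="%s", algorithm=MD5' % (
                   EXTENSION, REALM, NONCE, REGISTER_URI,
                   digest_response(EXTENSION, REALM, PASSWORD, "REGISTER", REGISTER_URI, NONCE)))

if __name__ == "__main__":
    print("valid:", verify_register(AUTH_HEADER, "REGISTER", PASSWORD, REALM, NONCE))
    print("wrong password:", verify_register(AUTH_HEADER, "REGISTER", "guess", REALM, NONCE))
```

The check costs one unsalted MD5 per candidate password and needs no further interaction with the server, which is why the controls that matter here are the ones that keep the exchange off the wire or make guessing pointless: TLS on port 5061 so the challenge is never observable, passwords that do not appear in VoIP word lists, and short nonce lifetimes so a captured response cannot simply be replayed.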

Online Brute-Force attack

Online brute-force attacks are performed by attempting to guess authentication details against the SIP server with a set of passwords. It is best to perform this attack using a customized word list based on the client.

For this attack we will use the tool svcrack (part of SIPVicious) to brute force SIP accounts.

We can provide svcrack a single SIP account or multiple accounts. In the example below we are using one extension from the previously enumerated extensions.

Attacking a SIP account using svcrack:

Password Extracted for the 103 Extension

Password Spraying Extensions

It is possible to perform a password spraying attack against multiple extensions using a single password. This attack can be useful if we would like to test commonly used weak passwords against a set of extensions.

For this attack we will use the Viproy module that we imported earlier into Metasploit.

Setting up the Attack using the Viproy Metasploit Module
Successful Password Spraying Attack

During our assessments we have seen SIP Servers that allow connections from the internet, allowing us to perform this type of attack remotely.

Denial-of-Service Attacks

DoS attacks can result in damage such as preventing outgoing and incoming calls. Always consult with your client before performing Denial-of-Service attacks, as they are destructive in nature.

We can use Inviteflood (available through APT) to cause a denial-of-service by sending an extremely large amount of INVITE requests to the SIP server. Performing this attack will prevent outgoing calls.

Inviteflood usage:

Flooding the SIP Server with INVITE Requests

While INVITE requests are being sent at a high rate it will not be possible to make any calls. It is also possible to flood the SIP server with non-existing extensions to force it to create 404 errors, slowing it down and potentially crashing it.

Aside from the above method, there are many other ways a SIP deployment can be susceptible to Denial-of-Service attacks, such as sending a crafted BYE request to end calls.
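Both the online brute-force/password-spraying attacks from the previous section and the INVITE flood described here are loud on the wire, and a PBX log or a SPAN-port capture gives enough to spot them. The following added example, not code from the post, runs simple detection logic over constructed SIP transaction records: a sliding-window count of failed REGISTERs per source, classified as brute force (many attempts against few extensions, the svcrack pattern) or spraying (one password across many extensions), and a sliding-window INVITE rate per source with the share of 404 replies, which rises when the flood also targets non-existent extensions. The record layout, window sizes and thresholds are assumptions to tune per environment.

```python
"""Added example (not code from the post): detection logic for the two
noisy behaviours described above, REGISTER brute-force / password spraying
and INVITE flooding, run over constructed SIP transaction records of the
kind a PBX security log or a SPAN-port capture yields.  The record layout,
window sizes and thresholds are assumptions to tune per environment."""
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple


class SipTxn(NamedTuple):
    ts: float        # seconds since capture start
    src: str         # source IP of the request
    method: str      # REGISTER, INVITE, ...
    extension: str   # user part of the request URI / To header
    status: int      # final response code after credentials (if any) were supplied


def _peak_per_source(records: List[SipTxn], match: Callable[[SipTxn], bool],
                     window_s: float) -> Dict[str, int]:
    """Maximum number of matching records from one source inside any sliding window."""
    per_src: Dict[str, List[SipTxn]] = defaultdict(list)
    for r in records:
        if match(r):
            per_src[r.src].append(r)
    peaks = {}
    for src, rs in per_src.items():
        rs.sort(key=lambda r: r.ts)
        best = start = 0
        for end in range(len(rs)):
            while rs[end].ts - rs[start].ts > window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def _auth_failed(r: SipTxn) -> bool:
    return r.method == "REGISTER" and r.status in (401, 403)


def auth_failure_alerts(records: List[SipTxn], window_s: float = 60,
                        threshold: int = 10) -> Dict[str, dict]:
    """Sources with >= threshold failed REGISTERs in one window.  Many failures against
    few extensions looks like svcrack-style brute force; failures spread across many
    extensions looks like spraying one password over the extension list."""
    alerts = {}
    for src, peak in _peak_per_source(records, _auth_failed, window_s).items():
        if peak < threshold:
            continue
        exts = {r.extension for r in records if r.src == src and _auth_failed(r)}
        kind = "spray" if len(exts) >= threshold // 2 else "brute-force"
        alerts[src] = {"failures": peak, "extensions": len(exts), "kind": kind}
    return alerts


def invite_flood_alerts(records: List[SipTxn], window_s: float = 10,
                        threshold: int = 50) -> Dict[str, dict]:
    """Sources exceeding threshold INVITEs per window; a high 404 share means the
    flood also targets non-existent extensions, as described in the post."""
    alerts = {}
    is_invite = lambda r: r.method == "INVITE"
    for src, peak in _peak_per_source(records, is_invite, window_s).items():
        if peak < threshold:
            continue
        invites = [r for r in records if r.src == src and is_invite(r)]
        share = sum(1 for r in invites if r.status == 404) / len(invites)
        alerts[src] = {"invites": peak, "unknown_extension_share": round(share, 2)}
    return alerts


# --- constructed sample records ---
SAMPLE: List[SipTxn] = []
SAMPLE += [SipTxn(10 + 3600 * i, "10.0.10.20", "REGISTER", "102", 200) for i in range(3)]  # normal phone
SAMPLE += [SipTxn(20.0, "10.0.10.20", "REGISTER", "102", 401),                               # one typo
           SipTxn(40.0, "10.0.10.20", "INVITE", "103", 200)]
SAMPLE += [SipTxn(200 + 2 * i, "10.0.10.77", "REGISTER", "103", 403) for i in range(15)]     # one extension hammered
SAMPLE += [SipTxn(300 + i, "10.0.10.99", "REGISTER", str(100 + i), 403) for i in range(12)]  # one password, many extensions
SAMPLE += [SipTxn(500 + 0.05 * i, "10.0.10.55", "INVITE", str(9000 + i), 404 if i % 2 else 180)
           for i in range(60)]                                                                # INVITE flood

if __name__ == "__main__":
    print(auth_failure_alerts(SAMPLE))
    print(invite_flood_alerts(SAMPLE))
```

Note that a legitimate phone receives one 401 challenge on every registration before it resends with credentials, so counting raw 401s with a low threshold will page on ordinary re-registrations; the records here carry the final status of each transaction, and in practice the threshold should sit well above the registration interval of the phone fleet.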

Voicemail Spoofing

Voicemail spoofing is one of our favorite attacks. It is a very simple but effective attack when combined with social engineering (Vishing).

Voicemail spoofing is possible due to unencrypted communications allowing us to manipulate the parameters in the INVITE request to impersonate anyone we like.

We can use Inviteflood (the same tool we used to perform a denial-of-service attack) to manipulate the INVITE parameter and spoof voicemails.

Inviteflood usage:

Spoofed Request
Spoofed SIP INVITE

This attack has been found to be very useful during our red team engagements. Here is one such scenario:

During an assessment we managed to gain access by leveraging a vulnerability on an externally facing server. Once inside, we deployed a L2VPN tunnel and were able to view and intercept all traffic passing over the wire. While analyzing the traffic, we noticed an insecure VoIP implementation, which allowed us to spoof the internal IT department extension and perform a social engineering attack against the employees. This attack eventually resulted in full compromise of the internal network.

VLAN Hopping

In a properly configured environment VoIP traffic is linked to a designated VLAN known as the Voice VLAN. Ideally, this VLAN should be completely segregated from the office network (DATA VLAN). This will prevent an attacker from intercepting VoIP traffic using a sniffing tool. VLAN hopping is the ability to jump from the VoIP network to the office network.

Most IP phones have a built in switch. The end user’s PC is connected to a tagged port on the phone usually labeled PC, and the phone is connected from its LAN port to a managed switch.

In order to perform VLAN Hopping we will use a tool called VoIP Hopper. VoIP Hopper mimics the behavior of an IP phone. The tool supports multiple discovery protocols (such as DHCP, CDP, and LLDP-MED).

It works by creating a new Ethernet interface on the PC that tags the 802.1q VLAN header in the Ethernet packet. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request.

Before we can attempt to hop between VLANs we have to load the 802.1q module in our assessment VM.

Loading the 802.1q Module

VoipHopper has a feature called Assessment Mode that is especially useful if we don’t know if we are dealing with well-known IP phones such as Cisco, AVAYA, etc.

A libpcap loop listens for any traffic that could allow the tool to discover the Voice VLAN ID. This includes CDP, LLDP-MED, and 802.1q Ethernet frames containing a VLAN ID, saving us from performing the process manually.

VLAN Hopping using Assessment Mode:

VoipHopper Assessment Mode

Hopping with a Known VLAN ID:

If we already know the VLAN ID, we can attempt to jump directly to it without the need to listen to the traffic.

VoipHopper Known VLAN ID

If successful, we should see a new VLAN added to the interface we specified (eth0 in our example).

Provisioning Servers

Many organizations use a designated provisioning server to pull configuration files during the soft phone initial boot process. This server pushes configuration settings to the phones in the organization from a main server. The configurations are usually files in various formats and binaries. Using a tool such as Wireshark we can sometimes locate these files.

These files can potentially contain sensitive information such as passwords for the phone management interfaces which can be very valuable for an attacker. If an attacker gains access to the phone management interface they could cause destructive attacks such as altering configurations or changing passwords. If compromised, a provisioning server could also be leveraged to pivot further into the network or even gain an initial foothold within the Active Directory environment.

Closing Thoughts

In closing, VoIP is an often overlooked area of focus for internal assessments but as we have demonstrated it can be easily misconfigured and leveraged to perform a variety of attacks such as eavesdropping to gain access to potentially sensitive information, denial-of-service attacks that can lead to interruptions and downtime, VLAN hopping to move around an internal network, as well as a foothold for social engineering. A VoIP system should be treated as any other system with a large attack surface and should be deployed and configured in a secure manner to prevent potentially devastating attacks.

Note: There are many ways to perform any of the demonstrated attacks; we chose the most convenient one for us.

Interested in hearing more about our services?

Contact us at info@vartaisecurity.com to discuss your unique project needs.

References

http://www.ietf.org/rfc/rfc3550.txt

http://www.ietf.org/rfc/rfc3261.txt


Vartai Security is a unique provider of cyber resiliency measures based in Tampa, Florida and Washington DC.