Re: pentesting voip network-please help

["J. Oquendo" <sil () infiltrated net>]

mzcohen2682 () aim com wrote:
> hi all !!
>
> im doing an internal (lan) pentest for a voip network. the network has
> 6 cisco call manager version 6.1.3 as a cluster. they have cisco
> phones 7911 and 7941. they use a seperate vlan por the voip network.
>
> I started by trying to download the images files for the phones from
> the tftp server by doing a brute force attack for the names of the files.
>
> I have access to one of the 7941 phones so I checked that the verion
> of the image is 4.0/8.0 (9.0)
> in not sure what should be the names for the file images that the
> phones reload after boot but according to cisco documentation there
> must be SIPdefault.cnf and OS79xx.txt on the root directory of the
> tftp server. but I tried and there are not..
>
> so what are the nemes of the files? I read a documents that said that
> if im am able to download those files I will find lots of interseting
> information like phone passwords etc..
>
> after that... I tried to capture some RTP conversations but without
> any success. I am connected to the voip vlan and used wireshark but It
> doesnt detect any calles ! shoud I do some arp spoofing attack? but to
> which mac's?
>
> any other ideas how to continue with this pentest?
>
> what I see is that although the client didnt implement encryption or
> any other security control just the vlan isnt not so eaxy to pentest a
> voip network..
>
> thanks
>
> marco

1) What to look for from Cisco. What you would be looking for via the
TFTP server would be

SIP00xxxxxxxxxx.cnf where the X's are the MAC addresses of the phones
themselves.

There is usually a SEP file as well: SEP0000xxxxxxxxxx.cnf.xml same rule
applies (x = MAC). SIP is the file you would be concerned with.

# awk '/line/{print}' SIP00xxxxxxxxxx.cnf
line1_name: "XXZZXX"
line1_shortname:"XXZZXX"
line1_displayname: "XXZZXX"
line1_authname: "XXZZXX"
line1_password: "XXZZXX"
line2_name: "XXZZXX"
line2_shortname:"XXZZXX"
line2_displayname: "XXZZXX"
line2_authname: "XXZZXX"
line2_password: "XXZZXX"

Because people will usually follow others (guidelines, etc) there is a
high likelihood the usernames and passwords are the same.

2) RTP conversations. Just because you're running any sniffer, doesn't
mean you're going to get anything. For starters, what VLAN are you
sniffing on? Did you hop over to the voice VLAN to capture traffic.
Personally, I would try something similar to  macchanger
--mac=XX:XX:XX:XX:XX:XX where X is the MAC address you pulled from one
of the TFP servers. Provided they DON'T have any kind of portsecurity,
you could try to represent a your machine as a phone to get access to
the VLAN to run a sniffer or do whatever else you intend on doing.

3) Creativity... So you have the data from the SIP00xxxxxxxxxx.cfg
files, are all phones located on prem? If not, then register a softphone
for someone you know to be out of office, shoot off a spoofed email as
the person who is out of office, try to have someone reset a password
and leave a voicemail, e.g.:

from "spoofed_as_tom_jones () clientsite com
to "admin () clientsite com"

Subject Password reset

Hi admin, I'm currently on the road right now and need my password reset
for INSERT_SERVICE_HERE. I'm an hour away from a crucial meeting and
need this done. Please reset my password and leave the instructions on
my voicemail so I can retrieve it when I arrive at this meeting.

Depending on your level of social engineering skills, IF the admin
indeed resets a password and leaves a message... If you were capable of
sniffing the audio, you could replay it to obtain the password. If you
didn't manage to sniff traffic and have the SIP file, the username and
password is kept in cleartext. Register a softphone and retrieve the
password information from there.

Personally, I think you should have read up prior to taking the work.
Kind of misrepresenting a capability no?

SIP slash VoIP is nothing more than data. Same method you listen to a
streaming MP3 is the same method in which VoIP is delivered. The
mechanisms to connect are the same as well. Username, password and at
times MAC address based authentication. All else fails create a numbers
based text file and unload Hydra against CCM.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------