Security Basics mailing list archives
Re: pentesting voip network-please help
From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 01 Feb 2010 14:43:29 -0500
mzcohen2682 () aim com wrote:
Hi all!! I'm doing an internal (LAN) pentest for a VoIP network. The network has 6 Cisco Call Manager version 6.1.3 servers as a cluster. They have Cisco phones 7911 and 7941. They use a separate VLAN for the VoIP network.

I started by trying to download the image files for the phones from the TFTP server by doing a brute force attack for the names of the files. I have access to one of the 7941 phones, so I checked that the version of the image is 4.0/8.0 (9.0). I'm not sure what the names of the file images that the phones reload after boot should be, but according to Cisco documentation there must be SIPdefault.cnf and OS79xx.txt in the root directory of the TFTP server. But I tried and they are not there.. so what are the names of the files? I read a document that said that if I am able to download those files I will find lots of interesting information like phone passwords etc..

After that... I tried to capture some RTP conversations but without any success. I am connected to the VoIP VLAN and used Wireshark, but it doesn't detect any calls! Should I do some ARP spoofing attack? But to which MACs? Any other ideas how to continue with this pentest? What I see is that although the client didn't implement encryption or any other security control, with just the VLAN it isn't so easy to pentest a VoIP network..

Thanks,
Marco
1) What to look for from Cisco. What you would be looking for via the TFTP server would be SIP00xxxxxxxxxx.cnf, where the x's are the MAC addresses of the phones themselves. There is usually a SEP file as well: SEP0000xxxxxxxxxx.cnf.xml; the same rule applies (x = MAC). SIP is the file you would be concerned with.

    # awk '/line/{print}' SIP00xxxxxxxxxx.cnf
    line1_name: "XXZZXX"
    line1_shortname:"XXZZXX"
    line1_displayname: "XXZZXX"
    line1_authname: "XXZZXX"
    line1_password: "XXZZXX"
    line2_name: "XXZZXX"
    line2_shortname:"XXZZXX"
    line2_displayname: "XXZZXX"
    line2_authname: "XXZZXX"
    line2_password: "XXZZXX"

Because people will usually follow others (guidelines, etc.), there is a high likelihood the usernames and passwords are the same.

2) RTP conversations. Just because you're running a sniffer doesn't mean you're going to get anything. For starters, what VLAN are you sniffing on? Did you hop over to the voice VLAN to capture traffic? Personally, I would try something similar to

    macchanger --mac=XX:XX:XX:XX:XX:XX

where X is the MAC address you pulled from one of the TFTP servers. Provided they DON'T have any kind of port security, you could try to represent your machine as a phone to get access to the VLAN to run a sniffer or do whatever else you intend on doing.

3) Creativity... So you have the data from the SIP00xxxxxxxxxx.cnf files; are all phones located on prem? If not, then register a softphone for someone you know to be out of office, shoot off a spoofed email as the person who is out of office, and try to have someone reset a password and leave a voicemail, e.g.:

    From: "spoofed_as_tom_jones () clientsite com"
    To: "admin () clientsite com"
    Subject: Password reset

    Hi admin,

    I'm currently on the road right now and need my password reset for INSERT_SERVICE_HERE. I'm an hour away from a crucial meeting and need this done. Please reset my password and leave the instructions on my voicemail so I can retrieve it when I arrive at this meeting.
Depending on your level of social engineering skills, IF the admin indeed resets a password and leaves a message... If you were capable of sniffing the audio, you could replay it to obtain the password. If you didn't manage to sniff traffic and have the SIP file, the username and password are kept in cleartext. Register a softphone and retrieve the password information from there.

Personally, I think you should have read up prior to taking the work. Kind of misrepresenting a capability, no? SIP slash VoIP is nothing more than data. The same method by which you listen to a streaming MP3 is the method by which VoIP is delivered. The mechanisms to connect are the same as well: username, password and at times MAC address based authentication. If all else fails, create a numbers based text file and unload Hydra against CCM.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
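An added defensive example, not code from the thread or from Cisco: a small Python audit that parses the lineN_* fields of a SIP phone config in the format shown in the reply and flags what the reply points out (the password is stored in cleartext at all, password equal to the username, and short or all-digit passwords), so an administrator can find these before a tester does. The sample config, its field values and the weakness rules are constructed assumptions for this example.

```python
import re

# Constructed sample in the SIP00xxxxxxxxxx.cnf layout shown in the reply.
# Every value here is a placeholder, not a real phone or site credential.
SAMPLE_CNF = """\
proxy1_address: "10.0.0.5"
line1_name: "2001"
line1_shortname:"2001"
line1_displayname: "Desk 2001"
line1_authname: "2001"
line1_password: "2001"
line2_name: "2002"
line2_shortname:"2002"
line2_displayname: "Desk 2002"
line2_authname: "user2002"
line2_password: "s3cr3tPhrase!"
"""

# lineN_<field>: "<value>"  (whitespace around the colon is optional, as in the
# shortname entries the reply shows)
LINE_RE = re.compile(r'^line(\d+)_(\w+)\s*:\s*"([^"]*)"\s*$')


def parse_lines(text):
    """Return {line_number: {field: value}} for every lineN_* entry."""
    lines = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            num, field, value = m.groups()
            lines.setdefault(int(num), {})[field] = value
    return lines


def audit(text):
    """Return (line_number, finding) pairs for weak SIP line credentials."""
    findings = []
    for num, fields in sorted(parse_lines(text).items()):
        pw = fields.get("password", "")
        if not pw:
            continue
        # The config file itself keeps the password in the clear, so anyone
        # who can read the TFTP share can read it; flag every such line.
        findings.append((num, "cleartext_password"))
        if pw in (fields.get("authname", ""), fields.get("name", "")):
            findings.append((num, "password_equals_username"))
        if len(pw) < 8 or pw.isdigit():
            findings.append((num, "weak_password"))
    return findings
```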