RE: VoIP pentest ?

From: Sérgio Yoshioka (sergioy2004@yahoo.com.br)
Date: Thu Dec 09 2004 - 22:04:11 EST


Hi people,

Maybe this helps:

Another tool to test VoIP (SIP) is Protos. With this
tool a lot of security problems were found in various
SIP products. Details in
http://www.cert.org/advisories/CA-2003-06.html

You can get more information about Protos in the link:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

SiVus is recent and you can find it at
www.vopsecurity.org

By the way another serious problem in VoIP will be
spam or SPIT (spam over internet telephony).

VoIP protocols in general have problems when they need
to do NAT traversal. Another problem is dynamically
opening/closing ports in the firewall to allow VoIP
communication/conversation with RTP/RTCP.

Sérgio Yoshioka

 --- Mark Teicher <mht3@earthlink.net> wrote:
> Jerry,
>
> These are just some of the products for Item #2
> discussed in my post.
>
> NetAlly from
> http://www.violanetworks.com/products.asp
> Qovia Central from http://www.qovia.com
>
> Physical Security of the Telecommunications Room
> (always a good place to start)
> Encryption Methodologies (with each option,
> advantages and disadvantages of performance/security
> or security/performance)
> VOIP Configuration Testing
> Quality of Service Performance and Security Testing
> TFTP exploitation (since most IP phones retrieve
> their settings via TFTP)
> CALEA Compliance
> Most VoIP Equipment has basic protection against
> DDOS, but during a VOIP Security Assessment, what
> occurs to the equipment when it is being attacked is
> far more interesting and what are the continuity
> plans of the organization for when the VOIP network
> is not responding.
>
> -----Original Message-----
> From: Jerry Shenk <jshenk@decommunications.com>
> Sent: Dec 9, 2004 10:56 AM
> To: 'Mark Teicher' <mht3@earthlink.net>,
> pen-test@securityfocus.com
> Subject: RE: VoIP pentest ?
>
> So, Mark - what are some of the good tools for
> testing a network for
> VOIP readiness? I've got a local company that is
> "real hot" on
> VOIP....like it's gonna be the end-all to every
> problem. I suppose it
> can help a few issues but they need a little help
> giving a little
> thought to some of the performance and security
> issues.
>
> -----Original Message-----
> From: Mark Teicher [mailto:mht3@earthlink.net]
> Sent: Monday, December 06, 2004 9:28 PM
> To: pen-test@securityfocus.com
> Subject: Re: VoIP pentest ?
>
>
> Actually, the question for VOIP pen-testing should
> be split into two
> issues:
>
> 1. How vulnerable is a network with VOIP?
> 2. Is the network ready for VOIP?
> 3. VOIP Attack suite
>
> 1. Here is the tricky part, most savvy security consultants will apply
> normal security methodology techniques in examining a network using
> <insert your favorite network topology mapping tool> and <insert your
> favorite network scanning tools> to assess the network. In a previous
> life, I worked with a PhD who didn't want to listen that wrote a
> methodology for security assessments, only a minimum of what he wrote
> applies in examining a network with VoIP.
>
> 2. Is a network ready for VOIP? That is an interesting question since
> most <insert your favorite scanning tool here> will provide an
> organization or security consultants very minimal information on
> whether a network is ready for VOIP. WARNING: If a security consultant
> offers a VOIP readiness check, inquire what tools they use; if their
> answer begins with <insert your favorite network scanning tool>, be
> very afraid.
>
> 3. VOIP Attack suite - there are rudimentary scanning tools out there
> for assessing VOIP products, but they do not encompass all the
> components of a VOIP setup. Here is the issue, running a scan across IP
> phones will cause users of a particular organization to get a little
> miffed, since most IP phones do not have denial of service protection
> built-in, so that is out. Another issue is that most common intrusion
> detection systems have not incorporated VOIP protocol decodes into
> their products yet, there are a couple of pattern matching signatures
> out there for Sn0rt but very few, so at most, when running VOIP attacks
> on a VOIP network, the majority of noise will be from the users and
> very little information will be gathered about the VOIP products except
> OS banner collection, and port flapping.
>
> hope this helps
>
> /m
>
>
> At 08:32 AM 10/28/2004, Volker Tanger wrote:
>
> >Greetings!
> >
> >On Wed, 27 Oct 2004 11:28:51 +0200 Frederic Charpentier
> ><fcharpen@xmcopartners.com> wrote:
> > > does anyone have experiences or papers on VoIP pentest/assessment ?
> > > Expecting classic OS/Network audits and H323/ASN.1 flaws, I can't find
> > > any documentations or papers about flaws in VoIP architecture.
> >
> >VoIP (SIP and H.323) do media transfer via (unencrypted) RTP/RTCP.
> >SIP is a simple, unauthenticated cleartext protocol. H.323 similar
> >(binary and more complex, but still unauthenticated).
> >
> >With ARPspoofing etc. it is simple to listen to voice streams or call
> >setup - or change it. So re-routing voice streams or calls should be
> >simple.
> >
> >Quite a high percentage of systems were/are susceptible to buffer
> >overflows it seems (forgot the URL - about half a year ago).
> >
> >For other fun with SIP see e.g.
> >http://www.infoanarchy.org/story/2004/9/15/23127/3363
> >
> >Bye
> >
> >Volker Tanger
> >ITK Security
>
>
>
>
>
>
>
>
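
The firewall and NAT points raised in the message above can be seen in the SDP body of a SIP INVITE: the RTP/RTCP ports and the media address are only announced inside the signalling payload, so a firewall has to parse it to know which pinholes to open. The following is an added example, not part of the original thread; the function name `media_pinholes` and the sample INVITE are constructed for illustration, and connection addresses are assumed to be IP literals (hostnames are left unclassified).

```python
import ipaddress

# Constructed, abridged sample: a SIP INVITE with an SDP offer (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    "Call-ID: constructed-1@192.168.1.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/SAVP 96\r\n"
    "a=rtcp:53020\r\n"
)

def media_pinholes(sip_message):
    """Return one dict per SDP m= line: address, RTP/RTCP ports, findings."""
    _, _, sdp = sip_message.partition("\r\n\r\n")
    session_addr, streams = None, []
    for line in sdp.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":
            addr = value.split()[2].split("/")[0]    # "IN IP4 <addr>[/ttl]"
            if streams:
                streams[-1]["addr"] = addr           # media-level c= overrides
            else:
                session_addr = addr
        elif kind == "m":
            _media, port, proto = value.split()[:3]
            port = int(port.split("/")[0])
            streams.append({"addr": session_addr, "rtp": port,
                            "rtcp": port + 1, "proto": proto})  # RTCP defaults to RTP+1
        elif kind == "a" and value.startswith("rtcp:") and streams:
            streams[-1]["rtcp"] = int(value[5:].split()[0])     # explicit RTCP port
    for s in streams:
        s["findings"] = []
        try:
            if ipaddress.ip_address(str(s["addr"])).is_private:
                s["findings"].append("private address in SDP (NAT traversal issue)")
        except ValueError:   # hostname or missing c= line: cannot classify
            pass
        if s["proto"] == "RTP/AVP":
            s["findings"].append("unencrypted RTP")
    return streams
```
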

        
        
                



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT