While the intricacies of invading a country are slightly different than hacking a VoIP network, the success of each typically depends on having done solid reconnaissance and research well before the first shot is ever fired.
By its very nature, VoIP exemplifies the convergence of the Internet and the phone network. With this convergence, we are starting to see the exploitation of new exposures particular to VoIP as well as traditional avenues of attack. Much like WWW technology, VoIP devices, by technical necessity, are advertised and exposed on IP networks in many ways, allowing hackers to find and exploit them more easily.
This chapter focuses on a variety of simple techniques and publicly available tools for gathering information about an organization's VoIP security posture from the perspective of an external hacker.
Most organizations are consistently amazed at the cornucopia of sensitive details hanging out in the public domain and available to any resourceful hacker who knows how and where to look. Exacerbating the situation is that VoIP, as an application much like WWW, DNS, or SMTP, is also dependent on the rest of an organization's network infrastructure for its security posture (for example, its router configuration, firewalls, password strength, OS patching frequency, and so on). As Figure 1-1 depicts, VoIP security clearly intersects the traditional layers of data security within an organization.
It's clearly in a hacker's best interest to gain as much information about the supporting infrastructure as possible before launching an attack. The path of least resistance to compromising an enterprise VoIP system may not necessarily be to go directly for the VoIP application itself, but instead a vulnerable component in the supporting infrastructure (router, web server, and so on). Why would an attacker bother spending time brute forcing a password in the VoIP voicemail system's web interface when the Linux system it runs on still has a default root password? Simply researching the flavors of a VoIP deployment and its dependent technologies ahead of time can drastically save a hacker time and brute forcing effort. Therefore, the first step to assessing your own external security posture is to discover what information potential attackers might already know about you.
The CSI/FBI Computer Crime and Security Survey for 2005 implies that insider abuse is still very much a threat to the enterprise. Insiders are typically those people who already have some level of trusted access to an organization's network, such as an employee, contractor, partner, or customer. Obviously, the more trust an organization places in someone on the inside, the more damaging an impact his malicious actions will have.
Most of the upcoming chapters will take the perspective of an inside attacker. For the purpose of this chapter, however, we've taken the viewpoint that the potential VoIP hacker is beginning his efforts external to the targeted organization. In other words, he is neither a disgruntled employee who has intranet access nor an evil system administrator who already has full run of the network.
You can safely assume though that the hacker's first order of business is to gain internal access remotely in order to launch some of the more sophisticated attacks outlined later in this book. While it's often trivial for a hacker to gain inside access, footprinting still reaps rewards by helping to fuel some of the more advanced VoIP attacks discussed in later chapters.
Scoping the Effort
VoIP installations can be tightly confined to one geographic location or deployed across multiple regions with users making calls from the office, their homes, or the road. Because most VoIP technology is extensible enough to deploy in a myriad of scenarios, it is important to define the scope and goals of your hacking efforts well in advance. If the goal of these hacking simulations is to secure the VoIP services of your branch office, it might be a pointless exercise to overlook completely the security holes in your main headquarters' VoIP PBX.
It's often hard to discern all of these VoIP security dependencies ahead of time. Footprinting can sometimes paint only part of the network picture no matter how much time and effort you put into the research. Other key areas might gradually appear only later in the scanning and enumeration phases.
Attack – Public Web Site Research
A wealth of information is usually sitting right out in the open on an organization's corporate website. Of course, this information is typically regarded in a benign manner because its main purpose is to help promote, educate, or market to external visitors. Unfortunately, this information can also aid attackers by providing important contextual information required to social engineer their way into the network. The following classes of data can provide useful hints and starting points for a hacker to launch an attack:
Organizational Structure and Corporate Locations
Identifying the names of people in an organization may prove helpful in guessing usernames or social engineering other bits of information further down the road. Most companies and universities provide a Corporate Information or Faculty section on their website, like the one shown in Figure 1-2.
Location information for branch offices and corporate headquarters is useful in understanding the flow of traffic between two VoIP call participants. This information is also helpful for getting within range of an office building to attack the VoIP traffic going over the wireless networks. Both Google and Microsoft provide online satellite imaging tools, as shown in Figures 1-3 and 1-4, to aid even the most directionally challenged hacker.
Help and Tech Support
Some sites, especially universities, offer an online knowledgebase or FAQ for their VoIP users. The FAQ might contain gems of information including phone type, default PIN numbers for voicemail, or remotely accessible links to web administration (as seen in Figure 1-5).
In Figure 1-6, you can see that a Cisco IP Phone 7960 is being used throughout the Harvard campus community.
Why should you care? A hacker can cross reference this juicy bit of information against several free online vulnerability databases to see if it has any security holes. Sure enough, under the listing for Cisco IP Phone 7960, SecurityFocus.com tells us about several previously discovered vulnerabilities for this device and gives information on how to exploit each issue (see Figure 1-7).
Even though the university makes sure to patch all of these phones with the latest firmware, a hacker may still encounter the rare device that escaped an administrator's attention. The ongoing challenge of keeping VoIP devices and infrastructure updated with the latest firmware is covered in Part II: "Exploiting the VoIP Network."
Job Listings
Job listings on corporate web sites contain a treasure trove of information on the technologies used within an organization. For instance, the following snippet from an actual job posting for a "VoIP Systems Architect" strongly suggests that Avaya VoIP systems are in use at this company.
Required Technical Skills:
* Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails.
* Advanced programming knowledge of the Avaya Communication Servers and voicemails.
Phone Numbers and Extensions
Simply finding phone numbers on the corporate website is not going to reveal a lot about any potential VoIP systems in use. However, compiling a profile of the internal workings of numbers and extensions will be helpful later on. For instance, some branch offices typically have the same one- or two-number prefix that is unique to that site. An easy way to find many of the numbers you're looking for on the website is to use Google,
111..999-1000..9999 site:www.example.com
which returns all 70+ pages with a telephone number in the format XXX-XXXX. To further refine your search, you can simply add an area code if you're looking for a main switchboard,
877 111..999-1000..9999 site:www.example.com
which now returns only three hits.
Companion Web Site – Once you have what appears to be a few main switchboard numbers, you can then try calling them after normal business hours. Most VoIP systems include an automated attendant feature that can answer calls during or after hours with a prerecorded message. While not an exact science, many of these messages are unique to each VoIP vendor in wording and voice. Simply by listening to the factory default main greeting, hold music, or voicemail messages, a hacker can sometimes narrow down the type of system running. We have included some recorded transcripts and messages on our website, http://www.hackingvoip.com, to assist you. For instance, the open source Trixbox project built on Asterisk (http://www.trixbox.org) will respond to a missed call by default with a female voice that says: "The person at extension X-X-X-X is unavailable. Please leave your message after the tone. When done, please hang up or press the pound key. [beep]"
Countermeasures – Public Web Site Countermeasures
As discussed earlier, most of the information on a public web site is likely benign in nature until a hacker starts to connect the dots. In practice, the previous information is typically pretty difficult and unreasonable to police, especially since website authors update this information fairly often. The best advice we have is to limit the amount of technical system information in job descriptions and online help pages (including default passwords).
Attack – Google VoIP Hacking
One of the great benefits of Internet search engines today is their massive potential for unearthing the most obscure details on the Internet. One of the biggest security risks of Internet search engines today is also their massive potential for unearthing the most obscure details on the Internet. There have been entire books written on the subject of hacking using search engine technology, including Google Hacking for Penetration Testers by Johnny Long (Syngress 2004). When footprinting a VoIP network, there are a variety of ways a hacker can leverage search engines by simply using the advanced features of a service such as Google. Targeting the following categories of search results can often provide rich details about an organization's VoIP deployment:
VoIP Vendor Press Releases and Case Studies
When VoIP vendors have obtained permission to do so, some of them will issue a press release about a big sales win, usually including a quote from the customer. Additionally, many VoIP vendor sites include case studies that sometimes go into detail about the specific products and versions that were deployed for a customer. Confining your search to the VoIP vendor's site might hit paydirt with one such case study. In Google, try, for example, typing
site:avaya.com case study
or
site:avaya.com [company name]
Resumes
In the same way that job descriptions are chock full of potentially useful information for a hacker, so too are resumes. Some creative search terms can unearth particularly useful bits of information from resumes, such as:
"Phase I: designed and set up a sophisticated SIP-based VoIP production Asterisk PBX with headsets and X-Lite softphones."
"Provided security consulting, VPN setup, and VoIP assistance including CallManager installation with Cisco 7920 IP Phones."
"Successfully set up and installed Nortel Meridian PBX and voicemail system."
Mailing Lists and Local User Group Postings
Today's technical mailing lists and user support forums are an invaluable resource to a network administrator trying to learn about VoIP technology for the first time. Often, an administrator with the best of intentions will reveal too many details in order to elicit help from the online community. In some cases, a helpful administrator may even share his configuration files publicly in order to teach others how to enable a certain hard-to-tune feature. For instance, the following example reveals what type of VoIP PBX is in use, as well as the type of handsets being employed:
Hello,
We just got a new IP Office 406 system in our office in San Jose, CA. I'm in IT and will help manage the system. We have complete support from a local VAR for one year, however, this is the first implementation for IP Office so they are learning, too.
So far our major issues are:
1) Dial-by-name directory not delivered from Avaya. Our VAR said Avaya said maybe next week it will be ready.
2) Programming DSS buttons crashes the system. Our VAR said Avaya said this is a known problem and they are working on it. What I am trying to accomplish is, for example, I want to be able to answer the phone of my assistant's extension and I want it to actually ring on my phone. On our old NEC system a light appeared on the phone. Our VAR said I had to use DSS, but 1) the phone does not actually ring—the line only flashes, and 2) it crashes the system, or actually the digital card, the VAR said.
3) We have to reboot the system when we want to add extensions and update other settings. So far, the "Merge" option has not worked for us.
4) The 4412D+ handsets are nice but they do not fit well into the cradle and sometimes leave the phone off the hook!
We have three 30-port D-term modules and two analog modules. We also have Voicemail Pro with Phone Manager Lite. If there is other information I can provide please let me know. If there is another forum or website I should also be looking at, I'd appreciate that information, too. Thanks again,
[Name removed to protect the innocent]
National and local user conferences are typically attended by enterprises using those vendors' systems. While the conference proceedings are often restricted to paying members of the group, sometimes there are free online materials and agendas that may still help with footprinting. As a starting point, aim your search engine at one of the following good user-group sites.
Web-based VoIP Logins
Most VoIP devices provide a web interface for administrative management and for users to modify their personal settings (voicemail, PIN, forwarding options, among others). These systems should generally not be exposed to the Internet in order to prevent password brute-force attacks, or worse yet, exposing a vulnerability in the underlying web server. However, search engines make it easy to find these types of sites. For instance, many Cisco CallManager installations provide a user options page that is typically accessible at http://www.example.com/ccmuser/logon.asp. Typing the following into Google will uncover several CallManager installations exposed to the Internet:
inurl:"ccmuser/logon.asp"
Or to refine your search to a particular target type:
inurl:"ccmuser/logon.asp" site:example.com
Many Cisco IP phones come installed with a web interface that is also handy for administration or diagnostics. Type the following into Google:
inurl:"NetworkConfiguration" cisco
Some of these web interfaces are also exposed to the Internet and reveal extremely useful information (like nonpassword-protected TFTP server addresses) when clicking on the Cache link, as shown in Figure 1-8.
Asterisk is probably the most popular open source IP PBX software in use today. You can also use Google to find several web management front ends to Asterisk:
intitle:"Flash Operator Panel" -ext:php -wiki -cms -inurl:asternic -inurl:sip -intitle:ANNOUNCE -inurl:lists
and even:
intitle:asterisk.management.portal web-access
Companion Web Site – There are some more general search terms for network devices that can be found in the Google Hacking Database (GHDB) project at http://johnny.ihackstuff.com. We have also uploaded a collection of popular Google VoIP hacking terms to our website, http://www.hackingvoip.com.
In addition, here is a sampling from our online collection of other web-based VoIP phones and PBXs that can be found with Google:
Snom phones also include a potentially dangerous "feature" called PCAP Trace, which reads as shown here.
If the phone is left in its default nonpassword-protected state, anyone can connect with a web browser and start to sniff traffic. This is especially dangerous if the phone is connected to a hub with other users!
Countermeasures – Google Hacking Countermeasures
All of the previous Google hacking examples can be refined to your organization simply by adding your company name to the search or adding a site search directive refining your search space (for example, "site:mycompany.com"). Being able to find exposed web logins proactively for VoIP devices can remove a lot of low-hanging fruit for hackers. At the very least, you should change the default passwords for any VoIP web logins that need to be Internet-accessible. For the most part, however, there's no good reason why a phone or PBX has to be exposed to the Internet.
There are even services that will monitor this for you. Organizations such as Cyveilance (www.cyveilance.com) and BayTSP (www.baytsp.com) send daily, weekly, or monthly reports of your online public presence, including your "Google hacking" exposure.
Attack – WHOIS and DNS Analysis
Every organization with an online presence relies on DNS in order to route website visitors and external email to the correct places. DNS is the distributed database system used to map IP addresses to hostnames. In addition to DNS, regional public registries exist that manage IP address allocations:
Most of these sites support a WHOIS search, revealing the IP address ranges that an organization owns throughout that region. For instance, going to ARIN's website and searching for Tulane produces the following results:
Tulane University (TULANE)
Tulane University (TULANE)
Tulane University (TULANE-1)
Tulane University (AS10349) TULANE 10349
Tulane University (AS10349) TULANE 10349
Tulane University TULANE-NET (NET-129-81-0-0-1) 129.81.0.0 - 129.81.255.255
Tulane University TULANEU-WSTR (NET-65-36-67-128-1) 65.36.67.128 - 65.36.67.135
TULANE EXECUTIVE CENTER-050908164403 SBC07025310201629050908164407 (NET-70-253-102-16-1) 70.253.102.16 - 70.253.102.23
Tulane University SBCIS-021405090840 (NET-216-62-170-96-1) 216.62.170.96 - 216.62.170.127
Tulane University SUNGARD-D9DC603B-C4A4-4879-9CE (NET-216-83-175-144-1) 216.83.175.144 - 216.83.175.151
Tulane University SUNGARD-D9DC603B-C4A4-4879-9CE (NET-216-83-175-128-1) 216.83.175.128 - 216.83.175.143
Tulane University SBC06915011614429040517161331 (NET-69-150-116-144-1) 69.150.116.144 - 69.150.116.151
Tulane University TULANE-200501121422549 (NET-199-227-217-248-1) 199.227.217.248 - 199.227.217.255
Tulane University 69-2-56-72-29 (NET-69-2-56-72-1) 69.2.56.72 - 69.2.56.79
Tulane University 69-2-52-176-28 (NET-69-2-52-176-1) 69.2.52.176 - 69.2.52.191
Notice that there are several IP address ranges listed toward the bottom of the query results that can offer a hacker a starting point for scanning, which is mentioned in the next chapter. The more interesting range seems to be 129.81.x.x. WHOIS searches won't always provide all of the IP ranges in use by an organization, especially if they outsource their web and DNS hosting. You can instead do a WHOIS lookup on the DNS domain itself rather than the organization name. Most *NIX systems support the use of the whois command:
# whois tulane.edu
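To turn an ARIN listing like the one above into a scoped inventory of your own registered address space, here is an added example (not code from the book): it re-joins records that the listing wraps across two lines, collapses each first/last pair into CIDR blocks, and lets you check whether a host found later through DNS actually sits inside your registered footprint. The sample output is constructed from the listing quoted above.

```python
import ipaddress
import re

# Constructed sample modelled on the ARIN listing quoted in the chapter. The
# second and third records are wrapped across two lines, as happens when the
# listing is copied from a narrow terminal or a page extraction.
SAMPLE_ARIN_OUTPUT = """\
Tulane University (TULANE)
Tulane University (AS10349) TULANE 10349
Tulane University TULANE-NET (NET-129-81-0-0-1) 129.81.0.0 - 129.81.255.255
Tulane University TULANEU-WSTR (NET-65-36-67-128-1) 65.36.67.128 -
65.36.67.135
TULANE EXECUTIVE CENTER-050908164403 SBC07025310201629050908164407 (NET-70-
253-102-16-1) 70.253.102.16 - 70.253.102.23
Tulane University 69-2-56-72-29 (NET-69-2-56-72-1) 69.2.56.72 - 69.2.56.79
"""

# One netblock record: "(NET-handle) first-address - last-address".
RANGE_RE = re.compile(
    r"\((?P<handle>NET-[0-9A-Z-]+)\)\s*"
    r"(?P<first>(?:\d{1,3}\.){3}\d{1,3})\s*-\s*"
    r"(?P<last>(?:\d{1,3}\.){3}\d{1,3})"
)


def _incomplete(buf):
    """True while a buffered record still needs its next line: it either ends
    in a dangling '-' or has a NET handle with no address range after it."""
    buf = buf.rstrip()
    return buf.endswith("-") or ("(NET-" in buf and not RANGE_RE.search(buf))


def parse_netblocks(text):
    """Return [(handle, first, last)] from ARIN output; org-only lines are
    skipped and wrapped records are re-joined before matching."""
    blocks, buf = [], ""
    for line in text.splitlines():
        # Join without a separator so a handle split as "(NET-70-" /
        # "253-102-16-1)" stays contiguous; RANGE_RE tolerates missing spaces.
        buf += line.strip()
        if _incomplete(buf):
            continue
        m = RANGE_RE.search(buf)
        if m:
            blocks.append((m["handle"], m["first"], m["last"]))
        buf = ""
    return blocks


def to_cidr(blocks):
    """Collapse each first/last pair into the CIDR networks that cover it."""
    nets = []
    for _handle, first, last in blocks:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return sorted(ipaddress.collapse_addresses(nets))


def owns(address, nets):
    """Does a host (for example one found via reverse DNS) fall inside the
    registered footprint? Hits outside it belong to a hosting provider."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    for net in to_cidr(parse_netblocks(SAMPLE_ARIN_OUTPUT)):
        print(f"{net}  ({net.num_addresses} addresses)")
```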
Alternatively, several websites offer a free WHOIS domain lookup service that will resolve the correct information regardless of country or the original DNS registrar. Going to http://www.allwhois.com gives us:
Domain Name: TULANE.EDU
Registrant:
Tulane University
1555 Poydras St., STE 1400
New Orleans, LA 70112-5406
UNITED STATES
Administrative Contact:
Tim Deeves
Director of Network Services
Tulane University - Technology Services
1555 Poydras St., STE 1400
New Orleans, LA 70112
UNITED STATES
(504) 314-2551
hostmaster@tulane.edu
Technical Contact:
Tim Deeves
Director of Network Services
Tulane University -Technology Services
1555 Poydras St., STE 1400
New Orleans, LA 70112
UNITED STATES
(504) 314-2551
hostmaster@tulane.edu
Name Servers:
NS1.TCS.TULANE.EDU 129.81.16.21
NS2.TCS.TULANE.EDU 129.81.224.50
Domain record activated: 14-Apr-1987
Domain record last updated: 11-Aug-2006
Domain expires: 31-Jul-2007
After performing some WHOIS research, hackers can start to lay out the external network topology of the organization they wish to target. For the purposes of this example, you have two main DNS servers to focus on for tulane.edu based on the search we performed in the previous section. By using simple queries, hackers can glean important information about many hosts that may be exposed to the Internet without even scanning them directly. In Figure 1-9, using Solarwinds DNS Analyzer (http://www.solarwinds.net), you can represent the DNS structure of tulane.edu graphically, including the SMTP servers identified by the MX records.
Based on this information, hackers can determine which servers are running DNS and SMTP services before even scanning the rest of the IP address space. Using the results from the previous queries, they might next look for any other interesting hostnames with public DNS entries that exist within the range 129.81.0.0–129.81.255.255. With a tool such as DNS Audit (also from Solarwinds), you can "brute force" the entire range of IP addresses to see if any of them return a valid reverse DNS lookup (see Figure 1-10).
Hackers are bound to find informative DNS names such as vpn.example.com, callmanager.example.com, and router.example.com, or even voicemail.example.com, which will likely warrant a closer investigation. In addition to some of the tools at Solarwinds, most of these DNS interrogation attacks can be scripted or automated easily using public website DNS search tools.
Countermeasures – WHOIS and DNS Analysis Countermeasures
WHOIS information is by its very nature meant to be publicized. Administrative contact email addresses, however, can be generic (webmaster@example.com) rather than using a personal address (billy2@pegasus.mail-mx.example.com).
DNS interrogation can reveal a lot about an organization, simply by the way certain servers are named. For instance, instead of naming a server "callmanager.example.com," consider something a little more discreet such as "cm.example.com," or something even more obscure.
It is important to disable anonymous zone transfers on your DNS servers so that hackers can't simply download your entire DNS database anonymously. Enabling Transaction Signatures (TSIGs) allows only trusted hosts to perform zone transfers. You also shouldn't use the HINFO information record within DNS—this comment field can provide much information about the host behind a target IP address.
Also, most hosting providers now offer anonymous DNS service options that hide your personal details from curious eyes (for a price).
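A check that applies the three DNS countermeasures above to your own zone before anyone else enumerates it, as an added example that is not code from the book: it parses a constructed BIND-style zone fragment, flags HINFO records and address records whose label spells out the host's role (callmanager, voicemail, vpn), and inspects named.conf fragments for an allow-transfer clause that still permits any host. The zone contents, hostnames and the key name ns2-tsig are all constructed for the example.

```python
import re

# Constructed zone fragment in BIND master-file syntax (example.com names only).
# It deliberately contains what the countermeasures warn against: an HINFO
# record and hostnames that spell out the VoIP role of the box.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@            IN  SOA   ns1.example.com. hostmaster.example.com. (2024010101 3600 900 604800 86400)
@            IN  MX    10 mail.example.com.
ns1          IN  A     192.0.2.1
ns1          IN  HINFO "Intel x86" "Linux"   ; hands a reader the OS for free
mail         IN  A     192.0.2.2
callmanager  IN  A     192.0.2.10
voicemail    IN  A     192.0.2.11
cm           IN  A     192.0.2.12            ; the discreet name the text suggests
vpn          IN  A     192.0.2.20
www          IN  A     192.0.2.30
"""

# Constructed named.conf fragments: the weak setting beside the corrected one,
# which restricts transfers to secondaries presenting a TSIG key.
WEAK_NAMED_CONF = 'options { allow-transfer { any; }; };'
FIXED_NAMED_CONF = 'options { allow-transfer { key "ns2-tsig"; }; };'

# Labels that give away a host's role; extend with your own vendor names.
REVEALING = ("callmanager", "voicemail", "asterisk", "sip", "pbx", "voip",
             "tftp", "vpn", "router")

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")


def parse_zone(text):
    """Return (owner, type, rdata) triples with owners expanded against $ORIGIN."""
    origin, rrs = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        name = m["name"]
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        rrs.append((name.rstrip("."), m["type"], m["rdata"].strip()))
    return rrs


def audit_zone(text):
    """Flag HINFO records and address records whose label names the service."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "HINFO":
            findings.append(("HINFO", owner, rdata))
        label = owner.split(".")[0].lower()
        if rtype in ("A", "AAAA", "CNAME") and any(w in label for w in REVEALING):
            findings.append(("REVEALING_NAME", owner, label))
    return findings


def transfer_policy(named_conf):
    """'open' if an allow-transfer clause permits any host, 'restricted' if it
    lists only keys or addresses, 'unspecified' if the option is absent."""
    clauses = re.findall(r"allow-transfer\s*\{([^}]*)\}", named_conf)
    if not clauses:
        return "unspecified"
    return "open" if any(re.search(r"\bany\b", c) for c in clauses) else "restricted"


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(*finding)
    print("weak:", transfer_policy(WEAK_NAMED_CONF), "fixed:", transfer_policy(FIXED_NAMED_CONF))
```

An "unspecified" result means the server's built-in default applies, which should be verified for the BIND version in use rather than assumed safe.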