Re: Pen testing a VOIP gateway

From: Philippe Langlois (phil@oaxaca.jah.net)
Date: 09/12/02


Date: Thu, 12 Sep 2002 11:26:15 -0700
To: Marco van Zanten <marco.van.zanten@capgemini.nl>
From: Philippe Langlois <phil@oaxaca.jah.net>

Marco, List,

There are many things to test on a VOIP gateway indeed.

1/ Check if you can access any service on the voip gw
TCP
UDP (MGCP, SIP, ...)
SCTP
I've been developping audit tool that was
lacking, like a SCTP portscanner - network scanner, fuzztesting,
ask me if you want details on this, the security of this protocol is
very interesting).

There was not so much advisory published regarding this kind of
equipment, this might be an interesting area to do some research for
some undisclosed vulnerabilities. Depending on your customers' request
for the pentest (ie. known vulnerabilities & configuration /
architecture errors OR criticial infrastructure protection needs), you
might find interesting to work with a vulnerability researcher.

2/ Check if you can intercept traffic and decode either signalling
or content. A router might help you on the route. Check phoenelit.de for remote
capture, i think they are the ones. (also, 'gaius' from HERT wrote a
paper in Phrack on how to intercept traffic from a Cisco)

3/ Also, I've seen examples of VoIP that come with specific defaults
and thus can be compromised by simple knowledge of the install defaults.

4/ These gateway are often at the boundaries of several 'worlds',
maybe there are entry points in other perimeter than IP that can be
considered 'external': X25 connection or SS7 link (this would be "not
so external"), as well as standard remote modem access potentiality.

What kind of VoIP gateway are you pentesting?
(Signalling gateway? Media gateway? Media control gateway? What
vendor?)

Someone who made conferences about this is Ofir Arkin who was
working for Sys Security Group and At Stake at that time.

http://www.sys-security.com/html/projects/VoIP.html

He published some advisories about Pingtel softphones.

Also there is one associate of TSTForce who has been involved with
several large scale telco pentest with IP/X25/Mobile/SS7 perimeters,
he may have been exposed to such request, contact me directly if you
want to get in touch.

Best regards,
Philippe Langlois
WaveSecurity - wlan security products
Telecom Security Task Force - security consulting

On Thu, Sep 12, 2002 at 01:23:33PM +0200, Marco van Zanten wrote:
>Experts,
>
>I'm asked to do a external pen test on a VOIP gateway.
>
>To my opinion this is nearly impossible. (maybe if you use a gateway
>youself, or softphone application
>to attack ?)
>I can't find any info on this subject.
>There is enough info on securing the VOIP env. internally, but that is
>not the problem here.
>
>Can anyone argue or confirm my thoughts.
>
>Any help is appreciated.
>
>Thansk in advance,
>
>MM
>
>--
>****************************************************************************
>This message contains information that may be privileged or confidential and
>is the property of the Cap Gemini Ernst & Young Group. It is only intended
>for the person to whom it is addressed. If you are not the intended
>recipient, you are not authorized to read, print, retain, copy disseminate,
>distribute, or use this message or any part thereof. If you receive this
>message in error, please notify the sender immediately and delete all copies
>of this message.
>****************************************************************************
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



Relevant Pages

  • gateway security?
    ... some discussions of general security in a LAN environment with a FreeBSD ... headless gateway sits in a dark closet, ...
    (FreeBSD-Security)
  • Re: Cambiamo consulente IT ?
    ... > minidistrubuzione linux pensata ad-hoc per fare da firewall e security ... > dopo una decina di minuti il tuo security gateway è ... IPCop è free. ... le VPN. ...
    (it.comp.macintosh)
  • Re: Nortel MICS to Asterisk
    ... Place an analog to VoIP gateway or another Asterisk box at the MICS site, ...
    (comp.dcom.sys.nortel)
  • Re: Nortel MICS to Asterisk
    ... Place an analog to VoIP gateway or another Asterisk box at the MICS site, ...
    (comp.dcom.sys.nortel)
  • RE: block internet at two workstations
    ... The removal of a default gateway or DNS entry from the ... host itself would also work but if these people know anything about ... >prospectus based upon the core principle concepts of security. ... >INCLUSIVE curriculum utilizes lectures, ...
    (Security-Basics)