Re: VoIP pentest ?

From: Andre Ludwig (andre.ludwig_at_gmail.com)
Date: 10/28/04

    Date: Thu, 28 Oct 2004 15:57:02 -0400
    To: Frederic Charpentier <fcharpen@xmcopartners.com>
    
    

    http://www.voip-info.org/wiki-Open+Source+VOIP+Software

    Hope this helps you out as far as general tools, as for methodology
    you would be on your own to develop that. Get creative with the tools
    on that page and you can do a lot if the moon and stars are aligned
    properly. Feel free to post any and all results you come up with.

    Tools and links

    Sip bomber
    http://metalinkltd.com/eng/downloads/

    Features:
    - Analyses server responses for RFC compliance
    - Incorporates CERT tests
    - Supports UDP, TCP and broken TCP transports
    - Automatic and manual testing modes
    - Ability to create and run custom tests
    - QT user interface

    Best of all it's free and full source code is available.

    Vomit (converts CISCO voip convo into a wav from tcpdump file)

    http://vomit.xtdnet.nl/
    The vomit utility converts a Cisco IP phone conversation into a wave
    file that can be played with ordinary sound players. Vomit requires a
    tcpdump output file. Vomit is not a VoIP sniffer also it could be but
    the naming is probably related to H.323.

    Download

    vomit-0.2c.tar.gz <http://vomit.xtdnet.nl/vomit-0.2c.tar.gz> -
    Released 2004-01-02 (requires libdnet
    <http://libdnet.sourceforge.net>)
    vomit-0.2.tar.gz <http://vomit.xtdnet.nl/vomit-0.2.tar.gz> - Released
    2001-12-12 (requires libnet <http://www.packetfactory.net/libnet/>)
    phone.dump.gz <http://vomit.xtdnet.nl/phone.dump.gz> - sample dump
    from a telephone conversation that I had at CITI
    <http://www.citi.umich.edu/>.

    The vomit utility is distributed under a BSD-license and completely
    free for any use including commercial.

    In order to build vomit, you need libevent
    <http://www.monkey.org/%7Eprovos/libevent/>, a library for
    asynchronous event notification and libdnet
    <http://libdnet.sourceforge.net> or libnet
    <http://www.packetfactory.net/libnet/>.

    Example
    $ vomit -r phone.dump | waveplay -S8000 -B16 -C1

    Errors

    Vomit works only for G.711.

    Acknowledgements

    The program contains wave file interpreting code from waveplay by Y.
    Sonoda, ulaw conversion code from Sun Microsystems, and some pcap code
    from Dug Song. It also contains contributions by Marius A. Eriksen.

    SipSak
    http://sipsak.berlios.de/
    Features

    sending OPTIONS request
    sending text files (which should contain SIP requests)
    traceroute (see section 11 in RFC3261
    <http://iptel.org/info/players/ietf/callsignalling/rfc3261.txt>)
    user location test
    flooding test
    random character trashed test
    interpret and react on response
    authentication with qop supported
    short notation supported for receiving (not for sending)
    string replacement in files
    can simulate calls in usrloc mode
    uses symmetric signaling and thus should work behind NAT
    can upload any given contact to a registrar
    send messages to any SIP destination
    Nagios compliant return codes
    search for strings in reply with regular expression
    use multiple processes to create more server load
    read SIP message from STDIN (e.g. from a pipe '|')

    Andre Ludwig CISSP

    On Wed, 27 Oct 2004 11:28:51 +0200, Frederic Charpentier
    <fcharpen@xmcopartners.com> wrote:
    > Hi all,
    > does anyone have experiences or papers on VoIP pentest/assessment ?
    > Expecting classic OS/Network audits and H323/ASN.1 flaws, I can't find
    > any documentations or papers about flaws in VoIP architecture.
    >
    > Fred.


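Added example, not part of the original message and not vomit's code: a sketch for auditing your own capture that identifies which RTP packets carry G.711, the only codec the message says vomit handles, and expands mu-law bytes to the 16-bit, 8000 Hz, mono samples that the `waveplay -S8000 -B16 -C1` flags describe. All function names and the sample packets are constructed for illustration.

```python
import struct

# Static RTP payload types for G.711 (RFC 3551): 8000 Hz, one channel.
G711_TYPES = {0: "PCMU", 8: "PCMA"}

def parse_rtp(packet: bytes):
    """Return (payload_type, sequence, payload), or None if not RTP version 2."""
    if len(packet) < 12:
        return None
    b0, b1, seq = struct.unpack("!BBH", packet[:4])
    if b0 >> 6 != 2:
        return None
    offset = 12 + 4 * (b0 & 0x0F)            # fixed header + CSRC list
    if b0 & 0x10:                            # header extension present
        if len(packet) < offset + 4:
            return None
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    if len(packet) < offset:
        return None
    payload = packet[offset:]
    if b0 & 0x20:                            # padding: last octet is the count
        if not payload or payload[-1] == 0 or payload[-1] > len(payload):
            return None
        payload = payload[:-payload[-1]]
    return b1 & 0x7F, seq, payload           # mask off the marker bit

def g711_codec(packet: bytes):
    """Name the G.711 variant a packet carries, or None for anything else."""
    parsed = parse_rtp(packet)
    return G711_TYPES.get(parsed[0]) if parsed else None

def ulaw_to_linear(u: int) -> int:
    """Expand one G.711 mu-law byte to a signed 16-bit linear sample."""
    u = ~u & 0xFF
    t = (((u & 0x0F) << 3) + 0x84) << ((u & 0x70) >> 4)
    return 0x84 - t if u & 0x80 else t - 0x84

def pcmu_to_pcm16(payload: bytes) -> bytes:
    """Convert a PCMU payload to little-endian 16-bit PCM (WAV sample layout)."""
    return struct.pack("<%dh" % len(payload), *map(ulaw_to_linear, payload))

def make_rtp(pt: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed test packet; the SSRC value is arbitrary."""
    return struct.pack("!BBHII", 0x80, pt, seq, 160 * seq, 0x1234ABCD) + payload

SAMPLE_PCMU = make_rtp(0, 1, b"\xff\x00\x80")   # constructed G.711 mu-law packet
SAMPLE_G729 = make_rtp(18, 1, bytes(10))        # constructed non-G.711 packet
```

The payload type sits in the cleartext RTP header even when SRTP protects the media, so a G.711 payload type shows the codec in use but does not by itself show that the audio is unencrypted.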