Re: pentesting voip network-please help

From: "Champ Clark III [Softwink]" <champ@xxxxxxxxxxxx>
Date: Wed, 3 Feb 2010 13:53:59 -0500

On Fri, Jan 29, 2010 at 01:14:04PM -0500, mzcohen2682@xxxxxxx wrote:

I started by trying to download the images files for the phones from
the tftp server by doing a brute force attack for the names of the
files.

Check to see if the phones have web services enabled. A lot of
times, they do. This will give you the MAC address of each phone,
which you can use to pull down the configuration files. I've simply
scanned the network for port 80 then 'wget' all the phone
configurations. From there, with a little shell scripting, you
can write a routine to pull all the configuration files via TFTP.

That's if they have the web services enabled. I'm assuming
they are using SCCP.

Once you have them all, use 'grep' to find the interesting
things.

after that... I tried to capture some RTP conversations but without any
success. I am connected to the voip vlan and used wireshark but It
doesnt detect any calles ! shoud I do some arp spoofing attack? but to
which mac's?

You'll need to MiTM it before you start seeing anything. I've
been at offices (multi-floor) that have default gateways for each flow.
That's the address I've MiTM.

any other ideas how to continue with this pentest?

what I see is that although the client didnt implement encryption or
any other security control just the vlan isnt not so eaxy to pentest a
voip network..

Nah. People often confused VLAN == security. What I've done in
the past is get a valid MAC address of a phone and use voiphopper
(http://voiphopper.sourceforge.net) to "jump" to the VoIP VLAN.
Voiphopper can "masqurade" as a Cisco phone and with the MAC address the
network won't notice any difference.

Of course, it'll be your laptop masqurading. So once you're
on the network, it sorta just becomes a "standard" pen-test. MiTM,
looking for unpatched machines, etc..etc...

Hope this helps....

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

Attachment: pgpbN2GfbRTic.pgp
Description: PGP signature

References:
- pentesting voip network-please help
  - From: mzcohen2682

Prev by Date: Re: MSN virus
Next by Date: Firewalking & Netcat & Bandwidth
Previous by thread: Re: pentesting voip network-please help
Next by thread: Re: pentesting voip network-please help
Index(es):
- Date
- Thread

Relevant Pages

Re: Problems with NVRAM replacement
... > You can also flash firmware via the network, ... booting a small kernel for a diskless computer. ... Cisco has a free tftp server that runs on ...
(comp.unix.solaris)
Re: Urgent: Cant boot up Annex box?
... light start blinking and release it. ... That means it's attempting to boot off the network or off of FLASH. ... This machine is not on network & there is no tftp server on it. ...
(comp.sys.sun.admin)
Re: Creating a Password
... You say it is impossible to launch a brute ... >> force attack over a network, and I say that it isn't. ... Why don't you do a brute force attack on my firewall. ...
(alt.computer.security)
Re: nfsroot + DHCP
... > the floppy and the network is my only entry point... ... If you want to use the floppy, you don't need the TFTP Server and pxelinux. ... PXE rom, and new mainboards have this capability on board, so this is ...
(comp.os.linux.networking)