Testing SIP Security on a Budget

Origin: http://www.voipplanet.com/backgrounders/article.php/3775186

October 1, 2008
By Lisa Phifer

VoIP is a critical real-time service with many complex moving parts. Without the proper precautions, VoIP protocols and systems can become vectors for misuse or attack—affecting not only voice services but your entire IP network. In the prequel to this investigation, we discussed common vulnerabilities that can impact SIP-based VoIP installations. Here, we take you on a guided tour of freely-available VoIP vulnerability test tools.

Forewarned is forearmed

Vulnerability assessment is the process of finding and fixing your own weaknesses before hackers get a chance to exploit them. When it comes to VoIP, this involves locating and scrutinizing all of your VoIP handsets, softphones, call managers, signaling servers, and media servers for implementation flaws, missing patches, and configuration mistakes.

Figure 1. SecureLogix Toolkit

Why conduct a VoIP vulnerability assessment? To reduce your exposure to VoIP security threats, including network/service break-ins, voice service disruption, caller impersonation, eavesdropping, and toll fraud. For example, unencrypted signaling protocols and weak passwords leave you vulnerable to spoofed SIP signaling messages that can be used to place fraudulent calls, break into voice mailboxes, or tear down calls in progress.

Finding those weak passwords and observing the impact of spoofed SIP signaling messages is a good start. However, a vulnerability assessment does not by itself eliminate those VoIP threats—it provides the empirical data needed to evaluate risk and determine potential courses of action. In fact, conducting a vulnerability assessment involves using many of the same tools that attackers might otherwise use against you.

Building a toolbox

Figure 2. BackTrack3 Toolkit

Dozens of open-source and shareware tools have been developed to capture, manipulate, replay, and generate SIP and RTP messages. Before attempting to conduct your own VoIP vulnerability assessment, you might want to browse the VOIPSA Security Tools list, the Hacking VoIP Exposed Security Tools list, or the iSEC Partners VOIP Security Tools list, following links to download software and create your own VoIP security toolbox.

Of course, it's always faster to start by downloading an existing toolbox that someone else has compiled. For example, check out the SecureLogix VoIP Assessment Tools archive (above, right)—a zip file containing source code for dozens of tools developed by David Endler and Mark Collier, authors of Hacking Exposed: VoIP (ISBN: 0072263644). Or download and burn a LiveCD of a general-purpose penetration test toolkit like BackTrack3—a bootable Linux environment that includes roughly 30 VoIP and Telephony analysis tools (below, left).

Starting with an open-source toolbox is a good way to learn about VoIP security tools, what they can and can't do, and how to run them. Over time, you will probably add to that 'starter' toolbox, creating a custom portfolio of tools that reflects your personal preferences and finds all vulnerabilities of importance to your VoIP deployment. To give you a headstart, let's illustrate a few common SIP and RTP security test tools and discuss how you might use them for vulnerability assessment.

Getting started

Figure 3. Nmap invoked via ZenMap

The first step during any vulnerability assessment is reconnaissance—that is, discovering and classifying VoIP terminals, proxies, gateways, and servers. You may wish to start with a conventional network node discovery and port scanning tool, looking for all active devices in your network that listen for incoming SIP messages. In SIP deployments, you'll primarily want to scan ports 5060 (SIP over UDP/TCP) and 5061 (SIP over TLS over TCP) and look for proxies that listen for REGISTER messages sent to sip.mcast.net (224.0.1.75). For vendor-specific ports, see this VoIP port list published by the Voice over Packet Security Forum.

One of the most popular general-purpose network discovery and port scanning tools is Nmap ("Network Mapper"), an open-source utility that runs on just about any platform. Nmap and its GUI interface ZenMap can be used to run a variety of port scan techniques (e.g., ping scan, TCP SYN scan, UDP scan), OS fingerprinting, and application banner grabs.

Figure 4. SIPVicious svmap

Above, we can see ZenMap find a pair of SIP phones: a Cisco VoIP deskphone and some type of softphone running on a Windows laptop.

Alternatively, VoIP-capable devices can be discovered by a tool designed specifically for that purpose, like SIPVicious svmap (left)—a Python script that searches for SIP devices in a specified IP range. In fact, many of the tools illustrated in this article include some type of discovery utility to identify targets for further testing.

Digging deeper

Figure 5. SIPSCAN

Why use a SIP-specific scanner? Ultimately, attackers need to know more about each potential target: what type of device it is, what operating system it runs, what applications it hosts, and what user account(s) it will accept.

During a vulnerability assessment, you want to determine how much an attacker could learn by using SIP to probe each discovered device. This step is called Fingerprinting and Enumeration.

For example, Sipflanker can be used to find devices listening on both ports 5060 and 80 (e.g., a VoIP phone with a web GUI)—it uses those web pages to determine the type of device. SIPSCAN (right) can be used to probe SIP-enabled targets using INVITE, REGISTER, and OPTIONS signaling messages to enumerate valid SIP usernames.

Note that enumeration can involve active (online) tests or passive (offline) analysis. For example, enumIAX actively probes Inter Asterisk Exchange servers, sending SIP messages containing either sequential character strings or usernames from a dictionary file to guess valid accounts. SIP.Tastic is an offline dictionary attack tool that analyzes previously-captured SIP messages, cracking SIP authentication digests to find the password that matches each username.

Bug-hunting

Figure 6. Nessus SIP Checks

Once an attacker determines the VoIP device type—and perhaps a valid login—he can aim focused attacks at that target. As discussed in part 1, most network software has at least a few documented security flaws (i.e., Common Vulnerabilities and Exposures). Depending on the attacker's goal, exploits can be launched to cripple or crash the target, or even to run arbitrary code on the target. Vulnerability scanners are designed to find old, unpatched bugs and configuration errors that enable such exploits.

Nessus (left) is a general-purpose vulnerability scanner that can be used for node discovery, configuration auditing, asset profiling, and application vulnerability checks.

Figure 7. SiVuS Scanner

Although Nessus 3 is a commercial product, Nessus 2 is still available as open-source for many platforms. Nessus can also be augmented with freely-available plug-ins (e.g., eStara SoftPhone detection, Asterisk vulnerability detection).

SiVuS (right) is a publicly available SIP-specific vulnerability scanner. It can discover and then probe SIP-capable components, analyzing message headers to determine whether targets are vulnerable to buffer overflows or Denial of Service (DoS) attacks.

Figure 8. VoIPauditLite

SiVuS also looks for authentication vulnerabilities in SIP signaling messages and determines whether secure protocols like SIPS can be used. This example run found numerous unpatched vulnerabilities (one high severity; many low severity) in a Cisco VoIP phone. Note that each vulnerability is accompanied by a description and recommendation. SiVuS can also generate reports that document scan results (see figure).

VoIPauditLite (left) is a freely-available subset of the commercial VoIP network scanning appliance sold by VoIPShield. Lite operates as a virtual appliance under VMware, running a fixed set of checks pulled from VoIPShield's database of Avaya, Cisco, Microsoft, and Nortel vulnerabilities. VoIPauditLite can discover, periodically scan, and report on "VoIP Assets." Note, however, that Lite's vulnerability database will grow stale unless you subscribe to VoIPShield's Update service.

VoIP packet capture and analysis

One of the best ways to see what's happening inside your network is to capture and analyze traffic—this is just as true for VoIP as it was for data, even though you'll need a little extra assistance to reconstitute media streams.

Wireshark is a popular open-source packet capture and analysis tool that runs on many different platforms. Even if you already use Wireshark for data traffic, you might be surprised to see what the program can do with VoIP traffic. In the following example, Wireshark was used to track SIP statistics, diagram SIP and RTP packet flows during a live VoIP call, and decode the RTP stream into an audio (.wav file) for playback through any media player.

Figure 9. Wireshark VoIP Analysis and Playback Tools

Many open-source packet capture tools have also been developed exclusively for VoIP. For example, Oreka is a utility for recording VoIP and local system audio streams and call detail records. WIST can capture and display all signaling messages associated with a specified SIP user in real-time. Pcapsipdump is a "tcpdump" style tool for saving SIP and RTP traffic to disk, one file per SIP session. VoIPong (see Figure 10) detects and dumps G.711-encoded conversations to wave files, independent of signaling protocol.

Clearly, packet analyzers can help you understand eavesdropping vulnerabilities. In the above example, VoIPong would not have been able to decipher the RTP stream if secure protocols had been used to encrypt it prior to transmission. Packet analyzers can also help you understand which devices are communicating, when, and how often.

Furthermore, tools like ettercap and sip_rogue not only record packets but can actively redirect or modify that traffic. In data LANs, ARP poisoning is a common method of traffic redirection. In VoIP networks, traffic can also be redirected at higher layers by hijacking a SIP user agent's REGISTRATION.

For example, sip_rogue can operate as a rogue user agent, using reghijacker to receive the call from the legitimate SIP proxy. Or sip_rogue can operate as a rogue SIP proxy, inserting audio into a hijacked media stream relayed between a caller and intended callee. While both of these examples involve packet capture, the purpose of doing so is not traffic analysis.
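To make concrete what a capture tool sees on an unencrypted RTP stream, and what a second sender such as a rogue user agent or proxy leaves behind in that stream, here is an added Python example. It is not code from the article, nor from Wireshark, VoIPong or sip_rogue: it parses RFC 3550 RTP headers, expands G.711 mu-law payload to 16-bit PCM (which is why a captured PCMU stream plays back as audio without any key), and reports packets whose SSRC or sequence number does not fit the stream. The packets, SSRC values and sequence numbers are constructed inline; a real run would read them from a pcap.

```python
"""RTP stream inspector (added example): parses RFC 3550 headers, decodes
G.711 mu-law payload to 16-bit PCM, and flags packets that do not belong to
the stream. All packets below are constructed; SSRCs and sequence numbers
are made up for the demonstration."""
import struct


def parse_rtp(pkt):
    """Return the fixed-header fields and the payload of one RTP packet."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)           # CSRC list follows the fixed header
    if b0 & 0x10:                             # header extension present
        if len(pkt) < hdr_len + 4:
            raise ValueError("truncated extension")
        ext_words = struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    payload = pkt[hdr_len:]
    if b0 & 0x20 and payload:                 # padding: last byte holds its length
        payload = payload[:len(payload) - payload[-1]]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def ulaw_to_pcm16(byte):
    """ITU-T G.711 mu-law expansion of one 8-bit sample to signed 16-bit PCM."""
    u = ~byte & 0xFF
    magnitude = (((u & 0x0F) << 3) + 0x84) << ((u & 0x70) >> 4)
    magnitude -= 0x84
    return -magnitude if u & 0x80 else magnitude


def decode_g711u(payload):
    """Payload type 0 (PCMU): one byte per sample at 8 kHz, no key required."""
    return [ulaw_to_pcm16(b) for b in payload]


def check_stream(packets, max_jump=50):
    """Walk the packets captured for one RTP flow. The first packet fixes the
    SSRC; any other SSRC, a duplicate sequence number, or a jump of more than
    `max_jump` in either direction is reported. Ordinary loss and reordering
    stay inside the window and are not reported."""
    findings, ssrc, last_seq = [], None, None
    for i, pkt in enumerate(packets):
        h = parse_rtp(pkt)
        if ssrc is None:
            ssrc, last_seq = h["ssrc"], h["seq"]
            continue
        if h["ssrc"] != ssrc:
            findings.append((i, "ssrc-change", h["ssrc"]))
            continue
        delta = (h["seq"] - last_seq) & 0xFFFF     # distance modulo 2^16
        if delta == 0 or (max_jump < delta < 0x10000 - max_jump):
            findings.append((i, "seq-anomaly", h["seq"]))
        else:
            last_seq = h["seq"]
    return findings


def build_rtp(seq, ts, ssrc, payload, pt=0):
    """Constructed packet: V=2, no padding, extension or CSRC, marker clear."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


SILENCE = bytes([0xFF]) * 160                  # 20 ms of mu-law silence
GENUINE_SSRC, ROGUE_SSRC = 0x1234ABCD, 0x0BADF00D   # constructed values
SAMPLE_STREAM = [build_rtp(1000 + n, n * 160, GENUINE_SSRC, SILENCE)
                 for n in range(10)]
# A second sender's packet spliced into the capture at position 5: its SSRC
# and sequence number do not belong to the genuine stream.
SAMPLE_STREAM.insert(5, build_rtp(7, 1120, ROGUE_SSRC, bytes([0x00]) * 160))
```

Only the SSRC and sequence checks are shown; a sender that copies the victim's SSRC and continues its sequence numbering would pass them, which is why SRTP authentication, not header heuristics, is the actual fix. The same parser is what a defender would point at a capture after enabling SRTP: the headers still parse, but `decode_g711u` returns noise because the payload is encrypted.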

Penetration testing

Packet capture tools provide the foundation for many kinds of penetration tests. Valid packets can be captured and replayed to 'stress test' VoIP devices inside your network. Packets can be modified in various ways to "torture" VoIP devices with unexpected input. Captured packets can even be used as templates to construct completely different messages—spoofed signaling or media messages sent to disrupt or steal voice services.

When actions like these are performed during a vulnerability assessment, they are called penetration tests. Penetration testing determines how well a system and its configuration can withstand simulated attacks. Because penetration testing can be destructive, testers must be careful with these tools, running them with the network owner's permission, during periods when service disruption is acceptable.

Some 'pentests' attempt to overwhelm components of a VoIP deployment by sending large volumes (floods) of packets. For example, the SecureLogix toolkit includes several packet flood generators, ranging from general purpose (UDP flood, TCP SYN flood, RTP flood—see Figure 11) to specialized (INVITE flood, REGISTRATION flood, IAX Flooder—see Figure 12).

Sipsak is another tool that can be used to test SIP servers and user agents. Sipsak can send a high volume of SIP messages to proxies or registrars, or it can send randomly corrupted messages to stress a SIP server’s parser.

In fact, sending corrupted messages is one form of 'fuzzing'—black box tests that subject implementations to a wide variety of inputs, looking for buffer overflows, unhandled exceptions, and unexpected behavior. The Oulu University Secure Programming Group (OUSPG) PROTOS project developed two of the earliest fuzzing test suites for VoIP protocols: SIP and H.323.

Figure 13. SIP Bomber

Since then, many other fuzz testers have been developed for VoIP implementations, including ohrwurm (an RTP fuzz tester), Asteroid (an Asterisk Open Source PBX fuzz tester), and VoIPer (a Python SIP and H.323 fuzz tester—see Figure 14). For example, SipBomber (right) is a SIP fuzz tester that can be used to send bad OPTIONS and randomly-generated packets to any SIP-capable test target.

How do such tools help during a vulnerability assessment? Flood tests can help you identify resources that require beefing up or DoS attack protection—for example, by installing a firewall or load balancer. Fuzz testers are more commonly used by vendors for debugging during product development, but customers can find fuzz testing helpful to assess reliability/availability and understand the business impact of network component or service failures.

Packet generators and spoofing

Fuzz testers are broad-brush: They send many different packets, hoping to hit a previously undiscovered (or at least unpatched) flaw. But many other penetration test tools are specialists: they generate a few carefully-crafted packets for a singular purpose.

For example, vnak is a Python tool that implements IAX, H.323, and SIP call rejection and teardown attacks, including SIP Registration Reject and Call Reject attacks. SIP-Kill listens for SIP INVITE requests and then immediately tears down those calls, while SIP-ProxyKill tears down a SIP session at the last proxy before the opposite endpoint in the signaling path. BYE Teardown disconnects a call in progress by sending a spoofed BYE message. All of these attack tools work by generating fake SIP signaling messages—possible when SIP is deployed without measures that encrypt signaling traffic and impede packet injection.

Similarly, RTPInject is a 'point, click, and inject' tool that identifies active calls, enumerates the media codec used for each call, and injects an arbitrary audio file. RTP InsertSound can be used to inject .wav files into a G.711 audio stream that is being captured by a tool like Wireshark or tcpdump. These attack tools work by generating spoofed or modified RTP media messages—again, attacks that become possible when RTP is sent without encryption over links where packets might be intercepted.

These and many other specialized VoIP attack tools can be useful to illustrate the consequences of lax security policies and implementations. In some cases, they can be used to flag configuration errors and policy violations. Finally, after authentication and encryption measures are installed, they can be used to validate policies and demonstrate how attacks that involve hijacking, spoofing, and eavesdropping are no longer successful.

Conclusion

Before embarking on your own VoIP vulnerability assessment, consider taking the iSEC Partners VoIP Security Audit Program (VSAP). This free interactive Q&A will step you through VoIP security measures and policy decisions. Completing that quiz won't test your network's security—but it will help you start thinking about 'security best practices' for VoIP and areas where your deployment might be vulnerable.

Furthermore, many companies that implement VoIP security tools also offer professional services. If you don't want to conduct your own assessment, call in a third party that specializes in assessing VoIP deployments and/or auditing them for policy compliance.

We focused exclusively on freely-available and open-source VoIP vulnerability assessment and penetration test tools in this article. Such tools are a great way to get started and learn about VoIP security testing. For those willing to invest their own elbow grease and learn through trial and error, open-source tools may suffice.

However, if you need additional features and/or tech support, some tools mentioned here do have commercial counterparts (e.g., Nessus, VoIPaudit, Codenomicon). Many other commercial vulnerability assessment programs and appliances can also assess VoIP security in a more automated, comprehensive fashion. For example, the Mu Dynamics Mu-4000 Service Analyzer can repeatedly fuzz and DoS-test devices that implement SIP, RTP/RTCP, H.323, and MGCP protocols. If you have a large VoIP network, you'll probably want to invest in commercial test tools, commensurate with your business risk.
