Testing SIP Security on a Budget, Part 1

Friday Oct 31st 2008 by Lisa Phifer

Along with its advantages, VoIP brings its own vulnerabilities. Fortunately there is a host of free/open-source tools to mitigate them.

VoIP is a critical real-time service with many complex moving parts. Without the proper precautions, VoIP protocols and systems can become vectors for misuse or attack—affecting not only voice services but your entire IP network. In the 'prequil' to this investigation, we discussed common vulnerabilities that can impact SIP-based VoIP installations. Here, we take you on a guided tour of freely-available VoIP vulnerability test tools.

Forewarned is forearmed

Vulnerability assessment is the process of finding and fixing your own weaknesses before hackers get a chance to exploit them. When it comes to VoIP, this involves locating and scrutinizing all of your VoIP handsets, softphones, call managers, signaling servers, and media servers for implementation flaws, missing patches, and configuration mistakes.

SecureLogix Toolkit
Figure 1.
SecureLogix Toolkit

Click to see full size image

Why conduct a VoIP vulnerability assessment? To reduce your exposure to VoIP security threats, including network/service break-ins, voice service disruption, caller impersonation, eavesdropping, and toll fraud. For example, unencrypted signaling protocols and weak passwords leave you vulnerable to spoofed SIP signaling messages that can be used to place fraudulent calls, break into voice mailboxes, or tear down calls in progress.

Finding those weak passwords and observing the impact of spoofed SIP signaling messages is a good start. However, a vulnerability assessment does not by itself eliminate those VoIP threats—it provides the empirical data needed to evaluate risk and determine potential courses of action. In fact, conducting a vulnerability assessment involves using many of the same tools that attackers might otherwise use against you.

Building a toolbox

BackTrack3 Toolkit
Figure 2.
BackTrack3 Toolkit

Click to see full size image
Dozens of open-source and shareware tools have been developed to capture, manipulate, replay, and generate SIP and RTP messages. Before attempting to conduct your own VoIP vulnerability assessment, you might want to browse the VOIPSA Security Tools list, the Hacking VoIP Exposed Security Tools list, or the iSEC Partners VOIP Security Tools list, following links to download software and create your own VoIP security toolbox.

Of course, it's always faster to start by downloading an existing toolbox that someone else has compiled. For example, check out the SecureLogix VoIP Assessment Tools archive (above, right)—a zip file containing source code for dozens of tools developed by Mark O'Brien and Mark Collier, authors of Hacking Exposed: VoIP (ISBN: 0072263644). Or download and burn a LiveCD of a general-purpose penetration test toolkit like BackTrack3—a bootable Linux environment that includes roughly 30 VoIP and Telephony analysis tools (below, left).

Starting with an open-source toolbox is a good way to learn about VoIP security tools, what they can and can't do, and how to run them. Over time, you will probably add to that 'starter' toolbox, creating a custom portfolio of tools that reflects your personal preferences and finds all vulnerabilities of importance to your VoIP deployment. To give you a head start, let's illustrate a few common SIP and RTP security test tools and discuss how you might use them for vulnerability assessment.

Getting started

 Nmap invoked via ZenMap
Figure 3.
Nmap invoked via ZenMap

Click to see full size image
The first step during any vulnerability assessment is reconnaissance—that is, discovering and classifying VoIP terminals, proxies, gateways, and servers. You may wish to start with a conventional network node discovery and port scanning tool, looking for all active devices in your network that listen for incoming SIP messages. In SIP deployments, you'll primarily want to scan ports 5060 (SIP over UDP/TCP) and 5061 (SIP over TLS over TCP) and look for proxies that listen for REGISTER messages sent to sip.mcast.net ( For vendor-specific ports, see this VoIP port list published by the Voice over Packet Security Forum.

One of the most popular general-purpose network discovery and port scanning tools is Nmap ("Network Mapper"), an open-source utility that runs on just about any platform. Nmap and its GUI interface ZenMap can be used to run a variety of port scan techniques (e.g., ping scan, TCP SYN scan, UDP scan), OS fingerprinting, and application banner grabs.

 SIPVicious svmap
Figure 4.
SIPVicious svmap

Click to see full size image
Above, we can see ZenMap find a pair of SIP phones: a Cisco VoIP deskphone and some type of softphone running on a Windows laptop.

Alternatively, VoIP-capable devices can be discovered by a tool designed specifically for that purpose, like SIPVicious svmap (left)—a Python script that searches for SIP devices in a specified IP range. In fact, many of the tools illustrated in this article include some type of discovery utility to identify targets for further testing.

Digging deeper

Prod interface
Figure 5.

Click to see full size image
Why use a SIP-specific scanner? Ultimately, attackers need to know more about each potential target: what type of device it is, what operating system it runs, what applications it hosts, and what user account(s) it will accept.

During a vulnerability assessment, you want to determine how much an attacker could learn by using SIP to probe each discovered device. This step is called Fingerprinting and Enumeration.

For example, Sipflanker can be used to find devices listening to both ports 5060 and 80 (e.g., a VoIP phone with a web GUI)—it uses those web pages to determine the type of device. SIPSCAN (right) can be used to probe SIP-enabled targets using INVITE, REGISTER, and OPTIONS signaling messages to enumerate valid SIP usernames.

Note that enumeration can involve active (online) tests or passive (offline) analysis. For example, enumIAX actively probes Inter Asterisk Exchange servers, sending SIP messages containing either sequential character strings or usernames from a dictionary file to guess valid accounts. SIP.Tastic is an offline dictionary attack tool that analyzes previously-captured SIP messages, cracking SIP authentication digests to find the password that matches each username.


Nessus SIP Checks
Figure 6. Nessus SIP Checks
Click to see full size image
Once an attacker determines the VoIP device type—and perhaps a valid login—he can aim focused attacks at that target. As discussed in part 1, most network software has at least a few documented security flaws (i.e., Common Vulnerabilities and Exposures). Depending on the attacker's goal, exploits can be launched to cripple or crash the target, or even to run arbitrary code on the target. Vulnerability scanners are designed to find old, unpatched bugs and configuration errors that enable such exploits.

Nessus (left) is a general-purpose vulnerability scanner that can be used for node discovery, configuration auditing, asset profiling, and application vulnerability checks. Although Nessus 3 is a commercial product, Nessus 2 is still available as open-source for many platforms. Nessus can also be augmented with freely-available plug-ins (e.g., eStara SoftPhone detection, Asterisk vulnerability detection).

SiVuS (right) is a publicly available SIP-specific vulnerability scanner. It can discover and then probe SIP-capable components, analyzing message headers to determine whether targets are vulnerable to buffer overflows or Denial of Service (DoS) attacks.

SiVuS also looks for authentication vulnerabilities in SIP signaling messages and determines whether secure protocols like SIPS can be used. This example run found numerous unpatched vulnerabilities (one high severity; many low severity) in a Cisco VoIP phone. Note that each vulnerability is accompanied by a description and recommendation. SiVuS can also generate reports that document scan results (see figure).

VoIPauditLite (left) is a freely-available subset of the commercial VoIP network scanning appliance sold by VoIPShield. Lite operates as a virtual appliance under VMware, running a fixed set of checks pulled from VoIPShield's database of Avaya, Cisco, Microsoft, and Nortel vulnerabilities. VoIPauditLite can discover, periodically scan, and report on "VoIP Assets." Note, however, that Lite's vulnerability database will grow stale unless you subscribe to VoIPShield's Update service.

This article was first published on VoIPPlanet.com.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved