Voice over Internet Protocol (VoIP) networks have freed users from the tyranny of big telecom, allowing people to make phone calls over the Internet at very low or no cost. But while VoIP is easy and cheap, it's notoriously lacking in security. With minimal effort, hackers can eavesdrop on conversations, disrupt phone calls, change caller IDs, insert unwanted audio into existing phone calls, and access sensitive information.
Hacking VoIP takes a dual approach to VoIP security, explaining its many security holes to hackers and administrators. If you're serious about security, and you either use or administer VoIP, you should know where VoIP's biggest weaknesses lie and how to shore up your security. And if your intellectual curiosity is leading you to explore the boundaries of VoIP, Hacking VoIP is your map and guidebook.
Hacking VoIP will introduce you to every aspect of VoIP security, both in home and enterprise implementations. You'll learn about popular security assessment tools, the inherent vulnerabilities of common hardware and software packages, and how to:
- Identify and defend against VoIP security attacks such as eavesdropping, audio injection, caller ID spoofing, and VoIP phishing
- Audit VoIP network security
- Assess the security of enterprise-level VoIP networks such as Cisco, Avaya, and Asterisk, and home VoIP solutions like Yahoo! and Vonage
- Use common VoIP protocols like H.323, SIP, and RTP as well as unique protocols like IAX
- Identify the many vulnerabilities in any VoIP network
Whether you're setting up and defending your VoIP network against attacks or just having sick fun testing the limits of VoIP networks, Hacking VoIP is your go-to source for every aspect of VoIP security and defense.
β¦ Table of Contents
Acknowledgments......Page 15
Book Overview......Page 17
Lab Setup......Page 19
SIP/IAX/H.323 Server......Page 20
IAX Setup......Page 21
1: An Introduction to VoIP Security
......Page 23
Why VoIP......Page 24
Protocols......Page 25
Deployments......Page 27
Authentication......Page 29
Availability......Page 30
Attack Vectors......Page 31
Summary......Page 32
PART I: VoIP Protocols
......Page 33
2: Signaling: SIP Security
......Page 35
SIP Basics......Page 36
SIP Messages......Page 37
Registration......Page 38
The INVITE Request......Page 39
Enumerating SIP Devices on a Network......Page 41
Registering with Identified SIP Devices......Page 42
Authentication......Page 43
Encryption......Page 45
Username Enumeration......Page 47
SIP Password Retrieval......Page 49
Registration Hijacking......Page 54
Spoofing SIP Proxy Servers and Registrars......Page 57
Denial of Service via BYE Message......Page 58
Denial of Service via Un-register......Page 60
Fuzzing SIP......Page 61
Summary......Page 63
3: Signaling: H.323 Security
......Page 65
Enumeration......Page 66
Authentication......Page 68
Authorization......Page 70
H.323 Security Attacks......Page 71
Username Enumeration (H.323 ID)......Page 72
H.323 Password Retrieval......Page 74
H.323 Replay Attack......Page 76
H.323 Endpoint Spoofing (E.164 Alias)......Page 79
E.164 Alias Enumeration......Page 81
E.164 Hopping Attacks......Page 82
Denial of Service via NTP......Page 83
Denial of Service via UDP (H.225 Registration Reject)......Page 84
Denial of Service via Host Unreachable Packets......Page 86
Denial of Service via H.225 nonStandardMessage......Page 87
Summary......Page 88
4: Media: RTP Security
......Page 89
RTP Basics......Page 90
RTP Security Attacks......Page 91
Passive Eavesdropping......Page 92
Active Eavesdropping......Page 98
Denial of Service......Page 104
Summary......Page 107
5: Signaling and Media: IAX Security
......Page 109
IAX Authentication......Page 110
Username Enumeration......Page 112
Offline Dictionary Attack......Page 113
Active Dictionary Attack......Page 116
IAX Man-in-the-Middle Attack......Page 118
MD5-to-Plaintext Downgrade Attack......Page 119
Denial of Service Attacks......Page 122
Summary......Page 126
PART II: VoIP Security Threats
......Page 127
6: Attacking VoIP Infrastructure
......Page 129
Vendor-Specific VoIP Sniffing......Page 130
Hard Phones......Page 131
Compromising the Phoneβs Configuration File......Page 132
Uploading a Malicious Configuration File......Page 133
Exploiting Weaknesses of SNMP......Page 135
Cisco CallManager and Avaya Call Center......Page 136
Using Nmap to Scan VoIP Devices......Page 137
Scanning Web Management Interfaces with Nikto......Page 138
Modular Messaging Voicemail System......Page 139
Spoofing SIP Proxies and Registrars......Page 142
Redirecting H.323 Gatekeepers......Page 143
Summary......Page 144
7: Unconventional VoIP Security Threats
......Page 147
Spreading the Message......Page 149
Receiving the Calls......Page 152
Making Free Calls......Page 154
Caller ID Spoofing......Page 155
Example 1......Page 156
Example 2......Page 158
Example 3......Page 159
Example 4......Page 160
Anonymous Eavesdropping and Call Redirection......Page 162
Spam Over Internet Telephony......Page 163
SPIT and the City......Page 164
Lightweight SPIT with Skype/Google Talk......Page 166
Summary......Page 168
8: Home VoIP Solutions
......Page 169
Commercial VoIP Solutions......Page 170
Vonage......Page 171
Voice Injection (RTP)......Page 178
Username/Password Retrieval (SIP)......Page 182
PC-Based VoIP Solutions......Page 183
Yahoo! Messenger......Page 184
Google Talk......Page 186
Microsoft Live Messenger......Page 188
SOHO Phone Solutions......Page 189
Summary......Page 191
PART III: Assess and Secure VoIP
......Page 193
9: Securing VoIP
......Page 195
SIP over SSL/TLS......Page 196
Secure RTP......Page 197
SRTP and Authentication and Integrity Protection with HMAC-SHA1......Page 198
ZRTP and Zfone......Page 199
The VoIP and Firewall Problem......Page 202
Summary......Page 203
10: Auditing VoIP for Security Best Practices
......Page 205
VoIP Security Audit Program......Page 206
Summary......Page 213
Index
......Page 215
Updates
......Page 234