VoIP Penetration Testing Part -I
Voice over Internet Protocol (VoIP) has seen rapid implementation over the past few years. Most of the organizations which have implemented VoIP are either unaware or ignore the security issues with VoIP and its implementation. Like every other network, a VoIP network is also susceptible to abuse. This document details, step by step, how to install and configure trixbox. It includes information on how to set up extensions, incoming and outgoing phone calls, VoIP penetration Testing, Caller ID Spoofing.
This is a four parts series tutorial detailing on how to conduct Penetration Testing on VoIP. For practical we will set up our own LAB with VoIP setup and attack against it.
In first tutorial, we will go through step-by-step instructions on how to install trixbox and understand various terms in VoIP.
What is trixbox?
trixbox CE is an easy to install, VoIP Phone System based on the Asterisk PBX. trixbox is designed for home or office use. trixbox CE includes CentOS, Linux, MySQL, and all the tools needed to run a business quality phone system.
In October of 2006, the Asterisk@Home project was renamed to “trixbox” in order to get away from the being the small basement project that Andrew Gillis started back in 2004. Today it is known as trixbox CE (Community Edition) to differentiate itself from the trixbox Pro product that is available from Fonality, the company that sponsors the trixbox CE project. With over 100,00 installed systems, trixbox CE is the most popular full-featured, open source PBX distribution available.
What is VoIP?
VoIP is a technology that allows telephone calls to be made over computer networks like the Internet. VoIP converts analog voice signals into digital data packets and supports real-time, two-way transmission of conversations using Internet Protocol (IP).>
VoIP calls can be made on the Internet using a VoIP service provider and standard computer audio systems. Alternatively, some service providers support VoIP through ordinary telephones that use special adapters to connect to a home computer network. Many VoIP implementations are based on the H.323 technology standard.
Here are some terms that you probably want to know:
SIP: Session Initiation Protocol is one of the most widely used VoIP protocols.
H.323: An ITU standard protocol.
IAX: A new VoIP protocol introduced by Asterisk (Digium).
Codec: Short for Coder-Decoder, algorithms used to convert audio into data.
DID: Direct Inward Dial. A phone number mapped to VoIP.
CDR: Call Detail Records.
PDD: Post dial delay, delay after a number is dialed until the call is connected.
IP Phone: Phone that connects to a network instead of a regular phone line.
ATA: Analog Telephone Adapter.
Rate center: Numbers within the same area code.
IVR: Interactive voice recording that interacts with the caller via menus.
PBX: Private branch exchange systems that interconnect extensions and phone lines.
Asterisk: The most widely used open source PBX.
Direct route: Channels to route calls to a specific destination.
Softphone: Software based phone.
For this tutorial, I have used following lab setup to demonstrate various security issues in VoIP.
Lab Setup for VoIP Testing:
1. Virtual Machine with following specification
– Hard Disk – 10GB
– RAM – 256MB
2. Trixbox CE 2.6.2 (Stable)
Steps to Install :
- Download the trixbox CE 2.6.2 (Stable) ISO image from http://sourceforge.net/projects/asteriskathome/files/. Burn this image into DVD.
- Start the virtual machine. You will see a cool green screen of trixbox installation. Now press ENTER to install trixbox.
- It will ask you to select the language, so select the language of your choice.
- Select appropriate timezone.
- Now it will ask for root Password. Enter the password of your choice and confirm it by pressing OK.
- After installation, machine will be restarted and you will see following welcome screen.
- At this point you will be asked to enter username and password. Login:root Password: Enter the one you have gave during the installation.
- After assigning IP address you can login to GUI. Open your browser and enter the server IP. In our case it is http://192.168.0.126
- Click on the “switch” web link at the upper right corner of the screen to enter into the Admin mode.
- When a popup appears, enter the following default credentials.
User Name: maint
We have successfully installed trixbox platform and lets move ahead to understand about security issues on VoIP. Let us start with the Information Gathering phase of Penetration Testing
VoIP Google Hacking
Google Hacking uses search engine like Google to find vulnerable web server and websites. Google Hacking makes use of special search queries to locate servers and web application running with inadequate security or with no security.
For detail information on Google Hacking please visit:
In this tutorial we will try to learn how to use Google Dorks for getting as much information as possible about the target.
Some of the dorks related to VoIP are mentioned below.
You can also use Google to find several web management front end i.e. web based login of Asterisk.
Enumerating TFTP Server
Many VoIP phones use a Trivial File Transfer Protocol (TFTP) server to download configuration settings each time they power on. TFTP does not require any authentication to upload or download files, so one of the easiest way for an attacker to compromise a VoIP network is to attack the TFTP server which uses UDP port 69. Attackers can simply looking for listening services on UDP port 69 find out TFTP service running.
TFTP is insecure, as it requires no authentication to upload or fetch a file. Many phones first try to download a configuration file. Sometimes this configuration file is a derivative of the phone’s MAC address.
In this tutorial, I have used below mentioned Google Dork to enumerate TFTP.
Now lets carry out enumeration on target TFTP IP using BackTrack Pentest Tools:
There are three essential steps that a pentester needs to perform to get a good picture of an organization’s network layout.
In next tutorial VoIP Penetration Testing Part-II we will learn on these steps such as Footprinting, Scanning and Enumeration.
Attack & PenTest Team,