{"id":599,"date":"2014-06-23T13:00:15","date_gmt":"2014-06-23T13:00:15","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=599"},"modified":"2023-04-05T12:09:13","modified_gmt":"2023-04-05T06:39:13","slug":"voip-penetration-testing-part-iii","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/voip-penetration-testing-part-iii\/","title":{"rendered":"VoIP Penetration Testing Part – III"},"content":{"rendered":"

<\/p>\n

In the previous tutorial VoIP Penetration Testing Part-II<\/a>\u00a0 we have learnt on how to do scanning against VoIP Server. In this tutorial we will configure the softphone which we will be using for further attacks.<\/p>\n

 <\/p>\n

Softphone Configuration<\/b>\u00a0For VoIP Penetration Testing :<\/h3>\n

Lab Setup<\/b> :<\/p>\n

    \n
  1. VoIP Server -192.168.0.4<\/li>\n
  2. Two Softphone on two systems running on VMware’s<\/li>\n<\/ol>\n

    Steps<\/b> :<\/p>\n

    <\/p>\n

    Normal
    \n0<\/p>\n

    false
    \nfalse
    \nfalse<\/p>\n

    EN-US
    \nX-NONE
    \nX-NONE<\/p>\n

    <\/p>\n

    <\/p>\n

    \/* Style Definitions *\/
    table.MsoNormalTable
    \t{mso-style-name:”Table Normal”;
    \tmso-tstyle-rowband-size:0;
    \tmso-tstyle-colband-size:0;
    \tmso-style-noshow:yes;
    \tmso-style-priority:99;
    \tmso-style-qformat:yes;
    \tmso-style-parent:””;
    \tmso-padding-alt:0in 5.4pt 0in 5.4pt;
    \tmso-para-margin-top:0in;
    \tmso-para-margin-right:0in;
    \tmso-para-margin-bottom:10.0pt;
    \tmso-para-margin-left:0in;
    \tline-height:115%;
    \tmso-pagination:widow-orphan;
    \tfont-size:11.0pt;
    \tfont-family:”Calibri”,”sans-serif”;
    \tmso-ascii-font-family:Calibri;
    \tmso-ascii-theme-font:minor-latin;
    \tmso-hansi-font-family:Calibri;
    \tmso-hansi-theme-font:minor-latin;
    \tmso-bidi-font-family:”Times New Roman”;
    \tmso-bidi-theme-font:minor-bidi;}<\/p>\n

    <\/p>\n

    Normal
    \n0<\/p>\n

    false
    \nfalse
    \nfalse<\/p>\n

    EN-US
    \nX-NONE
    \nX-NONE<\/p>\n

    1.\u00a0\u00a0 The main task is to configure Softphone. Download Zoiper Softphone from below link.<\/p>\n

    http:\/\/www.zoiper.com\/<\/a><\/p>\n

    2.\u00a0 Open your browser and enter IP address of your server. In my case it is http:\/\/192.168.0.4<\/p>\n

    Click on PBX > PBX Settings > Extensions<\/strong><\/p>\n

    3.\u00a0 Select Generic SIP Device<\/strong> and click on submit<\/strong>.<\/p>\n

    \"1\"<\/a><\/p>\n

     <\/p>\n

    4.\u00a0 You need to enter following detail :
    \nUser Extension<\/strong>: ( 202,302,402 and so on)
    \n Display Name<\/strong>: (Enter the name of your choice)<\/p>\n

    \"2\"<\/a><\/p>\n

    5. Secret<\/b>: (Enter string of your choice)<\/p>\n

    \"3\"<\/a><\/p>\n

    6. Click on Add Extension<\/strong>.<\/p>\n

    In my case I have added two extensions as shown below. After adding extension, do not forget to click on the Apply Configuration Changes<\/strong> button.<\/p>\n

    \"4\"<\/a><\/p>\n

    7. After clicking Apply Configuration Changes<\/strong> button, you will see following popup. Click on Continue with reload.<\/strong><\/p>\n

    \"5\"<\/a><\/p>\n

    8. Now let us configure the Softphone.<\/p>\n

    \"6\"<\/a><\/p>\n

    9. Enter the password<\/strong>, which you have entered in the Secret<\/strong> field at the time of adding user on server. In username field enter the User extension that you have added in step 4 (E.g:100,200,) and in Domain field enter the IP address of Server<\/strong>. After submitting this information click on apply<\/strong>.<\/p>\n

    10. After Successful registration you will see following screen<\/p>\n

    \"7\"<\/a><\/p>\n

    <\/p>\n

    Normal
    \n0<\/p>\n

    false
    \nfalse
    \nfalse<\/p>\n

    EN-US
    \nX-NONE
    \nX-NONE<\/p>\n

    <\/p>\n

    <\/p>\n

    \/* Style Definitions *\/
    table.MsoNormalTable
    \t{mso-style-name:”Table Normal”;
    \tmso-tstyle-rowband-size:0;
    \tmso-tstyle-colband-size:0;
    \tmso-style-noshow:yes;
    \tmso-style-priority:99;
    \tmso-style-qformat:yes;
    \tmso-style-parent:””;
    \tmso-padding-alt:0in 5.4pt 0in 5.4pt;
    \tmso-para-margin-top:0in;
    \tmso-para-margin-right:0in;
    \tmso-para-margin-bottom:10.0pt;
    \tmso-para-margin-left:0in;
    \tline-height:115%;
    \tmso-pagination:widow-orphan;
    \tfont-size:11.0pt;
    \tfont-family:”Calibri”,”sans-serif”;
    \tmso-ascii-font-family:Calibri;
    \tmso-ascii-theme-font:minor-latin;
    \tmso-hansi-font-family:Calibri;
    \tmso-hansi-theme-font:minor-latin;
    \tmso-bidi-font-family:”Times New Roman”;
    \tmso-bidi-theme-font:minor-bidi;}<\/p>\n

    Note: Same way we have configured one more softphone for user \u2018wagh\u2019.<\/p>\n

    11. Now let us try to call from user wagh<\/strong> to user sachin <\/strong>to check whether the setup is working properly.<\/p>\n

    \"8\"<\/a><\/p>\n

    Normal
    \n0<\/p>\n

    false
    \nfalse
    \nfalse<\/p>\n

    EN-US
    \nX-NONE
    \nX-NONE<\/p>\n

    <\/p>\n

    <\/p>\n

    \/* Style Definitions *\/
    table.MsoNormalTable
    \t{mso-style-name:”Table Normal”;
    \tmso-tstyle-rowband-size:0;
    \tmso-tstyle-colband-size:0;
    \tmso-style-noshow:yes;
    \tmso-style-priority:99;
    \tmso-style-qformat:yes;
    \tmso-style-parent:””;
    \tmso-padding-alt:0in 5.4pt 0in 5.4pt;
    \tmso-para-margin-top:0in;
    \tmso-para-margin-right:0in;
    \tmso-para-margin-bottom:10.0pt;
    \tmso-para-margin-left:0in;
    \tline-height:115%;
    \tmso-pagination:widow-orphan;
    \tfont-size:11.0pt;
    \tfont-family:”Calibri”,”sans-serif”;
    \tmso-ascii-font-family:Calibri;
    \tmso-ascii-theme-font:minor-latin;
    \tmso-hansi-font-family:Calibri;
    \tmso-hansi-theme-font:minor-latin;
    \tmso-bidi-font-family:”Times New Roman”;
    \tmso-bidi-theme-font:minor-bidi;}<\/p>\n

    It was observed that call from user wagh<\/strong> to sachin<\/strong> was successful.<\/p>\n

     <\/p>\n

    <\/p>\n

    <\/p>\n

    \/* Style Definitions *\/
    table.MsoNormalTable
    \t{mso-style-name:”Table Normal”;
    \tmso-tstyle-rowband-size:0;
    \tmso-tstyle-colband-size:0;
    \tmso-style-noshow:yes;
    \tmso-style-priority:99;
    \tmso-style-qformat:yes;
    \tmso-style-parent:””;
    \tmso-padding-alt:0in 5.4pt 0in 5.4pt;
    \tmso-para-margin-top:0in;
    \tmso-para-margin-right:0in;
    \tmso-para-margin-bottom:10.0pt;
    \tmso-para-margin-left:0in;
    \tline-height:115%;
    \tmso-pagination:widow-orphan;
    \tfont-size:11.0pt;
    \tfont-family:”Calibri”,”sans-serif”;
    \tmso-ascii-font-family:Calibri;
    \tmso-ascii-theme-font:minor-latin;
    \tmso-hansi-font-family:Calibri;
    \tmso-hansi-theme-font:minor-latin;
    \tmso-bidi-font-family:”Times New Roman”;
    \tmso-bidi-theme-font:minor-bidi;}<\/p>\n

    SIP User Extension Enumeration<\/strong> :<\/h3>\n

    The next and last step in information gathering is enumeration. It involves probing the identified services for known weaknesses. Enumeration involves getting information such as user account names, misconfigured shared resources, and software versions. One of the most common enumerations is against SIP protocol.<\/p>\n

    Targeting SIP proxy or location server will provide user registration and presence.<\/p>\n

    Lab Setup <\/strong>:
    \n1. Client where the softphone is installed – 192.168.0.5
    \n2. Server IP – 192.168.0.7<\/p>\n

    Before starting the practical, let us understand the SIP Request method and Response code.<\/p>\n

    SIP Request Method<\/strong>:<\/p>\n

    \"1\"<\/a>
    \nSIP Response Code:<\/strong><\/p>\n

    \"2\"<\/a><\/p>\n

     <\/p>\n

    Methods of enumeration<\/span>:<\/h3>\n