![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2014\/06\/voip-Copy-1024x600.png\" "\\"voip")
\n <\/p>\n
\n <\/p>\n
In the previous tutorial VoIP Penetration Testing Part \u2013 III<\/span><\/a><\/span> we have learnt about SIP User extension enumeration. This is the last article in which we will focus on various VoIP attacks such as attacking VoIP authentication, DoS Attack and Caller ID Spoofing.<\/span><\/p>\n <\/p>\n SIP uses Digest Authentication, which is vulnerable to a basic offline dictionary attack.<\/span><\/p>\n In order to perform an offline dictionary attack, the attacker needs to sniff the username, realm,<\/span>\u00a0Method,URI and MD5 response hash over the network.<\/span><\/p>\n Figure : Attacking VoIP Authentication<\/p>\n All of these are available over the network in clear text. Once this information has been obtained using sniffing, attacker can perform offline dictionary attack.<\/span><\/p>\n <\/p>\n Lab Setup<\/b> :<\/span><\/p>\n 1.\u00a0 Install Backtrack 4<\/span> \u00a0Steps<\/b> :<\/span><\/p>\n 1.<\/span>\u00a0 Using wireshark first capture few REGISTER<\/strong>\u00a0 requests and save it in a file called voip_attack.<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Figure : Capturing REGISTER Request.<\/p>\n 2.<\/span>\u00a0 Now use sipcrack<\/strong> suite, which is available in Backtrack under \/pentest\/voip<\/strong> directory.<\/span><\/p>\n SIPcrack is a SIP login sniffer\/cracker that contains two programs:<\/span><\/p>\n 3.<\/span>\u00a0 Using sipdump tool, let us dump the authentication data to a file and name it as Auth.txt<\/b> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Figure : Dumping authentication data using sipdump<\/p>\n 4.\u00a0<\/span> This authentication data includes User ID, SIP extension, password hash (MD5) and victim\u2019s IP address.<\/span><\/p>\n <\/p>\n Figure : sipcrack Usage<\/p>\n 5.\u00a0<\/span> Let us now use sipcrack tool to crack the authentication hashes using a custom word list.<\/span><\/p>\n Figure : Cracking authentication hash using sipcrack<\/p>\n <\/p>\n Denial of Server (DOS) attack is a dangerous attack that can cause the\u00a0 VoIP network and devices to crash. Inviteflood is the tool used to launch DoS attacks.This attack can occur on two levels, standard network DoS attacks and VoIP specific DoS attacks. Generally we will send tons of data by flooding the network to consume all its resources or a specific protocol in order to overwhelm it with tons of requests.<\/span><\/p>\n inviteflood usage :<\/strong><\/span><\/p>\n Figure : inviteflood usage<\/p>\n As long as the tool keeps flooding the SIP gateway it will prevent users from making phone calls resulting in a DoS attack.<\/span><\/p>\n Syntax:<\/strong><\/span><\/span> Figure : DoS attack using inviteflood<\/p>\n Caller ID Spoofing :<\/span> This is one of the easiest attacks on VoIP networks. Caller ID spoofing creates a scenario where an unknown user may impersonate a legitimate user to call other legitimate users on VoIP network. For demonstration, let us use metasploit\u2019 auxiliary module named sip_invite_spoof.<\/b><\/span><\/p>\n Lab Setup<\/b> :<\/span><\/p>\n Configure two Softphone on two different machines. In our case<\/span><\/p>\n Steps :<\/strong><\/span><\/p>\n 1.<\/span>\u00a0\u00a0 Start your metasploit and load \/auxiliary\/voip\/sip_invite_spoof<\/strong> auxiliary module.<\/span> <\/p>\n <\/a> Figure : Caller ID Spoofing<\/p>\n In our case<\/span>Attacking VoIP Authentication :
\n<\/strong><\/span><\/h3>\n![\"Attacking](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/1.jpg\")
<\/a><\/p>\n
\n 2. Two Softphone on two systems. In our case<\/span><\/p>\n\n
![\"REGISTER\u00a0](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/2.jpg\")
<\/a><\/p>\n\n
\n<\/span><\/p>\n![\"Auth\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/3.jpg\")
<\/a><\/p>\nsipcrack Usage<\/strong> :<\/span><\/h3>\n
![\"sipcrack](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/4.jpg\")
<\/a><\/p>\n![\"Cracking](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/5.jpg\")
<\/a><\/p>\nDenial of Service (DOS) attack On VoIP Network <\/b>:<\/span><\/h3>\n
![\"inviteflood](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/6.jpg\")
<\/a><\/p>\n
\n .\/inviteflood interface\u00a0 Extension Target_domain target_ip Number_of_packets<\/strong><\/span><\/p>\n![\"DoS](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/7.jpg\")
<\/a><\/p>\n
\n<\/b><\/p>\n\n
\n 2. \u00a0<\/span> Configure the option.<\/span><\/p>\n![\"Caller](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/9.jpg\")
<\/a>![\"Caller](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/8.jpg\")
<\/a><\/p>\n
\n Set MSG 200—————————-Caller ID<\/span>
\n Set RHOSTS 192.168.0.3————-Victim IP Address<\/span>
\n Set SRCADDR 192.168.0.139——-Caller IP Address<\/span>
\n 3.<\/span> \u00a0 Auxiliary module will send a spoofed invite request to the victim user.<\/span><\/p>\n
![\"Spoofed](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2014\/07\/10.jpg\")
<\/a><\/p>\n