I N D E X

Transcript

  • 1. INDEX
      Numbers
      401 error message, 27, 28
      403 error response, 31–32
      407 error message, 27, 28
      802.1x devices, audit program, 194
      911 services, VoIP and, 153
      A
      ACK (acknowledge) message (SIP), 21
      active dictionary attack, in IAX, 100–102
      active eavesdropping of RTP, 82–87
        audio insertion, 82–86
        audio replacement, 87
      AES (Advanced Encryption Standard)
        encryption limitations, 106
        secure RTP with cipher, 182
      Aircrack, 175
      anonymous eavesdropping, 146–147
      Apache build, security issues, 121
      ARP cache poisoning, 38
      ARP monitoring, audit program, 194
      ARP Poison Routing menu (Cain & Abel), 79
      ASN.1-encoded buffer, 58, 59
      Asterisk servers, 26, 93, 132
        configuring, 4
        connecting SIP client to, 142
        for free calls, 138
        for IVR services for users, 136
        man-in-the-middle attack of, 102–103
        to send pre-recorded messages, 148–150
        SRTP implementation steps, 183
      attack surface on home wireless devices, 156
      for RSA authentication, 94
      audio files
        creating, 164
        recording with hard phone, 117
        from RTPInject, 85
        saving RTP stream to, 82
      audio insertion
        in RTP eavesdropping, 82–86
        into Yahoo! Messenger calls, 170
      audio replacement, in RTP eavesdropping, 87
      audio RTP streams, capturing, 76–77
      auditing VoIP, for security best practices, 189–197
      authentication, 13–14
        audit program, 193
        Denial of Service and, 67–68
        in Google Talk, 170
        for H.323 gatekeeper, 52
        in IAX, 94–96
        in SIP, 22, 27–29
          audit program, 190
          data collection for attacks, 34
        and Vonage, 166
      authentication packet, generating, 61
      Hacking VoIP (C) 2008 by Himanshu Dwivedi
  • 2.
      authorization
        audit program, 193
        for H.323 protocol, 54–55
        in VoIP, 14
      AutoDiscovery, audit program, 196
      availability, in VoIP, 14–15
      Avaya
        4600 service hard phone, settings from, 118
        Call Center, 120–123
          registering Asterisk server to, 145
        identifying TFTP server on network, 116
        Modular Messaging, 123–126
        SRTP implementation steps, 183
        TLS implementation steps, 181
        VoIP hard phone, security issues, 115–120
      B
      BackTrack Live CD, 4
      baseline, for measuring VoIP, 190
      boot image, for hard phones, 117
      boot process, for hard phones, audit program, 196
      brute-force attacks
        of E.164 alias, 65–66
        to gain valid usernames, 31–32
        offline, 59
      buffer overrun attacks, IAX vs. SIP, 94
      BYE message (RTP), 90
      BYE method (SIP), 21, 25
        Denial of Service attack and, 42–43
      C
      Cain & Abel, 33, 36, 157, 175
        for attack on Modular Messaging, 125
        to capture RTP packets, 158, 163
        for RTP man-in-the-middle attacks, 78–80, 159–160
        for SSL man-in-the-middle attacks, 171
        support for Yahoo! Messenger RTP codecs, 169
      call eavesdropping. See eavesdropping
      call redirection, 146–147
      call reject attack, in IAX, 107–108
      caller ID spoofing, 139–146
        with iaxComm and VoIPJet, 140–142
        impact, 146
        on internal network with VoIP and SIP, 144–146
        from services on websites, 143–144
        with SIP client, 142–143
      Call-ID field (SIP), 21
      CANCEL method (SIP), 21
        for Denial of Service attack, 43
      challenge (nonce), 27, 28, 29
      challenge packet, from SIP server, 166
      Challenge Response Authentication Mechanism (CRAM-MD5), 124
      challenge/response method, IAX support for, 95
      Cisco
        CallManager, 120–123
          registering Asterisk server to, 145
        SRTP implementation steps, 183
        switches, hopping attacks from, 66
        TLS implementation steps, 181
        VoIP hard phone
          security issues, 115–120
          sniffing network from, 115
      cleartext transmission
        IAX support for, 94
        by RTP, 74, 76
        of TFTP/HTTP requests, 117
        with Vonage, 157
      commercial VoIP solutions, 154–167
        Vonage, 154–161
      conference calls
        risks of audio replacement, 87
        security for, 67
  • 3.
      Contact field (SIP), 21
      Content-Length field (SIP), 21
      Content-Type field (SIP), 21
      contributing source for RTP (CSRC), 74
      Conversation Log, for spoofed BYE message, 43
      country code (CC), in E.164 alias, 14
      CRAM-MD5 (Challenge Response Authentication Mechanism), 124
      CSeq field (SIP), 21
      D
      D-Link, 173
      data network, separating from voice network, 15
        audit program, 194
      Denial of Service attack. See DoS attack
      DHCP servers, audit program, 197
      dictionary attack
        active, in IAX, 100–102
        offline, 33, 35, 58, 166, 180
          in IAX, 97–100
      Diffie-Hellman (DH) key agreement, ZRTP and, 183
      digest authentication, to SIP server, 28, 180
      digital phones, 11
      disconnecting calls in progress, HangUP attack to cause, 108–109
      display language, hard phone configuration, 118
      DNS server
        audit program, 197
        hard phone configuration, 118
        lookup by Proxy server, 23
      DNS spoofing techniques, 38
      DoS (Denial of Service) attack, 88–91
        for H.323 protocol
          via H.225 nonStandardMessage, 71–72
          via host unreachable packets, 70–71
          via NTP, 67–68
          via UDP, 68–69
        in IAX, 106–110
          call reject, 107–108
          HangUP attack, 108–109
          Hold (QUELCH) attack, 109–110
          Registration Reject, 106–107
        in RTP attack
          message flooding, 88–89
          RTCP Bye, 89–91
        in SIP attack
          via BYE message, 42–43
          via REGISTER, 44
          via un-register, 44–45
      dpkt library, installing, 84, 163
      dsniff (Linux), 163
      DTMF tool, 137–138
      duplicate error message, 65–66
      E
      E.164 alias
        audit program, 192–193
        availability, 63–64
        for H.323 endpoint, 14, 63–65
        for H.323 protocol, 54–55
          enumeration, 65–66
      E.164 hopping attacks, for H.323 protocol, 66–67
      eavesdropping
        anonymous, 146–148
        securing SIP session information from, 180
        with Vonage, 157–161
      eavesdropping of RTP
        active, 82–87
          audio insertion, 82–86
          audio replacement, 87
        passive, 76–82
          Cain & Abel for man-in-the-middle attacks, 78–80
          man-in-the-middle attack, 76–77
          with Vonage, 157–161
          with Wireshark, 80–82
  • 4.
      eBay, 151
      Ekiga, 4, 52
      eNapkin, 127
      encryption
        in SIP, 29–31
          with S/MIME, 30–31
          with TLS, 29–30
        in Skype, 173
        symmetric, for H.323 protocol, 52–53
        in VoIP, 15
      endpoint, 11
        spoofing for H.323 protocol, 63–65
      enumeration
        E.164 alias for H.323 protocol, 65–66
        MAC addresses on subnet, 159
        SIP devices on network, 25–26
        username, 65–66
          for H.323 protocol, 56–57
          in IAX, 96–97
          in SIP attack, 31–33
      enumIAX tool, 96–97
      error messages, enumerating SIP usernames with, 31–32
      etherchange, 63
      Ethernet connection, phones with, 11
      expiration value, in REGISTER method (SIP), and un-register process, 44–45
      Extensible Messaging and Presence Protocol (XMPP), for Google Talk, 170
      extensions.conf file, 4, 137
        backup, 132
        and caller ID spoofing, 145
        information from VoIPJet, 143
        for Zfone, 185
      F
      firewalls, 186–187
      From field (SIP), 21
      FTP (File Transfer Protocol), security issues, 121
      fuzzing SIP, 45–47
      G
      Garbutt, Alex, 84, 163
      GCF (Gatekeeper Confirmation) packet, 128
      GetIf, 119
      Google Talk, 13, 170–171
        lightweight SPIT with, 150–151
      government data protection standards, compliance with, 9
      GRQ (Gatekeeper Request) packet, 128
      H
      H.225 protocol, 49
        Denial of Service via nonStandardMessage, 71–72
        for H.323 authentication, 58
          audit program, 190
        hex information example of registration request packet, 62
        Registration Admission Status (RAS), 55–56
        Registration Reject packets, 68–69
      H.239 protocol, 49
      H.245 protocol, 49
      H.323 client, 4
        configuring, 5
      H.323 gatekeeper, 11, 50
        redirecting, 127–128
        registering with, 51–52
        SBC interaction with, 187
      H.323 gateway, 11, 50
      H.323 protocol, 9, 10, 19, 49
        default authentication type, 13
        E.164 alias for endpoint, 14
        network reliability, 72
        ports, 50
        security attacks, 55–72
          Denial of Service via H.225 nonStandardMessage, 71–72
          Denial of Service via host unreachable packets, 70–71
  • 5.
          Denial of Service via NTP, 67–68
          Denial of Service via UDP, 68–69
          E.164 alias enumeration, 65–66
          E.164 hopping attacks, 66–67
          endpoint spoofing, 63–65
          password retrieval, 58–59
          replay attack, 60–63
          username enumeration, 56–57
        security basics, 50–55
          authorization, 54–55
          enumeration, 50–52
          password hashing, 53–54
          public key, 54
          symmetric encryption, 52–53
        VoIP deployments with devices, 12
      H.323.conf file, 4
      H.323-ID, Wireshark for sniffing, 56–57
      H.450 protocol, 49
      H.460 protocol, 49
      handsets, 173–174
      HangUP attack, in IAX, 108–109
      hard phones, 11, 20, 115–120
        audit program, 196
        cable connections, and network vulnerability, 114–115
        call handling for, 120
        compromising configuration file, 116–117
        SNMP weaknesses, 119–120
        uploading malicious configuration file, 117–119
        vulnerability to DoS attack, 71
      header in packet, 9
      Hewlett-Packard, 67
      HMAC-SHA1, secure RTP with, 182–183
      Hold (QUELCH) attack, in IAX, 109–110
      home VoIP services, 9, 153–154
      host unreachable packets, Denial of Service via, 70–71
      HTTP protocol
        as cleartext protocol, 116
        and SIP, 20, 180
      hub, sniffing on, 76
      Hunt, 83
      I
      IAX (Inter-Asterisk eXchange) protocol, 9, 11, 93
        audit program, 192
        authentication, 94–96
          audit program, 191
          default type, 13
        control frame sequencing predictability, 103
        VoIP deployments with devices, 12
      IAX client, 4
        configuring, 5–6
      IAX security attacks, 96–110
        active dictionary attack, 100–102
        Denial of Service, 106–110
          call reject, 107–108
          HangUP attack, 108–109
          Hold (QUELCH) attack, 109–110
          Registration Reject, 106–107
        man-in-the-middle attack, 102–103
        MD5-to-plaintext downgrade attack, 103–105
        offline dictionary attack, 97–100
        username enumeration, 96–97
      IAXAuthJack, 104–105
      IAX.Brute tool, 99
      iaxComm, for caller ID spoofing, 140–142
      iax.conf file, 4
        backup, 132
      IAXHangup.py tool, 108–109
      ICMP, Host Unreachable packets to execute DoS attack, 70
      infrastructure VoIP attacks, 113
        Avaya Call Center, 120–123
        Cisco CallManager, 120–123
  • 6.
      infrastructure VoIP attacks, continued
        hard phones, 115–120
          compromising configuration file, 116–117
          SNMP weaknesses, 119–120
          uploading malicious configuration file, 117–119
        Modular Messaging, 123–126
        Nessus for discovering vulnerable services, 123
        Nikto to scan web management interfaces, 122–123
        Nmap to scan VoIP devices, 121–122
        server impersonation, 126–128
          redirecting H.323 gatekeepers, 127–128
          spoofing SIP proxies and registrars, 126–127
        vendor-specific sniffing, 114–115
      injection attacks, 82, 83–86
      integrity protection, IAX protocol and, 103
      Inter-Asterisk eXchange (IAX) protocol. See IAX (Inter-Asterisk eXchange) protocol
      internal network, caller ID spoofing, with VoIP and SIP, 144–146
      INVITE method (SIP), 20, 23–25, 126–127
        audit program and, 190
      IP (Internet Protocol), for voice communications, 8
      IP PBX, 11
      IPSec, 15
      ITU-T protocols, 49
      IVR services for users, from Asterisk PBX, 136
      J
      Jabber open source group, 170
      jitter, 73
      Junk Fax Prevention Act of 2005, 133
      K
      key distribution method, in SRTP, 183
      Kismet, 175
      L
      lab setup, 3–6, 132
      Lackey, Zane, 84, 101, 104, 108, 163
      landline home phone
        Microsoft Live Messenger calls to, 172
        security, vs. VoIP security, 154
        Yahoo! Messenger calls to, 168
      language, hard phone configuration, 118
      LDAP (Lightweight Directory Access Protocol), audit program, 191
      libSRTP, 183
      Linux, packages for RTPInject, 84
      Live Messenger (Microsoft), 13, 172
      lockout, reducing risk, 98
      logging
        audit program, 196
        security issues, 121
      Lynksys, 173
      M
      MAC (Machine Access Control) addresses
        in E.164 alias, 14
        enumerating on subnet, 159
        filtering, 55
        for wireless access point, 63
        man-in-the-middle attack and, 76
      management methods, audit program, 195
      man-in-the-middle attacks
        in IAX, 102–103
        in RTP, 76–77
          Cain & Abel for, 78–80
        in SIP, 36, 38
      MD5 authentication, in IAX, 94–96
  • 7.
      MD5 hash
        ASN.1-encoded buffer for, 58
        audit program, 190
        brute-force attacks, 166
        from SIP User Agent, 28
        SIP User Agent creation of response value, 33
      MD5-to-plaintext downgrade attack, in IAX, 103–105
      media encryption, audit program, 191
      message flooding, for RTP Denial of Service attack, 88–89
      messages, in SIP, 21–22
      Microsoft Live Messenger, 13, 172
      Modular Messaging (Avaya), 123–126
        preventing authentication attacks, 125
      Montoro, Massimiliano, 78, 159
      N
      NAT (Network Address Translation), 186
      national destination code (NDC), in E.164 alias, 14
      National Do Not Call Registry, 147
      Nemesis, 61
        executing DoS attack, 69, 70
        for RTP packet creation, 88–89, 90–91
        for UDP packet generation, 68
      Nessus, 121
        for discovering vulnerable services, 123
      Net2Phone, 153
      Netgear, 173
      Network Address Translation (NAT), 186
      network sniffing
        enumerating SIP usernames with, 32–33
        and IAX registration traffic, 105
        vendor-specific VoIP, 114–115
      Network Time Protocol (NTP), Denial of Service via, 67–68
      Nikto, 121
        to scan web management interfaces, 122–123
      nmap command, 25, 50–51
        to scan VoIP devices, 121–122
      nonce (challenge), 27, 28, 29
      nonStandardMessage, Denial of Service via, 71–72
      NTP (Network Time Protocol), Denial of Service via, 67–68
      O
      offline dictionary attack, 33, 35, 58, 166, 180
        in IAX, 97–100
      Open Ser TLS, implementation steps, 181
      open STATE for IP address, and SIP device, 26
      OpenSSH, security issues, 121
      OpenSSL, security issues, 121
      OPTIONS method (SIP), 21
      OSI model, with VoIP, 10
      outbound dialing, controls for, 66
      Outlook plug-in, in Modular Messaging, security issues, 124
      P
      packets, 9
        generation tool, 61
      passive dictionary attack, 99
      passive eavesdropping of RTP, 76–82
        man-in-the-middle attacks, 76–77
          Cain & Abel for, 78–80
        with Wireshark, 80–82
      password verifiers, 95n
      password-equivalent values, 95
  • 8.
      passwords
        hashing for H.323 protocol, 53–54
        retrieval
          in H.323 protocol attack, 58–59
          in SIP attack, 33–37
          from Vonage, 166–167
        for voicemail, 9
      PayPal, as email phisher target, 151
      PC-based VoIP solutions, 167–173
        Google Talk, 13, 170–171
          lightweight SPIT with, 150–151
        Microsoft Live Messenger, 13, 172
        Skype, 13, 153, 173
          icon to initiate outgoing VoIP calls, 133–135
          lightweight SPIT with, 150–151
        SOHO phone solutions, 173–175
        Yahoo! Messenger, 13
          audio insertion, 170
          eavesdropping on, 168–170
      phishing, 133–137
      phones. See hard phones; soft phones
      PINs, for hard phones, audit program, 196
      plaintext authentication, in IAX, 94
      Polycom, VoIP hard phone, security issues, 115–120
      port scan, 50
        Nmap for, 121
      ports, for VoIP, 186
      power outage, and VoIP, 153
      PowerPlay, 4
      pre-computed attacks, 100–101
      pre-recorded calls, sending over VoIP, 148–150
      pre-texting, 140
      privacy
        Modular Messaging risks to, 123
        VoIP security and, 8
      protocols, for VoIP, 9–11
      PROTOS project, 46
      Proxy server for SIP, 20
        SBC interaction with, 187
      pypcap library, installing, 84, 163
      Q
      QoS (Quality of Service)
        RTCP for sending information, 73
        for SIP, 15
      quality, of VoIP services, 154
      QUELCH (Hold) attack, in IAX, 109–110
      R
      RAS (Registration Admission Status), for H.225 protocol, 55–56
      Real Time Control Protocol (RTCP), 73
      Real-time Transport Protocol (RTP), 9, 10
        entropy, audit program, 192
      receiving phishing calls, 136–137
      Redirect server, for SIP, 20
      redirecting
        calls, 146–147
        H.323 gatekeepers, 127–128
      REGAUTH packet, in downgrade attack, 104
      REGISTER request (SIP), 21
        audit program, 190
        for Denial of Service attack, 44
      Registrar server, for SIP, 20
      Registration Admission Status (RAS), for H.225 protocol, 55–56
      Registration Reject attack, in IAX, 106–107
      registration request (REGREQ) packet, for Asterisk server, 104
      registration with SIP identified devices, 22–23, 26–27
        hijacking in SIP attack, 38–41
      replay attack
        for H.323 protocol, 60–63
        MD5 hash vulnerability to, 95
  • 9.
      response packet, from User Agent, 166
      RFC (Request for Comments)
        3261 on SIP, 19
        3711 on Secure RTP, 181
      RJ-45 connector, phones with, 11
      RSA authentication, in IAX, 94
      RTCP (Real Time Control Protocol), 73
      RTCP Bye, for RTP Denial of Service attack, 89–91
      RTP (Real-time Transport Protocol), 9, 10, 73
        basics, 73–75
        entropy, audit program, 192
        packet exchange, 24
        payload encryption, 181
        ports, 186
        security attacks, 75–91
      RTP security attacks
        active eavesdropping, 82–87
          audio insertion, 82–86
          audio replacement, 87
        Denial of Service, 88–91
          message flooding, 88–89
          RTCP Bye, 89–91
        passive eavesdropping, 76–82
          Cain & Abel for man-in-the-middle attacks, 78–80
          man-in-the-middle attack, 76–77
          with Wireshark, 80–82
        voice injection, 162–165
      RTPInject, 84–86, 163, 175
      S
      S/MIME (Secure Multipurpose Internet Mail Exchange), SIP with, 30–31
      salted MD5 hashes, 60
      SAS (Short Authentication String), for ZRTP, 184
      SBC (Session Border Controller), 11, 50, 187, 188
      Secure Multipurpose Internet Mail Exchange (S/MIME), SIP with, 30–31
      Secure Real Time Transfer Protocol (SRTP). See SRTP (Secure Real Time Transfer Protocol)
      Secure Sockets Layer (SSL). See SSL (Secure Sockets Layer)
      securing VoIP, 179–187
        firewalls, 186
        Session Border Controller (SBC), 11, 50, 187, 188
        SIP over SSL/TSL (SIPS), 180–181
        ZRTP and Zfone, 183–185
      security, landline home phone vs. VoIP, 154
      Security Denial Message, 65–66
      sequence number
        for RTP, 74
        in Vonage injection attack, 162–163
      servers
        Asterisk, 26, 93, 132
          configuring, 4
          connecting SIP client to, 142
          for free calls, 138
          for IVR services for users, 136
          man-in-the-middle attack of, 102–103
          to send pre-recorded messages, 148–150
          SRTP implementation steps, 183
        DNS server
          audit program, 197
          hard phone configuration, 118
          lookup by Proxy server, 23
        impersonation, 126–128
          redirecting H.323 gatekeepers, 127–128
          spoofing SIP proxies and registrars, 126–127
        SIP/IAX/H.323 server
          concurrent sessions, audit program, 191
          configuring, 4
        SIP Proxy, 11
          spoofing, 126–127
        SIP server, configuring, 5
  • 10.
      services, on Cisco and Avaya products, 120–121
      Session Border Controller (SBC), 11, 50, 187, 188
      Session Initiation Protocol (SIP). See SIP (Session Initiation Protocol)
      setup, for VoIP call, 10
      Short Authentication String (SAS), for ZRTP, 184
      Shulman, Jay, 147
      signature file, in phisher’s email client, 135
      Simple Network Management Protocol (SNMP). See SNMP (Simple Network Management Protocol)
      Single Sign-On (SSO) token, for Google Talk authentication, 170
      SIP (Session Initiation Protocol), 9, 10
        authentication, 27–29
          audit program, 190
        basics, 19–21
        buffer overrun attacks, vs. IAX, 94
        default authentication type, 13
        encryption, 29–31
          with S/MIME, 30–31
          with TLS, 29–30
        enumerating devices on network, 25–26
        making VoIP call with, 22–25
          INVITE request, 23–25
          registration, 22–23
        messages, 21–22
        registration with identified devices, 26–27
        security attacks, 31–47
          Denial of Service via BYE message, 42–43
          Denial of Service via REGISTER, 44
          Denial of Service via un-register, 44–45
          fuzzing SIP, 45–47
          man-in-the-middle attack, 38
          password retrieval, 33–37
          registration hijacking, 38–41
          spoofing proxy servers and registrars, 41
          tools to perform, 36–37
          username enumeration, 31–33
        server configuration, 5
        VoIP deployments with devices, 12
        for Vonage, 166
      SIP client, 4
        for caller ID spoofing, 142–143
        configuring, 5
      SIP/IAX/H.323 server
        concurrent sessions, audit program, 191
        configuring, 4
      SIP over SSL/TSL (SIPS), 180–181
      SIP Proxy servers, 11
        spoofing, 126–127
      SIP Registrar, 11
      sip.conf file, 4
        backup, 132
        and caller ID spoofing, 144
        for Zfone, 184
      SIPS (SIP over SSL/TSL), 180–181
      SIP.Tastic tool, 36, 167, 168
      SiVuS tool, 32, 40
      Skype, 13, 153, 173
        icon to initiate outgoing VoIP calls, 133–135
        lightweight SPIT with, 150–151
      SkypeOut, 138
      Sniffer Pro, 61
        for RTP packet creation, 88
      sniffing network
        enumerating SIP usernames with, 32–33
        and IAX registration traffic, 105
        vendor-specific VoIP, 114–115
      SNMP (Simple Network Management Protocol), 195
        exploiting weaknesses, 119
        security issues, 121
      social engineering, 132
      soft phones, 11, 13, 20
        Zfone and, 187
  • 11.
      SOHO phone solutions, 173–175
      Sox for Linux, 85, 164
      spam attack, 131
      spammer, voicemail from, 147
      SPIT (Spam Over Internet Telephony), 147–151
      spoofing
        caller ID, 139–146
          with iaxComm and VoIPJet, 140–142
          impact, 146
          on internal network with VoIP and SIP, 144–146
          from services on websites, 143–144
          with SIP client, 142–143
        endpoint for H.323 protocol, 63–65
        REJECT packet, 107
        SIP message, 40
        SIP proxy servers and registrars, 41, 126–127
        user identity, 39
      SRTP (Secure Real Time Transfer Protocol), 15, 75
        with HMAC-SHA1, 182–183
        key distribution method, 183
        key exchange, audit program, 192
        media protection with AES cipher, 182
      SSL (Secure Sockets Layer), 15
        attacks on Google Talk, 170–171
        audit program, 191
        audit program for certificates, 197
        certificates, 121
      SSO (Single Sign-On) token, for Google Talk authentication, 170
      SSRC number
        for RTP packet replacement, 87
        in Vonage injection attack, 162–163
      Stunnel, 15
      subnet, enumerating MAC addresses on, 159
      subscriber number (SN), in E.164 alias, 14
      Swift, 136–137
      switches, sniffing on, 76
      symmetric encryption, for H.323 protocol, 52–53
      synchronization, RTCP for, 89
      synchronization source for RTP (SRRC), 74
      T
      targeted attack, 146
        with IAXHangup, 109
        for testing IAXAuthJack, 105
        for testing vnak, 102
      telephone. See hard phones; soft phones
      telephone audio key tones, conversion to text, 137–138
      telephone infrastructure, attacks, 7
      telnet, security issues, 121
      TFTP (Trivial File Transfer Protocol), as cleartext protocol, 116
      timestamp
        for audio replacement, 87
        audit program, 195
        for H.323 authentication, 67
        for MD5 hashing, 60
        for RTP, 74
        in Vonage injection attack, 162–163
      TLS (Transport Layer Security)
        for Google Talk authentication, 170
        for Microsoft Live Messenger, 172
        for SIP, 29–30, 180
        Yahoo! Messenger use of, 168
      To field (SIP), 21
      Trammel, Dustin T., 96
      Transport Layer Security (TLS). See TLS (Transport Layer Security)
      Trivial File Transfer Protocol (TFTP), as cleartext protocol, 116
  • 12.
      U
      UDP (User Datagram Protocol), Denial of Service via, 68–69
      UDP port
        for IAX, 93
        for RTP, 73
      unconditional call forwarding, hard phone configuration, 118
      un-register
        audit program, 191
        for Denial of Service attack, 44–45
      URI (Uniform Resource Identifier)
        in E.164 alias, 14
        for SIP, 22
      User Agents, 13
        response packet from, 166
        for SIP, 20
          registration, 26, 39
      username enumeration
        for H.323 protocol, 56–57
        in IAX, 96–97
        in SIP attack, 31–33
      username retrieval, from Vonage, 166–167
      V
      Verizon, 172
      vishing, 133–135
      VLANs
        audit program, 194
        for VoIP network, 114
      VMware Player, 4, 26
      vnak utility, 36, 101–102
      voice calls, sensitivity, 9
      voice injection, in Vonage, 162–165
      voice network, separating data network from, 15
        audit program, 194
      voicemail
        for mobile phones, access to, 146
        from spammer, 147
      voicemail passcode, 124
      VoIP (Voice over IP), 7. See also home VoIP services; infrastructure VoIP attacks
        auditing for security best practices, 189–197
        basics, 9–13
          deployments, 11–13
          protocols, 9–11
        commercial solutions, 154–167
        impact of DoS attack, 106
        OSI model with, 10
        PC-based solutions, 167–173
          Google Talk, 170–171
          Microsoft Live Messenger, 172
          Skype, 173
          SOHO phone solutions, 173–175
          Yahoo! Messenger, 168–170
      VoIP (Voice over IP) security
        attack vectors, 15–16
        basics, 13–15
          authentication, 13–14
          authorization, 14
          availability, 14–15
          encryption, 15
        importance, 8–9
        unconventional threats, 131–132
          anonymous eavesdropping and call redirection, 146–147
          caller ID spoofing, 139–146
          making free calls, 138–139
          phishing, 133–137
          receiving calls, 136–137
          SPIT (Spam Over Internet Telephony), 147–151
      VoIP Security Audit Program (VSAP), 190–197
        downloading, 190
      VoIPBuster, for free calls, 138
      VoIPJet, 140–142, 150
      VoIPonCD-appliance, 132
  • 13.
      Vonage, 153
        security attacks, 154–161
          call eavesdropping, 157–161
          probabilities, 156
          username/password retrieval, 166–167
          voice injection, 162–165
      VSAP (VoIP Security Audit Program), 190–197
        downloading, 190
      W
      .wav files
        decoding RTP packets to, 78, 80
        RTPInject transcoding of, 85
      website services, for caller ID spoofing, 143–144
      WEP (Wired Equivalent Privacy), 157, 174–175
      Wi-Fi Protected Access (WPA), 157, 174–175
      wildcard attack
        with IAXHangup, 109
        for testing IAXAuthJack, 105
      Windows Sound Recorder, 85, 164
      Wired Equivalent Privacy (WEP), 157, 174–175
      wireless technology, 16
        attack surface on home devices, 156
      Wireshark, 33
        to capture RTP packets, 158
        dialedDigits line for destination E.164 alias, 65
        for H.225.0 RAS entry, 61
        and MD5 hash with H.225 packet, 62
        to reassemble RTP packets, 80–82
        for sniffing H.323-ID, 56–57
        stream analysis, 81
      WPA (Wi-Fi Protected Access), 157, 174–175
      X
      X-Lite, 4, 5, 26–27
        connecting SIP client to Asterisk server, 142
        for free calls, 138
        for targeted attack, 147
        using Zfone with, 184–185
      XEP (XMPP Extension Protocols), 170
      XMPP (Extensible Messaging and Presence Protocol), for Google Talk, 170
      Y
      Yahoo! Messenger, 13
        audio insertion, 170
        eavesdropping on, 168–170
      Z
      Zfone, 183–185
      ZRTP, 183–185
