ClioSport.net

VoIP security?



  LY R26 230 F1 Team
Hi all, for my final year project at uni I will be creating a network for a medium size enterprise business, installing VoIP and then trying to explain/expose security threats.

So basically anyone have any ideas for me? Where to start? What attacks VoIP is most susceptible to? YouTube tutorials? Any online resources I can make use of?


Oh and any super geeks fancy helping me feel free :p


Edit: any good programmers in here I might need your help too for my programming module which I'm a cert to fail :(
 
  Rav4
One of the main issues with VoIP is when people don't use secure credentials.

A hacker could therefore figure out their credentials, use their "account" to make calls and therefore the "host" gets charged and not the hacker.

Some famous hackers did this, by stealing credentials, selling discounted call rates to people/businesses for x amount of minutes, where they were actually stolen from many "hosts". They made an absolute mint, one of them was the first to get convicted and that was in 2009.

There is a lot of information on the internet about this, just spend some hours googling.

Ideas, depends what you are looking for. At the end of the day, the solution needs to meet the business requirements and also their own SLAs! For some businesses the phones might not be as crucial as others, so make sure you do a good requirements capture. Remember to analyse their requirements properly and break it down to the following;

What they currently have (i.e digital PBX with IVR)
What they need (IP PBX, increased flexibility, remote workers, voicemail for main number)
What they would like to have, but is not business critical. (individual voicemails, instant messaging, linking the PBX to LDAP)

I'm currently looking at redoing all our telephone systems [been saying this for a while now, getting bored of it myself] , so many products to choose out there and the worst thing is, that researching gets you even more lost as in one place you could hear that product X is amazing, but somewhere else that it's crap.
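
An added example, not part of the original post: the pattern described above (credentials guessed, then used to place calls the host pays for) shows up in registrar and call logs as a burst of failed SIP registrations followed by a success from the same address. The log format, thresholds and all sample values below are constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events (not from the thread): ts,event,account,src_ip,call_seconds
SAMPLE = """\
2024-03-01T09:00:00,REGISTER_OK,1002,10.0.20.15,0
2024-03-01T09:05:00,CALL,1002,10.0.20.15,240
2024-03-02T02:10:01,REGISTER_FAIL,1001,203.0.113.50,0
2024-03-02T02:10:02,REGISTER_FAIL,1001,203.0.113.50,0
2024-03-02T02:10:03,REGISTER_FAIL,1001,203.0.113.50,0
2024-03-02T02:10:04,REGISTER_FAIL,1001,203.0.113.50,0
2024-03-02T02:10:05,REGISTER_FAIL,1001,203.0.113.50,0
2024-03-02T02:10:06,REGISTER_OK,1001,203.0.113.50,0
2024-03-02T02:15:00,CALL,1001,203.0.113.50,1800
2024-03-02T02:50:00,CALL,1001,203.0.113.50,2400
2024-03-02T08:30:00,REGISTER_FAIL,1003,10.0.20.31,0
2024-03-02T08:30:20,REGISTER_OK,1003,10.0.20.31,0
"""

FAIL_THRESHOLD = 5               # assumed: failures before a success that count as guessing
WINDOW = timedelta(minutes=10)   # assumed look-back window for those failures

def find_compromised(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {(account, src_ip): seconds of calls placed after a guessed login}."""
    fails = defaultdict(list)   # (account, ip) -> timestamps of failed REGISTERs
    flagged = {}                # (account, ip) -> call seconds since the suspect login
    for ts, event, account, ip, secs in csv.reader(StringIO(log_text)):
        when, key = datetime.fromisoformat(ts), (account, ip)
        if event == "REGISTER_FAIL":
            fails[key].append(when)
        elif event == "REGISTER_OK":
            recent = [t for t in fails[key] if when - t <= window]
            if len(recent) >= threshold:
                flagged.setdefault(key, 0)   # success right after a failure burst
            fails[key].clear()
        elif event == "CALL" and key in flagged:
            flagged[key] += int(secs)        # usage the host would be billed for
    return flagged

if __name__ == "__main__":
    for (account, ip), secs in find_compromised(SAMPLE).items():
        print(f"account {account} from {ip}: {secs // 60} min of calls after guessed login")
```

A single mistyped password followed by a success (account 1003 in the sample) stays below the threshold and is not flagged.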
 
  LY R26 230 F1 Team
Anyone else know of any "ready to go" VoIP labs? configs etc? tutorials?
Ideally a network that I can straight upload onto GNS3....
 

ChrisR

ClioSport Club Member
Lots and lots of info on VOIP security online, have a look at some of the articles and if you have any questions post up here :)

I've been working in security for a while now and whilst I've not got any 'specialist' knowledge of VOIP systems as such I should be able to explain the issues if you're stuck with any in particular.
 

ChrisR

ClioSport Club Member
Also with security think about what it is you are actually trying to do, remember the CIA (confidentiality, integrity, availability) security triad and where VOIP would fit in with each item.

That should help you then look at the risks and threats you would face, then you can look at how you can mitigate them.

Rather weighty NIST article here on VOIP security, http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf.

From 2005 but should still be reasonably relevant.

As with all security it needs to be appropriate, there's no point implementing ultra high encryption at the sacrifice of call quality when a lower encryption type would be sufficient in line with whatever the policies of the company are.
 
  LY R26 230 F1 Team
Thanks Chris, I'm still trying to build a VoIP network in labs ATM, having trouble with configs and getting IP phones to communicate across a network with dial-peer. Phones communicate on individual networks but not inter-network, which I can't understand! :-\
 
  185lb/ft dCi
If I was going to do a pentest on a VoIP network, I'd walk into the company, and firstly find a VoIP phone. I'd then disconnect the phone from the network and plug my laptop into that LAN port.

From here, I would get Wireshark out (packet inspection on the wire) and look for CDP packets that are being broadcast on the network. Held within these packets is the VLAN number for the VoIP network, normally looks similar to this:
'VoIP VLAN Reply: 200'

Then finally, I would jump onto VLAN 200 (plenty of tools out there to VLAN hop) and man-in-the-middle devices on the network in an effort to record phone conversations and sniff configs.

Therefore I'd look into 802.1x on the ports attached to the VLAN network. Just my 2 cents.
 

ChrisR

ClioSport Club Member
Who is it you work for Macester, used to do pen testing for a brief period and have worked with a few of the big companies on jobs :)
 

ChrisR

ClioSport Club Member
For the very brief period I was doing it I enjoyed it, would have liked to carry on but personal circumstances meant I left to take a job closer to home (won't bore with the details).

I was an in house tester for a large company but used third parties sometimes when resource requirements meant that just me and my boss wasn't enough (we were the only 2 testers in the business). Whilst the majority of the job was testing based still did quite a bit of other security stuff there.

Still got one of the big testing companies after me, had a couple of interviews before taking my current job and even though they know I started somewhere new in November they are still calling lol. Am going to say give me a call in 6 months as the new job is good and is still in security for a massive company, but it's not testing :p
 
  LY R26 230 F1 Team
Thanks for the input guys :)
Will be continuing in labs on tuesday after a failed day on friday getting zero progress :(
 
  185lb/ft dCi
Yeah there are a lot of boutiques doing pen testing nowadays, a lot more than there were 5 years ago. Testing is very interesting and the industry is booming, probably one of the best for job prospects at the minute, especially if you are free to move around the country.
 

ChrisR

ClioSport Club Member
Yeah there are a lot of testing companies out there, the ones I worked with and who have been to see are about the biggest.

It's certainly not a bad living, especially once you get to CREST Certified Tester levels. Not sure I'd want to be doing it forever but has been a good stepping stone, and the money is good :)

Sadly I was fed up of being away from home 4 days a week, every week (as the office I was working in was in Swindon, too far to commute). Even though mine wasn't a travelling round job as I was always in the same office really was still away all the time. So if I'd have taken the job on offer I'd be away working a lot again which at the moment I didn't really want to do.

Hopefully can get back into it in the current company (global IT services company).
 
  185lb/ft dCi
Cool stuff mate, you're right about the travelling, they are few and far between so a bit difficult to get an ideal set up! I was lucky enough to only live around 20 miles away from my office, so I just jump on the train each morning. CREST Certified Testers are well sought after, you can guarantee a well paid job if you pass that exam. I'm currently a CREST Registered Tester, hopefully work towards Certified Tester later on this year/early next year. If I was in your shoes, I'd get back into it within your company now but that's just me :D
 

ChrisR

ClioSport Club Member
That's the plan anyway, the role I'm in now is more assurance based in that I pick it up after the report is issued and take it from there. Luckily having done the job before I can see where the reports they do get need improving and how it generally can be done better.

Also in my favour is that the company is large (IT services/outsourcing) as said, and the guys doing the testing for us are actually normally working on another big and more security focused account so they would probably welcome someone who is actually paid to be on my account doing the testing :p

We will see though, end of day can't complain doing what I do for the location and money!
 

