You are previewing Hacking VoIP.
O'Reilly logo
Hacking VoIP

Book Description

Voice over Internet Protocol (VoIP) networks have freed users from the tyranny of big telecom, allowing people to make phone calls over the Internet at very low or no cost. But while VoIP is easy and cheap, it's notoriously lacking in security. With minimal effort, hackers can eavesdrop on conversations, disrupt phone calls, change caller IDs, insert unwanted audio into existing phone calls, and access sensitive information.

Hacking VoIP takes a dual approach to VoIP security, explaining its many security holes to hackers and administrators. If you're serious about security, and you either use or administer VoIP, you should know where VoIP's biggest weaknesses lie and how to shore up your security. And if your intellectual curiosity is leading you to explore the boundaries of VoIP, Hacking VoIP is your map and guidebook.

Hacking VoIP will introduce you to every aspect of VoIP security, both in home and enterprise implementations. You'll learn about popular security assessment tools, the inherent vulnerabilities of common hardware and software packages, and how to:

  • Identify and defend against VoIP security attacks such as eavesdropping, audio injection, caller ID spoofing, and VoIP phishing

  • Audit VoIP network security

  • Assess the security of enterprise-level VoIP networks such as Cisco, Avaya, and Asterisk, and home VoIP solutions like Yahoo! and Vonage

  • Use common VoIP protocols like H.323, SIP, and RTP as well as unique protocols like IAX

  • Identify the many vulnerabilities in any VoIP network

  • Whether you're setting up and defending your VoIP network against attacks or just having sick fun testing the limits of VoIP networks, Hacking VoIP is your go-to source for every aspect of VoIP security and defense.

    Table of Contents

    1. Hacking VoIP Protocols, Attacks, and Countermeasures
      1. ACKNOWLEDGMENTS
      2. INTRODUCTION
        1. Book Overview
        2. Lab Setup
          1. SIP/IAX/H.323 Server
          2. SIP Setup
          3. H.323 Setup (Ekiga)
          4. IAX Setup
      3. 1. AN INTRODUCTION TO VOIP SECURITY
        1. Why VoIP
        2. VoIP Basics
          1. How It Works
          2. Protocols
          3. Deployments
        3. VoIP Security Basics
          1. Authentication
          2. Authorization
          3. Availability
          4. Encryption
        4. Attack Vectors
        5. Summary
      4. I. VOIP PROTOCOLS
        1. 2. SIGNALING: SIP SECURITY
          1. SIP Basics
          2. SIP Messages
          3. Making a VoIP Call with SIP Methods
            1. Registration
            2. The INVITE Request
          4. Enumeration and Registration
            1. Enumerating SIP Devices on a Network
            2. Registering with Identified SIP Devices
            3. Authentication
            4. Encryption
              1. SIP with TLS
              2. SIP with S/MIME
          5. SIP Security Attacks
            1. Username Enumeration
              1. Enumerating SIP Usernames with Error Messages
              2. Enumerating SIP Usernames by Sniffing the Network
            2. SIP Password Retrieval
              1. Data Collection for SIP Authentication Attacks
              2. An Example
              3. Tools to Perform the Attack
            3. Man-in-the-Middle Attack
            4. Registration Hijacking
            5. Spoofing SIP Proxy Servers and Registrars
            6. Denial of Service via BYE Message
            7. Denial of Service via REGISTER
            8. Denial of Service via Un-register
            9. Fuzzing SIP
          6. Summary
        2. 3. SIGNALING: H.323 SECURITY
          1. H.323 Security Basics
            1. Enumeration
            2. Authentication
              1. Symmetric Encryption
              2. Password Hashing
              3. Public Key
            3. Authorization
          2. H.323 Security Attacks
            1. Username Enumeration (H.323 ID)
            2. H.323 Password Retrieval
            3. H.323 Replay Attack
            4. H.323 Endpoint Spoofing (E.164 Alias)
            5. E.164 Alias Enumeration
            6. E.164 Hopping Attacks
            7. Denial of Service via NTP
              1. DoS with Authentication Enabled
            8. Denial of Service via UDP (H.225 Registration Reject)
            9. Denial of Service via Host Unreachable Packets
            10. Denial of Service via H.225 nonStandardMessage
          3. Summary
        3. 4. MEDIA: RTP SECURITY
          1. RTP Basics
          2. RTP Security Attacks
            1. Passive Eavesdropping
              1. Capturing Packets from Different Endpoints: Man-in-the-Middle
              2. Using Cain & Abel for Man-in-the-Middle Attacks
              3. Using Wireshark
            2. Active Eavesdropping
              1. Audio Insertion
              2. Audio Replacement
            3. Denial of Service
              1. Message Flooding
              2. RTCP Bye (Session Teardown)
          3. Summary
        4. 5. SIGNALING AND MEDIA: IAX SECURITY
          1. IAX Authentication
          2. IAX Security Attacks
            1. Username Enumeration
            2. Offline Dictionary Attack
            3. Active Dictionary Attack
              1. Targeted attack
            4. IAX Man-in-the-Middle Attack
            5. MD5-to-Plaintext Downgrade Attack
              1. Targeted attack-id001
              2. Wildcard attack
            6. Denial of Service Attacks
              1. Registration Reject
              2. Call Reject
              3. HangUP
              4. Targeted attack-id002
              5. Wildcard attack-id001
              6. Hold (QUELCH)
          3. Summary
      5. II. VOIP SECURITY THREATS
        1. 6. ATTACKING VOIP INFRASTRUCTURE
          1. Vendor-Specific VoIP Sniffing
          2. Hard Phones
            1. Compromising the Phone's Configuration File
            2. Uploading a Malicious Configuration File
            3. Exploiting Weaknesses of SNMP
          3. Cisco CallManager and Avaya Call Center
            1. Using Nmap to Scan VoIP Devices
            2. Scanning Web Management Interfaces with Nikto
            3. Discovering Vulnerable Services with Nessus
          4. Modular Messaging Voicemail System
          5. Infrastructure Server Impersonation
            1. Spoofing SIP Proxies and Registrars
            2. Redirecting H.323 Gatekeepers
          6. Summary
        2. 7. UNCONVENTIONAL VOIP SECURITY THREATS
          1. VoIP Phishing
            1. Spreading the Message
            2. Receiving the Calls
          2. Making Free Calls
          3. Caller ID Spoofing
            1. Example 1
            2. Example 2
            3. Example 3
            4. Example 4
          4. Anonymous Eavesdropping and Call Redirection
          5. Spam Over Internet Telephony
            1. SPIT and the City
            2. Lightweight SPIT with Skype/Google Talk
          6. Summary
        3. 8. HOME VOIP SOLUTIONS
          1. Commercial VoIP Solutions
            1. Vonage
              1. Call Eavesdropping (RTP)
            2. Voice Injection (RTP)
            3. Username/Password Retrieval (SIP)
          2. PC-Based VoIP Solutions
            1. Yahoo! Messenger
              1. Eavesdropping on Yahoo! Messenger
              2. Injecting Audio into Yahoo! Messenger Calls
            2. Google Talk
            3. Microsoft Live Messenger
            4. Skype
          3. SOHO Phone Solutions
          4. Summary
      6. III. ASSESS AND SECURE VOIP
        1. 9. SECURING VOIP
          1. SIP over SSL/TLS
          2. Secure RTP
            1. SRTP and Media Protection with AES Cipher
            2. SRTP and Authentication and Integrity Protection with HMAC-SHA1
            3. SRTP Key Distribution Method
          3. ZRTP and Zfone
          4. Firewalls and Session Border Controllers
            1. The VoIP and Firewall Problem
            2. The Solution
          5. Summary
        2. 10. AUDITING VOIP FOR SECURITY BEST PRACTICES
          1. VoIP Security Audit Program
          2. Summary
      7. About the Author
      8. COLOPHON