Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Vigilar, Inc. All rights reserved worldwide. Contents are property of Vigilar, Inc. www.vigilar.com VoIP Penetration Testing: Lessons Learned, Tools.

Published byLeslie Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2006 Vigilar, Inc. All rights reserved worldwide. Contents are property of Vigilar, Inc. www.vigilar.com VoIP Penetration Testing: Lessons Learned, Tools."— Presentation transcript:

1 © 2006 Vigilar, Inc. All rights reserved worldwide. Contents are property of Vigilar, Inc. www.vigilar.com VoIP Penetration Testing: Lessons Learned, Tools and Techniques Jason Ostrom Sr. Security Consultant John Kindervag, CISSP, QSA Sr. Security Architect

2 Agenda  Security and the Converged Network  The Business Risk  VoIP Attack Vectors  VoIP Hopping Attacks  The VoIP Hopper Tool  Live Demonstration

3 Security and the Converged Network  Convergence – Multiple Types of Information on same Pipe  Voice  Data  Video  Less Cabling  Simplify Moves/Adds/Changes  Toll Bypass  You can get your Voice Mail in you Inbox!  But what about Security?

4 The Business Risk  Low Awareness as to Security Threats  Publicly Accessible IP Phones  Waiting Areas  Conference Rooms  Hotel Rooms  Can an Attacker Gain Privileged Access?

5 The Business Risk  The Voice VLAN  Allows IP Phones to auto-configure  Phones easily associate to a logically separate VLAN  Allow simultaneous access for a regular PC

6 Voice VLAN

7 VoIP Assessment  “You can’t access our corporate data network from the IP Phones."  VoIP Vulnerability Assessment  Controls Validation  Gained Administrator access to servers in the data center  Remote, physically isolated location where the IP Phones were located and believed to be “secure”.

8 The VoIP Hopper Tool

9 © 2006 Vigilar, Inc. All rights reserved worldwide. Contents are property of Vigilar, Inc. www.vigilar.com Live Demonstration

10 Customer VoIP Network

11 How this happens

12 Create a new VLAN Interface on the PC

13 Clarify Risks  This is about:  Network Infrastructure Security  Poor Network Design  Not About:  Exploiting Cisco Unified Communication Manager platform  Exploiting Avaya platform

14 VLAN Hopping Risks  DoS against IP Phones  Attacking open ports/services on CallManager platform  Gaining access to internal network resources when no firewall is in place  VoIP Hopper doesn’t enable Sniffing / Eavesdropping on calls

15 Demo Setup and IP Addressing

16 Cisco 802.1x Voice Enabled Ports Credit: Jamal Pecou

17 Mitigation of VLAN Hop from Port 2 of IP Phone

18

19 Lobby Phone Deployment Cisco Recommendations

20 Hiding & Filtering MAC Address?  Placing a hub between the IP Phone and wall, an attacker can sniff the MAC Address. This bypasses Administrator attempts to hide the MAC Address by removing the sticker or locking the Phone settings.  Physical Security of the IP Phone switchport

21 Phone CDP Security: Is it the Answer?  A new Cisco IOS Feature available in 12.2.36 SE and later  Uses Line Power, CDP, and Full Duplex to only allow the Cisco Unified IP Phone Voice VLAN traffic  Port goes into err-disable when a PC is attached directly to the port.

22 Can be bypassed  Scenario 1: With only Phone CDP Security enabled, plug into PC Port on IP Phone and run VoIP Hopper.  Scenario 2: Customer has disabled PC Port on their IP Phones and Phone CDP Security is enabled. When MAC Address filtering is not implemented, a rogue IP Phone can be brought into the environment, and used to gain access to Voice VLAN.

23 Mitigate VLAN Hopping (Cisco)  1. Phone CDP Security  2. MAC Address filtering to only allow MAC of IP Phone on switchport  3. Disable PC Port, and/or PC Voice VLAN Access

24 VoIP Hopper future  Ethernet card supporting PoE  Fix DHCP code  New DHCP Option for Avaya  Alcatel support for DHCP Option  Trunk port encapsulation features

25 VoIP Hopper Information  Project Download – http://voiphopper.sourceforge.net http://voiphopper.sourceforge.net  Included in BackTrack3  http://remote-exploit.org – thanks Martin Muench http://remote-exploit.org  Security Focus Article  http://www.securityfocus.com/infocus/1892 http://www.securityfocus.com/infocus/1892

26 Contact Information Jason Ostrom, CCIE Security #15239 Sr. Security Consultant jostrom@vigilar.com John Kindervag, CISSP, QSA Sr. Security Architect jkindervag@vigilar.com If you would like a copy of this presentation please contact: marketing@vigilar.com

27 VoIP Hacker Clowns

28 VHC (VoIP Hacker Clowns)

29 Q&A

Download ppt "© 2006 Vigilar, Inc. All rights reserved worldwide. Contents are property of Vigilar, Inc. www.vigilar.com VoIP Penetration Testing: Lessons Learned, Tools."

Similar presentations

Chapter 1: Introduction to Scaling Networks

Chapter 1: Introduction to Scaling Networks
BAI613 Module 2 - Voice over IP Technology. Module Objectives 1. Describe the benefits of IP Telephony/Packet Telephony/VoIP over traditional telephone.

BAI613 Module 2 - Voice over IP Technology. Module Objectives 1. Describe the benefits of IP Telephony/Packet Telephony/VoIP over traditional telephone.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing And Switching 2.0.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing And Switching 2.0.
© 2008 Cisco Systems, Inc. All rights reserved.CIPT1 v6.0—1 Implementing Cisco Unified Communications IP Telephony Part 1.

© 2008 Cisco Systems, Inc. All rights reserved.CIPT1 v6.0—1 Implementing Cisco Unified Communications IP Telephony Part 1.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 2: Cisco VoIP Implementations.

© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 2: Cisco VoIP Implementations.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.
Chapter 2: Introduction to Switched Networks

Chapter 2: Introduction to Switched Networks
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
© 2008 Cisco Systems, Inc. All rights reserved.CIPT1 v6.0—3-1 Enabling Single-Site On-Net Calling Configuring Cisco Catalyst Switches for Endpoints.

© 2008 Cisco Systems, Inc. All rights reserved.CIPT1 v6.0—3-1 Enabling Single-Site On-Net Calling Configuring Cisco Catalyst Switches for Endpoints.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
Packet Tracer 6 Building a VoIP Network (Part 3)

Packet Tracer 6 Building a VoIP Network (Part 3)
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
Virtual Data Systems, Inc. Value Proposition of IP Telephony Voice over IP Technologies.

Virtual Data Systems, Inc. Value Proposition of IP Telephony Voice over IP Technologies.
VoIP Security Assessment Service Mark D. Collier Chief Technology Officer

VoIP Security Assessment Service Mark D. Collier Chief Technology Officer
17 th Jan 06 IP40 Sales Brief. 2Plantronics, Inc. Contact Center Desktop – The changes Infrastructure in the contact center is now following the trends.

17 th Jan 06 IP40 Sales Brief. 2Plantronics, Inc. Contact Center Desktop – The changes Infrastructure in the contact center is now following the trends.

Similar presentations

Ads by Google