VoIP Vulnerabilities - Internetwork Security | ECE 4112, Lab Reports of Electrical and Electronics Engineering

Material Type: Lab; Class: Internetwork Security; Subject: Electrical & Computer Engr; University: Georgia Institute of Technology-Main Campus; Term: Spring 2007;

Uploaded on 08/05/2009

ECE4112 Internetwork Security
Lab: VoIP Vulnerabilities
Group Number: _________
Member Names: ______________________ _______________________
Date Assigned:
Date Due:
Last Edited:
Last Authored By: Patrick Hamilton and James Michaels
Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so
that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you
turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.
Goal: The goal of this lab is to introduce you to the functionalities of VoIP and VoIP exploitation
tools. You will discover VoIP vulnerabilities and learn methods to harden a network against these
exploits.
Summary: You will initialize a VoIP call using SJPhone under two different signaling protocols
(SIP and H.323) in order to obtain a diverse understanding of VoIP’s general functionalities. Using
Wireshark (Ethereal) to sniff the network traffic, you will gather information about the data packets
distributed by the VoIP call. You will then conduct a man-in-the-middle attack to audibly eavesdrop on
the VoIP call by using Cain & Abel. You will conclude by analyzing methods of network hardening for
VoIP calls.
Equipment Needed:
Red Hat 4.0 WS physical machine
Red Hat 4.0 WS physical machine (TA setup)
Windows XP Pro virtual machine
Prelab Questions: None
Lab Scenario: This lab is broken up into five sections; the first section provides
general background information, the second section is comprised of setting up the lab
components, the third section consists of establishing the VoIP call and network sniffing, the
fourth section incorporates Cain & Abel to exploit the VoIP call, and the fifth section
encompasses the hardening of the network against VoIP attacks.

Section 1: VoIP (Voice over Internet Protocol)

1.1 Introduction

VoIP (voice over IP - that is, voice delivered using the Internet Protocol) is a term used in IP telephony for a set of facilities for managing the delivery of voice information using the Internet Protocol (IP). Voice over IP uses Internet Protocol (IP) to carry voice as packets over a packet-switched data network. Voice information is then sent in digital form in discrete packets rather than in the traditional circuit-switched protocols of the public switched telephone network (PSTN). A major advantage of VoIP and Internet telephony is that it increases operating efficiency, avoiding expensive communication costs and reducing unnecessary expenses that occur with ordinary telephone service.

1.2 VoIP Security

VoIP uses the Internet for phone service, bypassing expensive long-distance communication providers, which results in significant savings. However, as with most technology advancements, if not set up and deployed correctly, a VoIP solution can expose an organization to security breaches (Figure 1). For instance, when VoIP is used externally, gateway technologies convert data packets from the IP network into voice before sending them over a public switched telephone network. When VoIP is used internally, the gateways basically route packetized voice data between the source and the destination. A potential issue is that VoIP gateways can be hacked into by malicious attackers in order to make free telephone calls. In addition, attackers can infiltrate phone conversations and steal confidential data in the same way they would hack an IT system. Spammers can also use denial of service attacks to render the phone system useless. To deploy a VoIP solution, one needs to ensure that the solution is safe, secure and protected from outside threats. Below is a list of typical attacks that a VoIP system might face.

Toll Fraud: The IP version of the classic attack by a person pretending to be an employee or Console Cracking (asking the operator for an outside trunk) to make long distance calls. In the IP version, however, the attacker impersonates a valid user and IP address by plugging in their phone or spoofing the MAC Ethernet address.

Eavesdropping: The attacker sniffs (taps into the LAN wireline or WiFi connection) to intercept voice messages. Available tools such as VOMIT (Voice Over Misconfigured Internet Telephony) allow performing this function.

Call Hijacking: The attacker spoofs a SIP Response, redirecting the caller to a rogue SIP address, and intercepts the call.

Resource Exhaustion: Also known as a DoS [Denial of Service] attack. This attack reduces the number of available IP addresses, bandwidth, processor memory, and other router/server functions.

Message Integrity: MIM [Man-In-the-Middle] attack to intercept, alter, or redirect a call.

Section 2: VoIP Lab Set-Up

2.1 Lab Setup

There is a computer already set up with the speakers and software needed for this lab. You will need to download SJPhone on your hard drive to be able to establish a VoIP phone call. You will need to get the microphone from a TA to plug into the computer using your HD. The VoIP testbed is diagrammed below:

2.2 Installing SJPhone

  1. From the NAS copy SJphoneLnx-299a.tar.gz to /home/ on your main WS4 machine using: #cp SJphoneLnx-299a.tar.gz /home/
  2. Extract the tarball: #tar xvfz SJphoneLnx-299a.tar.gz
  3. Cd into directory: #cd SJphoneLnx-299a
  4. Now let’s test the tool: #./sjphone
     This will launch SJPhone and a GUI will pop up.
  5. Close the application.

2.3 Installing Cain & Abel

  1. From the NAS copy cain_and_abel_setup.exe to your virtual Windows desktop.
  2. Double click the icon and follow the installation instructions.
  3. When asked to install WinPCap, select INSTALL and continue with default options.
  4. To ensure proper installation, click the icon; this will launch Cain & Abel and a GUI will pop up.
  5. Close the application.

Screenshot 1: SJPhone receiving phone call on the TA RedHat WS4 machine.

  1. On the TA RedHat WS4 machine click the accept button and test the connection by speaking into the provided microphone. Have your TA check you off for the VoIP conversation accomplished.

TA CHECKOFF: ______________________ DATE:___________

3.2 Sniffing VoIP Call Packets

Vomit

Vomit, just in case you were wondering, stands for Voice Over Misconfigured Internet Telephones. Vomit converts captured packets into a wave file. The utility can be downloaded at: http://vomit.xtdnet.nl/

The description from the web site says: “The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. Vomit is not a VoIP sniffer also it could be but the naming is probably related to H.323.”

  1. On the TA WS4 machine (57.35.6.xxx), open VMWare and start the Red Hat WS 4 virtual machine. When this starts, open Ethereal and begin capturing packets in promiscuous mode on eth0.
  2. Establish a VoIP connection again just like you did before. Have a (one-way) conversation and then hang up.
  3. Now, back on the virtual machine, stop capturing packets and save the capture to your home directory (/root) in a file named <group-#>.dump
  4. Get a screenshot of Ethereal displaying the connection Invite and ACK.

Screenshot 2: Ethereal displaying SIP Invite and Ack.

On the virtual Windows machine (57.35.6.x), open a shell and cd into the directory where vomit is located:

#cd /root/vomit/vomit-0.2c/

Now run vomit with the following command:

#vomit -r /root/<group-#>.dump | /root/waveplay-20010924/waveplay -S8000 -B16 -C

Listen to the output.

Question 1: Were vomit and waveplay able to play back the file?

Question 2: How is the quality of the playback compared to that of the actual conversation?

Section 4: VoIP Call Exploitation

4.1 Cain & Abel for VoIP Call Eavesdropping

Cain & Abel is a very powerful tool with various exploitation capabilities. It is currently only supported on Windows operating systems. The utility can be downloaded at: http://www.oxid.it/cain.html

The description from the web site says: “Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.”

You will be using Cain & Abel to eavesdrop on the VoIP conversation.

  1. Establish a VoIP connection again just like you did before.
  2. On the virtual Windows machine start Cain & Abel and click on the Sniffer tab.
  3. On Cain & Abel’s toolbar click the “Start/Stop Sniffer” button (it is to the right of the folder button).
  4. Begin having a one-way conversation and take a screenshot of Cain & Abel recording the VoIP call, then hang up.

Screenshot 3: Cain & Abel recording the VoIP conversation.

Question 3: What information did Cain & Abel find about the VoIP connection?

Question 4: What codec did Cain & Abel report the VoIP connection was using?

Now right click on Cain & Abel’s recording, and select the play option.

Question 5: Is the sound quality better than the earlier Vomit recording?

Perform this task on both RedHat WS4 machines and then initiate a call. On the virtual Windows machine start Cain & Abel and click on the Sniffer tab. On Cain & Abel’s toolbar click the “Start/Stop Sniffer” button (it is to the right of the folder button). Begin having a one-way conversation and then hang up.

Question 7: Was Cain & Abel able to eavesdrop on the VoIP call with H.323?

Now right click on Cain & Abel’s recording, and select the play option.

Question 8: When you played the wave file was it blank or did it play back the recorded call? Was the call quality better, worse, or the same as the SIP recording (if it was blank then the quality is obviously worse)?
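Recording a call this way depends on the signaling and media crossing the network unencrypted, which is what hardening method 4 in Section 5 (TLS and SRTP) addresses. The following Python check is an added example, not part of the original lab: it audits a SIP INVITE, reports the offered codecs, and flags plaintext signaling and media. The sample message, its addresses and the function name audit_invite are constructed for illustration.

```python
# Static RTP payload types (RFC 3551) commonly seen in VoIP captures.
STATIC_CODECS = {0: "PCMU (G.711 u-law)", 3: "GSM", 8: "PCMA (G.711 A-law)", 18: "G729"}

# Constructed SIP INVITE for illustration; all addresses and names are made up.
SAMPLE_INVITE = (
    "INVITE sip:ta@192.0.2.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:group1@192.0.2.10>;tag=1\r\n"
    "To: <sip:ta@192.0.2.20>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)
# The same constructed call as it would be offered with TLS signaling and SRTP media.
HARDENED_INVITE = SAMPLE_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace("RTP/AVP", "RTP/SAVP")


def audit_invite(message):
    """Return signaling transport, offered audio streams and plaintext findings."""
    head, _, body = message.partition("\r\n\r\n")
    via = next(h for h in head.split("\r\n") if h.lower().startswith("via:"))
    # "Via: SIP/2.0/UDP host:port;..." -> third slash-separated field is the transport.
    transport = via.split(":", 1)[1].split()[0].split("/")[2].upper()
    sdp = body.splitlines()
    # Dynamic payload types are named by a=rtpmap lines; static ones come from the table.
    rtpmap = {}
    for line in sdp:
        if line.startswith("a=rtpmap:"):
            pt, name = line[len("a=rtpmap:"):].split(" ", 1)
            rtpmap[int(pt)] = name
    report = {"transport": transport, "media": [], "findings": []}
    if transport != "TLS":
        report["findings"].append("signaling sent over %s, not TLS" % transport)
    for line in sdp:
        if line.startswith("m=audio "):
            _, port, profile, *fmts = line.split()
            codecs = [rtpmap.get(int(pt)) or STATIC_CODECS.get(int(pt), "payload type " + pt)
                      for pt in fmts]
            report["media"].append({"port": int(port), "profile": profile, "codecs": codecs})
            # SRTP profiles (RTP/SAVP, RTP/SAVPF, UDP/TLS/RTP/SAVP) all contain "SAVP".
            if "SAVP" not in profile:
                report["findings"].append("audio on port %s offered as %s (no SRTP)" % (port, profile))
    return report


if __name__ == "__main__":
    for label, msg in (("plaintext", SAMPLE_INVITE), ("hardened", HARDENED_INVITE)):
        print(label, audit_invite(msg))
```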

Section 5: Network Hardening for VoIP

5.1 VoIP Security Hardening

VoIP security doesn't just happen. A VoIP network is susceptible to the usual attacks that plague all data networks: viruses, spam, phishing, intrusions, mismanaged identities, Denial of Service (DoS) attacks, lost and stolen data, voice injections, data sniffing, hijacked calls, toll fraud, eavesdropping, and on and on. You need careful planning to create a system that is both safe and reliable. VoipLowDown.com provided the following 25 methods an administrator can use to harden a VoIP network:

  1. Restrict all VoIP data to one Virtual Local Area Network (VLAN): Cisco recommends separate VLANs for voice and data; this helps prioritize voice over data and also keeps traffic on the voice network hidden from those connected to the data network. VLANs are also useful in protecting against toll fraud, DoS attacks, and eavesdroppers listening in and taking over conversations. A VLAN is an effective closed circle of computers that does not allow any other computer access to its facilities; with the lack of a PC to launch attacks, your VoIP network is quite safe. Even in the case of an attack, the disruption caused is a minimum.
  2. Monitor and track traffic patterns on your VoIP network: Monitoring tools and intrusion detection systems can help identify attempts to break into your VoIP network. Scrutinizing your VoIP logs can bring to light irregularities such as international calls made at odd hours or to countries your organization has no ties with (toll fraud), multiple log-on attempts like in a brute-force attempt to crack a password, or a surge in voice traffic during off-peak hours (voice spam).
  3. Lock down your VoIP servers: Servers should be secured physically against both internal and external intruders who can intercept data using sniffing techniques, either within the LAN or at the ISP when data travels over the Internet. Since VoIP phones have fixed IP and MAC addresses, it’s easier for attackers to try to worm their way in. Which is why Gary Miliefsky, founder and CTO of NetClarity, recommends locking down IP and MAC addresses that allow access to the administrative interfaces of VoIP systems, and putting up another firewall in front of the SIP gateway. This will restrict incoming access to IT administrators and prevent hackers from getting in.
  4. Use multiple layers of encryption: It’s not enough to just encrypt the data packets that are sent out, you have to encrypt call signaling too. Encrypting voice packets prevents voice injections where interceptors can insert their own words into the conversation, giving it a whole new meaning. Steve Mank, CEO of Qovia, cites two common methods of encryption - the Secure Real Time Protocol (SRTP) which encrypts communication between endpoints, and Transport Level Security (TLS) which encrypts the whole call process. Encryption of voice traffic should be supported by providing strong protection at gateways, networks and hosts.
  5. Build redundancy into VoIP networks: Be prepared for the day DoS attacks or viruses threaten to bring your network crashing down – create a network that tolerates failures by setting up multiple nodes, gateways, servers, power sources, and call routers, and hooking up with more than one provider. Don’t stop with just putting the infrastructure in place; run frequent trials to ensure that they are working well and are ready to take over when the primary network fails.
  6. Put your equipment behind firewalls: Create separate firewalls so that traffic crossing VLAN boundaries is restricted only to applicable protocols. This will prevent the spread of viruses and Trojans to servers in case clients are infected. The maintenance of security policies also becomes simpler when each firewall is considered separately. Choose networking and security vendors who support both the Session Initiation Protocol (SIP) and the International Telecommunication Union’s H.323 protocol. Firewall configurations have to be created so that the appropriate ports open and close when necessary.
  7. Update patches regularly: The security of a VoIP network depends on both the underlying operating system and the applications that run on it. Maintaining patch currency for both the OS and VoIP applications is imperative in protecting against threats from malware.
  8. Keep your network away from the Internet: The University of Houston is a pioneer in this security approach – the institution has put its call manager and network out of direct access from

  19. Run only applications that are necessary to provide and maintain VoIP services: The very fact that VoIP applications use data that is encrypted could lead to them being used to launch DoS attacks. Attackers can hide behind the cloak of encryption to avoid their activities from being monitored.
  20. Configure applications against misuse: Prevent your network from being used to perpetrate toll fraud, phishing scams, and illegal calls by preparing a list of permitted caller destinations.
  21. Add endpoint security layers: Use network admission techniques and IEEE 802.1X port-based network access controls to keep out devices that are not authorized on your LAN or WLAN. Network Access Control (NAC) applications are available from Cisco - Network Admission Control (NAC), Microsoft - Network Access Protection (NAP), and TCG - Trusted Network Connect (TNC).
  22. Restrict access according to certain criteria: VoIP network administrators can set up strict admission criteria to prevent access to devices that are potentially unsafe – when they are found to be infected with viruses or worms, when they do not have the latest patches, or when they do not have the right firewalls. These devices can be redirected to a disparate network that makes them compliant and then lets them onto the main network.
  23. Avoid remote management: If possible, it is better to stay away from remote management and audits; but when necessary, use Secure Shell (SSH) or IPsec (IP Security) for the purpose. Access your IP PBX from a system that’s physically secure.
  24. Use IPsec tunneling rather than IPsec transport: Tunneling and transport are two different encryption modes that support secure exchange of packets at the IP layer. The use of IPsec transport encrypts only the data while hiding the source and destination IP addresses. This prevents administrators from finding out who initiated the call when they analyze traffic.
  25. Secure your VoIP platform: VoIP platforms that support the clients are built on operating systems that should be “hardened” to protect the integrity of the networks that run on it and keep out cyber attacks. Disable services that are not absolutely necessary and use host-based methods to detect intrusion.

Question 9: What is the biggest problem for organizations that have voice and data on the same network? What is one way to address this issue?
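The log review described in method 2 and the permitted-destination list from method 20 can be combined into one pass over call records. This Python code is an added example, not part of the original lab or of VoipLowDown.com's list; the log format, the policy values and the function name review_log are assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Assumed policy values for this example; set them to match the organization.
PERMITTED_PREFIXES = ("1404", "1770")   # permitted caller destinations (method 20)
INTERNATIONAL_PREFIX = "011"            # assumed international dialing prefix
BUSINESS_HOURS = range(7, 19)           # 07:00 to 18:59
MAX_FAILED_REGISTERS = 5                # failed log-ons tolerated per source address

# Constructed log lines in a hypothetical format: time,event,source,extension,detail
SAMPLE_LOG = """\
2007-03-14T10:02:11,CALL,192.0.2.31,1001,14045550100
2007-03-14T02:13:05,CALL,192.0.2.31,1001,011445550199
2007-03-14T02:40:00,REGISTER_FAIL,192.0.2.77,1002,401
2007-03-14T02:40:01,REGISTER_FAIL,192.0.2.77,1002,401
2007-03-14T02:40:02,REGISTER_FAIL,192.0.2.77,1002,401
2007-03-14T02:40:03,REGISTER_FAIL,192.0.2.77,1002,401
2007-03-14T02:40:04,REGISTER_FAIL,192.0.2.77,1002,401
2007-03-14T11:00:00,CALL,192.0.2.32,1003,19005550123
"""


def review_log(text):
    """Return (rule, subject) alerts for the irregularities named in methods 2 and 20."""
    alerts, failures = [], Counter()
    for line in text.strip().splitlines():
        stamp, event, source, extension, detail = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        if event == "REGISTER_FAIL":
            # Repeated failed log-ons from one address suggest password guessing.
            failures[source] += 1
            if failures[source] == MAX_FAILED_REGISTERS:
                alerts.append(("repeated-failed-logon", source))
        elif event == "CALL":
            call = "%s->%s" % (extension, detail)
            # Method 20: only destinations on the permitted list are expected.
            if not detail.startswith(PERMITTED_PREFIXES):
                alerts.append(("destination-not-permitted", call))
            # Method 2: international calls at odd hours are a toll-fraud signal.
            if detail.startswith(INTERNATIONAL_PREFIX) and when.hour not in BUSINESS_HOURS:
                alerts.append(("off-hours-international", call))
    return alerts


if __name__ == "__main__":
    for rule, subject in review_log(SAMPLE_LOG):
        print(rule, subject)
```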

ECE4112 Internetwork Security

Lab #: VoIP Vulnerabilities

Group Number: _________

Member Names: ___________________ _______________________

Answer Sheet

Section 3:

Screenshot 1: SJPhone receiving phone call on the TA RedHat WS4 machine.

TA CHECKOFF: ______________________ DATE:___________

Screenshot 2: Ethereal displaying SIP Invite and Ack.

Question 3: Were vomit and waveplay able to play back the file?

Question 4: How is the quality of the playback compared to that of the actual conversation?

Question 7: Was Cain & Abel able to eavesdrop on the VoIP call with H.323?

Question 8: When you played the wave file was it blank or did it play back the recorded call? Was the call quality better, worse, or the same as the SIP recording (if it was blank then the quality is obviously worse)?

Section 5:

Question 9: What is the biggest problem for organizations that have voice and data on the same network? What is one way to address this issue?