CEHv6 Module 38: VoIP Hacking

Document information

Title: VoIP Hacking
Institution: EC-Council
Field: Ethical Hacking
Type: module
Year listed: 2025
Pages: 153
Size: 2.54 MB

Contents

VoIP Hacking

Module XXXVIII Page | 2972 Ethical Hacking and Countermeasures v6 Copyright © by EC-Council

Module XXXVIII: VoIP Hacking
Ethical Hacking and Countermeasures Version 6
Exam 312-50

VoIP technology does not yet have adequate security measures; VoIP security still falls short for several reasons. The use of Unified Communications and Session Initiation Protocol (SIP) trunking exposes deployments to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Other attacks are eavesdropping and the abuse of platforms such as Microsoft Office Communications Server (OCS) 2007 to launch botnets. The main threats to VoIP are vishing and phreaking. When attackers set up their own IP PBXs, they can perform attacks such as VoIP phishing (vishing). Another attack, phreaking, is making calls illegally and without payment. Attackers can also take advantage of voice infrastructure such as PBXs, voicemail platforms, modems, and fax lines.

EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Objective

This module will familiarize you with:

• VoIP Hacking
• VoIP Hacking Steps
• Exploiting The Network
• Covering The Tracks

Module Flow

The topics discussed in this module are: VoIP Hacking, VoIP Hacking Steps, Exploiting The Network, and Covering The Tracks.

What is VoIP

Voice over Internet Protocol (VoIP) refers to the transmission of voice over IP-based networks. It is also known as "packet telephony".

• Uses the IP protocol to route voice traffic
• Voice is compressed using codecs, so bandwidth is used efficiently
• Renowned for its low cost, which is advantageous to customers for long-distance calls

Voice over Internet Protocol (VoIP) is a technology that provides telephone services over the Internet. It uses the Internet broadband connection for applications such as:

Voice transmission becomes straightforward over the IP protocol. For transmission, the analog voice signal is converted into a digital signal using codecs, which compress the voice. Compressing the voice makes its transmission over the Internet fast, and the bandwidth used is considerably less than it would be without compression. VoIP is widely used because of its low charges, especially for long-distance calls.

VoIP is also known as packet telephony because the analog voice signal is first digitized and packetized. The packets transmitted over the Internet take different paths to reach the target, where they are reordered with the help of their headers and decompressed to recover the original speech. This is more economical and faster than the conventional circuit switching used in the Public Switched Telephone Network (PSTN).

VoIP is also known as:

VoIP offers many value-added features absent from traditional telephone technology. It supports converged networking, one of its major advantages, which allows voice, video, and data to be carried simultaneously; this is useful for conferencing. The technique is called V/V/D (Voice/Video/Data) convergence, and it makes the network less complex by using a single network for voice and data traffic, which saves money.

VoIP Hacking Steps

1. Footprinting
2. Scanning
3. Enumeration
4. Exploiting the Network

Because VoIP hacking is a threat to many corporations and households, upgrades to a newer version of the existing traditional phone network are available. However, there are cases where an upgrade should be delayed because of the threat posed.

VoIP is also vulnerable because converting analog voice to digital data carried over the Internet exposes it to viruses, worms, and other malware, and an attacker may have potentially destructive tools at hand.

VoIP hacking techniques include:

• Audio spam: similar to email spam, but delivered over the converged voice and data network.
• Caller ID spoofing: the attacker pretends to be a person the intended victim knows in order to obtain sensitive information.
• Voice phishing (vishing): a form of social engineering that convinces a person to reveal private information. It can also push mass recordings out over the Internet via VoIP.
• … and relays it to someone else. Attackers generally use this technique together with some form of social engineering.
• … enter a network from a remote location via the Internet, without directly entering the local phone network.

If VoIP systems are not adequately secured, the techniques above make a "hack" easy to perform. There are many ways to attack the system, from shutting down a telephone network through brute-force attacks to launching DoS or DDoS attacks. Worms and Trojans can also use spoofing to hide inside voice packets. If a company's business-critical systems are compromised, the resulting disruption can cost millions of dollars. In many cases, a disgruntled employee can cause such a situation by launching attacks to extract information.

Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about a target before actually launching an attack.

The exact methodology an attacker adopts when approaching a target can vary immensely. Some randomly select a target based on a vulnerability that can be exploited. Others try their hand at a new technology or skill level. Still others methodically prepare to attack a particular target for any number of reasons. For the purpose of study, these activities are categorized as footprinting, scanning, and enumeration.

An attacker gains most information from footprinting and scanning, then uses enumeration, and finally exploits the network.

Footprinting

In footprinting, a company's URL can be obtained with any search engine, such as www.google.com or www.yahoo.com. If you do not know the URL of a particular company, type the company's name into a search engine and run the search. The search engine displays a list of links or URLs related to the company; follow any of them to reach the company's information.

Archived websites can be used to gather information on a company's web pages since their creation. A site such as www.archive.org keeps copies of web pages from the time of their inception, so it is easy for an attacker to see what has changed on a targeted site, including content that has since been taken down.

Public Website Research:

A company may maintain both public and private websites for different levels of access. Public websites use standard URLs. For example:

Anyone can access these websites.

Companies can also maintain sub-domain URLs or private URLs that only the organization accesses. These websites are not revealed to outsiders because they contain the company's internal information, which should not be exposed. For example, a private URL looks like:

where intranet and partners are sub-domains.

Google VoIP Hacking:

Google Search for Company's Info:

1. … learn various details of the company. For instance, you can learn about the company, the merchandise or services it offers, its location, its board of directors, and so on.

2. From this information, you can derive the company's infrastructure details. These include the company's various business solutions, the specific infrastructure needed to deliver those solutions, and the technology appropriate to them.

While footprinting a VoIP network, there are numerous ways an attacker can use the advanced search features of a service such as Google. You can target categories such as VoIP vendor press releases and case studies, web-based VoIP logins, and so on; the search results often provide detailed information about an organization's VoIP deployment.

Whois and DNS Analysis:

Open source footprinting is the process of detecting and extracting information about a company from publicly available sources. Other forms of footprinting are Whois requests and searching DNS tables. Most of this information is fairly easy to get, and within legal limits. One easy way to check for sensitive information is to read the HTML source code of the website and look for links, comments, and meta tags. Typing the company name into any search engine can retrieve its domain name (such as targetcompany.com). The categories of information available from open sources include general information about the target, employee information, business information, information sourced from newsgroups (such as postings about the systems themselves), links to company or personal websites, and HTML source code.

Without visiting the websites, an attacker can carry out the following:

The attacker may choose to source the information from:

… at http://www.tenmax.com/teleport/pro/home.htm), Yahoo! or other directories. (Tifny is a comprehensive search tool for USENET newsgroups. The program improves the quality of the experience by keeping track of previous usage and utilities.) … searching large numbers of newsgroup archives without using a tool.

… enables enumeration of prefixes for URL addresses.

To run this program:

You will need Perl (install ActivePerl from www.activestate.com).

Open a command prompt and run:

perl sp-dns-mine.pl microsoft.com

The code used to run this program is as follows. Only a fragment of the script survives here: the dedupe() helper and the Google query loop are not shown, and the Google SOAP Search API described by GoogleSearch.wsdl has since been discontinued, so the fragment will not run as printed.

@randomwords = ("site", "web", "document", $company);
my $service = SOAP::Lite->service('file:/GoogleSearch.wsdl');
my $numloops = 2;   # number of result pages per word - max 100

#########################################################
## Loop through all the words to overcome Google's 1000 hit limit
foreach $randomword (@randomwords) {
    print "\nAdding word [$randomword]\n";

## Remove duplicates
@allsites = dedupe(@allsites);
print STDOUT "\n -\nDNS names:\n -\n";
foreach $site (@allsites) {
    print STDOUT "$site\n";
}

## Check for subdomains
foreach $site (@allsites) {
}
}

print STDOUT "\n -\nSub domains:\n -\n";
@allsubs = dedupe(@allsubs);
foreach $sub (@allsubs) {
    print STDOUT "$sub\n";

    if ($re != 10) { last; }
}
return @GoogleDomains;
}
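The Perl fragment above depends on Google's SOAP search API, which no longer exists, so it cannot be run as printed. The following Python is an added example, not part of the EC-Council module or of the sp-dns-mine.pl script: it reproduces the script's post-processing stage on a constructed list of search-result URLs, keeping only hostnames under the target domain, deduplicating them (the "DNS names" list) and deriving the intermediate zones (the "Sub domains" list). The URLs and the domain example.com are made up for the demonstration; substitute the result URLs from whatever search API you use today.

```python
from urllib.parse import urlsplit

# Constructed sample of result URLs, of the kind a search for
# "site:example.com web" (and the other seed words) would return. Not real data.
SAMPLE_RESULTS = [
    "http://www.example.com/about",
    "https://www.example.com/products/voip",
    "http://intranet.example.com/login",
    "https://partners.example.com/portal/index.html",
    "http://voip.eu.example.com/admin",
    "http://VOIP.EU.example.com/admin/phones",      # same host, different case
    "http://www.example.com.evil-mirror.net/x",     # look-alike, not our domain
    "https://otherexample.com/page",                # not our domain either
    "ftp://files.example.com/pub",
]


def hostnames_in_domain(urls, domain):
    """Distinct hostnames that are the target domain itself or lie beneath it.

    The suffix test is done on a leading dot so that a look-alike such as
    example.com.evil-mirror.net or otherexample.com is not swept in.
    """
    domain = domain.lower().strip(".")
    found = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().strip(".")
        if host == domain or host.endswith("." + domain):
            found.add(host)
    return sorted(found)


def subdomains(hostnames, domain):
    """Every zone strictly between a hostname and the apex.

    voip.eu.example.com yields eu.example.com; www.example.com yields nothing,
    because example.com is the apex we started from.
    """
    domain = domain.lower().strip(".")
    subs = set()
    for host in hostnames:
        if host == domain:
            continue
        labels = host[: -len(domain)].rstrip(".").split(".")
        # drop the leftmost (host) label, keep each remaining suffix as a zone
        for i in range(1, len(labels)):
            subs.add(".".join(labels[i:] + [domain]))
    return sorted(subs)


def mine(urls, domain):
    """The two lists sp-dns-mine prints: DNS names, then sub domains."""
    names = hostnames_in_domain(urls, domain)
    return {"dns_names": names, "sub_domains": subdomains(names, domain)}


if __name__ == "__main__":
    result = mine(SAMPLE_RESULTS, "example.com")
    print("DNS names:")
    for name in result["dns_names"]:
        print(" ", name)
    print("Sub domains:")
    for sub in result["sub_domains"]:
        print(" ", sub)
```

The subdomain list is the useful output for a VoIP footprint: a zone such as eu.example.com tells you there is a regional DNS delegation worth querying directly for hosts named voip, sip, pbx or similar.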

Unearthing Information

Information includes:

• Organizational structure and corporate locations
• Help and tech support
• Job listings
• Domain name lookup
• Phone numbers and extensions
• VoIP vendor press releases and case studies
• Resumes
• Mailing lists and local user group postings
• Web-based VoIP logins

A wealth of information is available simply by looking at an organization's corporate website. That information is published to support, educate, or market to external clients, but it also helps attackers, providing the details they need to social engineer their way into the VoIP network.

The following information provides valuable hints and starting points for an attacker planning an attack:

Organizational Structure and Corporate Locations

From the organizational structure, an attacker can guess the names of employees working in the organization.

Check the location information for branch offices and corporate headquarters to understand the traffic flow between two VoIP call participants.

Help Desk

Check the sites that hold information from the help desk for:

• Phone type
• Default PIN numbers for voicemail
• Links to web administration

Another footprinting method is searching job sites, which may reveal information about a company's infrastructure. From the posted requirements for job openings, attackers may learn about the software, hardware, and other network-related products the company uses. For example, if a company wants to hire for a "Network Administration" position, it posts requirements for roles such as "VoIP Systems Architect", "VoIP Systems Engineer", "Communication Infrastructure Developer", and so on. A job description could look like this:

Minimum 3-5 years experience in the management and implementation of telephone systems/voicemail and advanced programming knowledge of the Cisco Communication Servers and voicemail is required.

Phone Numbers and Extensions

Identify internal working numbers and extensions.

An attacker should comb the site for contact information such as phone numbers and their internal extensions, email addresses, people's contact details, recent mergers and acquisitions, partners, and alliances.

VoIP vendors issue press releases when a product is launched, and these often include case studies that give a detailed description of the specific products and versions installed for a customer. For example, in a Google search, type:

site:alcatel.com case study

or

site:alcatel.com [company name]

Resumes also give an attacker useful information. Below is an example of the kind of resume text that creative search terms turn up:

Phase I: designed and set up a sophisticated SIP-based VoIP production Asterisk PBX with headsets and X-Lite softphones

… installation with Cisco 7920 IP Phones

WHOIS and DNS Analysis

DNS is the distributed database system used to map hostnames to IP addresses (and, through reverse lookups, IP addresses back to hostnames).

Every organization with an online presence relies on DNS to route website visitors and external email to the correct places.

A WHOIS search reveals the IP address ranges an organization owns. Based on this information, attackers can determine which servers are running DNS and SMTP services.

Whois clients also provide a reverse query, which allows a known IP address to be traced back to its registered owner and domain. The authoritative sources for Whois data are listed on the map below.

There are five Regional Internet Registries (RIRs), each maintaining a Whois database holding details of IP address registrations in its region. An organization's RIR provides the IP addresses and oversees registration.

The RIR Whois databases are located at:

If an address is outside ARIN's region, that database will provide a referral to the responsible registry, such as APNIC or RIPE NCC. www.allwhois.com is also considered a comprehensive Whois interface.

There are tools to aid a Whois lookup. Some of them are Sam Spade (downloadable from …), the tool downloadable from www.netscantools.com, and GTWhois (Windows XP compatible, www.geektools.com). A Whois client is available in most versions of UNIX. For UNIX users with X and the GTK toolkit, Xwhois (available at http://c64.org/~nr/xwhois/) can be used.

Readers are encouraged to read the RFCs and standards related to this discussion, in particular STD 13 (Domain Names: Concepts and Facilities) and RFCs 1034 and 1035.

Using www.DNSstuff.com, it is possible to extract DNS information such as IP addresses, mail server records, DNS lookups, Whois lookups, and so on. If you want information about a target company, you can extract its range of IP addresses using the IP routing lookup on DNSstuff. Footprinting this information via DNSstuff.com is easy.

Steps to Perform Footprinting

• Analyze the company's infrastructure details from job postings
• Use people search for personal information on employees
• Google search for the company's news and press releases
• Extract archives of the website
• Mirror the entire website and look up names
• Extract DNS information
• Perform a Whois lookup for personal details
• Find the company's external and internal URLs

The steps for footprinting as covered in Module 03 are as follows:

8. Find the physical location of the web server using the tool "NeoTrace"

10. Track email using "readnotify.com"

Scanning

Ping a large number of IP addresses and check for responses.

Methods to ping IP addresses:

• ICMP ping sweeps
• ARP pings
• TCP ping scans
• SNMP sweeps

In scanning, the first step is to build a list of active targets: which devices are reachable on the VoIP network, and so on. This also produces information useful for tracking down rogue or infected systems through inventory mapping.

The attacker pings numerous IP addresses and waits for any responses. The ping tool, a network diagnostic utility, uses the ICMP protocol and lets an administrator determine quickly whether another host is active:

Microsoft Windows XP [Version 5.1.2600]
C:\>ping www.yahoo.com
Pinging www.yahoo.akadns.net [68.142.197.68] with 32 bytes of data:
Reply from 68.142.197.68: bytes=32 time=20ms TTL=54
Reply from 68.142.197.68: bytes=32 time=21ms TTL=54
Reply from 68.142.197.68: bytes=32 time=22ms TTL=55
Reply from 68.142.197.68: bytes=32 time=21ms TTL=54
Ping statistics for 68.142.197.68:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 22ms, Average = 21ms
C:\>

If the administrator blocks ICMP, the attacker turns to other scanning techniques to build a comprehensive list of active IP addresses.

ICMP Ping Sweeps

An easy way to identify active hosts is to send ICMP ECHO REQUEST packets; hosts answer with ICMP ECHO REPLY packets if ICMP is not blocked by firewalls.

Tools for ICMP ping sweeps:

• fping
• Nmap
• SuperScan
• Nessus
• Ping and port sweep utilities

ICMP ping sweeps provide an easy way to find active hosts. Pinging sends ICMP type 8 packets (ICMP ECHO REQUEST) to an IP address. If ICMP is not blocked by a router or firewall, the host replies with an ICMP type 0 packet (ICMP ECHO REPLY).

There are many tools for running ICMP ping sweeps, such as fping, a *nix command-line tool that parallelizes ICMP scanning of multiple hosts. It can read a range of target addresses either from a file or from the command line. For example, the -g option specifies the range of hosts to scan, and the -a option reports only the hosts that are alive.

SuperScan is a graphical tool that can quickly ping sweep a range of hosts. The other powerful command-line scanning tool is Nmap (http://www.insecure.org/nmap), which has many options. The -sP option designates a ping sweep (in current Nmap releases the same option is spelled -sn):

[root@attacker]# nmap -sP 192.168.1.1-254
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-19 20:51 CST
Host 192.168.1.1 appears to be up
MAC Address: 00:13:10:D4:AF:44 (Cisco-Linksys)
Host 192.168.1.21 appears to be up
MAC Address: 00:04:13:24:23:8D (Snom Technology AG)
Host 192.168.1.22 appears to be up
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Host 192.168.1.23 appears to be up
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Host 192.168.1.24 appears to be up
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Host 192.168.1.25 appears to be up
MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks)
Host 192.168.1.27 appears to be up
MAC Address: 00:04:F2:03:15:46 (Polycom)
Host 192.168.1.51 appears to be up
MAC Address: 00:04:13:23:34:95 (Snom Technology AG)
Host 192.168.1.52 appears to be up
MAC Address: 00:15:62:EA:69:E8 (Cisco Systems)
Host 192.168.1.53 appears to be up
MAC Address: 00:04:0D:50:40:B0 (Avaya)
Host 192.168.1.54 appears to be up
MAC Address: 00:0E:08:DA:24:AE (Sipura Technology)
Host 192.168.1.55 appears to be up
MAC Address: 00:E0:11:03:03:97 (Uniden SAN Diego R&D Center)
Host 192.168.1.56 appears to be up
MAC Address: 00:0D:61:0B:EA:36 (Giga-Byte Technology Co.)
Host 192.168.1.57 appears to be up
MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics)
Host 192.168.1.103 appears to be up
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)
Host 192.168.1.104 appears to be up
Nmap finished: 254 IP addresses (17 hosts up) scanned in 5.329 seconds
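The MAC vendor column in a sweep like this is already a first inventory of the VoIP estate, and turning it into a list is the first thing worth scripting. The following Python is an added example, not code from the module: it parses the Nmap 4.x ping-sweep format shown above (a constructed excerpt of that output is embedded so it runs offline) and flags hosts whose MAC vendor is a telephony manufacturer. The vendor list is an assumption made for the example; Cisco is deliberately left out because Cisco OUIs cover switches and routers as well as phones, which is exactly why those hosts need the OS fingerprinting step described later in this module before they can be classified.

```python
import re
from collections import Counter

# Constructed excerpt of the nmap -sP output shown on this page (not a live scan).
# Nmap prints no MAC line for the host it is running on, hence the last entry.
SWEEP_OUTPUT = """\
Host 192.168.1.1 appears to be up
MAC Address: 00:13:10:D4:AF:44 (Cisco-Linksys)
Host 192.168.1.21 appears to be up
MAC Address: 00:04:13:24:23:8D (Snom Technology AG)
Host 192.168.1.22 appears to be up
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Host 192.168.1.24 appears to be up
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Host 192.168.1.25 appears to be up
MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks)
Host 192.168.1.27 appears to be up
MAC Address: 00:04:F2:03:15:46 (Polycom)
Host 192.168.1.53 appears to be up
MAC Address: 00:04:0D:50:40:B0 (Avaya)
Host 192.168.1.56 appears to be up
MAC Address: 00:0D:61:0B:EA:36 (Giga-Byte Technology Co.)
Host 192.168.1.104 appears to be up
Nmap finished: 254 IP addresses (17 hosts up) scanned in 5.329 seconds
"""

# Vendors whose OUIs on a corporate LAN almost always belong to phones, ATAs or
# call servers. Assumption for this example; extend it for your environment.
VOIP_VENDORS = ("snom", "sipura", "grandstream", "polycom", "avaya")

HOST_RE = re.compile(r"^Host (\S+) appears to be up")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")


def parse_ping_sweep(text):
    """Return [{ip, mac, vendor}, ...] from Nmap 4.x 'nmap -sP' output.

    A MAC line always follows the 'Host ... appears to be up' line it belongs
    to, so it is attached to the most recent host; hosts with no MAC line keep
    mac=None and vendor=None.
    """
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "mac": None, "vendor": None})
            continue
        m = MAC_RE.match(line)
        if m and hosts:
            hosts[-1]["mac"] = m.group(1)
            hosts[-1]["vendor"] = m.group(2)
    return hosts


def is_voip_candidate(host):
    """True when the vendor string matches one of the telephony manufacturers."""
    vendor = (host["vendor"] or "").lower()
    return any(v in vendor for v in VOIP_VENDORS)


def voip_candidates(text):
    """Hosts from the sweep worth probing first with SIP/SCCP/H.323 checks."""
    return [h for h in parse_ping_sweep(text) if is_voip_candidate(h)]


def vendor_summary(text):
    """Vendor -> count, with 'unknown' for hosts that had no MAC line."""
    return Counter((h["vendor"] or "unknown") for h in parse_ping_sweep(text))


if __name__ == "__main__":
    for h in voip_candidates(SWEEP_OUTPUT):
        print(f"{h['ip']:<16} {h['mac']}  {h['vendor']}")
    print(vendor_summary(SWEEP_OUTPUT))
```

On a real engagement the same parser runs over the saved output of the whole sweep; the point of keying on vendor rather than IP is that phones usually get DHCP leases and move, while their OUI does not.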

ARP Pings

An ARP ping requests the MAC address for each IP address in a large range; any answer identifies a live host on the local network.

Tools:

• arping
• MAC address discovery tool

The Address Resolution Protocol (ARP) marries the IP and Ethernet networking layers together. Ethernet-aware switches and hubs are not aware of the upper-layer IP addressing carried in the frames, and IP-aware devices and operating systems must correspondingly communicate at the Ethernet layer. ARP gives hosts and devices the method for maintaining mappings between IP and Ethernet addresses.

While scanning a local Ethernet subnet, it is easy to compile a mapping of MAC addresses to IP addresses, which is also the groundwork for man-in-the-middle and session hijacking attacks on the LAN. On the local LAN, sending an ARP broadcast frame requesting the MAC address for each IP address in a large range tells you which hosts are alive. This is the best way around blocked ICMP on a local network. Besides being a built-in feature of Nmap, many tools can perform ARP pings, including the MAC address discovery tool from SolarWinds and arping.

Arping is a command-line tool for ARP pinging IP addresses. It can also ping MAC addresses directly:

[root@attacker]# arping -I eth0 -c 2 192.168.100.17
ARPING 192.168.100.17 from 192.168.100.254 eth0
Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E] 8.419ms
Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E] 2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)

TCP Ping Scans

Sends TCP SYN- or ACK-flagged packets to a TCP port on the target host; an RST packet in response indicates that the host is alive.

Tools:

• Nmap
• hping2

A TCP ping scan sends a TCP SYN- or ACK-flagged packet to a commonly used TCP port on the target host. A returned RST packet indicates that a host is alive at the target IP address. ACK packets are the more useful for bypassing stateless firewalls, which only watch for incoming SYNs as the sign of a new connection to block. Nmap, by default, probes with a SYN packet to port 80; from the command line you can change it to use an ACK packet on a different port or ports with the -PT option (in current Nmap releases -PT is spelled -PA, and -P0 is spelled -Pn):

[root@attacker]# nmap -P0 -PT80 192.168.1.23
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-19 21:28 CST
Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Nmap finished: 1 IP address (1 host up) scanned in 2.144 seconds

Another tool for TCP pinging is hping2. From the command line, type hping2 --help to show all the options:

len=40 ip=192.168.1.103 ttl=64 DF id=3 sport=80 flags=R seq=3 win=0 rtt=0.1 ms
len=40 ip=192.168.1.103 ttl=64 DF id=4 sport=80 flags=R seq=4 win=0 rtt=0.0 ms
len=40 ip=192.168.1.103 ttl=64 DF id=5 sport=80 flags=R seq=5 win=0 rtt=0.0 ms
len=40 ip=192.168.1.103 ttl=64 DF id=6 sport=80 flags=R seq=6 win=0 rtt=0.0 ms

The output above shows that you received TCP RST packets (flags=R) from port 80 of the target, which indicates a live host.

SNMP Sweeps

An SNMP scan returns sensitive information because the default "public" community string is almost always left in place.

Tools:

• SNScan
• snmpwalk
• Nomad
• Cheops
• snmpenum
• snmp-audit

Simple Network Management Protocol (SNMP) scanning is another effective way to find active network equipment. SNMP is an application-layer protocol for monitoring and controlling network devices. The three versions are SNMPv1 (RFC 1067, later RFC 1157), SNMPv2 (RFCs 1441–1452), and SNMPv3 (RFCs 3411–3418).

SNMPv1 and v2c use a very simple form of authentication called community strings (essentially a cleartext password carried in every packet), whereas SNMPv3 adds per-user authentication and optional encryption of the payload.

Many administrators forget to change the default community strings on their network devices, which lets an attacker gather sensitive information with any of numerous SNMP clients. SNMP scans usually return an abundance of information, since the default "public" community string is almost always still in use.

SNMP scanning tools include SNMP Sweep and SNScan, and command-line tools for *nix systems such as snmpwalk, Nomad, Cheops, snmpenum, and snmp-audit.
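To see why a community string is "essentially a cleartext password", it helps to look at the bytes on the wire. The following Python is an added example, not from the module: it BER-encodes an SNMPv1/v2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) in the same form a client such as snmpwalk sends, and then parses the community string straight back out of the datagram, which is all a passive sniffer on the path needs to do. No network access is required for the encoder or the parser; the request id and the community value are chosen for the example. A send_get helper that puts the datagram on UDP 161 is included for use against a lab device only.

```python
import socket


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    """One tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(value):
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    length = (value.bit_length() + 8) // 8          # leaves room for the sign bit
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(oid):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs share one octet, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # continuation bit on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_snmp_get(community, oid, request_id=1, version=0):
    """SNMP GetRequest (PDU tag 0xA0). version 0 = SNMPv1, 1 = SNMPv2c.

    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, pdu }
    pdu     ::= [0] { request-id, error-status, error-index, VarBindList }
    """
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")        # OID + NULL value
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(version) + ber_tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """What a sniffer recovers from any v1/v2c datagram: version, community, PDU type.

    The community string is the second element of the outer SEQUENCE and is not
    hashed, encrypted or even obfuscated; v3 moves this to a separate security
    parameters block.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"),
            "pdu_type": pdu_tag}


def send_get(host, community="public", oid="1.3.6.1.2.1.1.1.0", timeout=2.0):
    """Send the GetRequest to a lab device and return the raw reply (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snmp_get(community, oid), (host, 161))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    pkt = build_snmp_get("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(parse_snmp_header(pkt))
```

The parser is also a usable detection primitive: run it over the payloads of UDP/161 traffic captured on a span port and any community other than one you issued (or any v1/v2c traffic at all, where policy is v3) is worth an alert.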

Port Scanning and Service Discovery

Method to scan for active services:

With the host discovery techniques, the attacker now holds a list of active IP addresses and can start investigating each address further for its listening services. VoIP signaling and media are carried over TCP and UDP, so port scanning, the technique of probing TCP and UDP ports on a target to find active services, is a vital step in determining the vulnerabilities present on the target host or device. Having identified an active service on the target, the attacker can interact with the associated application to enumerate sensitive details about the VoIP deployment. Some of the popular TCP services are WWW, FTP, and SMTP (TCP ports 80, 20/21, and 25), while DNS, SNMP, and DHCP (UDP ports 53, 161/162, and 67/68) are common UDP services.

The Nmap tool is a port scanner that supports many scan types in a single utility. Two of the most effective scan types are TCP SYN scanning and UDP scanning. The Nmap manual describes them as follows.

TCP SYN scan: the attacker sends a TCP SYN packet to a specific port as if to open a TCP connection with the target host. A returned SYN/ACK-flagged TCP packet indicates the port is open, and an RST indicates a closed port. A "filtered" port is one for which no response to the probe was received.

An example of a simple TCP SYN scan appears as follows:

% nmap [X.X.X.X]
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-24 09:12 CST
Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE

A second run against the same target, this time with service version detection (the VERSION column), shows:

Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
22/tcp closed ssh
23/tcp closed telnet
80/tcp open http Microsoft IIS webserver 5.0
443/tcp open ssl/http Microsoft IIS webserver 5.0
1720/tcp open tcpwrapped
2000/tcp open callbook?
2001/tcp open dc?
2002/tcp open globe?
Service Info: OS: Windows
Nmap finished: 1 IP address (1 host up) scanned in 112.869 seconds

Note that the service names for 1720 and 2000 come from Nmap's port table, not from the service itself: TCP 1720 is the H.323 (H.225) call-signaling port and TCP 2000 is Cisco's SCCP (Skinny) port, so this Windows host is almost certainly a call server.

Running Nmap with the default options leaves critical VoIP services untouched, because the default scan covers TCP ports only:

[root@attacker]# nmap -P0 -sV 192.168.1.103
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-19 21:49 CST
Interesting ports on 192.168.1.103:
(The 1666 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 1.2.1
22/tcp open ssh OpenSSH 3.6.1p2 (protocol 1.99)
80/tcp open http Apache httpd 2.0.46 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident authd
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)
Service Info: OS: Unix
Nmap finished: 1 IP address (1 host up) scanned in 6.437 seconds

Trang 36

If it responds, it indicates an active service is listening

It is unused, if you get an ICMP port unreachable error

In this type of scan, a hacker sends an empty UDP header to each UDP port on the target If a port

responds with a UDP packet, an active service is listening If you get an ICMP port unreachable

error, it indicates that the port is unused or filtered In Nmap, a UDP scan can identify the other

ports running on the network:

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 05:26 EST

(The 1473 ports scanned but not shown below are in state: closed)

Port State Service

67/udp open|filtered dhcpserver

69/udp open|filtered tftp

111/udp open|filtered rpcbind

123/udp open|filtered ntp

784/udp open|filtered unknown

5060/udp open|filtered sip

32768/udp open|filtered omad

Nmap finished: 1 IP address (1 host up) scanned in 1.491 seconds

The UDP scan reveals that this server runs both DHCP and TFTP services (UDP ports 67 and 69, respectively), a combination typical of a server that hands out addresses and configuration files to IP phones.

UDP port 5060 (SIP) showing up as open|filtered confirms only that SIP may be in use; by itself it gives no information that would identify the exact type of VoIP device. That requires further fingerprinting.
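The script below is an added example, not part of this module or of Nmap. It parses the port tables of the two TCP scans and the UDP scan shown above (reproduced here as constructed input strings) and flags the ports that matter to a VoIP assessment, which makes the point of both passages concrete: the default TCP scan of the Linux host turns up nothing VoIP-specific, while the UDP scan surfaces SIP and TFTP. The port-to-protocol table is this example's own assumption, not something Nmap reports.

```python
"""Parse Nmap normal-output port tables and flag VoIP-relevant services.

Added example (not from the CEH module or from Nmap).  The three sample
scan outputs are constructed from the results reproduced on this page;
the VOIP_PORTS table is this example's own assumption.
"""
import re
from typing import Dict, List, Tuple

# One row per port line, e.g. "5060/udp open|filtered sip" or
# "80/tcp open http Microsoft IIS webserver 5.0".
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

# Ports that matter to a VoIP assessment (assumed mapping for this example).
VOIP_PORTS: Dict[Tuple[int, str], str] = {
    (5060, "udp"): "SIP signalling",
    (5060, "tcp"): "SIP signalling",
    (5061, "tcp"): "SIP over TLS",
    (1720, "tcp"): "H.323/H.225 call signalling",
    (2000, "tcp"): "Cisco SCCP (Skinny) call control",
    (69, "udp"): "TFTP (IP phone config/firmware provisioning)",
}

# Constructed from the first TCP scan above (Windows/IIS host).
TCP_SCAN_CALLMANAGER = """\
PORT STATE SERVICE VERSION
22/tcp closed ssh
23/tcp closed telnet
80/tcp open http Microsoft IIS webserver 5.0
443/tcp open ssl/http Microsoft IIS webserver 5.0
1720/tcp open tcpwrapped
2000/tcp open callbook?
2001/tcp open dc?
2002/tcp open globe?
Service Info: OS: Windows
"""

# Constructed from the default-options scan of 192.168.1.103 above.
TCP_SCAN_LINUX = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 1.2.1
22/tcp open ssh OpenSSH 3.6.1p2 (protocol 1.99)
80/tcp open http Apache httpd 2.0.46 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident authd
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)
"""

# Constructed from the UDP scan above.
UDP_SCAN = """\
Port State Service
67/udp open|filtered dhcpserver
69/udp open|filtered tftp
111/udp open|filtered rpcbind
123/udp open|filtered ntp
784/udp open|filtered unknown
5060/udp open|filtered sip
32768/udp open|filtered omad
"""


def parse_nmap_ports(text: str) -> List[dict]:
    """Return the port rows of one Nmap host block as dicts; skip other lines."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, 'Interesting ports on', MAC line, etc.
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version or ""})
    return rows


def voip_indicators(rows: List[dict]) -> List[Tuple[int, str, str, str]]:
    """VoIP-relevant rows that are not closed: (port, proto, state, label)."""
    hits = []
    for r in rows:
        label = VOIP_PORTS.get((r["port"], r["proto"]))
        if label and r["state"] != "closed":
            hits.append((r["port"], r["proto"], r["state"], label))
    return hits


def summarize(text: str) -> Dict[str, List[str]]:
    """Split hits into confirmed (state open) and unconfirmed (open|filtered)."""
    out: Dict[str, List[str]] = {"confirmed": [], "unconfirmed": []}
    for port, proto, state, label in voip_indicators(parse_nmap_ports(text)):
        key = "confirmed" if state == "open" else "unconfirmed"
        out[key].append(f"{port}/{proto} {label}")
    return out


if __name__ == "__main__":
    for name, text in [("TCP (Windows host)", TCP_SCAN_CALLMANAGER),
                       ("TCP (Linux host)", TCP_SCAN_LINUX),
                       ("UDP", UDP_SCAN)]:
        print(name, summarize(text))
```

Entries under "unconfirmed" are only candidates: an open|filtered result on 5060/udp still has to be confirmed with an application-level probe before it is treated as a SIP device.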



Host/Device Identification

Classifies discovered hosts and devices by operating system and firmware type

• Stack Fingerprinting:

• A technique for further identifying the innards of a target host or device

Method to identify the host/device:

Once the TCP and UDP ports have been listed on a range of targets, the next step is to further classify the devices and hosts by operating system and firmware type, for example Windows, Cisco IOS, Linux, and so on.

Stack Fingerprinting

Stack fingerprinting is an effective method for further identifying the innards of a target host or device. It relies on the unique quirks that most OSs and firmware exhibit when responding to

(The 1670 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

443/tcp open https

MAC Address: 00:04:13:24:23:8D (Snom Technology AG)

Device type: general purpose

Running: Linux 2.4.X|2.5.X

OS details: Linux 2.4.0 - 2.5.20

Uptime 0.264 days (since Sun Feb 19 18:43:56 2006)

Interesting ports on 192.168.1.22:

(The 1671 ports scanned but not shown below are in state: filtered)

Port State Service


23/tcp open telnet

MAC Address: 00:0F:34:11:80:45 (Cisco Systems)

Device type: VoIP phone

Running: Cisco embedded

OS details: Cisco IP phone (POS3-04-3-00, PC030301)

Interesting ports on 192.168.1.23:

(The 1671 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

MAC Address: 00:15:62:86:BA:3E (Cisco Systems)

Device type: VoIP phone|VoIP adapter

Running: Cisco embedded

OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter

Interesting ports on 192.168.1.24:

(The 1671 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)

Device type: VoIP adapter

Running: Sipura embedded

OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway

Interesting ports on 192.168.1.25:

(The 1670 ports scanned but not shown below are in state: filtered)

Port State Service


(The 1670 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

5060/tcp open sip

MAC Address: 00:04:F2:03:15:46 (Polycom)

Device type: X terminal|load balancer

Running: Neoware NetOS, HP embedded, Cisco embedded

OS details: Cisco 11151/Arrowpoint 150 load balancer, Neoware (was HDS) NetOS V 2.0.1 or HP Entria C3230A

Interesting ports on 192.168.1.51:

(The 1670 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

443/tcp open https

MAC Address: 00:04:13:23:34:95 (Snom Technology AG)

Device type: general purpose

Running: Linux 2.4.X|2.5.X

OS details: Linux 2.4.0 - 2.5.20

Uptime 0.265 days (since Sun Feb 19 18:43:55 2006)

Interesting ports on 192.168.1.52:


(The 1671 ports scanned but not shown below are in state: filtered)

Port State Service

23/tcp open telnet

MAC Address: 00:15:62:EA:69:E8 (Cisco Systems)

Device type: VoIP phone

Running: Cisco embedded

OS details: Cisco IP phone (POS3-04-3-00, PC030301)

All 1672 scanned ports on 192.168.1.53 are: closed

MAC Address: 00:04:0D:50:40:B0

Too many fingerprints match this host to give specific OS details

Interesting ports on 192.168.1.54:

(The 1671 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

MAC Address: 00:0E:08:DA:24:AE (Sipura Technology)

Device type: VoIP adapter

Running: Sipura embedded

OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway

All 1672 scanned ports on 192.168.1.55 are: closed

MAC Address: 00:E0:11:03:03:97 (Uniden SAN Diego R&D Center)

Aggressive OS guesses: NetJet Version 3.0 - 4.0 Printer (94%), Cray UNICOS/mk 8.6 (93%), Intel NetportExpress XL Print Server (93%), Kyocera IB-21 Printer NIC (93%), Kyocera Printer (network module IB-21E 1.3.x) (93%), OkiData 20nx printer with OkiLAN ethernet module (93%), Okidata 7200 Printer (93%), Okidata OKI C5100 Laser Printer (93%), Okidata OKI C7200 Printer (93%), Zebra Technologies TLP2844-Z printer (93%)

No exact OS matches for host (test conditions non-ideal)

Interesting ports on 192.168.1.56:

(The 1669 ports scanned but not shown below are in state: closed)

Port State Service
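Two of the results above make the same point: a 5060/udp port reported as open|filtered says nothing about what device is behind it, and stack fingerprinting of embedded VoIP gear is unreliable (the Polycom host is guessed to be a load balancer or X terminal, the Uniden host matches a list of printers). The application-layer check a practitioner reaches for next is a SIP OPTIONS request, which most SIP user agents answer, often with their product name in a Server: or User-Agent: header, even when they refuse the method. The code below is an added example and is not from the module or from any of the products named on this page; the source address 192.168.1.5 is assumed, the sample reply is constructed rather than captured, and probe() does real network I/O and is not exercised offline.

```python
"""Active SIP fingerprinting with an OPTIONS request (added example).

Not from the CEH module.  Builds an RFC 3261 OPTIONS request, parses the
response and reports the most specific identity the headers give.  The
source IP 192.168.1.5 is an assumption; SAMPLE_REPLY is constructed.
"""
import random
import socket
import string
from typing import Dict, Optional


def _token(n: int = 12) -> str:
    """Random token for the branch, tag and Call-ID values."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def build_options(target: str, src_ip: str, src_port: int = 5060) -> bytes:
    """Minimal OPTIONS request; CRLF line endings and a blank line at the end."""
    lines = [
        f"OPTIONS sip:{target} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_ip}:{src_port};branch=z9hG4bK{_token()};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{src_ip}>;tag={_token(8)}",
        f"To: <sip:{target}>",
        f"Call-ID: {_token(16)}@{src_ip}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{src_ip}:{src_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Status line plus the headers that identify the stack; None if not SIP."""
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        return None
    info = {"status": parts[1], "reason": parts[2] if len(parts) > 2 else ""}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "user-agent", "allow", "supported"):
            info[name.strip().lower()] = value.strip()
    return info


def fingerprint(info: Optional[Dict[str, str]]) -> str:
    """Best-effort device identity: banner header first, method set as fallback."""
    if info is None:
        return "not SIP"
    banner = info.get("user-agent") or info.get("server")
    if banner:
        return banner
    # No banner at all: the advertised method set still narrows the vendor.
    return "unknown SIP stack (Allow: %s)" % info.get("allow", "?")


def probe(target: str, src_ip: str, port: int = 5060,
          timeout: float = 2.0) -> Optional[Dict[str, str]]:
    """Send OPTIONS to target:port over UDP; None on timeout (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options(target, src_ip), (target, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed reply in the shape a SIP phone returns (not a real capture).
SAMPLE_REPLY = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.5:5060;branch=z9hG4bKabc;rport=5060\r\n"
    b"From: <sip:probe@192.168.1.5>;tag=xyz\r\n"
    b"To: <sip:192.168.1.50>;tag=1234\r\n"
    b"Call-ID: deadbeef@192.168.1.5\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: ExamplePhone/1.0 (constructed)\r\n"
    b"Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REFER, SUBSCRIBE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(fingerprint(parse_response(SAMPLE_REPLY)))
```

A 4xx or 5xx reply is as useful as a 200 for this purpose, so the parser keeps the headers regardless of status. A stack that answers with nothing but an Allow: list still narrows the candidates, because vendors differ in which methods they advertise. Nmap's own sip-methods NSE script performs the same OPTIONS exchange.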

Posted: 26/12/2013, 20:59