VoIP is a critical real-time service with many complex moving parts. Without the proper precautions, VoIP protocols and systems can become vectors for misuse or attack—affecting not only voice services but your entire IP network. In the ‘prequel’ to this investigation, we discussed common vulnerabilities that can impact SIP-based VoIP installations. Here, we take you on a guided tour of freely available VoIP vulnerability test tools.
Forewarned is forearmed
Vulnerability assessment is the process of finding and fixing your own weaknesses before hackers get a chance to exploit them. When it comes to VoIP, this involves locating and scrutinizing all of your VoIP handsets, softphones, call managers, signaling servers, and media servers for implementation flaws, missing patches, and configuration mistakes.
Figure 1.
Why conduct a VoIP vulnerability assessment? To reduce your exposure to VoIP security threats, including network/service break-ins, voice service disruption, caller impersonation, eavesdropping, and toll fraud. For example, unencrypted signaling protocols and weak passwords leave you vulnerable to spoofed SIP signaling messages that can be used to place fraudulent calls, break into voice mailboxes, or tear down calls in progress.
Finding those weak passwords and observing the impact of spoofed SIP signaling messages is a good start. However, a vulnerability assessment does not by itself eliminate those VoIP threats—it provides the empirical data needed to evaluate risk and determine potential courses of action. In fact, conducting a vulnerability assessment involves using many of the same tools that attackers might otherwise use against you.
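As an added illustration (not from the original article or any of the tools it lists), the following Python script audits captured SIP requests for the unencrypted signaling described above. The sample capture, host names and the `parse_requests` and `audit` functions are constructed for this example, and it assumes header-only requests separated by blank lines.

```python
import re

# Constructed sample capture (hosts and branches are made up); bodies stripped.
SAMPLE_CAPTURE = """\
INVITE sip:bob@pbx.example.test SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1
CSeq: 1 INVITE

BYE sip:bob@pbx.example.test SIP/2.0
Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-2
CSeq: 2 BYE

REGISTER sip:pbx.example.test SIP/2.0
Via: SIP/2.0/TLS 192.0.2.20:5061;branch=z9hG4bK-3
CSeq: 3 REGISTER

REGISTER sips:pbx.example.test SIP/2.0
Via: SIP/2.0/TLS 192.0.2.20:5061;branch=z9hG4bK-4
CSeq: 4 REGISTER
"""

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?):\S+ SIP/2\.0$")
VIA_LINE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.IGNORECASE)

def parse_requests(capture):
    """Yield (method, uri_scheme, top_via_transport) for each SIP request."""
    for block in re.split(r"\r?\n\r?\n", capture.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0].strip())
        if not m:
            continue  # responses and non-SIP text are skipped
        transport = None
        for line in lines[1:]:
            v = VIA_LINE.match(line.strip())
            if v:
                transport = v.group(1).upper()
                break  # the topmost Via describes the hop that was captured
        yield m.group(1), m.group(2), transport

def audit(capture):
    """Return (method, transport, reason) for requests lacking TLS protection."""
    findings = []
    for method, scheme, transport in parse_requests(capture):
        if transport != "TLS":  # UDP, TCP or a missing Via: readable and spoofable
            findings.append((method, transport, "cleartext"))
        elif scheme != "sips":  # a sip: URI does not require TLS on later hops
            findings.append((method, transport, "tls-this-hop-only"))
    return findings
```

Each finding points at a signaling path to move to TLS with `sips:` URIs; an empty list means every captured request was protected on the observed hop.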
Building a toolbox
Dozens of open-source and shareware tools have been developed to capture, manipulate, replay, and generate SIP and RTP messages. Before attempting to conduct your own VoIP vulnerability assessment, you might want to browse the VOIPSA Security Tools list, the Hacking VoIP Exposed Security Tools list, or the iSEC Partners VOIP Security Tools list, following links to download software and create your own VoIP security toolbox.
Of course, it’s always faster to start by downloading an existing toolbox that someone else has compiled. For example, check out the SecureLogix VoIP Assessment Tools archive (above, right)—a zip file containing source code for dozens of tools developed by Mark O’Brien and Mark Collier, authors of Hacking Exposed: VoIP (ISBN: 0072263644). Or download and burn a LiveCD of a general-purpose penetration test toolkit like BackTrack3—a bootable Linux environment that includes roughly 30 VoIP and Telephony analysis tools (below, left).
Starting with an open-source toolbox is a good way to learn about VoIP security tools, what they can and can’t do, and how to run them. Over time, you will probably add to that ‘starter’ toolbox, creating a custom portfolio of tools that reflects your personal preferences and finds all vulnerabilities of importance to your VoIP deployment. To give you a head start, let’s illustrate a few common SIP and RTP security test tools and discuss how you might use them for vulnerability assessment.