
Sandro Gauci, Enable Security

BruCON Training: A crashcourse in pentesting VOIP networks (update)

Published on Aug 30, 2010

We just updated the outline of the 2-day crashcourse on the main BruCON training website! In the coming days I’ll be highlighting the modules to explain what each consists of. Training registration is from this page, and for any questions get in contact with Sn0rky or myself.

This is what it looks like:

Module 1: Introduction to VoIP technology, security threats and solutions

  1. Introduce the protocols
  2. Mitigation technologies
  3. How confidentiality / integrity / availability applies to VoIP
    1. fraud
    2. spying on phone calls
    3. modification of phone data
    4. denial of service

Module 2: Attacking signaling protocols

  1. SIP
    1. introduction to the protocol
    2. scanning for SIP
    3. attacking SIP
    4. exercises include:
      1. sniffing SIP
      2. scanning SIP
      3. SIP extension enumeration and online password cracking
      4. Avoiding toll / fraudulent calls
      5. INVITE floods
      6. Fuzzing SIP
      7. Using John the ripper to crack SIP passwords
  2. IAX2
    1. introduction to the protocol
    2. scanning for IAX2
    3. attacks on IAX2
    4. exercises include:
      1. online and offline password cracking
      2. scanning IAX2
  3. SCCP
    1. introduction to the protocol
    2. scanning for Cisco PBX / SCCP
    3. Attacks on SCCP
    4. exercises include:
      1. MiTM attacks using SCCP proxy
      2. Capture FAC code
      3. Callmanager hijack
  4. MGCP
    1. introduction to the protocol
    2. scanning for MGCP
    3. attacks on MGCP
    4. exercises include:
      1. Call fraud
      2. DoS on MGCP
      3. RTP redirection
  5. H.323
    1. introduction to the protocol
      1. H.225
      2. H.245
    2. scanning for H.323
    3. attacks on H.323
      1. Frames Injection
      2. DoS on H323

Module 3: Attacking the media

  1. Wiretapping
    1. Understanding the basics, ARP poisoning and other MiTM attacks
    2. exercises include using various tools, including Wireshark, for tapping VoIP calls
  2. RTP stream modification
    1. how it works
  3. Covert channels
    1. how it works, concepts and reality

Module 4: Attacking Unified Communications

  1. Trixbox / Elastix vulnerabilities
    1. default passwords are common
    2. TFTP abuse
    3. Spying on phone calls using your phone
    4. Privilege escalation
    5. Exercises include:
      1. spying on phone calls
      2. abusing Trixbox features
      3. exploitation of weak permissions
  2. Asterisk
    1. Dialplan injection
    2. Setting up a backdoor
  3. Hardware information gathering
    1. physical bridging
    2. passive ethernet tap
    3. bypassing lock / restrictions on the phone
    4. exercises include:
      1. hardware for tapping
      2. hardware phone abuse
  4. Cisco Unified Communications vulnerabilities
    1. Extension mobility abuse
    2. Webdialer
    3. CCMuser SQL injection
    4. Billing system
    5. Jailbreaking CUCM
    6. Exercises include:
      1. Jailbreaking CUCM
      2. Webdialer abuse

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.