ECE4112 Internetwork SecurityLab: VoIP Vulnerabilities

Group Number: _________Member Names: ______________________ _______________________

Date Assigned: Date Due: Last Edited: Last Authored By: Patrick Hamilton and James Michaels

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: The goal of this lab is to introduce you to the functionalities of VoIP and VoIP exploitation tools. You will discover VoIP vulnerabilities and learn methods to harden a network against these exploits.

Summary: You will initialize a VoIP call using SJPhone under two different signaling protocols (SIP and H.323) in order to obtain a diverse understanding of VoIP’s general functionalities. Using Wireshark (Ethereal) to sniff the network traffic, you will gather information about the data packets distributed by the VoIP call. You will then conduct a man-in-the-middle attack to audibly eavesdrop on the VoIP call by using Cain & Abel. You will conclude by analyzing methods of network hardening for VoIP calls.

Equipment Needed:

Red Hat 4.0 WS physical machineRed Hat 4.0 WS physical machine (TA setup)Windows XP Pro virtual machine

Prelab Questions: None

Lab Scenario: This lab is broken up into five sections; the first section provides general background information, the second section is comprised of setting up the lab components, the third section consist of establishing the VoIP call and network sniffing, the fourth section incorporates Cain & Abel to exploit the VoIP call, and the fifth section encompasses the hardening of the network against VoIP attacks.

Section 1: VoIP (Voice over Internet Protocol)

1.1 IntroductionVoIP (voice over IP - that is, voice delivered using the Internet Protocol) is a term used in

IP telephony for a set of facilities for managing the delivery of voice information using the Internet Protocol (IP). Voice over IP uses Internet Protocol (IP) to carry voice as packets over a packet-switched data network. Voice information is then sent in digital form in discrete packets rather than in the traditional circuit-switched protocols of the public switched telephone network (PSTN). A major advantage of VoIP and Internet telephony is that it increases operating efficiency, avoiding expensive communication costs and reducing unnecessary expenses that occur with ordinary telephone service.

1.2 VoIP SecurityVoIP uses the Internet for phone service, bypassing expensive long-distance

communication providers, which results in significant savings. However, as with most technology advancements, if not set up and deployed correctly, a VoIP solution can expose an organization to security breaches (Figure 1). For instance, when VOIP is used externally, gateway technologies convert data packets from the IP network into voice before sending them over a public switched telephone network. When VOIP is used internally, the gateways basically route packetized voice data between the source and the destination. A potential issue is that VOIP gateways can be hacked into by malicious attackers in order to make free telephone calls. In addition, attackers can infiltrate phone conversations and steal confidential data in the same way they would hack an IT system. Spammers can also use denial of service attacks to render the phone system useless. To deploy a VoIP solution, one needs to assure that the solution is safe, secure and protected from outside threats.

Below is a list of typical attacks that a VoIP system might face.

Toll Fraud: The IP version of the classic attack by a person pretending to be an employee or Console Cracking (asking the operator for an outside trunk) to make long distance calls. However, the attacker impersonates a valid user and IP address by plugging in their phone or spoofing the MAC Ethernet address.

Eavesdropping: The attacker sniffs (taps into the LAN wireline or WiFi connection) to intercept voice messages. Available tools such as VOMIT-Voice Over Misconfigured Internet Telephony allow performing this function.

Call Hijacking: Attacker spoofs a SIP Response redirecting the caller to a rogue SIP address and intercepts the call.

Resource Exhaustion: Also Known As DOS [Denial Of Service] attack. This attack reduces the number of available IP addresses, bandwidth, processor memory, and other router/server functions.

Message Integrity: MIM [Man-In-the-Middle] attack to intercept, alter, or redirect call.

Message Type Attacks: Attacker bombards (repetitive) SIP server with BYE or CANCEL messages or ICMP [Internet Message Control Protocol] "port unreachable" messages.

One possible solution to these attacks is encryption. By encrypting data with complex algorithms and encapsulating VoIP packets in a protocol such as IPSEC, the integrity of both end-users’ data can be guaranteed. An example of secure VoIP is Skype.

Skype uses AES (Advanced Encryption Standard) – also known as Rijndael – which is also used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

1.3 VoIP Session Initiation Routine

In VoIP, communication is established through a protocol called SIP. SIP (session initiation protocol), the protocol for VoIP is an application-layer control protocol for creating, modifying, and terminating sessions with one or more participants. When a user agent (UAC), a client wants to initiate a session with another user (UA), it sends an INVITE request to the SIP proxies sever, asking for a session creation. This server then forwards the request to the SIP proxy server (UAS) of the desired user agent. The UAS will in turn send an INVITE request to the user to determine if he wants to accept the invitation. If the callee accepts the invitation, it sends an ACK. The caller sends an ACK to indicate that the handshake is done and session is to be established. The SIP user agent – a combination of the UAC and the UAS – can also allow peer-to-peer calls to be made using a client-server protocol.

VoIP Session Initiation Routine.

Section 2: VoIP Lab Set-Up

2.1 Lab SetupThere is a computer already setup with the speakers and software needed for this lab.

You will need to download SJPhone on your hard drive to be able to establish a VoIP phone call. You will need to get the microphone from a TA to plug into the computer using your HD. The VoIP testbed is diagramed below:

2.2 Installing SJPhone

1. From the NAS copy SJphoneLnx-299a.tar.gz to /home/ on your main WS4 machine using:#cp SJphoneLnx-299a.tar.gz /home/

2. Extract the tarball:#tar xvfz SJphoneLnx-299a.tar.gz

3. Cd into directory:#cd SJphoneLnx-299a

4. Now let’s test the tool:#./sjphone

This will launch SJPhone and a GUI will pop up.

5. Close the application.

2.3 Installing Cain & Abel

1. From the NAS copy cain_and_abel_setup.exe to your virtual Windows desktop.2. Double click the icon and following installation instructions.3. When asked to install WinPCap, select INSTALL and continue with default options.4. To ensure proper installation click the icon, this will launch Cain & Abel and a GUI will pop up.

5. Close the application.

Section 3: VoIP Call and Network Sniffing

3.1 SJPhone

SJPhone is a free SIP and H.323 signaling protocol user agent for VoIP calls. It can be used in Linux, Windows, and OSX. The tool can be downloaded from:

http://www.SJLabs.com

The description from the website says:

“SJPhone® is a VOIP softphone that allows you to speak with any other softphone running on a PC/PDA, any stand-alone IP-phone, or using Internet Telephony Service Provider (ITSP) with any traditional wired or mobile phone. It supports both SIP and H.323 standards and is fully inter-operable with most major VOIP vendors and ITSPs.”

3.1 SJPhone Call Establishment

SJPhone will be configured to work as a P2P (peer-to-peer) VoIP service. This means that there will be no intermediary server that authenticate the user and tell each other IP address to accomplish the connection. Therefore previous knowledge of each other IP address is needed.

To accomplish this, the first step is to open SJPhone in your RedHat WS4 machine.1. Open SJPhone in your RedHat WS4 machine:# ./sjphone

2. Enter the TA RedHat WS4 machine’s IP address into the call to hit dial.

Screenshot 1: SJPhone receiving phone call on the TA RedHat WS4 machine.

3. On the TA RedHat WS4 machine click the accept button and test the connection by speaking into the provided microphone.

Have your TA check you of for the VoIP conversation accomplished.

TA CHECKOFF: ______________________ DATE:___________

3.2 Sniffing VoIP Call Packets

VomitVomit, just in case you were wondering, stands for Voice Over Misconfigured Internet

Telephones. Vomit converts a captured package into a wave file. The utility can be downloaded at:

http://vomit.xtdnet.nl/

The description from the web site says:

“The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. Vomit is not a VoIP sniffer also it could be but the naming is probably related to H.323.”

On the TA WS4 machine (57.35.6.xxx), open VMWare and start the Red Hat WS 4 virtual machine. When this starts, open ethereal and begin capturing packets in promiscuous mode on eth0.

Establish a VoIP connection again just like you did before. Have a (one-way) conversation and then hang-up.

Now, back on the virtual machine, stop capturing packets and save it to your home directory (/root) in a file named <group-#>.dump

Get a screen shot of Ethereal displaying the connection Invite and ACK.

Screenshot 2: Ethereal displaying SIP Invite and Ack.

On the virtual Windows machine (57.35.6.x), open a shell and cd in to the directory where vomit is located:

#cd /root/vomit/vomit-0.2c/

Now run vomit with the following command:#vomit –r /root/<group-#>.dump |/root/waveplay-20010924/waveplay –S8000 –B16 –C1

Listen to the output.

Question 1: Was vomit and waveplay able to playback the file?Question 2: How is the quality of the playback compared to that of the actual conversation?

Section 4: VoIP Call Exploitation

4.1 Cain & Abel for VoIP Call Eavesdropping

Cain & Abel is a very powerful tool with varies exploiting capabilities. It is currently only supported on Windows operating systems. The utility can be downloaded at:

http://www.oxid.it/cain.html

The description from the web site says:

“Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.”

You will be using Cain & Abel to eavesdrop on the VoIP conversation. Establish a VoIP connection again just like you did before. On the virtual Windows machine start Cain & Abel and click on the Sniffer tab. On Cain & Abel’s toolbar click the “Start/Stop Sniffer” button (it is to the right of the folder button). Begin having a one-way conversation and take a screenshot of the Cain & Abel recording the VoIP call, then hang up.

Screenshot 3: Cain & Abel recording the VoIP conversation.

Question 3: What information did Cain & Abel find about the VoIP connection?

Question 4: What codec did Cain & Abel report the VoIP connection was using?

Now right click on Cain & Abel’s recording, and select the play option.

Question 5: Is sound quality better than the earlier Vomit recording?

4.2 SIP vs. H.323

Session Initiation Protocol (SIP) is a standard introduced by the Internet Engineering Task Force in 1999 to carry voice over IP. Since it was created by the IETF, it approaches voice and multimedia from the Internet, or IP, perspective. H.323 emerged around 1996, and as an International Telecommunication Union standard was designed from a telecommunications perspective. Both standards have the same objective - to enable voice and multimedia convergence with IP protocols.

As the older standard, H.323 has been embraced by many of the early VoIP players, so it has the advantage of being implemented first. SIP more easily allows applications to be developed because of its origins and has been gaining in popularity, especially in North America and with new entrants into the VoIP market.

Many vendors argue which standard brings a higher level of security. H.323 defines security mechanisms and negotiation facilities via H.235(including SRTP, TLS, and IPSec) and can also use SSL for transport-layer security. SIP’s security is via HTTP (Digest and Basic), SSL, PGP, S/MIME, or various other means.

Question 6: Compare H.323. vs. SIP in terms of call set-up, codecs, multi-cast signaling, and reliability?

4.3 H.323

To test H.323 security vs. SIP you perform an attack similar to before this time using H.323 instead of SIP. On the SJPhone interface click on “Preferences” and then click on the “Profiles” tab. Select H.323 and click “Use.”

Perform this task on both RedHat WS4 machines and then initiate a call.

On the virtual Windows machine start Cain & Abel and click on the Sniffer tab. On Cain & Abel’s toolbar click the “Start/Stop Sniffer” button (it is to the right of the folder button). Begin having a one-way conversation and then hang up.

Question 7: Was Cain & Abel able to eavesdrop on the VoIP call with H.323?

Now right click on Cain & Abel’s recording, and select the play option.

Question 8: When you played the wave file was it blank or did it play back the recorded call? Was the call quality better, worst, or the same as the SIP recording(if it was blank then the quality is obviously worst)?

Section 5: Network Hardening for VoIP

5.1 VoIP Security Hardening

VoIP security doesn't just happen. A VoIP network is susceptible to the usual attacks that plague all data networks: viruses, spam, phishing, intrusions, mismanaged identities, Denial of Service (DoS) attacks, lost and stolen data, voice injections, data sniffing, hijacked calls, toll fraud, eavesdropping, and on and on. You need careful planning to create a system that is both safe and reliable. VoipLowDown.com provided the following 25 methods an administrator can

use to harden a VoIP network:

1. Restrict all VoIP data to one Virtual Local Area Network (VLAN): Cisco recommends separate VLANs for voice and data; this helps prioritize voice over data and also keeps traffic on the voice network hidden from those connected to the data network. VLANs are also useful in protecting against toll fraud, DoS attacks, and eavesdroppers listening in and taking over conversations. A VLAN is an effective closed circle of computers that does not allow any other computer access to its facilities; with the lack of a PC to launch attacks, your VoIP network is quite safe. Even in the case of an attack, the disruption caused is a minimum.2. Monitor and track traffic patterns on your VoIP network: Monitoring tools and intrusion detection systems can help identify attempts to break into your VoIP network. Scrutinizing your VoIP logs can bring to light irregularities such as international calls made at odd hours or to countries your organization has no ties with (toll fraud), multiple log-on attempts like in a brute-force attempt to crack a password, or a surge in voice traffic during off-peak hours (voice spam).3. Lock down your VoIP servers: Servers should be secured physically against both internal and external intruders who can intercept data using sniffing techniques, either within the LAN or at the ISP when data travels over the Internet. Since VoIP phones have fixed IP and MAC addresses, it’s easier for attackers to try to worm their way in. Which is why Gary Miliefsky, founder and CTO of NetClarity, recommends locking down IP and MAC addresses that allow access to the administrative interfaces of VoIP systems, and putting up another firewall in front of the SIP gateway. This will restrict incoming access to IT administrators and prevent hackers from getting in.4. Use multiple layers of encryption: It’s not enough to just encrypt the data packets that are sent out, you have to encrypt call signaling too. Encrypting voice packets prevents voice injections where interceptors can insert their own words into the conversation, giving it a whole new meaning. Steve Mank, CEO of Qovia, cites two common methods of encryption - the Secure Real Time Protocol (SRTP) which encrypts communication between endpoints, and Transport Level Security (TLS) which encrypts the whole call process. Encryption of voice traffic should be supported by providing strong protection at gateways, networks and hosts.5. Build redundancy into VoIP networks: Be prepared for the day DoS attacks or viruses threaten to bring your network crashing down – create a network that tolerates failures by setting up multiple nodes, gateways, servers, power sources, and call routers, and hooking up with more than one provider. Don’t stop with just putting the infrastructure in place; run frequent trials to ensure that they are working well and are ready to take over when the primary network fails.6. Put your equipment behind firewalls: Create separate firewalls so that traffic crossing VLAN boundaries is restricted only to applicable protocols. This will prevent the spread of viruses and Trojans to servers in case clients are infected. The maintenance of security policies also becomes simpler when each firewall is considered separately. Choose networking and security vendors who support both the Session Initiation Protocol (SIP) and the International Telecommunication Union’s H.323 protocol. Firewall configurations have to be created so that the appropriate ports open and close when necessary.7. Update patches regularly: The security of a VoIP network depends on both the underlying operating system and the applications that run on it. Maintaining patch currency for both the OS and VoIP applications is imperative in protecting against threats from malware8. Keep your network away from the Internet: The University of Houston is a pioneer in this security approach – the institution has put its call manager and network out of direct access from

the Internet; its IP PBXs are in a domain separate from its other servers and access is restricted.9. Minimize the use of softphones: VoIP softphones are prone to hacker attacks, even when they are behind corporate firewalls, because they are used with an ordinary PC, VoIP software, and a pair of headphones. Also, softphones do not separate voice and data, and are vulnerable to the viruses and worms that normally infect a PC.10. Perform security audits on a regular basis: Running checks on administrative and user sessions and service activities can help bring irregularities to light. Phishing attempts can be thwarted, spam can be filtered out so it doesn’t clog the network, and intruder attacks can be stopped.11. Evaluate physical security: Make sure that only devices and users who are authenticated and pre-approved gain access to your network by limiting access to the Ethernet ports. Administrators are often fooled into accepting softphone devices that are not permitted on the network because hackers can easily imitate IP and MAC addresses by plugging into an RJ44 port.12. Use vendors who provide digital security certificates: When IP phone vendors provide digital certificates to authenticate devices, users can ensure that the conversation is secure and is not being broadcast to other devices. The phones load digitally signed images to ensure that the software loaded is authentic. Verisign has been a pioneer in providing authentication certificates for wireless IP phones, in an effort to prevent “tapping” (illegal eavesdropping) and “spoofing” (illegal tampering) of conversations.13. Secure your gateways: Configure gateways so that only those who are allowed access can make and receive VoIP calls. Lists with authenticated and approved users can ensure that others are prevented from using the lines to make free calls. Protect gateways and the LANs behind them with a combination of an SPI firewall, application layer gateways (ALG), network address translation (NAT) tools, and SIP support for VoIP soft clients.14. Manage servers separately: VoIP call servers are often the targets for attackers because they are the heart of any VoIP network. Critical weaknesses inherent in the server include its operating system, and the services and applications it supports. To minimize the chance that hackers get at your VoIP servers, manage traffic to them separately from VoIP signaling and call traffic.15. Sort SIP traffic: Looking through your SIP traffic and checking for abnormal packets and traffic patterns that are different from the usual will help in cutting short sessions that are not genuine. Anomalies in the syntax and semantics of SIP and events that are irregular and out-of-sequence indicate that attacks are taking or likely to take place.16. Examine call setup requests at the application layer: VoIP calls are susceptible to hijacking by outsiders who gain access to the network. Set up appropriate security policies so that only those call setup requests that conform to them are accepted.17. Isolate voice traffic: For external communications, rely on a Virtual Private Network (VPN). Separate your voice and data traffic to prevent unwanted ears from listening in on your conversation. According to Kevin Flynn, senior manager of unified communications for Cisco, the biggest problem for organizations is “bad stuff from the data network getting on to the voice network.” He recommends blocking PC port access to the voice VLAN.18. Use proxy servers: Protect your network even beyond firewalls by using proxy servers to process data that comes in and goes out. Authentication and integrity are ensured when signaling messages travel between user agents and SIP proxies by integrating SSL tunnels with SIP proxies.

19. Run only applications that are necessary to provide and maintain VoIP services: The very fact that VoIP applications use data that is encrypted could lead to them being used to launch DoS attacks. Attackers can hide behind the cloak of encryption to avoid their activities from being monitored.20. Configure applications against misuse: Prevent your network from being used to perpetrate toll fraud, phishing scams, and illegal calls by preparing a list of permitted caller destinations.21. Add endpoint security layers: Use network admission techniques and IEEE 802.1X port-based network access controls to keep out devices that are not authorized on your LAN or WLAN. Network Access Control (NAC) applications are available from Cisco - Network Admission Control (NAC), Microsoft - Network Access Protection (NAP), and TCG - Trusted Network Connect (TNC).22. Restrict access according to certain criteria: VoIP network administrators can set up strict admission criteria to prevent access to devices that are potentially unsafe – when they are found to be infected with viruses or worms, when they do not have the latest patches, or when they do not have the right firewalls. These devices can be redirected to a disparate network that makes them compliant and then lets them onto the main network.23. Avoid remote management: If possible, it is better to stay away from remote management and audits; but when necessary, use Secure Shell (SSH) or IPsec (IP Security) for the purpose. Access your IP PBX from a system that’s physically secure.24. Use IPsec tunneling rather than IPsec transport: Tunneling and transport are two different encryption modes that support secure exchange of packets at the IP layer. The use of IPsec transport encrypts only the data while hiding the source and destination IP addresses. This prevents administrators from finding out who initiated the call when they analyze traffic.25. Secure your VoIP platform: VoIP platforms that support the clients are built on operating systems that should be “hardened” to protect the integrity of the networks that run on it and keep out cyber attacks. Disable services that are not absolutely necessary and use host-based methods to detect intrusion.

Question 9: What is the biggest problem for organizations that have voice and data on the same network? What is one way to address this issue?

ECE4112 Internetwork Security

Lab #: VoIP Vulnerabilities

Group Number: _________

Member Names: ___________________ _______________________

Answer Sheet

Section 3:

Screenshot 1: SJPhone receiving phone call on the TA RedHat WS4 machine.

TA CHECKOFF: ______________________ DATE:___________

Screenshot 2: Ethereal displaying SIP Invite and Ack.

Question 3: Was vomit and waveplay able to playback the file?

Question 4: How is the quality of the playback compared to that of the actual conversation?

Section 4:

Screenshot 3: Cain & Abel recording the VoIP conversation.

Question 3: What information did Cain & Abel find about the VoIP connection?

Question 4: What codec did Cain & Abel report the VoIP connection was using?

Question 5: Is sound quality better than the earlier Vomit recording?

Question 6: Compare H.323. vs. SIP in terms of call set-up, codecs, multi-cast signaling, and reliability?

Question 7: Was Cain & Abel able to eavesdrop on the VoIP call with H.323?

Question 8: When you played the wave file was it blank or did it play back the recorded call? Was the call quality better, worst, or the same as the SIP recording (if it was blank then the quality is obviously worst)?

Section 5:

Question 9: What is the biggest problem for organizations that have voice and data on the same network? What is one way to address this issue?

Turn-in checklistYou need to turn in:

Answer sheet. 3 screenshots Any corrections or additions to the lab.

General Questions

How long did it take you to complete this lab? Was it an appropriate length lab?

What corrections and/or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like add tool xyz to do more capable scanning will not be awarded extras points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if tool xyz adds a capability or additional or better learning experience for future students here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the form “laboratory Additions Cover Sheet”.