Overlooked VOIP Security Features

I am wanker when it comes to VOIP. I am not a huge VOIP fan. Nope. Not much at all. When I was growing up, phracking never really appealed to me. I remember tripping my first 5ESS and not thinking "that’s cool" but "so what". Kinda weird because VOIP possesses all the elements I like in engineering design. It has many parts, separate protocols, programming elements, high end user satisfaction, massive extensibility and lots and lots of tweakable elements. All a plus in the Jimmy Ray book of fun stuff to do on a weekend. But to me all I see is a large target to hack and embarrass right off on my data network. I am a wanker, Local 214. Voice is a great career path, most likely one of the absolute best for now. Although, I believe the real money/opportunity is going to be in Data Center. As a matter of fact with many of the resellers I meet with weekly they tell me they can not hire enough voice certified specialist. They are begging and trying to steal them for others all the time. So as a career path, Voice is top shelf. I know that and I hear that and I understand that, but while I study for my final CCVP exam my mind is drifting to the astral planes of double vlan tag hopping, eavesdropping and toll jacking. Toll jacking. Hmmm...(pinky finger to corner of mouth) seems like to me that is a fairly reasonable vector into a voice network. Taking human behavior into account here, I am going to assume (dangerous, I know) that many VOIP networks are config’ed by data folks interested in Voice and not the other way around. Some of the old school phracky-phrack stuff could come in handy here. This could mean I have a vector into the network to make free phone calls...If I would have only had this when Sanjaya was on Idol... So I grabbed my Blue Box and with permission (Note to Cisco Legal), I tested five VOIP networks and I was able to dial out get free calls through three networks! Here is how I did it: Hack 00x01: Cleaning Crew Phone Perk Hey let’s face it, I am 44, kinda fat and kinda fat. Climbing over fences, thru windows or suspension cables from a ceiling are long out of the question for me. I need to either go thru a door or network cable to get into a network. So I waited for the cleaning crew to arrive and I grabbed my red banged up tool box and heading in the front door with everyone else and just acted like I know where I am going and I belonged there. It helps to be walkin’ and talkin’ with someone as well because most folks will not want to interrupt your discussion. Oh, I also took an old hotel key, turned it sideways and wore it on a badge retractor so I looked the part. No questions asked! I walked right in, over to a far cubical picked up the phone dialed "9" and the two stage dial tone click of the PBX told me the victory was mine! 01149611...All too easy...(In my best Darth Vader voice) How we fixed the problem: Chances are not many folks are going to go to this length to dial a few numbers. But certainly an after hours crew could make a few calls every now and again to international numbers and slip right under the radar. The fix for this is simple, we config’ed up an After Hours Toll Restriction policy in the CM like this: telephony−service after−hours block pattern 1 91 after−hours block pattern 2 9011 after−hours day mon 20:00 07:00 after−hours day tue 20:00 07:00 after−hours day wed 20:00 07:00 after−hours day thu 20:00 07:00 after−hours day fri 20:00 07:00 after−hours day sat 10:00 07:00 after−hours day sun 12:00 12:00 This policy blocked outbound dialing of long distance calls with pattern 1 and international calls with pattern 2, Monday to Friday from 8PM to 7AM and on Saturday from 10AM to 7AM an all day on Sunday. This is low level logic blocking and worked just fine for this customer. You can get more detailed higher logic blocking with a Class of Restriction policy if need be. Hack 00x02: Rogue PBX Folks are looking for quicker ways to get the VOIP system to start paying for itself. VOIP savings are really like trying to justify the savings of being more secure. Oh sure we tech type folks know the real savings and true **** saving grace that security and in house managed VOIP provides. The problem is the Poindexter in Accounting doesn’t see it. Using the Internet as a trunk provider really provides some serious cash savings on the back end. The problem is many SIP/H323 trunks are incorrectly config’ed and will allow for unlimited access to your phone system. As a matter of fact there is a HUGE business in setting up rogue PBX’s to steal your service and then they resell trunk access to unsuspecting providers all over the world. This hack is super popular in Africa. First off, I scan your network with NMAP with the -sV switch and look for TCP or UDP ports 5060 for SIP and TCP port 1720 for H323. I also look for SIP REGISTER messages sent to 224.0.1.75 If I get a hit on one of those, then I run SIPScan to enumerate more info. I used to use SIPsak here, but SIPScan is really a better tool to me. Then I just take a simple SIP ready phone and try to connect it to the PBX. It is AMAZING how many times this works. If the PBX is outside of the firewall which in this case is exactly what the config was I have unlimited access. Other methods include relay SIP messages similarly to what is done on a open email relay for spam. SiVus is a great tool for crafting packets to do that. Of course you can also install and config a SIP B2BUA like SIP_Rogue but it is not for the faint at heart for sure. This tool was coded by VOIP ultra geek, Mark Collier. (check out his company and smokin' hot website http://www.voipsa.org/Resources/tools.php) The config is tough and a bit unstable but when it works, man alive it is a fantastic tool. How We Fixed it: Fortunately us Cisco type folks, CM is config’ed by default to not accept calls from anonymous sources and only from the pre-config’ed SIP Proxy server. However, if you want to double check or if you are on an older version then go to the CLI and enter the command set: interface serial 0/2 ip access−group 111 in access−list 111 permit udp host