VoIP Vulnerabilities - Internetwork Security | ECE 4112, Lab Reports of Electrical and Electronics Engineering

Material Type: Lab; Class: Internetwork Security; Subject: Electrical & Computer Engr; University: Georgia Institute of Technology-Main Campus; Term: Spring 2007;

Uploaded on 08/05/2009


ECE4112 Internetwork Security
Lab: VoIP Vulnerabilities

Group Number: _________
Member Names: ______________________ _______________________

Date Assigned:
Date Due:
Last Edited:
Last Authored By: Patrick Hamilton and James Michaels

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: The goal of this lab is to introduce you to the functionalities of VoIP and VoIP exploitation tools. You will discover VoIP vulnerabilities and learn methods to harden a network against these exploits.

Summary: You will initialize a VoIP call using SJPhone under two different signaling protocols (SIP and H.323) in order to obtain a diverse understanding of VoIP's general functionalities. Using Wireshark (Ethereal) to sniff the network traffic, you will gather information about the data packets distributed by the VoIP call. You will then conduct a man-in-the-middle attack to audibly eavesdrop on the VoIP call by using Cain & Abel. You will conclude by analyzing methods of network hardening for VoIP calls.

Equipment Needed:
Red Hat 4.0 WS physical machine
Red Hat 4.0 WS physical machine (TA setup)
Windows XP Pro virtual machine

Prelab Questions: None

Lab Scenario: This lab is broken up into five sections: the first section provides general background information, the second section covers setting up the lab components, the third section consists of establishing the VoIP call and network sniffing, the fourth section uses Cain & Abel to exploit the VoIP call, and the fifth section covers hardening the network against VoIP attacks.
Section 1: VoIP (Voice over Internet Protocol)

1.1 Introduction

VoIP (voice over IP - that is, voice delivered using the Internet Protocol) is a term used in IP telephony for a set of facilities for managing the delivery of voice information using the Internet Protocol (IP). Voice over IP uses Internet Protocol (IP) to carry voice as packets over a packet-switched data network. Voice information is then sent in digital form in discrete packets rather than in the traditional circuit-switched protocols of the public switched telephone network (PSTN). A major advantage of VoIP and Internet telephony is that it increases operating efficiency, avoiding expensive communication costs and reducing unnecessary expenses that occur with ordinary telephone service.

1.2 VoIP Security

VoIP uses the Internet for phone service, bypassing expensive long-distance communication providers, which results in significant savings. However, as with most technology advancements, if not set up and deployed correctly, a VoIP solution can expose an organization to security breaches (Figure 1). For instance, when VoIP is used externally, gateway technologies convert data packets from the IP network into voice before sending them over a public switched telephone network. When VoIP is used internally, the gateways basically route packetized voice data between the source and the destination. A potential issue is that VoIP gateways can be hacked into by malicious attackers in order to make free telephone calls. In addition, attackers can infiltrate phone conversations and steal confidential data in the same way they would hack an IT system. Spammers can also use denial of service attacks to render the phone system useless. To deploy a VoIP solution, one needs to ensure that the solution is safe, secure and protected from outside threats. Below is a list of typical attacks that a VoIP system might face.

Toll Fraud: The IP version of the classic attack in which a person pretends to be an employee, or of Console Cracking (asking the operator for an outside trunk), to make long distance calls. Here, however, the attacker impersonates a valid user and IP address by plugging in their phone or spoofing the Ethernet MAC address.

Eavesdropping: The attacker sniffs (taps into the LAN wireline or WiFi connection) to intercept voice messages. Available tools such as VOMIT (Voice Over Misconfigured Internet Telephony) perform this function.

Call Hijacking: The attacker spoofs a SIP Response, redirecting the caller to a rogue SIP address, and intercepts the call.

Resource Exhaustion: Also known as a DoS [Denial of Service] attack. This attack reduces the number of available IP addresses, bandwidth, processor memory, and other router/server functions.

Message Integrity: MIM [Man-In-the-Middle] attack to intercept, alter, or redirect a call.

5. Close the application.

2.3 Installing Cain & Abel

1. From the NAS copy cain_and_abel_setup.exe to your virtual Windows desktop.
2. Double click the icon and follow the installation instructions.
3. When asked to install WinPCap, select INSTALL and continue with default options.
4. To ensure proper installation click the icon; this will launch Cain & Abel and a GUI will pop up.
5. Close the application.

Section 3: VoIP Call and Network Sniffing

3.1 SJPhone

SJPhone is a free SIP and H.323 signaling protocol user agent for VoIP calls. It can be used in Linux, Windows, and OSX. The tool can be downloaded from: http://www.SJLabs.com

The description from the website says: “SJPhone® is a VOIP softphone that allows you to speak with any other softphone running on a PC/PDA, any stand-alone IP-phone, or using Internet Telephony Service Provider (ITSP) with any traditional wired or mobile phone.
It supports both SIP and H.323 standards and is fully inter-operable with most major VOIP vendors and ITSPs.”

3.1 SJPhone Call Establishment

SJPhone will be configured to work as a P2P (peer-to-peer) VoIP service. This means that there will be no intermediary server that authenticates the users and tells each endpoint the other's IP address to set up the connection. Therefore each party must already know the other's IP address. To accomplish this, the first step is to open SJPhone in your RedHat WS4 machine.

1. Open SJPhone in your RedHat WS4 machine:
   # ./sjphone
2. Enter the TA RedHat WS4 machine's IP address and hit dial.
   Screenshot 1: SJPhone receiving phone call on the TA RedHat WS4 machine.
3. On the TA RedHat WS4 machine click the accept button and test the connection by speaking into the provided microphone.

Have your TA check you off for the completed VoIP conversation.

TA CHECKOFF: ______________________ DATE:___________

3.2 Sniffing VoIP Call Packets

Vomit

Vomit, just in case you were wondering, stands for Voice Over Misconfigured Internet Telephones. Vomit converts a captured package into a wave file. The utility can be downloaded at: http://vomit.xtdnet.nl/

The description from the web site says: “The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. Vomit is not a VoIP sniffer also it could be but the naming is probably related to H.323.”

On the TA WS4 machine (57.35.6.xxx), open VMWare and start the Red Hat WS 4 virtual machine. When this starts, open ethereal and begin capturing packets in promiscuous mode on eth0.

- Establish a VoIP connection again just like you did before. Have a (one-way) conversation and then hang up.
- Now, back on the virtual machine, stop capturing packets and save the capture to your home directory (/root) in a file named <group-#>.dump
- Get a screen shot of Ethereal displaying the connection Invite and ACK.
Screenshot 2: Ethereal displaying SIP Invite and Ack.

On the virtual Windows machine (57.35.6.x), open a shell and cd in to the directory where vomit is located:

   # cd /root/vomit/vomit-0.2c/

Now run vomit with the following command:

   # vomit -r /root/<group-#>.dump | /root/waveplay-20010924/waveplay -S8000 -B16 -C1

Listen to the output.

Perform this task on both RedHat WS4 machines and then initiate a call. On the virtual Windows machine start Cain & Abel and click on the Sniffer tab. On Cain & Abel's toolbar click the “Start/Stop Sniffer” button (it is to the right of the folder button). Begin having a one-way conversation and then hang up.

Question 7: Was Cain & Abel able to eavesdrop on the VoIP call with H.323?

Now right click on Cain & Abel's recording, and select the play option.

Question 8: When you played the wave file was it blank or did it play back the recorded call? Was the call quality better, worse, or the same as the SIP recording (if it was blank then the quality is obviously worse)?

Section 5: Network Hardening for VoIP

5.1 VoIP Security Hardening

VoIP security doesn't just happen. A VoIP network is susceptible to the usual attacks that plague all data networks: viruses, spam, phishing, intrusions, mismanaged identities, Denial of Service (DoS) attacks, lost and stolen data, voice injections, data sniffing, hijacked calls, toll fraud, eavesdropping, and on and on. You need careful planning to create a system that is both safe and reliable. VoipLowDown.com provided the following 25 methods an administrator can use to harden a VoIP network:

1. Restrict all VoIP data to one Virtual Local Area Network (VLAN): Cisco recommends separate VLANs for voice and data; this helps prioritize voice over data and also keeps traffic on the voice network hidden from those connected to the data network. VLANs are also useful in protecting against toll fraud, DoS attacks, and eavesdroppers listening in and taking over conversations.
A VLAN is an effective closed circle of computers that does not allow any other computer access to its facilities; with the lack of a PC to launch attacks, your VoIP network is quite safe. Even in the case of an attack, the disruption caused is minimal.

2. Monitor and track traffic patterns on your VoIP network: Monitoring tools and intrusion detection systems can help identify attempts to break into your VoIP network. Scrutinizing your VoIP logs can bring to light irregularities such as international calls made at odd hours or to countries your organization has no ties with (toll fraud), multiple log-on attempts like in a brute-force attempt to crack a password, or a surge in voice traffic during off-peak hours (voice spam).

3. Lock down your VoIP servers: Servers should be secured physically against both internal and external intruders who can intercept data using sniffing techniques, either within the LAN or at the ISP when data travels over the Internet. Since VoIP phones have fixed IP and MAC addresses, it's easier for attackers to try to worm their way in. This is why Gary Miliefsky, founder and CTO of NetClarity, recommends locking down IP and MAC addresses that allow access to the administrative interfaces of VoIP systems, and putting up another firewall in front of the SIP gateway. This will restrict incoming access to IT administrators and prevent hackers from getting in.

4. Use multiple layers of encryption: It's not enough to just encrypt the data packets that are sent out; you have to encrypt call signaling too. Encrypting voice packets prevents voice injections where interceptors can insert their own words into the conversation, giving it a whole new meaning. Steve Mank, CEO of Qovia, cites two common methods of encryption - the Secure Real Time Protocol (SRTP) which encrypts communication between endpoints, and Transport Level Security (TLS) which encrypts the whole call process.
Encryption of voice traffic should be supported by providing strong protection at gateways, networks and hosts.

5. Build redundancy into VoIP networks: Be prepared for the day DoS attacks or viruses threaten to bring your network crashing down - create a network that tolerates failures by setting up multiple nodes, gateways, servers, power sources, and call routers, and hooking up with more than one provider. Don't stop with just putting the infrastructure in place; run frequent trials to ensure that they are working well and are ready to take over when the primary network fails.

6. Put your equipment behind firewalls: Create separate firewalls so that traffic crossing VLAN boundaries is restricted only to applicable protocols. This will prevent the spread of viruses and Trojans to servers in case clients are infected. The maintenance of security policies also becomes simpler when each firewall is considered separately. Choose networking and security vendors who support both the Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol. Firewall configurations have to be created so that the appropriate ports open and close when necessary.

7. Update patches regularly: The security of a VoIP network depends on both the underlying operating system and the applications that run on it. Maintaining patch currency for both the OS and VoIP applications is imperative in protecting against threats from malware.

8. Keep your network away from the Internet: The University of Houston is a pioneer in this security approach - the institution has put its call manager and network out of direct access from the Internet; its IP PBXs are in a domain separate from its other servers and access is restricted.

9. Minimize the use of softphones: VoIP softphones are prone to hacker attacks, even when they are behind corporate firewalls, because they are used with an ordinary PC, VoIP software, and a pair of headphones.
Also, softphones do not separate voice and data, and are vulnerable to the viruses and worms that normally infect a PC.

10. Perform security audits on a regular basis: Running checks on administrative and user sessions and service activities can help bring irregularities to light. Phishing attempts can be thwarted, spam can be filtered out so it doesn't clog the network, and intruder attacks can be stopped.

11. Evaluate physical security: Make sure that only devices and users who are authenticated and pre-approved gain access to your network by limiting access to the Ethernet ports. Administrators are often fooled into accepting softphone devices that are not permitted on the network because hackers can easily imitate IP and MAC addresses by plugging into an RJ44 port.

12. Use vendors who provide digital security certificates: When IP phone vendors provide digital certificates to authenticate devices, users can ensure that the conversation is secure and is not being broadcast to other devices. The phones load digitally signed images to ensure that the software loaded is authentic. Verisign has been a pioneer in providing authentication certificates for wireless IP phones, in an effort to prevent “tapping” (illegal eavesdropping) and “spoofing” (illegal tampering) of conversations.

13. Secure your gateways: Configure gateways so that only those who are allowed access can make and receive VoIP calls. Lists with authenticated and approved users can ensure that others are prevented from using the lines to make free calls. Protect gateways and the LANs behind them with a combination of an SPI firewall, application layer gateways (ALG), network address translation (NAT) tools, and SIP support for VoIP soft clients.

14. Manage servers separately: VoIP call servers are often the targets for attackers because they are the heart of any VoIP network. Critical weaknesses inherent in the server include its operating system, and the services and applications it supports.
To minimize the chance that hackers get at your VoIP servers, manage traffic to them separately from VoIP signaling and call traffic.

15. Sort SIP traffic: Looking through your SIP traffic and checking for abnormal packets and traffic patterns that are different from the usual will help in cutting short sessions that are not genuine. Anomalies in the syntax and semantics of SIP and events that are irregular and out-of-sequence indicate that attacks are taking place or are likely to take place.

16. Examine call setup requests at the application layer: VoIP calls are susceptible to hijacking by outsiders who gain access to the network. Set up appropriate security policies so that only those call setup requests that conform to them are accepted.

17. Isolate voice traffic: For external communications, rely on a Virtual Private Network (VPN). Separate your voice and data traffic to prevent unwanted ears from listening in on your conversation. According to Kevin Flynn, senior manager of unified communications for Cisco, the biggest problem for organizations is “bad stuff from the data network getting on to the voice network.” He recommends blocking PC port access to the voice VLAN.

18. Use proxy servers: Protect your network even beyond firewalls by using proxy servers to process data that comes in and goes out. Authentication and integrity are ensured when signaling messages travel between user agents and SIP proxies by integrating SSL tunnels with SIP proxies.

Section 4:
Screenshot 3: Cain & Abel recording the VoIP conversation.
Question 3: What information did Cain & Abel find about the VoIP connection?
Question 4: What codec did Cain & Abel report the VoIP connection was using?
Question 5: Is sound quality better than the earlier Vomit recording?
Question 6: Compare H.323 vs. SIP in terms of call set-up, codecs, multi-cast signaling, and reliability.
Question 7: Was Cain & Abel able to eavesdrop on the VoIP call with H.323?
Question 8: When you played the wave file was it blank or did it play back the recorded call? Was the call quality better, worse, or the same as the SIP recording (if it was blank then the quality is obviously worse)?

Section 5:
Question 9: What is the biggest problem for organizations that have voice and data on the same network? What is one way to address this issue?
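
Added example for hardening method 2 in Section 5.1 (not part of the original lab handout): a Python audit of VoIP log records for the three irregularities that method names. The log format, thresholds, extensions, phone numbers and addresses are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed records in an assumed format: timestamp, event, extension, detail.
# Numbers and extensions are made up; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
2007-03-12T02:14:07 CALL 1004 +99955501
2007-03-12T02:20:40 CALL 1004 +99955502
2007-03-12T02:41:09 CALL 1004 +442055503
2007-03-12T09:05:11 CALL 1001 +14045550123
2007-03-12T10:00:01 AUTH_FAIL 1007 192.0.2.20
2007-03-12T10:00:02 AUTH_FAIL 1007 192.0.2.20
2007-03-12T10:00:04 AUTH_FAIL 1007 192.0.2.20
2007-03-12T10:03:30 AUTH_FAIL 1002 192.0.2.31
2007-03-12T11:22:00 CALL 1002 +442055509
"""


def audit(log, home="+1", partners=("+44",), day=(8, 18), max_fail=3, max_offpeak=2):
    """Flag toll-fraud patterns, repeated log-on failures and off-peak surges."""
    suspicious, fails, offpeak = [], Counter(), Counter()
    for line in log.strip().splitlines():
        stamp, event, ext, detail = line.split()
        when = datetime.fromisoformat(stamp)
        off_hours = not (day[0] <= when.hour < day[1])
        if event == "CALL":
            foreign = not detail.startswith(home)
            if foreign and not detail.startswith(partners):
                # Destination country the organization has no ties with.
                suspicious.append((stamp, ext, detail, "no-ties destination"))
            elif foreign and off_hours:
                suspicious.append((stamp, ext, detail, "international call at odd hours"))
            if off_hours:
                # Bucket off-peak calls per hour to spot a surge.
                offpeak[when.strftime("%Y-%m-%d %H:00")] += 1
        elif event == "AUTH_FAIL":
            # Count failures per (extension, source address) pair.
            fails[(ext, detail)] += 1
    return {
        "suspicious_calls": suspicious,
        "brute_force": sorted(k for k, n in fails.items() if n >= max_fail),
        "offpeak_surge": sorted(h for h, n in offpeak.items() if n > max_offpeak),
    }


if __name__ == "__main__":
    for finding, values in audit(SAMPLE_LOG).items():
        print(finding, values)
```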
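
Added example for hardening methods 4 and 16 in Section 5.1 (not part of the original lab handout): a Python policy check that inspects a SIP call setup request and reports whether both layers, signaling and media, are encrypted. The two INVITE messages are constructed, and the function name check_invite is hypothetical.

```python
# Constructed SIP INVITE with an SDP body; addresses are documentation ranges.
PLAIN_INVITE = (
    "INVITE sip:1002@192.0.2.11 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:1001@192.0.2.10>;tag=a1\r\n"
    "To: <sip:1002@192.0.2.11>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
# Same call offered with sips:, a TLS hop and the SRTP profile (key is a placeholder).
SECURE_INVITE = (
    PLAIN_INVITE.replace("INVITE sip:", "INVITE sips:")
    .replace("SIP/2.0/UDP", "SIP/2.0/TLS")
    .replace("RTP/AVP", "RTP/SAVP")
    .replace("a=rtpmap", "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER\r\na=rtpmap")
)


def check_invite(message):
    """Report whether a SIP request protects both signaling and media."""
    head, _, body = message.partition("\r\n\r\n")
    start, *headers = head.split("\r\n")
    _method, uri, _version = start.split(" ", 2)
    findings = []
    if not uri.lower().startswith("sips:"):
        findings.append("Request-URI is sip:, not sips:")
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() in ("via", "v"):  # "v" is the compact header form
            transport = value.split()[0].rsplit("/", 1)[-1].upper()
            if transport != "TLS":
                findings.append(f"Via hop uses {transport}: signaling readable on the wire")
    signaling_ok = not findings
    media_ok = True
    for line in body.split("\r\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            if "SAVP" not in proto.upper():  # RTP/SAVP and RTP/SAVPF are SRTP profiles
                media_ok = False
                findings.append(f"{kind} stream offered as {proto}: plain RTP")
    return {"signaling_encrypted": signaling_ok, "media_encrypted": media_ok,
            "findings": findings}


if __name__ == "__main__":
    print(check_invite(PLAIN_INVITE))
    print(check_invite(SECURE_INVITE))
```

A request that fails the media check is the kind whose audio can be rebuilt from a packet capture, as Section 3.2 does with vomit.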