Global Knowledge


Advanced VoIP: Securing UC Networks

Learn penetration testing and countermeasures for voice, video, and messaging.

Problem: VoIP and Unified Communications (UC) systems are vulnerable to the same threats as data networks, including viruses, theft, spam, fraud, privacy invasion, and denial of service attacks. The number of attacks continues to rise and the severity of threats and attacks increases as more and more enterprises have begun to deploy UC networks. The need to secure a UC system has turned from theory to reality as high-profile attacks are being documented every day.

Solution: Advanced VoIP: Securing UC Networks. In this course, you will cover a wide variety of techniques for assessing the security of Voice over IP (VoIP), video conferencing, and instant messaging implementations. You will cover UC security at the raw protocol level, concentrating on attack methodologies that are used against the most popular voice, video, and messaging protocols. You will learn to perform UC penetration testing and to implement countermeasures in intense hands-on labs.

What You'll Learn

  • History of Hacking
  • Overview of UC
  • Overview of Network Security
  • VoIP Service Provider Attacks
  • UC Enterprise and Endpoint Attacks
  • Signaling Security
  • VoIP Firewall Traversal
  • Session Border Controller
  • Windows and Linux Penetration Testing Tools
  • UC Attack Countermeasures

Who Needs to Attend

System administrators or telecom managers who have deployed or are looking to deploy a UC network

Prerequisites

  • Strong networking and telephony skills
  • Voice over IP Foundations is highly recommended

Follow-On Courses

There are no follow-ons for this course.

Course Outline

1. A Brief History of Hacking

  • Phreaking
    • Inband vs. Out-of-Band Signaling
    • Blue, Red, and Beige Boxes
    • Theft of Service
    • YIPL/TAP (Youth International Party Line/Technical Assistance Program)

2. Overview of Unified Communications

  • UC Architecture
  • Addressing
    • ENUM
    • SIP URI
  • Signaling
    • SIP
    • MGCP
    • H.323
    • SCCP
  • Media Channel
    • RTP
    • RTCP

3. Network Security Concepts

  • Confidentiality, Integrity, Availability (CIA)
    • Network Attacks
      • Man In The Middle (MITM)
      • Replay
      • Denial of Service (DoS)
  • Physical Perimeter
  • Network Segmentation
    • Virtual Local Area Network (VLAN)
    • Firewalls
  • Authentication
    • Port-Based Network Access Control (NAC)
    • 802.1x
    • Remote Authentication Dial-In User Service (RADIUS)
  • Authorization
  • Security Policies and Enforcement
  • Intrusion Detection/Prevention Systems (IDS)
  • Cryptography
    • Encryption Concepts
    • Shared Secret
    • Asymmetric Key
    • Secure Key Exchange
    • Public Key Infrastructure (PKI)
    • Digital Certificates
  • VPN (Virtual Private Network) Protocols
    • IPSec (Internet Protocol Security)
    • TLS (Transport Layer Security)
    • DTLS (Datagram Transport Layer Security)
    • SSH (Secure Shell)

4. UC Threats and Attacks

  • VoIP Service Provider Attacks
    • Service Disruption or Denial
    • Theft of Service
    • Infrastructure Attacks
    • Identity Fraud
    • Call Hijacking
    • Eavesdropping
    • Voice Mail Hacking
  • VoIP Enterprise and Endpoint Attacks
    • OS Exploits
    • Signaling Attacks
    • Endpoint Admin Privilege Exploits
    • Proxy Impersonation
    • RTP Attacks
    • Wiretapping
    • VoWiFi Attacks
      • Wired Equivalent Privacy (WEP)
      • WiFi Protected Access (WPA)
    • DoS Attacks
    • Spam for Internet Telephony (SPIT)
    • IP PBX and Telephony Server Exploits
    • Vishing (VoIP Phishing)

5. Countermeasures

  • Authentication
  • Signaling Security
    • Secure SIP
    • TLS
  • VoIP Firewall Traversal
    • Firewall Classifications
    • Network Address Translation (NAT)
    • Simple Traversal of UDP through NAT (STUN)
    • Traversal of UDP via Relay NAT (TURN)
    • Interactive Connectivity Establishment (ICE)
  • Session Border Controller
    • RTP Stream Conversion
    • Firewall Interoperability
    • Denial of Service Protection
    • Call Filtering
    • Bandwidth Management
  • Media Encryption
    • SecureRTP (SRTP)
    • Virtual Private Network (VPN)
      • IPSec
      • SSL
    • Zfone

6. Penetration Testing

  • Windows Tools
    • Cain & Abel
    • SIP Messenger
    • SiVuS VoIP Vulnerability Scanner
    • SIPScan
    • SIPProxy
    • Wireshark
  • Linux Tools
    • Nmap
    • Nessus
    • Registration Hijacker
    • Invite Flood
    • RTPMixSound
    • RTPInsertSound
    • UDPFlood
    • RTPFlood
    • RedirectPoison
    • SIPBomber
    • SIP_rogue
    • Wireshark

7. Summary

  • Related Standards
  • VoIP Security Resources

Labs

EAVESDROPPING/WIRETAPPING LABS

Lab 1: Set Up and Configure Network

  • Configuring Linksys SPA942 IP phones
  • Configuring PC laptops
  • Configuring switches and routers

Lab 2: Wiretapping in a Shared Topology Ethernet LAN

  • Using a Network Protocol Analyzer to capture and decode RTP streams
  • Using Cain to automatically capture and decode RTP streams

Lab 3: Wiretapping in a Switched Topology Ethernet LAN

  • Using Cain to scan the network for VoIP equipment
  • Using Cain to run a MITM attack via ARP Poisoning

Lab 4: BackTrack 4 Linux Live Security Distro

  • Booting BackTrack 4
  • Configuring Ethernet interface
  • Using Wireshark in Linux
  • Intercepting Instant Messaging
  • Configure IM server and clients
  • Using Cain and Wireshark to run a MITM attack via ARP Poisoning

Lab 5: Wiretapping with Linux in a Switched Ethernet LAN

  • Using Ettercap to run a MITM attack via ARP Poisoning
  • Using Wireshark to capture and decode RTP streams

Lab 6: Intercepting Instant Messaging

  • Configure IM server and clients
  • Using Cain and Wireshark to run a MITM attack via ARP Poisoning

Lab 7: Real-Time VoIP Eavesdropping in a Switched Ethernet LAN

  • Using Viper VAST Linux Live Security Distro
  • Using UCSniff to do real-time VoIP eavesdropping

Lab 8: Real-Time Video Eavesdropping in a Switched Ethernet LAN

  • Configure softphones with video on Windows PCs
  • Using UCSniff to do real-time video eavesdropping

Lab 9: Countermeasures Lab: G.729 CODEC: Using Licensed CODEC to Deter Wiretapping

  • Capture and decode G.729 with Wireshark
  • Capture and decode G.729 with Cain
  • Capture and decode G.729 with UCSniff

Lab 10: Call Pattern/Pen Trace in a Switched Topology Ethernet LAN

  • Using Cain to run a MITM attack via ARP Poisoning
  • Using Wireshark to capture signaling messages
  • Using Wireshark for Number Harvesting
  • Using Wireshark for Call Pattern Tracking

Lab 11: Countermeasures Lab: ARP Poisoning Detection

  • Using Xarp to detect ARP Poisoning

SCANNING AND NETWORK DOS LABS

Lab 12: Network Vulnerability Scanning

  • Using Nmap to scan the network
  • Using Zenmap to scan the network
  • Using AutoScan to scan the network
  • Using SIPVicious to scan the network

Lab 13: VoIP Scanning

  • Using SiVuS to scan the network
  • Using SIPScan to scan the network
  • Using smap to scan the network

Lab 14: DoS: Flooding Attacks

  • Using RTPflood to attack an IP Phone
  • Using RTPflood to attack a SIP Proxy
  • Using SIPSAK to attack a SIP Proxy

Lab 15: Metasploit Framework

  • Using Metasploit Framework for various exploits

Lab 16: Countermeasures Lab: Using Access Lists to Secure UC

  • Configure Access List on Ethernet switch
  • Using SMAC to spoof MAC address
  • Using MACchanger to spoof MAC address

Lab 17: Countermeasures Lab: Using VLANs to Secure UC

  • Configure VLANs on Ethernet switch
  • Using VoIP Hopper to set VLAN ID
  • Using VoIP Hopper to set VLAN ID and spoof MAC address
  • Configure separate VLANs for voice and data

SIGNALING MANIPULATION LABS

Lab 18: Signaling Manipulation: SIP Invite

  • Using Inviteflood to attack a SIP UA
  • Using Inviteflood to attack a SIP UA with spoofed CID
  • Using Inviteflood to attack a SIP Proxy
  • Using SiVuS to attack a SIP UA with spoofed CID

Lab 19: Signaling Manipulation: Delete SIP Registration

  • Using Erase_registration to delete SIP UAs from SIP Proxy

Lab 20: Signaling Manipulation: SIP Registration Authentication

  • Configure SIP UA and SIP Proxy for Authentication
  • Using Cain to crack SIP Registration Authentication
  • Using SIPdump and SIPcrack to crack SIP Registration Authentication

Lab 21: Signaling Manipulation: Add SIP Registration

  • Using Add_registrations to fork calls

Lab 22: Signaling Manipulation: Hijack SIP Registration

  • Using SIP forking to direct calls to an additional UA
  • Hijacking calls to the hacker UA

Lab 23: Signaling Manipulation: SIP Redirect Attack

  • Using Redirectpoison to redirect calls to another UA
  • Using Redirectpoison to redirect calls to nowhere
  • Using SIPSAK to redirect calls

Lab 24: Signaling Manipulation: SIPp

  • Using SIPp to DoS attack SIP UA
  • Using SIPp to DoS attack SIP Proxy

Lab 25: Signaling Manipulation: SIP DoS

  • Using SIPbomber to DoS attack SIP UA
  • Using SIPbomber to DoS attack SIP Proxy

Lab 26: Asterisk IP PBX

  • Configure Asterisk IP PBX
  • Test various attack tools against Asterisk

Lab 27: Countermeasures Lab: TCP

  • Using TCP for SIP
  • Configure Servers and UAs for TCP

MEDIA MANIPULATION LABS

Lab 28: Media Manipulation: RTP Insertion

  • Use Ohrwurm to add noise to a conversation
  • Using RTP_mixer to add audio

Lab 29: Media Manipulation: Audio Morphing

  • Using MorphVOX to manipulate the audio

Lab 30: Media Manipulation: VideoJacking

  • Using VideoJak to replace video stream

Lab 31: Countermeasures Lab: RTP Encryption

  • Using ZRTP to encrypt RTP stream

Lab 32: Countermeasures Lab: RTP Encryption

  • Using SRTP to encrypt RTP stream

Lab 33: Countermeasures Lab: VoIP Steganography

  • Using VoIP to create a hidden voice channel

Lab 34: Countermeasures Lab: VPN Secure Tunnels

  • Using TLS to encrypt SIP signaling

Lab 35: Countermeasures Lab: VoIP Honeypot

  • Using Artemisa VoIP Honeypot

Lab 36: Countermeasures Lab: Intrusion Detection System

  • Using Snort IDS for intrusion detection

On-Site

Course Code: 3290

Contact us for pricing

Partner-Delivered Course

5 Day Course



Copyright ©2013 Global Knowledge Training LLC. All rights reserved.