Re: Pen testing a VOIP gateway

From: Philippe Langlois (philat_private)
Date: Thu Sep 12 2002 - 11:26:15 PDT


    Marco, List,
    
    There are many things to test on a VOIP gateway indeed.
    
    1/ Check if you can access any service on the voip gw
    TCP
    UDP (MGCP, SIP, ...)
    SCTP 
    (I've been developing audit tool that was
    lacking, like a SCTP portscanner - network scanner, fuzztesting,
    ask me if you want details on this, the security of this protocol is
    very interesting).
    
    There were not so many advisories published regarding this kind of
    equipment, this might be an interesting area to do some research for
    some undisclosed vulnerabilities. Depending on your customers' request
    for the pentest (i.e. known vulnerabilities & configuration /
    architecture errors OR critical infrastructure protection needs), you
    might find it interesting to work with a vulnerability researcher.
    
    2/ Check if you can intercept traffic and decode either signalling
    or content. A router might help you on the route. Check phoenelit.de for remote
    capture, I think they are the ones. (Also, 'gaius' from HERT wrote a
    paper in Phrack on how to intercept traffic from a Cisco.)
    
    3/ Also, I've seen examples of VoIP that come with specific defaults
    and thus can be compromised by simple knowledge of the install defaults.
    
    4/ These gateways are often at the boundaries of several 'worlds',
    maybe there are entry points in perimeters other than IP that can be
    considered 'external': X25 connection or SS7 link (this would be "not
    so external"), as well as standard remote modem access potentiality.
    
    What kind of VoIP gateway are you pentesting?
    (Signalling gateway? Media gateway? Media control gateway? What
    vendor?)
    
    
    Someone who made conferences about this is Ofir Arkin who was
    working for Sys Security Group and At Stake at that time.
    
    http://www.sys-security.com/html/projects/VoIP.html
    
    He published some advisories about Pingtel softphones.
    
    Also there is one associate of TSTForce who has been involved with
    several large scale telco pentests with IP/X25/Mobile/SS7 perimeters,
    he may have been exposed to such requests, contact me directly if you
    want to get in touch.
    
    
    Best regards,
    Philippe Langlois
    WaveSecurity - wlan security products
    Telecom Security Task Force - security consulting
    
    
    
    On Thu, Sep 12, 2002 at 01:23:33PM +0200, Marco van Zanten wrote:
    >Experts,
    >
    >I'm asked to do an external pen test on a VOIP gateway.
    >
    >In my opinion this is nearly impossible. (maybe if you use a gateway
    >yourself, or softphone application
    >to attack?)
    >I can't find any info on this subject.
    >There is enough info on securing the VOIP env. internally, but that is
    >not the problem here.
    >
    >Can anyone argue or confirm my thoughts?
    >
    >Any help is appreciated.
    >
    >Thanks in advance,
    >
    >MM
    >
    >--
    >****************************************************************************
    >This message contains information that may be privileged or confidential and
    >is the property of the Cap Gemini Ernst & Young Group. It is only intended
    >for the person to whom it is addressed. If you are not the intended
    >recipient, you are not authorized to read, print, retain, copy disseminate,
    >distribute, or use this message or any part thereof. If you receive this
    >message in error, please notify the sender immediately and delete all copies
    >of this message.
    >****************************************************************************
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    >Service. For more information on SecurityFocus' SIA service which
    >automatically alerts you to the latest security vulnerabilities please see:
    >https://alerts.securityfocus.com/
    >
    
    



    This archive was generated by hypermail 2b30 : Fri Sep 13 2002 - 09:30:55 PDT