Super Phreaky VoIP System Hack – Part I

26 Jul 2016

Every day I hear reports of systems being hacked; extensions or voicemail boxes being hijacked and used to make thousands of dollars of calls; system administration being compromised allowing for any change to be made to a system, and denial of service attacks that only cease once a ransom has been paid.

Security is a pretty foreign concept to many traditional voice installers. It used to be that as long as a voicemail box had a decent PIN code that systems were relatively safe. Phreaking was popular in the 60s and 70s (and in some cases still is) as a way of making free calls and exploring a telecommunications network, but generally required physical access to wires/exchanges to do anything.

Then along came IP and much to the horror of many data experts we decided to put voice across it and uncover all the flaws in a network. While it is a cost effective means of sending voice from one location to another it opened the door for many attacks a PABX installer had never heard of and they can all be carried out without physical access to a system.

With that in mind, I wanted to find out just how easy it was to compromise a system. To be clear, my talent has always been for making phones ring when they are supposed to, not when they aren’t. I don’t have a security background and that’s what makes the results of the post quite concerning. This is the first in a three part series. First, I’m going to learn the basics. Then in Part 2 I’ll take those skills and see if I can apply them to an IP Office Server Edition. In the final instalment I’ll take a look at best practices for securing your IP Office installations.

I decided to start easy by downloading and installing VulnVOIP. This is an intentionally wide open Asterisk system with the aim to locate users, crack their passwords and get access to a mailbox. There’s also a nice bonus of being able to get root access to the system and do anything you like to it. I ran this on a network with a 1-to-1 NAT and no firewall. Again, I’m trying to make this as easy as possible for me and for those of you laughing at the simplicity of this set up, I know that some of you reading this have done this in the past as an easy way to get a SIP trunk working!

Next I needed the hackers best friend, Kali Linux. I’ve only scratched the surface of what it can do and while at this point I’m definitely just a “script kiddie” it really has changed the way I think about the things I give internet access to. I joked recently on Twitter about your Internet connected toothbrush choking you to death. There is a serious point behind that that makes IoT a scary prospect, but that’s for another day.

Anyone who has ever opened up port 5060 to get a SIP trunk working or to get a remote handset/softphone working has probably seen that system bombarded with requests from SIPVicious. I know many people wonder who this is and the answer is sadly not a 70s punk rocker but in fact a bunch of scripts whose sole purpose is to make a SIP attack as simple as possible. I’ll be using this as my main means of attempting to get in.

The first step in any attack is to uncover as much information about a network as possible. It’s my network so I’ll skip this, but know that many IP phones out there have HTTP access which incorrectly configured can be exposed to the Internet and everything a hacker needs to know about a business, from phone numbers to email addresses to mail servers is available through Google searches and public DNS lookups.

Once a network of interest has been found, a tool like nmap can be used to see what ports are open that might be fun to play with. A scan of mine shows port 22 and port 80 are open.

Avaya-Open-ports

Avaya-Open-ports

The first thing I’ll try then is browsing to the system, and there we see the administration interface is on the Internet for anyone to try and access. Had I not known what was installed on this network, I now would. It’s safe to assume this probably has SIP running and I can also Google around for any known exploits related to the particular PABX I’ve discovered.

VulnVoIP 1.0

VulnVoIP 1.0

I try some common username and passwords (admin/admin) and a couple of other easy ones, but I can’t get in. Still, it’s not a great idea to have your administration interface available to all comers, even if you harden the password.

Next I try out SSH but get similar results.

Avaya Systems hack SSH

Avaya Systems hack SSH

To be absolutely sure that SIP is running on this server, I initiate a UDP scan and, yes, there it is port 5060 is open. My attempts to administer the system might have failed, but let’s see if the users of the system care as much about security as the administrator.

Avaya hack UDP scan

Avaya hack UDP scan

First up, let’s find out a bit more about the system that’s running. I use the first tool in my SIPVicious arsenal to fingerprint the system and find out what I’m dealing with.

Avaya hack SIPVicious

Avaya hack SIPVicious

A search of exploits for this particular version returns a few vulnerabilities, but they are beyond what I’m trying to achieve and don’t relate directly to logging in as a user.

Now it’s time to see if I can find some extensions. And there’s none found. Maybe this system has better security than the people over at VulnVOIP let on. Or perhaps there are no users configured. That seems unlikely though. It would be a bit boring to access a system that no one was using!

Avaya VulnVOIP

Avaya VulnVOIP

Maybe I can try a different SIP method to get a response from the system. By default, svwar uses REGISTER, so it’s time to be a bit less covert and send some INVITE’s. On a real system this could cause extensions to ring and potentially give away an enumeration attempt such as this. It’s a good idea to make your end users aware that if phones are ringing randomly and no one is there when they answer to give you a call to check the system logs.

Avaya svwar

Avaya svwar

Avaya svwar system

Avaya svwar system

Now we’ve got some extensions we can attempt to have some fun with. Let’s see if I can obtain a password. I’m going to ignore the “weird” ones and target the reqauth ones with a dictionary attack.

Avaya reqauth attack

Avaya reqauth attack

Well, that didn’t take very long! Some of the others are a bit tougher, but it only takes one user with a lazy approach to security.

I take all the details I’ve acquired and put them in to X-Lite. Just like that I’m now a registered user on the system. There’s even a voicemail for me to check.

Avaya X-Lite Hacked

Avaya X-Lite Hacked

X-Lite Hacked

X-Lite Hacked

There is still plenty more for me to try and do to this system. I know that Asterisk allows telnet connections to its administration interface and that open mysql port look interesting too. But I’ve succeeded with what I set out to do. Gain access to the system and make calls. And the scariest part of all, it took less than half a day to get to this point, and that includes setting up the two virtual machines! Many people take an approach of “if it ain’t broke don’t fix it” and don’t keep their systems up to date. Sure, new releases often mean new bugs but it also means security fixes. You leave yourself and your customers exposed by taking this approach.

Next time I’ll apply these methods to an IP Office Server Edition to see if it’s as simple.

Want to read PART 2 of this Super Phreaky VoIP System Hack? Click here.

Stuart Logan – Senior Systems Engineer

Stuart LoganStuart has over 10 years’ experience working on the Avaya IP Office product and is a Senior Systems Engineer in our Arrow ECS ANZ office.

Whilst he admits he didn’t wake up one day with the burning desire to make phones ring, his decision to quit his job at KFC in New Zealand, to move to Australia and put his degree in Web Based Information Systems to good use, turned out to be a pretty good decision.

If you have any burning questions for Avaya expert Stuart Logan, get in touch slogan@distributioncentral.com