I am ****** when it comes to VOIP. I am not a huge VOIP fan. Nope. Not much at all. When I was growing up, phracking never really appealed to me. I remember tripping my first 5ESS and not thinking “that’s cool” but “so what”. Kinda weird because VOIP possesses all the elements I like in engineering design. It has many parts, separate protocols, programming elements, high end user satisfaction, massive extendibility and lots and lots of tweakable elements. All a plus in the Jimmy Ray book of fun stuff to do on a weekend. But to me all I see is a large target to hack and embarrass right off on my data network. I am a ******, Local 214.
Voice is a great career path, most likely one of the absolute best. As a matter of fact, many of the resellers I meet with weekly tell me they cannot hire enough voice-certified specialists. They are begging for them and trying to steal them from others all the time. So as a career path, Voice is top shelf. I know that and I hear that and I understand that, but while I study for my final CCVP exam my mind is drifting to the astral planes of double VLAN tag hopping, eavesdropping and toll jacking.
Toll jacking. Hmmm… (pinky finger to corner of mouth) seems like to me that is a fairly reasonable vector into a voice network. Taking human behavior into account here, I am going to assume (dangerous, I know) that many VOIP networks are config’ed by data folks interested in Voice and not the other way around. Some of the old school phracky-phrack stuff could come in handy here. This could mean I have a vector into the network to make free phone calls…If I would have only had this when Sanjaya was on Idol…
So I grabbed my Blue Box and, with permission (Note to Cisco Legal), I tested five VOIP networks and I was able to dial out and get free calls through three of them! Here is how I did it:
Hack 00x01: Cleaning Crew Phone Perk.
Hey let’s face it, I am 43, fat and out of shape. Climbing over fences, thru windows or down suspension cables from a ceiling is long out of the question for me. I need to either go thru a door or a network cable to get into a network. So I waited for the cleaning crew to arrive, grabbed my red banged-up tool box and headed in the front door with everyone else, and just acted like I knew where I was going and belonged there. It helps to be walkin’ and talkin’ with someone as well because most folks will not want to interrupt your discussion. Oh, I also took an old hotel key, turned it sideways and wore it on a badge retractor so I looked the part. No questions asked! I walked right in, over to a far cubicle, picked up the phone, dialed “9”, and the two-stage dial tone click of the PBX told me the victory was mine! 01149611…All too easy...(In my best Darth Vader voice)
How we fixed the problem: Chances are not many folks are going to go to this length to dial a few numbers. But certainly an after-hours crew could make a few calls every now and again to international numbers and slip right under the radar. The fix for this is simple: we config’ed up an After Hours Toll Restriction policy in the CM like this:
after-hours block pattern 1 91
after-hours block pattern 2 9011
after-hours day mon 20:00 07:00
after-hours day tue 20:00 07:00
after-hours day wed 20:00 07:00
after-hours day thu 20:00 07:00
after-hours day fri 20:00 07:00
after-hours day sat 10:00 07:00
after-hours day sun 12:00 12:00
This policy blocked outbound long-distance calls (pattern 1, 91) and international calls (pattern 2, 9011) Monday through Friday from 8 PM to 7 AM, on Saturday from 10 AM to 7 AM, and all day on Sunday. This is low-level logic blocking and worked just fine for this customer. You can get more detailed, higher-logic blocking with a Class of Restriction policy if need be.
Hack 00x02: Rogue PBX
Folks are looking for quicker ways to get the VOIP system to start paying for itself. VOIP savings are really like trying to justify the savings of being more secure. Oh sure, we tech type folks know the real savings and true **** saving grace that security and in-house managed VOIP provide. The problem is the Poindexter in Accounting doesn’t see it. Using the Internet as a trunk provider really provides some serious cash savings on the back end. The problem is many SIP/H323 trunks are incorrectly config’ed and will allow unlimited access to your phone system. As a matter of fact there is a HUGE business in setting up rogue PBXs to steal your service and then resell trunk access to unsuspecting providers all over the world. This hack is super popular in Africa.
First off, I scan your network with NMAP with the -sV switch and look for TCP or UDP port 5060 for SIP and TCP port 1720 for H323. I also look for SIP REGISTER messages sent to 220.127.116.11. If I get a hit on one of those, then I run SIPScan to enumerate more info. I used to use SIPsak here, but SIPScan is really a better tool to me. Then I just take a simple SIP-ready phone and try to connect it to the PBX. It is AMAZING how many times this works. If the PBX is outside of the firewall, which in this case is exactly what the config was, I have unlimited access. Other methods include relaying SIP messages, similarly to what is done on an open email relay for spam. SiVus is a great tool for crafting packets to do that. Of course you can also install and config a SIP B2BUA like SIP_Rogue, but it is not for the faint of heart for sure. This tool was coded by VOIP ultra geek Mark Collier. The config is tough and a bit unstable, but when it works, man alive, it is a fantastic tool.
How We Fixed it: Fortunately for us Cisco type folks, CM is config’ed by default to not accept calls from anonymous sources and to accept them only from the pre-config’ed SIP proxy server. However, if you want to double check, or if you are on an older version, then go to the CLI and enter this command set:
interface serial 0/2
ip access-group 111 in
access-list 111 permit udp host <SIP PROXY IP> eq 5060 any
access-list 111 permit udp host <SIP PROXY IP> any eq 5060
access-list 111 permit udp any any range 16384 32767
Your SIP trunk provider also needs to work with your team to let you know when any changes have occurred on their end. Sounds simple, but truthfully, many hacks result from poor communication between the provider and the customer at the CPE end.
Toll fraud is huge and growing faster than weeds in a garden. Take a read of Cisco’s Toll Fraud prevention paper at: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml One of the best defenses against toll fraud is looking at your call records. Telephony systems keep better records than a mad spouse. Things that should immediately trigger suspicion are outbound calls to Cuba. Those are very expensive and very desirable for hackers to resell. Incoming calls from Brazil are also a sign of auto-dialers looking for IVRs (since many do not hang up), as is use of DNIS codes on your end.
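As an added example (my own code, not code from the original post or from Cisco), here is the after-hours policy from Hack 00x01 and the call-record checks from this paragraph turned into one small Python triage script. Everything in it is an assumption for illustration: the CDR column layout and the sample records are constructed, the function names are hypothetical, and the window semantics (a stop time earlier than the start runs into the next morning; equal start and stop blocks the whole day) follow the post's description rather than a verified CME behaviour.

```python
"""Toll-fraud triage over call detail records (CDRs).

Added example, not code from the original post. It encodes the after-hours
toll-restriction policy shown earlier (block patterns 91 and 9011 with the
per-day windows) and applies the call-record checks this paragraph recommends:
toll calls placed during blocked hours, outbound calls to Cuba, and inbound
calls from Brazil. The CDR column layout and every record below are
constructed for this example; real CM/CME CDRs use their own layouts.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, time

# Policy as configured in the post: trunk access code 9, then 1 (long distance)
# or 011 (international). A dialed string is blocked when it starts with a pattern.
BLOCK_PATTERNS = ("91", "9011")

# (start, stop) per weekday. Assumed semantics (matching the post's description,
# not verified against CME): stop earlier than start means the window runs into
# the next morning; start equal to stop means the whole day is blocked.
AFTER_HOURS = {
    "mon": (time(20, 0), time(7, 0)),
    "tue": (time(20, 0), time(7, 0)),
    "wed": (time(20, 0), time(7, 0)),
    "thu": (time(20, 0), time(7, 0)),
    "fri": (time(20, 0), time(7, 0)),
    "sat": (time(10, 0), time(7, 0)),
    "sun": (time(12, 0), time(12, 0)),
}
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")

INTL_PREFIX = "9011"   # access code + international prefix, as in block pattern 2
CUBA_CC = "53"         # country code for Cuba
BRAZIL_CC = "55"       # country code for Brazil


def is_after_hours(when: datetime) -> bool:
    """True if `when` falls inside an after-hours window: today's window, or
    the morning half of yesterday's overnight window."""
    t = when.time()
    start, stop = AFTER_HOURS[DAYS[when.weekday()]]
    if start == stop:                      # all-day block (sun 12:00 12:00)
        return True
    if start < stop:                       # ordinary same-day window
        if start <= t < stop:
            return True
    elif t >= start:                       # overnight window, evening half
        return True
    pstart, pstop = AFTER_HOURS[DAYS[(when.weekday() - 1) % 7]]
    return pstart > pstop and t < pstop    # overnight window, morning half


def is_blocked(dialed: str, when: datetime) -> bool:
    """Would the after-hours policy have refused this outbound dial string?"""
    return is_after_hours(when) and dialed.startswith(BLOCK_PATTERNS)


def triage(cdr_text: str) -> list[tuple[str, list[str]]]:
    """Return (timestamp, [flags]) for every record worth a second look.

    Assumes calling numbers arrive as digits with the country code and no
    leading '+'; carrier caller-ID formats differ, so adapt the prefix test."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        when = datetime.fromisoformat(row["timestamp"])
        flags = []
        if row["direction"] == "out":
            if is_blocked(row["called"], when):
                flags.append("after_hours_toll")
            if row["called"].startswith(INTL_PREFIX + CUBA_CC):
                flags.append("cuba_outbound")
        elif row["direction"] == "in" and row["calling"].startswith(BRAZIL_CC):
            flags.append("brazil_inbound")
        if flags:
            findings.append((row["timestamp"], flags))
    return findings


# Constructed sample records (2008-05-13 is a Tuesday): one clean daytime call,
# two after-hours calls to Cuba, one daytime UK call, late-night and weekend
# toll calls, and a pair of two-second inbound probes from a Brazilian number.
SAMPLE_CDRS = """\
timestamp,direction,calling,called,duration_s
2008-05-13T14:05:10,out,2001,914085551212,95
2008-05-13T21:15:02,out,2017,9011537123456,420
2008-05-14T03:40:33,out,2017,9011537654321,610
2008-05-15T10:02:48,out,2004,9011442071234567,180
2008-05-16T23:59:59,out,2009,912125550100,30
2008-05-17T11:00:00,out,2003,914155550142,45
2008-05-18T09:30:00,out,2003,914155550142,45
2008-05-17T02:11:19,in,5511987654321,18005551000,2
2008-05-17T02:11:25,in,5511987654321,18005551000,1
"""

if __name__ == "__main__":
    for stamp, flags in triage(SAMPLE_CDRS):
        print(stamp, ", ".join(flags))
```

Running it flags the two Cuba calls, the Friday-night, Saturday-morning and Sunday toll calls, and both short Brazilian inbound probes, while leaving the daytime calls alone. One thing the script makes visible: under the window semantics assumed here, nothing covers Monday from midnight to 7 AM, because Sunday's all-day entry does not run into Monday the way the 20:00 to 07:00 entries do. Check how your CME actually treats that before relying on the policy, and fix the data in AFTER_HOURS rather than the logic if its behaviour differs.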
Jimmy Ray Purser
Trivia File Transfer Protocol
Famous South American General Simon Bolivar was not only a serious liberator, he also had the coolest name around; Simon Jose Antonio de la Santisima Trinidad Bolivar y Palacios.