Hacking Exposed™: Unified Communications & VoIP Security Secrets & Solutions, Second Edition

Mark Collier * Dave Endler

Praise for This Book:

“This book is a must-read for any security professional responsible for VoIP
or UC infrastructure. This new edition is a powerful resource that will help
you keep your communications systems secure.”
—Dan York
Producer and Co-Host
Blue Box: The VoIP Security Podcast “The original edition, Hacking
Exposed™: Voice over IP Secrets & Solutions, provided a valuable resource for
security professionals. But since then, criminals abusing VoIP and UC have
become more sophisticated and prolific, with some high-profile cases ringing up
huge losses. This book is a welcome update that covers these new threats with
practical examples, showing the exact tools in use by the real attackers.”
—Sandro Gauci
Penetration Tester and Security Researcher
Author of SIPVicious “Powerful UC hacking secrets revealed within. An
outstanding and informative book. Hacking Exposed™: Unified
Communications & VoIP Security Secrets & Solutions walks the reader through
powerful yet practical offensive security techniques and tools for UC hacking,
which then informs defense for threat mitigation. The authors do an excellent
job of weaving case studies and real-world attack scenarios with useful
references. This book is essential for not only IT managers deploying UC, but
also for security practitioners responsible for UC security.”
—Jason Ostrom
UC Security Researcher, Stora
SANS Institute co-author, SEC540 class
“After reading Hacking Exposed™: Unified Communications & VoIP Security
Secrets & Solutions, I was saddened to not have had this book published years
ago. The amount of time and money I could have saved myself, and my
clients, would have been enormous. Being a professional in an ITSP/MSP, I
know firsthand the complexities and challenges involved with auditing,
assessing, and securing VoIP-based networks. From the carrier level, right
down to the managed PBX level, and everything in between, Hacking
Exposed™: Unified Communications & VoIP Security Secrets & Solutions is a
de facto must-have book. For those learning VoIP security to those heavily
involved in any VoIP-related capacity, this book is worth its weight in gold.”
—J. Oquendo
Lead Security Engineer
E–Fensive Security Strategies
“I have used Hacking Exposed™: Voice over IP Secrets & Solutions as a
guideline for my security audits. The second edition, Hacking Exposed™:
Unified Communications & VoIP Security Secrets & Solutions, includes more
sophisticated attack vectors focused on UC and NGN. The authors describe in
depth many new tools and techniques such as TDoS and UC interception.
Using these techniques, you will learn how can you identify the security
problems of VoIP/UC. This book is a masterpiece.”
—Fatih Ozavci
Senior Security Consultant at Sense of Security
Author of viproy “This book provides you with the knowledge you need to
understand VoIP threats in reality. No doom and gloom, overhyped, never to
happen in the real-world scenarios. You will understand the vulnerabilities, the
risks, and how to protect against them.”
—Shane Green
Senior Voice Security Analyst

e-books shop
e-books shop
Purchase Now !
Just with Paypal



Book Details
 Price
 3.00 USD
 Pages
 656 p
 File Size
 26,911 KB
 File Type
 PDF format
 ISBN
 978-0-07179877-8
 Copyright   
 2014 by McGraw-Hill Education 

About the Author
Mark Collier is the Chief Technology Officer (CTO) and Vice President of
Engineering for SecureLogix Corporation. He is responsible for SecureLogix’s
technology direction, research/development, and engineering. Mark manages the
development of SecureLogix’s enterprise voice, Voice over IP (VoIP), and
unified communications (UC) security solutions.
Mark is actively performing research in the area of VoIP and UC security.
This includes research for evolving threats and development of custom security
assessment tools. He has recently been focused on ongoing telephony denial of
service (TDoS) attacks and defining countermeasures for these issues. Mark has
also been focusing on issues that affect large, critical financial contact centers.
In addition to writing this book, Mark is an author of the SANS VoIP and UC
security course, SecureLogix’s annual “State of Voice Security Report,” and
maintains his widely read blog at www.voipsecurityblog.com.
Mark has been working in the industry for almost 30 years, with the past 20
in networking, security, telecommunications, and VoIP/UC. He is a frequent
author and presenter on the topic of UC and VoIP security, and is a founding
member of the Voice over IP Security Alliance (VoIPSA).
Mark holds a BS degree from St. Mary’s University.
David Endler is the director of product development at AVAST software. David
co-founded Jumpshot, which was acquired by AVAST in 2013. Previously,
David was director of security research for 3Com’s security division,
TippingPoint, where he oversaw product security testing, the VoIP security
research center, and its vulnerability research team.
Prior to TippingPoint, David was the technical director at a security services
startup, iDefense, Inc., which was acquired by VeriSign. iDefense specializes in
cybersecurity intelligence, tracking the activities of cybercriminals and hackers,
in addition to researching the latest vulnerabilities, worms, and viruses. Prior to
iDefense, David spent many years in cutting-edge security research roles with
Xerox Corporation, the National Security Agency, and the Massachusetts
Institute of Technology.
As an internationally recognized security expert, David is a frequent speaker
at major industry conferences and has been quoted and featured in many top
publications and media programs including the Wall Street Journal, USA Today,
BusinessWeek, Wired Magazine, the Washington Post, CNET, Tech TV, and
CNN. David has authored numerous articles and papers on computer security
and was named one of the Top 100 Voices in IP Communications by IP
Telephony Magazine.
David founded an industry-wide group called the Voice over IP Security
Alliance (VOIPSA) in 2005.
David graduated summa cum laude from Tulane University where he earned
a bachelor’s and master’s degree in computer science.

About the Contributor
Brian Lutz is a UC Security Consultant/Senior Developer for SecureLogix. In
this role, Brian has performed UC security assessments on Cisco, Avaya, and
Nortel UC systems. These assessments provided Brian with a unique view into
what vulnerabilities are present in large enterprise UC deployments. Brian
contributed heavily to this book, by updating many chapters and running various
tools to demonstrate vulnerabilities.
Prior to SecureLogix Corporation, Brian spent two years performing security
assessments on emergent technologies for CSC, where he developed skills
related to open-source software and penetration testing. Brian also spent three
years with the Air Force Computer Emergency Response Team (AFCERT),
analyzing traffic and vulnerabilities for the Air Force. Brian started in
telecommunications in 1999 as an operations technician responsible for system
maintenance and performance.
Brian holds a Master of Science degree in Information Technology and a
Bachelor of Arts degree in Interdisciplinary Studies, both from the University of
Texas at San Antonio.

About the Technical Reviewer
Paul Henry is one of the world’s foremost global information security and
computer forensic experts with more than 20 years’ experience managing
security initiatives for Global 2000 enterprises and government organizations worldwide.
Paul is a principal at vNet Security, LLC, and keeps a finger on the pulse of
network security as the security and forensic analyst at Lumension Security.
Throughout his career, Paul has played a key strategic role in launching new
network security initiatives to meet an ever-changing threat landscape. Paul also
advises and consults on some of the world’s most challenging and high-risk
information security projects, including the National Banking System in Saudi
Arabia, the Reserve Bank of Australia, the Department of Defense’s Satellite
Data Project (USA), and both government and telecommunications projects
throughout Southeast Asia.
Paul is frequently cited by major and trade print publications as an expert in
computer forensics, technical security topics, and general security trends, and he
serves as an expert commentator for network broadcast outlets such as FOX,
NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership
articles on technical security issues, and his expertise and insight help shape the
editorial direction of key security publications, such as the Information Security
Management Handbook, for which he is a consistent contributor. Paul serves as a
featured and keynote speaker at seminars and conferences worldwide, delivering
presentations on diverse topics, including anti-forensics, network access control,
cybercrime, DDoS attack risk mitigation, firewall architectures, security
architectures, and managed security services.

Table of Contents
Acknowledgments
Introduction
Part I Casing the Establishment
Case Study: Is There Really Any SIP in the Internet?
Scanning the Entire Internet for SIP Servers
Using the Shodan Search Engine to Locate Internet SIP
Servers
1 VoIP Targets, Threats, and Components
Campus/Internal UC
Session Initiation Protocol and SIP Trunk Threats
Increased Threats from the Public Voice Network
Hosted UC
Summary
References
2 Footprinting a UC Network
Why Footprint First?
UC Footprinting Methodology
Scoping the Effort
Summary
References
3 Scanning a UC Network
Our VoIP Test Bed
Network Host/Device Discovery
ICMP Ping Sweeps
Other ICMP Ping Sweeps
Port Scanning and Service Discovery
Host/Device Identification
UC Phone Scanning and Discovery
Summary
References
4 Enumerating a UC Network
SIP 101
SIP URIs
SIP Architecture Elements
SIP Requests
SIP Responses
Typical Call Flow
Further Reading
RTP 101
Banner Grabbing
SIP User/Extension Enumeration
Enumeration of Other UC Support Services
UC Application-Level Enumeration
Summary
References
Part II Application Attacks
Case Study: A Real-world Telephony Denial of Service (TDoS)
Attack
The Payday Loan Scam
5 Toll Fraud and Service Abuse
Internal Abuse of Unmonitored Phones
Full-Scale Toll Fraud
Summary
References
6 Calling Number Spoofing
Calling Number 101
Spoofing/Masking the Calling Number with an IP PBX
Anonymous Calling
Network Services and Smartphone Apps
Summary
References
7 Harassing Calls and Telephony Denial of Service (TDoS)
Harassing and Threatening Calls
Social Networking TDoS
Automated TDoS
SIP Trunking
Getting Target Numbers
Audio Content
Call Generation
Attack Timing
TDoS Attack Demonstration
Using Virtual Queues
Using Automated DoS to Cover Fraud
Call Pumping
DTMF DoS and Fuzzing
Summary
References
8 Voice SPAM
Understanding Voice SPAM
The FTC Robocall Challenge
Other Types of UC SPAM
Summary
References
9 Voice Social Engineering and Voice Phishing
Voice Social Engineering
Voice Phishing
Anatomy of a Traditional Email-based Phishing Attack
Summary
References
Part III Exploiting the UC Network
Case Study: The Angry Ex-Employee
10 UC Network Eavesdropping
UC Privacy: What’s at Risk
TFTP Configuration File Sniffing
Number Harvesting
Call Pattern Tracking
Conversation Eavesdropping and Analysis
First, Gain Access to the UC Traffic
Compromising a Network Node
Now That We Have Access, Let’s Sniff!
Summary
References
11 UC Interception and Modification
ARP Poisoning
ARP Poisoning Attack Scenario
Application-Level Interception Techniques
How to Insert Rogue Applications
SIP Rogue Application
Summary
References
12 UC Network Infrastructure Denial of Service (DoS)
Call and Session Quality
Measuring UC Call Quality
Network Latency
Jitter
Packet Loss
UC Call Quality Tools
What Are DoS and DDoS Attacks?
Flooding Attacks
Network Availability Attacks
Supporting Infrastructure Attacks
Summary
References
13 Cisco Unified Communications Manager
Introduction to the Basic Cisco UC Components
IP PBX and Proxy
Hard Phones
Softphones
Voicemail
Switches and Routing
Communication Between Cisco Phones and CUCM with
SCCP
Basic Deployment Scenarios
Network Reconnaissance
Sniffing
Scanning and Enumeration
Exploiting the Network
Summary
References
Part IV UC Session and Application Hacking
Case Study: An Attack Against Central SIP
14 Fuzzing, Flooding, and Disruption of Service
Access to SIP and RTP
What Is Fuzzing?
Vulnerabilities 101
Who’s Fuzzing?
Flooding
Summary
References
15 Signaling Manipulation
Registration Manipulation
Registration Removal
Registration Addition
Registration Hijacking
Redirection Attacks
Session Teardown
SIP Phone Reboot
Other Signaling Manipulation Tools
Summary
References
16 Audio and Video Manipulation
Media Manipulation
Audio Insertion and Mixing
Video Dropping, Injection, and DoS with VideoJak and
VideoSnarf
Media “Steganophony”
Summary
References
17 Emerging Technologies
Other Enterprise UC Systems
Microsoft Lync
Over-the-Top (OTT)/Internet Softphone Applications
Skype
Mobility and Smartphones
Security
Other Forms of Communications
Video
Text Messaging
Messaging
Enterprise Messaging
Social Networking
Bring Your Own Device (BYOD)
Security
The Cloud
Hosted UC
Security
WebRTC
Security
Summary
References
Index


Bookscreen
e-book shop

Why This Book?
This book is written in the tradition of the Hacking Exposed™ series. Many
potential UC security threats and attack algorithms described here are little
known and were fine-tuned as the book was written. Even for those who read the
first edition, you will find eight entirely new chapters, with the other nine
updated with new tools, techniques, and results. A major focus of this book is on
application security issues, which are those that target “voice” and can occur on
any type of voice, VoIP, or UC network. These attacks all have a financial or
disruption incentive behind them and represent those that enterprises are really
experiencing on a day-to-day basis. This information was drawn from working
with hundreds of enterprise customers. Also, most of these attacks originate
from the untrusted voice network, so they are generally safe and anonymous to
execute. Why spend time securing an obscure vulnerability when you leave a
gaping hole that an attacker could exploit in your enterprise for hundreds of
thousands of dollars?
The book also covers many attacks that can be executed inside a UC network.
To demonstrate these attacks, we set up a robust lab consisting of commercial
and open-source IP PBXs and as many devices as we could get our hands on. 
We demonstrate the issues on a wide variety of network equipment and underlying
protocols, for both Cisco (the market leader in networking and UC) and SIPenabled systems.

Who Should Read This Book
Anyone who has an interest in UC and VoIP security should read this book. The
material in the book is especially relevant to enterprise IT staff responsible for
designing, deploying, or securing enterprise UC systems. IT staff responsible for
voice contact centers will also greatly benefit from reading this book, because
some of the attacks are unique and/or particularly disruptive for this part of the
enterprise. The information in the book is also applicable to service providers and

The Basic Building Blocks: Attacks and Countermeasures
As with Hacking Exposed™, the basic building blocks of this book are the
attacks and countermeasures discussed in each chapter. The attacks are
highlighted here as they are throughout the Hacking Exposed™ series.
Loading...
DMCA.com Protection Status