VoIP Security Testing Tools
VoIP security testing is not only about fuzzing. Therefore, I will next give you a brief overview of the different security auditing tool categories listed on the VOIPSA web pages ( http://www.voipsa.org/Resources/tools.php ). All these tools look at different aspects of security in VoIP. Some of them are really just proof-of-concept exploitation tools, only good for customer demonstrations where the seriousness of the issues needs to be explained.
VoIP Sniffing Tools are just that: network analyzers that understand VoIP protocols. These tools will discover bad password handling, providing you with pairs of user names and passwords of VoIP users. Some of them will reconstruct media streams into audio files, enabling you to easily eavesdrop on ongoing calls. These are mainly useful only for demo purposes, as any VoIP-aware security engineer will immediately catch the same weakness by just looking at the traffic captures.
VoIP Scanning and Enumeration Tools will scan a VoIP network to detect VoIP-enabled devices, sometimes automatically performing simple attacks such as password brute-force attacks. Some of these tools will try to enumerate details of the discovered VoIP devices, including known vulnerabilities inferred from the version details.
VoIP Packet Creation and Flooding Tools will send VoIP messages to the end-points, either trying to cause a denial of service or just to annoy the recipients of the messages. These can actually be a very good alternative to expensive stress-testing or performance-testing frameworks. Some of these tools can help in crafting specific test cases or message sequences.
VoIP Fuzzing Tools will either automatically generate a huge number of tests to crash a VoIP device, or act as modeling frameworks that let you design your own fuzzers for VoIP. An intelligent fuzzer will systematically go through all VoIP and IMS specifications, augmenting each protocol element with inputs that are known to cause problems. A random fuzzer will just mutate a captured VoIP stream and, with luck (a lot of it), break it in unexpected ways.
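The difference between the two fuzzer styles is easiest to see side by side. The following is an added example and not code from the original post: a tiny generation-based fuzzer (every header gets every anomaly) next to a byte-flipping mutation fuzzer, both run against a hypothetical, deliberately fragile SIP parser that stands in for a vendor stack, with a harness that records which cases raised. The SIP template, anomaly list and parser are all constructed for the example.

```python
import random
# Constructed SIP INVITE template (documentation addresses, not a real capture).
SIP_TEMPLATE = {
    "request_line": "INVITE sip:bob@example.com SIP/2.0",
    "Via": "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776",
    "From": "Alice <sip:alice@example.com>;tag=1928301774",
    "CSeq": "314159 INVITE",
    "Content-Length": "0",
}
# Inputs known to upset parsers; an intelligent fuzzer plugs each one into every element.
ANOMALIES = ["", "A" * 4096, "%n%n%n%n", "\x00", "\u00fc" * 64, "-1", "9" * 20]
def render(fields):
    head = [fields["request_line"]] + [f"{k}: {v}" for k, v in fields.items() if k != "request_line"]
    return "\r\n".join(head) + "\r\n\r\n"
def generation_cases(template):
    """Intelligent fuzzer: one case per (protocol element, anomaly) pair, fully systematic."""
    for name in template:
        for anomaly in ANOMALIES:
            case = dict(template)
            case[name] = anomaly
            yield f"{name}<-{anomaly[:6]!r}", render(case)
def mutation_cases(message, count, seed=0):
    """Random fuzzer: flip a few bytes of a captured message; what it hits is down to luck."""
    rng = random.Random(seed)
    raw = message.encode("latin-1")
    for i in range(count):
        buf = bytearray(raw)
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        yield f"mutation-{i}", buf.decode("latin-1")
def parse_sip(message):
    """Hypothetical device-side parser standing in for a vendor stack (not real product code)."""
    head, _, _body = message.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, value = line.split(":", 1)          # a line without a colon raises ValueError
        headers[name.strip()] = value.strip()
    seq, method = headers["CSeq"].split(" ", 1)   # CSeq without a space raises ValueError
    return request_line, int(seq), method, int(headers["Content-Length"])  # non-numeric raises
def run_campaign(cases):
    """Feed each case to the parser; return ids of the cases that raised (crash candidates)."""
    failures = []
    for case_id, msg in cases:
        try:
            parse_sip(msg)
        except Exception:   # any uncaught exception is a crash candidate worth reporting
            failures.append(case_id)
    return failures
```

Running `run_campaign(generation_cases(SIP_TEMPLATE))` reports every CSeq and most Content-Length anomalies on the first pass, while `run_campaign(mutation_cases(render(SIP_TEMPLATE), 200))` only finds whatever the random flips happen to hit; that reproducibility is what makes the generation approach useful in a vendor's QA pipeline.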
VoIP Signaling Manipulation Tools are simple tools that re-create common mistakes in message signaling. They typically either blindly inject brute-forced messages into existing calls, or, based on captured VoIP traffic, send spoofed messages (impersonating either party to the call) to reach the desired result. With these tools, calls can be redirected or disconnected, or the quality of the call can be impacted.
VoIP Media Manipulation Tools are similar to the above, but target the media streams. Audio streams can be injected into existing calls. Media protocols can also be used to transfer files, or even to provide shell access to the target system (the unauthorized stream would look like a valid VoIP call to anyone analyzing it).
Other tools in the Miscellaneous category include password brute-forcing tools, which try a range of passwords in an attempt to guess the correct one. In this category you can also find specific exploitation tools for some vulnerabilities, and tools that walk you through a question-and-answer checklist against a predefined security policy.
Word of warning
Building a VoIP penetration test around the availability of tools alone will limit the scope of the assessment. Although tools such as those listed above are easily available, the tools need to be chosen based on the assignment, not the other way around. In the past, a security assessment almost always required that the consultant build proprietary tools. Today you can find a range of tools for almost every need, and often you will also find commercial options for many of the open source proof-of-concept tools. Note that the tools will often blind you. Let's look at two examples.
A packet crafting tool can make it easy to create SIP message sequences, and enable you to change the packet structures in each message. Still, other protocols also need evaluation. A security assessment built around SIP mutations will leave a wide number of other protocols outside the scope. The tool should be used to make tests faster to create, not to limit the tests. Thorough analysis of the target system is always required, and even if you decide to focus on only one or two protocols with deeper analysis, you should also let the customer know what was not tested. This can actually give you new consulting opportunities in the future.
Both fuzzing tools and scanning tools are always snapshots in time. A tool that was developed years ago might not be the right choice for your current task. Understanding the limitations of the tools can help you pick the right tool for each task. A free tool such as PROTOS can be the right choice if the goal is to find one flaw as a proof-of-concept, whereas a commercial solution can provide much better test coverage, but at a price. Give the customer some choices, and let them decide what they really need, instead of getting stuck using a standard toolkit for every assignment.
Complexity killed the consultant
Don't be scared of VoIP assessments. VoIP is really interesting and simple to understand. There is nothing complex in a carefully built VoIP infrastructure (well, IMS is a different story, I promise to talk about that later).
The know-how for VoIP security is easily available. There are several good books about VoIP security, written by numerous experts in both breaking the networks and securing them. I am a bit biased having authored one of them, but (if asked) I could do a quick analysis of the different books and their pros and cons later here in this blog.
The tools are there. VoIP security testing tools have been developed by both the security community and also by commercial security companies. And they are extremely easy to use. Again, if some of you so desire, I could do a more detailed analysis of one or two tool categories here later on.
VoIP security is both a business opportunity for consultancies and an enabler that will speed up the adoption of VoIP. Without building security into VoIP deployments, the end-users will stay away from the technology. We are still at a phase where we need to build customer confidence in VoIP.
The quality of VoIP solutions is still really poor. It is extremely easy to crash most VoIP solutions with even the simplest fuzzers. What does this tell you? It just means that some poor manufacturer STILL does not use any form of fuzzing in their quality assurance process. A simple flaw like the one shown above should be caught in every penetration testing assignment. We still need to educate the vendors in proactive security practices, and what better way is there than arming their end-customers with information on the real reliability of the devices they use.