
Praise for Hacking Exposed: Unified communications & VoIP Security Secrets & Solutions, Second Edition (2014)

PART I. CASING THE ESTABLISHMENT

CHAPTER 2. FOOTPRINTING A UC NETWORK

An investment in knowledge pays the best interest.

—Benjamin Franklin

We should all be familiar with the principles of investing as pertaining to money, but investing in knowledge about a UC network prior to an attack can provide the information necessary to hack successfully. Although making investments and hacking a UC network are very different activities, success in each will depend on solid reconnaissance and research well before either ever begins. By their very nature, unified communications and the Voice over Internet Protocol illustrate the convergence of the phone network and the Internet. Within this intersection of voice and computer networking we are seeing the exploitation of vulnerabilities particular to UC as well as the traditional avenues of attack. Much like Internet technology, UC devices by technical necessity are advertised and exposed on IP networks in many ways, thus allowing hackers an easier time of finding and exploiting them.

All well-executed hacking projects begin with “footprinting” the target (also known as profiling or information gathering), and UC hacking is no different. A footprint is the result of compiling as much information about the target’s UC deployment and security posture as possible. This initial approach can be easily compared to the way a modern military studies intelligence reports and satellite imagery before launching a major offensive against an enemy. Leveraging all of the available intelligence allows a general to maximize his troops’ effectiveness by strategically aiming at holes in his enemy’s defenses the same way leveraging all available data about a specific network can maximize a hacker’s effectiveness.

This chapter focuses on a variety of simple techniques and publicly available tools used for gathering information about an organization’s UC security posture from the perspective of an external hacker. Footprinting is the first step in the hacker methodology that feeds activities such as scanning and enumeration, which are described in the next chapters.

Why Footprint First?

Most enterprises are amazed at the volume of sensitive details available in the public domain, waiting for any resourceful hacker who knows how and where to look for them. As the number of enterprise UC installations increases, the hacker’s potential targets (such as phones, UC gateways, call centers using UC, and enterprises using SIP trunks) also increase. It is not just larger enterprises that are deploying UC solutions; hosted UC is also making inroads into small and medium-sized businesses. With the proliferation of UC, one thing is certain: as the number of installations increases, the available targets for potential attackers also increase.

Footprinting is one of the most important parts of the assessment methodology in that it provides the baseline research necessary to determine what you are examining, how you might be able to gain access, and whether there are any other areas where your target network is exposed. One of the best things about footprinting is that because you are not actually touching the network, you can take as much time as necessary to find the information you need. One consideration in the footprinting phase is that you can easily become overwhelmed with the amount of information you uncover due to the volume of data available. You will have to determine what is or isn’t valuable, which can be hard to do in the beginning. The first step in assessing your own external security posture is finding out what information potential attackers may already know about you.

It’s clearly in a hacker’s best interest to gain as much information about the supporting infrastructure as possible before launching an attack. Often, the easiest way to compromise a UC enterprise system is not to go directly for the UC application itself, but instead for a vulnerable component in the supporting infrastructure, such as a voice gateway or web server. Why would an attacker bother spending time brute forcing a password in the UC voicemail system’s web interface when the Linux system it runs on still has a default root password? Simply researching the nuances of a UC deployment and its dependent technologies ahead of time can drastically save a hacker time and effort.

UC Footprinting Methodology

The 2011 CSI/FBI Computer Crime and Security Survey indicated that although insider abuse is declining [1], it is still a considerable threat to the enterprise. Insiders are typically those people who already have some level of trusted access to an organization’s network, such as an employee, contractor, partner, or customer. Obviously, the more trust an organization places in someone on the inside, the more damaging the impact of any malicious actions will be.

For the purposes of this chapter on footprinting, the UC hacker’s perspective will be completely external to the targeted organization. In other words, he is neither a disgruntled employee who has intranet access nor an evil system administrator who already has full run of the network. You can safely assume, though, that the hacker’s first order of business is to remotely gain internal access in order to launch some of the more sophisticated attacks described later in this book. Although it can often be trivial for a hacker to gain inside access, footprinting still reaps rewards by helping to fuel some of the more advanced UC attacks discussed in later chapters.

Scoping the Effort

UC deployments vary significantly in how and where they are deployed. Whether located at one site or multiple locations, using centralized SIP or TDM trunks, or even spread across multiple regions with users making calls from the office, home, and the road, every deployment has UC security as an important factor. UC technology is flexible enough to be deployed in many scenarios, so the goals of your assessment efforts must be defined well before any work begins.

Defining the scope of assessment designates what will be examined and provides a way to measure the assessment’s success or failure based on whether the criteria described in the scope have been met. When defining the scope, ensure that all of the infrastructure appropriate to the UC assessment is covered. If the goal of these hacking simulations is to secure the UC services at your main headquarters’ UC PBX, it would be a pointless exercise if you completely overlooked the security holes in your branch offices, because they could provide a backdoor to the headquarters.

A task related to defining the scope of the assessment is ensuring that you have written authorization to perform all of the tasks defined as part of the assessment. Written authorization provides a clear definition of the scope of the assessment in addition to providing the necessary permission to the person doing the assessment to perform the related tasks. Although written authorization is not as important in the footprinting phase of the assessment (because you’re not actually touching the targeted network), it can be critical during the scanning and enumeration phase, where these actions can be considered illegal and subject to prosecution.

It’s often hard to discern UC security dependencies ahead of time. Footprinting will often paint no more than a partial network picture despite the time and effort put into the research. It can also raise more questions than answers, but it can still provide information vital to the assessment. The goal of the footprinting phase is to become an expert on the target enterprise’s external-facing information. Remember, assessing a UC network is a process, and each part of the process is designed to build a more complete picture, one step at a time.

Public Website Research


A corporation’s website can often provide a wealth of information. This information is typically regarded as benign because its main purpose is to help promote, educate, or market to external visitors. Unfortunately, this information can also aid attackers by providing important contextual information required to social engineer their way into your network. The following classes of data can provide useful hints and starting points for a hacker to launch an attack:

• Organizational structure and enterprise locations

• Help and tech support

• Job listings

• Phone numbers and extensions

Organizational Structure and Enterprise Locations

Identifying the names of high-ranking people in an organization may prove helpful in guessing usernames, social engineering for other bits of information, or even providing potential targets for TDoS attacks later in the assessment. Most enterprises and universities provide a “Corporate Information” or “Faculty” section on their website, like the one shown in Figure 2-1, which provides contact information for everyone in the Office of the President. The enterprise website is also a target-rich environment for Google hacking techniques, which will be discussed later in this chapter.


Figure 2-1 A few names to get started

In addition to the targeted corporation’s own website, other websites exist specifically to provide information on an organization. Hoover’s Online is a paid service that provides data about an organization, including location, address, phone numbers, website, and customer information, with further detail available for a subscription fee. Other sites such as Business.com and Superpages.com can also provide basic information about an organization. If those sites can’t produce the information needed, there are many others that can.

Publicly traded enterprises are required to disclose specific information under the Sarbanes-Oxley Act of 2002. Financial statements are typically issued on a routine schedule (every quarter, for example). Beyond the financial data itself, these statements may contain information such as the names of executive staff or shareholders that could be useful later in the assessment. In addition to financial statements, there are of course websites that provide information about publicly traded enterprises. One is the Securities and Exchange Commission’s (SEC’s) Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). EDGAR has a searchable database of the financial and operational information found in registration statements, prospectuses, periodic reports, and other recent enterprise events reported to the SEC.

News and periodical articles can also be a useful source of information and can indicate partnerships, major organizational purchases (such as a UC phone system, for example), and other news about what is happening within an organization. Websites such as Google News, Dogpile, and the Business Journal Tracker can provide articles about the targeted organization with data that can aid in gaining access. These articles can contain information on partnerships, equipment sales, pending products, or essentially anything that can be useful further in the assessment.

Location information for branch offices and enterprise headquarters is useful in understanding the flow of traffic between UC call participants. This information is also useful for finding locations to get within range of an office building to attack the UC traffic going over wireless networks. Numerous online satellite imaging tools are available from multiple online sources. Most search engines, such as Google, Yahoo!, and Bing, also provide mapping services to aid even the most directionally challenged hacker. An example of the satellite imaging tools from Google is shown in Figure 2-2.


Figure 2-2 Google (http://local.google.com) can help locate targets in any town.

Help and Tech Support

Some sites—typically larger enterprises and universities—will offer an online knowledgebase or FAQ for their UC users. The FAQs often contain gems of information, including phone type, default PINs for voicemail, and remotely accessible links to web administration, as seen in Figure 2-3.


Figure 2-3 Here, a hacker can figure out where the online voicemail system is installed.

After performing some simple searches, it is easy to find UC-related FAQs on the Web, like in Figure 2-4. You can see that a Cisco IP Phone 7960 is being used throughout the Harvard campus community.


Figure 2-4 A brief overview of Harvard’s UC offering

As an administrator, you may ask yourself, “Why should I care?” The answer is, because a hacker can cross-reference this juicy bit of information against several free online vulnerability databases to find any security holes. Sure enough, under the listing for Cisco IP Phone 7960, SecurityFocus.com tells us about several previously discovered vulnerabilities for this device with information on how to exploit each issue (see Figure 2-5).


Figure 2-5 SecurityFocus catalogs a good collection of vulnerabilities for a variety of products, including the Cisco IP Phone 7960.

Even though the university makes sure to patch all of these phones with the latest firmware, it’s possible that a hacker may encounter the device that escaped an administrator’s attention. The ongoing challenge of keeping UC devices and infrastructure updated with the latest firmware is covered in Part III of this book.

Job Listings and Social Networking Websites

Job listings on enterprise websites contain a treasure trove of information on the technologies used within an organization. For instance, the following snippet from an actual job posting for a “Senior UC Network Engineer - UC Engineer - Avaya” shows Avaya UC systems are in use at this company.

Required Technical Skills:

UC Engineer, Routing/Switching/Firewalls, UC/SIP, Avaya, Avaya Contact Center Applications, Avaya Communications Manager, Avaya Session Manager, Avaya G860, TDM/PSTN networks, Call Routing Analysis

Social networking websites are an additional source of information on enterprises and the people who work for them. It’s quite easy to go to a professional networking site such as LinkedIn, search for a company’s name and some keyword such as “UC,” and then examine the resumes in the results to find out what equipment is in use within the organization. Results on one site can be easily cross-referenced on another. If you are able to find employee information on a professional networking site about the targeted organization, social networking sites such as Facebook and Twitter may have additional information if some of the employees have an account. When you have compiled a list of employees, you can examine the information they have shared about themselves, which can then be used to create phishing or vishing attacks with enough personal information that the user won’t be able to resist. There are many social and professional networking sites, and it is amazing what kind of information people will share about themselves and where they work.

Phone Numbers and Extensions

Finding phone numbers on the enterprise website won’t reveal much about any potential UC systems in use. However, compiling a profile of the internal workings of numbers and extensions will be helpful later in the assessment, especially for voice application attacks. Discovering the toll-free, contact center, help desk, and executive numbers as well as fax numbers and perhaps even a user directory will yield targets for social engineering, TDoS, vishing/phishing, SPIT, toll fraud, and/or other attacks. Finding these numbers requires a little creativity while performing some web searches. For instance, some branch offices typically have the same one- or two-number prefix that is unique to that site. An easy way to find many of the numbers you’re looking for on the website is to use Google with the following search parameters:


This search returns multiple pages with a telephone number in the format XXX-XXXX. To further refine your search, you can simply add an area code if you’re looking for a main switchboard or the prefix for a toll-free number, as seen here:


After the modification is made to the search for a toll-free number in a specific website, only three hits are returned. Finding the toll-free number may not be significant by itself, but using the toll-free number in conjunction with an automated TDoS attack will create a significant negative impact on the enterprise.

Public websites generally have contact information readily available, depending on the industry. Most enterprises within the financial and service industries will prominently display all of the ways customer service can be reached, as shown in Figure 2-6. Politicians, elected officials, enterprise executives, and other people in the public eye may have contact information available in order to stay close to the people they represent. This need for easy availability can also make them targets of TDoS, social engineering, and harassing call attacks.


Figure 2-6 A few simple web searches provide all of the customer service numbers at a popular bank.

Some enterprises may not want voice contact information other than email available for communication, but creative searches on an enterprise’s website and on the Web will eventually yield some results. For example, one way you can locate a hard-to-find customer support number is to perform a Google search like this one:


If this search doesn’t provide what you’re looking for, try replacing “customer service” with “contact” or other terms that may be appropriate for the targeted site.

Direct inward dial (DID) numbers allow voice users within an organization to have their own line routed directly to their desk. DID numbers also provide ways to target specific individuals directly at their desk, thus facilitating voice application attacks such as vishing and harassing calls. Finding the range for DID numbers can be as easy as looking at the contact information on the enterprise website and being able to determine that the exchange parts of the phone numbers are similar (say, for example, all of them use “222”) or by searching with the following parameters:


Enterprise fax numbers provide another juicy target for attackers. Fax numbers are often listed in the contact information for the website, but if they are not, it’s often very easy to find them. Performing the following search will list every page where “fax” is mentioned in the site on which the search is performed:


We performed this search using a well-known financial institution as the targeted website and got over 100 numbers that can be used for application-level attacks.
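The number hunting just described is easiest to defend against by running it on your own pages first. The following Python script is an added example, not code from the book: it pulls NANP-style direct, toll-free, and fax numbers out of page text and groups the direct numbers by area code and exchange to reveal the same DID blocks a searcher would infer. The sample HTML, every number in it, and the helper names are constructed for illustration.

```python
"""Audit your own web pages for exposed phone, toll-free, fax, and DID
numbers (added example, not from the book). The sample HTML, the numbers
in it, and the helper names are constructed for illustration."""
import re
from collections import defaultdict

# Constructed "Contact Us" page; all numbers are fictional 555 numbers.
SAMPLE_HTML = """
<h2>Headquarters</h2>
<p>Main switchboard: (555) 222-1000</p>
<p>Help desk: 555-222-1050 &nbsp; Fax: 555-222-1099</p>
<p>Investor relations: 555.222.1120</p>
<p>Customer service: 1-800-555-0199 (toll free)</p>
<h2>Branch office</h2>
<p>Reception: 555-333-4400, fax 555-333-4401</p>
"""

# NANP numbers in common written forms: (555) 222-1000, 555-222-1000,
# 555.222.1000, 1-800-555-0199. An optional leading "1" country code is allowed.
PHONE_RE = re.compile(
    r"(?:\b1[-. ]?)?\(?(?P<npa>\d{3})\)?[-. ]?(?P<nxx>\d{3})[-. ]?(?P<line>\d{4})\b"
)
# Toll-free area codes assigned in the NANP.
TOLL_FREE_NPAS = {"800", "833", "844", "855", "866", "877", "888"}


def classify(line, match):
    """Label a match as toll-free, fax, or direct. The fax test looks only at
    the few characters before the number, so two numbers on one line are
    labelled independently."""
    if match.group("npa") in TOLL_FREE_NPAS:
        return "toll-free"
    context = line[max(0, match.start() - 25):match.start()]
    if re.search(r"\bfax\b", context, re.IGNORECASE):
        return "fax"
    return "direct"


def extract_numbers(text):
    """Return one dict per number found: normalized number, prefix, and kind."""
    found = []
    for line in text.splitlines():
        for m in PHONE_RE.finditer(line):
            found.append({
                "number": f"{m['npa']}-{m['nxx']}-{m['line']}",
                "prefix": f"{m['npa']}-{m['nxx']}",
                "kind": classify(line, m),
            })
    return found


def did_ranges(numbers):
    """Group non-toll-free numbers by area code + exchange. Two or more
    numbers behind one prefix usually mean a DID block; the span between the
    lowest and highest line number is what vishing or TDoS calls would target."""
    by_prefix = defaultdict(list)
    for n in numbers:
        if n["kind"] != "toll-free":
            by_prefix[n["prefix"]].append(int(n["number"][-4:]))
    return {p: (min(v), max(v), len(v)) for p, v in by_prefix.items() if len(v) >= 2}


def audit(text):
    """Counts per kind plus the DID ranges: the shape of a short exposure report."""
    numbers = extract_numbers(text)
    counts = defaultdict(int)
    for n in numbers:
        counts[n["kind"]] += 1
    return {"counts": dict(counts), "did_ranges": did_ranges(numbers)}


if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    for kind, n in report["counts"].items():
        print(f"{kind}: {n}")
    for prefix, (lo, hi, n) in report["did_ranges"].items():
        print(f"DID block {prefix}-{lo:04d} .. {prefix}-{hi:04d} ({n} numbers seen)")
```

Point it at saved copies of your contact, support, and branch pages; a single prefix with many numbers behind it is the block to reconsider publishing in full.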

Once you have what appears to be a few main switchboard numbers, you can then try calling them after normal business hours. Most UC systems include an automated attendant feature that can answer calls during or after hours with a prerecorded message. Although not an exact science, many of these messages are unique to each UC vendor in wording and voice. Simply by listening to the factory default main greeting, hold music, or voicemail messages, a hacker can sometimes narrow down the type of system running. We have included some recorded transcripts and messages on the book’s website (www.voipsecurityblog.com) to assist you. For instance, the open-source Trixbox project built on Asterisk (www.trixbox.org) will respond to a missed call by default with a female voice that says, “The person at extension X-X-X-X is unavailable. Please leave your message after the tone. When done, please hang up or press the pound key. [Beep.]”

Public Website Countermeasures

As discussed earlier, most of the information on a public website is likely benign in nature until a hacker starts to connect the dots. In practice, the preceding information is often very difficult and unreasonable to police, especially because website authors update this information frequently. The best advice is to limit the amount of technical system information in job descriptions and online help pages (including default passwords).

Google UC Hacking


One of the greatest benefits and biggest security risks of Internet search engines is their massive potential for unearthing the most obscure details on the Internet. Entire books have been written on the subject of hacking using search engine technology, including Google Hacking for Penetration Testers, Volume 2, by Johnny Long, published by Syngress [2]. There are also tools such as SearchDiggity by Stach & Liu, as well as websites such as the Google Hacking Database (www.exploit-db.com/google-dorks/), all of which are devoted to the art of leveraging search engines to provide information that can be used for hacking. When footprinting a UC network, a hacker can utilize search engines in many ways by simply exercising the advanced features offered by a service such as Google. Other search engines, such as Yahoo! and Bing, may yield different results and are always worth checking. Targeting the following categories of search results often provides rich details about an organization’s UC deployment:

• UC vendor press releases and case studies

• Resumes

• Mailing lists and local user group postings

• Web-based UC logins

UC Vendor Press Releases and Case Studies

When UC vendors have obtained permission to do so, some of them will issue a press release about a big sales win, usually including a quote from the customer. Additionally, many UC vendor sites include case studies that sometimes go into detail about the specific products and versions that were deployed for a customer. Confining your search to the UC vendor’s site might hit pay dirt with such a case study. In Google, for example, try typing the following:


Resumes

In the same way that job descriptions are chock full of potentially useful information for a hacker, so too are resumes. Some creative search terms can unearth particularly useful bits of information from resumes, such as:

Over 5 years’ experience in Design, Deployment, and Management of Cisco Unified Network Infrastructure, including Data, Voice, and Wireless Technologies.

Operate and maintain CS2100 network for Avaya’s Hosted UC solution, including user configuration, call routing, and trunking.

A Microsoft Most Valuable Professional (MVP) and a Senior Infrastructure Consultant for Microsoft Messaging, Unified Communications, and Cloud Computing (Virtualization) solutions, with more than 8 Years of Information Systems Planning, Designing, Implementing, and Managing experience.

Mailing Lists and Local User Group Postings

Today’s technical mailing lists and user support forums are invaluable resources to a network administrator trying to learn about UC technology for the first time. Often, an administrator with the best of intentions will reveal too many details in order to elicit help from the online community. In some cases, a helpful administrator may even share his configuration files publicly in order to teach others how to enable a certain hard-to-tune feature. For instance, the following example reveals what type of UC PBX is in use, as well as the type of handsets being employed:

We’ve just installed a BCM450 with 1220 and 1230 handsets. According to the manual, there should be a nice large range of options and sub menus when you press the services key. All we see though are the list of features set up in the BCM450 under “telephony/global settings/IP terminal features”. The button is programmed with “F*900”. What can I do to bring it back to show all of the menus that are in the user guide? Also, is there a list provided somewhere from Avaya of possible feature codes? I can’t find it anywhere.

National and local user conferences are typically attended by enterprises using those vendors’ systems. Although the conference proceedings are often restricted to paying members of the group, sometimes free online materials and agendas are available that may help with footprinting. As a starting point, aim your search engine at one of the following good user-group sites:


Web-based UC Logins

Most UC devices provide a web interface for administrative management and for users to modify their personal settings (voicemail, PIN, and forwarding options, among others). These systems should generally not be exposed to the Internet, in order to prevent password brute-force attacks—or, worse yet, exposure of a vulnerability in the underlying web server. Since the first edition of this book, the number of UC installations exposed to the web has decreased; however, search engines still make it easy to find these types of sites. For instance, many Cisco Unified Communications Manager (CUCM) installations provide a user options page that is accessible at https://<Unified CM-server-name>:{8443}/ccmadmin/showHome.do [3].

Typing the following into Google will uncover some CUCM installations exposed to the Internet:


And here’s how to refine your search to a particular target type:


Many Cisco IP phones come installed with a web interface that is also handy for administration or diagnostics. Type the following into Google:


Some of these web interfaces are also exposed to the Internet and reveal extremely useful information (such as non-password-protected TFTP server addresses) when clicking the Cache link, as shown in Figure 2-7.


Figure 2-7 The network settings for a phone exposed to the Internet, including IP addresses for TFTP servers, the CallManager server, and the router

The popularity of video conferencing has increased significantly over the last several years, due in part to the proliferation of high-speed data networks, lower equipment costs, and the savings from reduced travel. As use of any specific technology increases, the potential to find and exploit it also increases. Here are some sample Google searches for finding video systems:


Note

Some more general search terms for network devices can be found in the Google Hacking Database (GHDB) project mentioned previously or at www.exploit-db.com/google-dorks/. We have also uploaded a collection of popular Google UC hacking terms to our website, www.voipsecurityblog.com.

In addition, here is a sampling from our online collection of other web-based UC phone and PBXs that can be found with Google:


Snom phones include a potentially dangerous “feature” called PCAP Trace, available on several of the IP phones. If the phone is left in a non-password-protected state, anyone can connect with a web browser and start to sniff traffic. This is especially dangerous if the phone is connected to a hub with other users!

Another search engine worth noting is Shodan (www.shodanhq.com). Shodan was developed by John Matherly and can be very useful to security researchers by providing information about exposed systems. The tool limits searches based on membership but can provide substantial results on specific queries. Whereas Google searches URLs, Shodan searches IP addresses and finds all the devices connected to the Internet such as routers, traffic cameras, or, best of all, UC devices.

Try some popular searches and you will be astounded with the number of devices that are returned, or you can try your own search criteria. You can also filter the results based on the exposed service and geographic location. For example, searching for “snom” produced 11,393 results, and searching for “snom 320” produced 94. Searching for “cisco 7940” produced 441 results, although searching for “cisco 7940” in the United States only returned 149. The tool’s output includes the IP address of the device and sample header information from the connection.

Google Hacking Countermeasures

All of the previous Google hacking examples can be confined to your organization simply by adding your company name to the search or adding a site search directive to your search space (for example, site:mycompany.com). Being able to find exposed web logins proactively for UC devices can remove a lot of low-hanging fruit from hackers. At the very least, you should change the default passwords for any UC web logins that need to be Internet accessible. For the most part, however, there’s no good reason why a phone or PBX has to be exposed to the Internet.

There are even services that will monitor this for you. Organizations such as Cyveilance (www.cyveilance.com) send daily, weekly, or monthly reports of your online public presence, including your “Google hacking” exposure.

WHOIS and DNS Analysis


Every organization with an online presence relies on DNS in order to route website visitors and external email to the correct places. DNS is the distributed database system used to map hostnames to IP addresses (and IP addresses back to hostnames). In addition to DNS, the following regional public registries manage IP address allocations:


Most of these sites support WHOIS searches, revealing the IP address ranges that an organization owns throughout that region. For instance, going to ARIN’s website and searching for “Tulane” produces the following results:


Notice that several IP address ranges are listed toward the bottom of the query results that can offer a hacker a starting point for scanning, which is mentioned in the next chapter. The more interesting range seems to be 129.81.x.x. WHOIS searches won’t always provide all of the IP ranges in use by an organization, especially if they outsource their web and DNS hosting. Instead, you can do a WHOIS lookup on a DNS domain itself rather than the organization name. Most *nix systems support the use of the whois command:


Alternatively, several websites offer a free WHOIS domain lookup service that will resolve the correct information regardless of country or the original DNS registrar. Going to www.allwhois.com gives us the following:


After performing some WHOIS research, hackers can start to lay out the external network topology of the organization they wish to target. For the purposes of this example, you have two main DNS servers to focus on for Tulane.edu based on the search performed in the previous section. By using simple queries, hackers can glean important information about many hosts that may be exposed to the Internet without even scanning them directly.

Hackers are bound to find informative DNS names such as vpn.example.com, callmanager.example.com, router.example.com, and even voicemail.example.com, which will likely warrant a closer investigation. Most of these DNS interrogation attacks can be scripted or automated easily using public website DNS search tools.

WHOIS and DNS Analysis Countermeasures

WHOIS information is, by its very nature, meant to be publicized. Administrative contact email addresses, however, can be generic (webmaster@example.com) rather than using a personal address (billy2@pegasus.mail-mx.example.com).

DNS interrogation can reveal a lot about an organization, simply by the way certain servers are named. For instance, instead of naming a server “callmanager.example.com,” consider something a little more discreet, such as “cm.example.com,” or something even more obscure.

It is important to disable anonymous zone transfers on your DNS servers so that hackers can’t simply download your entire DNS database. Enabling transaction signatures (TSIGs) allows only trusted hosts to perform zone transfers. You also shouldn’t use the HINFO record within DNS—this free-text record can advertise the hardware and operating system of the host behind an IP address.
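The DNS interrogation described in the previous section and the three countermeasures above can be checked against your own zone before anyone else does it. The following Python script is an added example, not code from the book: given a zone in text form, it flags HINFO records and hostnames whose labels advertise a UC role, and it reads the allow-transfer setting out of a BIND named.conf zone stanza, showing the open setting beside one restricted to a TSIG key. The zone (192.0.2.0/24 documentation addresses), the named.conf fragments, the keyword list, and the helper names are all constructed for illustration.

```python
"""Audit a DNS zone for the leaks discussed above (added example, not from
the book): descriptive UC hostnames, HINFO records, and a BIND
allow-transfer setting that permits anonymous zone transfers. The zone,
the named.conf fragments, and the keyword list are constructed."""
import re

# Constructed zone for example.com; 192.0.2.0/24 is a documentation range.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@            IN SOA   ns1.example.com. hostmaster.example.com. (2014010101 3600 900 604800 300)
@            IN NS    ns1.example.com.
ns1          IN A     192.0.2.10
www          IN A     192.0.2.20
vpn          IN A     192.0.2.30
callmanager  IN A     192.0.2.40
callmanager  IN HINFO "Cisco MCS 7845" "Linux"
voicemail    IN A     192.0.2.41
_sip._tcp    IN SRV   10 60 5060 sip.example.com.
sip          IN A     192.0.2.42
cm           IN A     192.0.2.43
"""

# Constructed named.conf fragments: the weak setting beside the corrected one.
# "<base64-secret>" is a placeholder, not a real key.
WEAK_NAMED_CONF = 'zone "example.com" { type master; file "db.example"; allow-transfer { any; }; };'
FIXED_NAMED_CONF = ('key ns2-tsig { algorithm hmac-sha256; secret "<base64-secret>"; };\n'
                    'zone "example.com" { type master; file "db.example"; '
                    'allow-transfer { key ns2-tsig; }; };')

# Labels that tell an outsider what role a host plays in the voice network.
UC_KEYWORDS = ("callmanager", "cucm", "voicemail", "sip", "voip", "pbx",
               "asterisk", "trixbox", "ucm", "unity", "gateway")

# owner [ttl] [IN] TYPE rdata  (one record per line, as in the sample)
RECORD_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(zone_text):
    """Return (owner, type, rdata) tuples; $-directives and comments are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group("owner"), m.group("type"), m.group("rdata").strip()))
    return records


def audit_zone(zone_text):
    """Flag the records that hand an outsider the picture the chapter describes."""
    findings = []
    for owner, rtype, rdata in parse_zone(zone_text):
        label = owner.lower().lstrip("_")
        if rtype == "HINFO":
            findings.append((owner, "HINFO", f"reveals hardware/OS: {rdata}"))
        if rtype in ("A", "AAAA", "CNAME") and any(k in label for k in UC_KEYWORDS):
            findings.append((owner, rtype, "descriptive UC hostname; consider a neutral name"))
        if rtype == "SRV" and label.startswith("sip."):
            findings.append((owner, "SRV", f"advertises a SIP service: {rdata}"))
    return findings


def zone_transfer_policy(named_conf):
    """Return 'open', 'restricted', or 'unset' for allow-transfer in a zone stanza.
    'unset' means the server default applies, which should be verified explicitly."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", named_conf)
    if not m:
        return "unset"
    body = m.group(1).strip().rstrip(";").strip()
    return "open" if body == "any" else "restricted"


if __name__ == "__main__":
    for owner, rtype, note in audit_zone(SAMPLE_ZONE):
        print(f"{owner:<12} {rtype:<6} {note}")
    print("weak  allow-transfer:", zone_transfer_policy(WEAK_NAMED_CONF))
    print("fixed allow-transfer:", zone_transfer_policy(FIXED_NAMED_CONF))
```

The SRV finding is informational: a public `_sip._tcp` record is required for SIP federation, so the decision there is whether the service needs to be advertised at all, not merely renamed.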

Also, most hosting providers now offer anonymous DNS service options that hide your personal details from curious eyes (for a price).

Summary

A wealth of information is sitting in plain view for an attacker to use to case your establishment. It is a good idea to monitor proactively for sensitive information that may be leaking through seemingly innocuous paths such as mailing lists, job postings, and general search-engine indexing. By becoming aware of what outside hackers know about your internal network, you can better prepare your defenses accordingly, as we’ll illustrate in the chapters that follow.

References

1. CSI/FBI Computer Crime and Security Survey, www.gocsi.com/.

2. Long, Johnny, Google Hacking for Penetration Testers, Volume 2, Syngress, 2007; and “Google Hacking Mini-Guide,” May 7, 2004, www.informit.com/articles/article.asp?p=170880&rl=1.

3. Cisco Unified Communications Manager Administration Guide, Release 8.6(1), www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmcfg/b01intro.html#wp1037259.