Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
This section covers the discovery, scanning, and enumeration steps you can take to locate and identify Avaya components.
Attack Google Hacking Avaya Devices
Popularity: 8
Simplicity: 9
Impact: 6
Risk Rating: 8
Companion Web Site As you saw in Chapter 1, it is fairly easy to use search engines such as Google to find exposed VoIP devices with web interfaces. We maintain a fairly up-to-date VoIP Google Hacking Database on our website at http://www.hackingvoip.com. Adding site:yourcompany.com to a query restricts the results to your own domain; leaving it out reveals every exposed device on the Internet that Google has indexed.
For Google Hacking Avaya Communication Manager, type the following in Google:
inurl:"enter_pwd" avaya
Google Hacking Countermeasures
Obviously, the easiest way to ensure that your VoIP devices don't show up in a Google hacking query is to disable the web management interface on every device that does not need it. There is honestly no good reason why any of your phones should be exposed externally to the Internet.
Scanning and Enumeration
We tested a Communication Manager-based system, consisting of a G350 Media Gateway with an integral S8300 Media Server. The system included several IP phones, including models 4602SW, 4610, and 9630. For the purposes of this section, we consider the S8300 Media Server and the G350 Media Gateway to comprise the IP PBX. This section describes vulnerabilities associated with these components. Figure 8-10 illustrates the test bed we used for this section.
Attack UDP/TCP Port Scanning
Popularity: 10
Simplicity: 8
Impact: 4
Risk Rating: 7
A first step in exploiting a VoIP system is to determine which IP addresses and ports are open to support basic voice services and applications. Table 8-1 from Appendix B, "Access List" of the Avaya Application Solutions: IP Telephony Deployment Guide lists ports used by C-LAN, MedPro, and other devices.
| Action | From | TCP/UDP Port or Protocol | To | TCP/UDP Port or Protocol | Notes |
|---|---|---|---|---|---|
| Permit | Any C-LAN | UDP 1719 | Any endpoint | UDP any | The C-LAN uses UDP port 1719 for endpoint registration (RAS). |
| Permit | Any endpoint | UDP any | Any C-LAN | UDP 1719 | |
| Permit | Any C-LAN | TCP 1720 | Any endpoint | TCP any | The C-LAN uses TCP port 1720 for H.225 call signaling. |
| Permit | Any endpoint | TCP any | Any C-LAN | TCP 1720 | |
| Permit | Near-end C-LAN | TCP 1720 | Far-end C-LAN | TCP 1720 | Facilitates IP trunking between two Avaya call servers; repeat for each IP trunk. |
| Permit | Far-end C-LAN | TCP 1720 | Near-end C-LAN | TCP 1720 | |
| Permit | Any MedPro | UDP port range on IP Network Region form | Any endpoint | UDP any | One way to facilitate audio streams between MedPros and endpoints. |
| Permit | Any endpoint | UDP any | Any MedPro | UDP port range on IP Network Region form | |
| Permit | Any MedPro | UDP port range on IP Network Region form | Any endpoint | UDP any | Another way to facilitate RTP/RTCP audio streams between MedPros and endpoints. |
| Permit | Any endpoint | UDP any | Any endpoint | UDP any | Facilitates RTP/RTCP audio streams between direct IP-IP (shuffled) endpoints. |
| Permit | Any IP telephone (hardphone) | UDP any | DNS server(s) | UDP 53 (DNS) | These are all services used by the IP telephone. TFTP is difficult to isolate to a port range: the GET and PUT requests from the client go to UDP port 69 on the server, but all other messages go between random ports. |
| Permit | DNS servers | UDP 53 (DNS) | Any IP telephone (hardphone) | UDP any | |
| Permit | Any IP telephone (hardphone) | UDP 68 (bootpc) | DHCP server(s) | UDP 67 (bootps) | |
| Permit | DHCP servers | UDP 67 (bootps) | Any IP telephone (hardphone) | UDP 68 (bootpc) | |
| Permit | Any IP telephone (hardphone) | TFTP | TFTP server(s) | | |
| Permit | TFTP servers | TFTP | Any IP telephone (hardphone) | | |
| Permit | SNMP management stations | UDP any | Any IP telephone (hardphone) | UDP 161 (SNMP) | |
| Permit | Any IP telephone (hardphone) | UDP 161 (SNMP) | SNMP management stations | UDP any | |
| Permit | Any Avaya device | ICMP Echo | Any | | Avaya devices ping other devices for various reasons. For example, C-LANs ping endpoints for management purposes; MedPros ping C-LANs to gauge network performance across an IP trunk; and IP telephones ping TFTP servers for verification purposes. |
| Permit | Any | ICMP Echo Reply | Any Avaya device | | |
Table 8-2 includes additional IP addresses and ports used to connect to the Avaya S8300, S8400, S8500, and S8700 media servers.
| Action | From | TCP/UDP Port or Protocol | To | TCP/UDP Port or Protocol | Notes |
|---|---|---|---|---|---|
| Permit | S8700 Enterprise Interface | TCP any | S8300 LSP | TCP 514 | Both S8700 and LSP running pre-CM2.x: allows the S8700 to synchronize translations with the S8300 Local Survivable Processor (LSP). A TCP session is initiated from the S8700 to S8300 TCP port 514. A second session is then initiated from the S8300 to the S8700 TCP port range 512-1023. Network ports TCP 512-1023 must be open. |
| Permit | S8300 LSP | TCP 514 | S8700 Enterprise Interface | TCP any | |
| Permit | S8300 LSP | TCP any | S8700 Enterprise Interface | TCP 512-1023 | |
| Permit | S8700 Enterprise Interface | TCP 512-1023 | S8300 LSP | TCP any | |
| Permit | Avaya Site Administration Workstation | TCP any | S8300, S8500, or S8700 Enterprise Interface | TCP 5023 | Allows an administrator to log in to a call server through Avaya Site Administration. |
| Permit | S8300, S8500, or S8700 Enterprise Interface | TCP 5023 | Avaya Site Administration Workstation | TCP any | |
| Permit | Web Admin Station | TCP any | S8300, S8500, or S8700 Enterprise Interface | TCP 80 | Allows secure and unsecure web access to a call server. The call server redirects unsecure sessions to HTTPS. |
| Permit | S8300, S8500, or S8700 Enterprise Interface | TCP 80 | Web Admin Station(s) | TCP any | |
| Permit | Web Admin Station | TCP any | S8300, S8500, or S8700 Enterprise Interface | TCP 443 | |
| Permit | S8300, S8500, or S8700 Enterprise Interface | TCP 443 | Web Admin Station(s) | TCP any | |
| Permit | S8300, S8500, or S8700 Enterprise Interface | UDP any | DNS server(s) | UDP 53 (DNS) | Optional services used by S8300, S8500, and S8700. |
| Permit | DNS server(s) | UDP 53 (DNS) | S8300, S8500, or S8700 Enterprise Interface | UDP any | |
| Permit | S8300, S8500, or S8700 Enterprise Interface | UDP any | NTP server(s) | UDP 123 (NTP) | |
| Permit | NTP server(s) | UDP 123 (NTP) | S8300, S8500, or S8700 Enterprise Interface | UDP any | |
| Permit | G700 or G350 | TCP any | S8300 or other call server | TCP 2945 | Unencrypted H.248 signaling between a G700 or G350 Media Gateway and the S8300 or other call server. The G700/G350 initiates the session. |
| Permit | S8300 or other call server | TCP 2945 | G700 or G350 | TCP any | |
| Permit | G700 or G350 | TCP any | S8300 or other call server | TCP 1039 | Encrypted H.248 signaling between a G700 or G350 Media Gateway and the S8300 or other call server. The G700/G350 initiates the session. |
| Permit | S8300 or other call server | TCP 1039 | G700 or G350 | TCP any | |
| Permit | Call server | IP any | IPSI board | IP any | There are too many system control messages and services between the call server and IPSI board to filter each individually. |
| Permit | IPSI board | IP any | Call server | IP any | |
Finally, Table 8-3 includes additional IP addresses and ports used for file synchronization.
| Configuration | Primary Firewall Port | Customer Network Port(s) | LSP Firewall Port |
|---|---|---|---|
| Both primary and LSP running pre-CM2.x | TCP 514 | TCP 512-1023 | TCP 514 |
| Both primary and LSP running CM2.x | TCP 21873 (opens automatically; TCP 514 no longer needed) | TCP 21873 | TCP 21873 (opens automatically; TCP 514 no longer needed) |
| Both primary and LSP running CM3.x | TCP 21874 (opens automatically) | TCP 21874 | TCP 21874 (opens automatically) |
| Backward compatibility (CM1.3 primary; CM2.x LSP) | TCP 514 | TCP 512-1023 | TCP 21873 (opens automatically) |
| Backward compatibility (CM2.x primary; CM3.x LSP) | TCP 21873 (opens automatically) | TCP 21873 | TCP 21874 (opens automatically) |
We used Nmap version 4.01 to scan an S8300 Media Server and a G350 Media Gateway. The TCP and UDP ports/services results that follow were produced by Nmap running on a host in a foreign subnet relative to the target devices.
The G350 Media Gateway contained the S8300 Media Server module and an MM710 T1/E1 ISDN PRI module. The G350 was connected to a subnet switch through its ETH LAN port. The media server module's Communication Manager applications and the G350's Media Gateway applications are addressed independently (in other words, each application suite has its own IP address).
The S8300 Media Server software version is:

```text
Operating system: Linux 2.6.11-AV15 i686 i686
Built: Jan 26 00:11 2006
Contains: 01.0.628.6
Reports As: R013x.01.0.628.6
Release String: S8300-30 22:00:10
License Installed: 2006-05-04 16:24:23
Messaging: --N3.1-26.0-------------
```
The ports open depend heavily on the Communication Manager version and configuration. For example, the S8300, using Processor Ethernet, has several ports open that an S8400, S8500, or S87xx would not have open. Processor Ethernet causes certain services and ports to be used by the S8300 directly, whereas in other configurations these services and ports are open on C-LAN, MedPro, or IPSI cards. The S8300 Media Server Nmap TCP port scan yielded the following result:
```text
(The 65521 ports scanned but not shown below are in state: filtered)
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH 3.9p1 (protocol 2.0)
23/tcp    open  telnet       Linux telnetd
80/tcp    open  http         Apache httpd
81/tcp    open  http         Apache httpd
411/tcp   open  ssl          Nessus security scanner
443/tcp   open  ssl          OpenSSL
1039/tcp  open  unknown
1720/tcp  open  H.323/Q.931?
2222/tcp  open  ssh          OpenSSH 3.9p1 (protocol 2.0)
2945/tcp  open  unknown
5022/tcp  open  ssh          OpenSSH 3.9p1 (protocol 2.0)
5023/tcp  open  unknown
8009/tcp  open  ajp13?
21873/tcp open  tcpwrapped
21874/tcp open  tcpwrapped
1 service unrecognized despite returning data.
```
Following are some comments on the open ports:

- 23: telnet. This and other administration ports can be blocked by the firewall running on the media server. In Communication Manager 3.1 and later, telnet can be disabled completely. Telnet is disabled by default in Communication Manager 4.0, due out in Spring 2007.
- 80: http. A web administration port that redirects to port 443 after the user continues from the Welcome and Warning screens.
- 411: ssl. IP phone HTTP/HTTPS firmware download port.
- 1039: unknown. Encrypted H.248 signaling port.
- 2222: ssh. High priority (HP) SSH port that can be blocked with the media server firewall or, in Communication Manager 3.1 and later, disabled completely.
- 2945: unknown. Unencrypted H.248 signaling port.
- 5022: ssh. SAT port using SSH. Can be blocked with the media server firewall or, in Communication Manager 3.1 and later, disabled completely.
- 5023: unknown. SAT port using telnet. Can be blocked with the media server firewall or, in Communication Manager 3.1 and later, disabled completely.
- 8009: ajp13. Avaya states that this port was never needed externally and is being disabled with a security patch.
- 21873/21874: tcpwrapped. File synchronization through SSL. Both ports are open to allow the S8300 to interoperate with older versions of Communication Manager.
The S8300 Nmap UDP port scan yielded the following result:

```text
All 65536 scanned ports on 10.1.14.100 are: open|filtered
PORT STATE SERVICE
```
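Comparing a scan against the services the vendor documents is the useful part of this exercise, so here is a small triage script, added as an example and not taken from the book. It parses Nmap normal output such as the listing above, labels each open port with the role this section documents for it, and separates cleartext management services (telnet, SAT over telnet, unencrypted H.248) from services that are legitimate but should not be reachable from user subnets and from ports the documentation does not explain (TCP 81 here). SAMPLE_SCAN reproduces the S8300 TCP result plus two G350 UDP lines; the severity labels are this example's own convention, not Avaya's.

```python
"""Triage an Nmap scan of an Avaya Communication Manager server against the services
this section documents. Added example, not from the book; the port roles come from the
S8300 scan comments and Tables 8-1/8-2 above, and the severity labels are this example's
own convention. SAMPLE_SCAN reproduces the page's S8300 TCP result plus two G350 UDP lines."""
import re
from collections import Counter

# (proto, port) -> (role, severity).  "ok": expected and protected; "cleartext": the text
# says to disable or firewall it; "restrict": legitimate but not to be reachable from user
# subnets; anything absent here is reported as "review" (e.g. TCP 81, undocumented).
DOCUMENTED = {
    ("tcp", 22): ("SSH administration", "ok"),
    ("tcp", 23): ("telnet administration", "cleartext"),
    ("tcp", 80): ("web administration, redirects to 443", "ok"),
    ("tcp", 411): ("IP phone firmware download (HTTP/HTTPS)", "ok"),
    ("tcp", 443): ("web administration over TLS", "ok"),
    ("tcp", 1039): ("encrypted H.248 signaling to media gateways", "ok"),
    ("tcp", 1720): ("H.225 call signaling", "ok"),
    ("tcp", 2222): ("high-priority SSH", "restrict"),
    ("tcp", 2945): ("unencrypted H.248 signaling to media gateways", "cleartext"),
    ("tcp", 5022): ("SAT over SSH", "ok"),
    ("tcp", 5023): ("SAT over telnet", "cleartext"),
    ("tcp", 8009): ("ajp13, never needed externally", "restrict"),
    ("tcp", 21873): ("file synchronization, CM 2.x compatibility", "ok"),
    ("tcp", 21874): ("file synchronization, CM 3.x", "ok"),
    ("udp", 161): ("SNMP agent, v1 with community 'public' by default", "restrict"),
    ("udp", 1719): ("H.225 RAS endpoint registration", "ok"),
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|open\|filtered|closed|filtered)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Yield (proto, port, state, nmap_service, version) from Nmap normal-output lines."""
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            yield proto, int(port), state, service, (version or "").strip()


def triage(text):
    """One finding per open or open|filtered port, labelled against DOCUMENTED."""
    findings = []
    for proto, port, state, service, version in parse_nmap(text):
        if state not in ("open", "open|filtered"):
            continue
        role, severity = DOCUMENTED.get((proto, port), ("not documented for this platform", "review"))
        findings.append({"port": f"{port}/{proto}", "state": state, "nmap": service,
                         "version": version, "role": role, "severity": severity})
    return findings


def summarize(findings):
    return dict(Counter(f["severity"] for f in findings))


def report(findings):
    """Human-readable lines, worst first."""
    order = {"cleartext": 0, "restrict": 1, "review": 2, "ok": 3}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f["severity"]], f["port"])):
        lines.append(f"{f['severity']:9} {f['port']:12} {f['state']:14} {f['role']}")
    return lines


# Constructed from the S8300 TCP listing in this section, plus two G350 UDP lines.
SAMPLE_SCAN = """\
(The 65521 ports scanned but not shown below are in state: filtered)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 3.9p1 (protocol 2.0)
23/tcp    open  telnet     Linux telnetd
80/tcp    open  http       Apache httpd
81/tcp    open  http       Apache httpd
411/tcp   open  ssl        Nessus security scanner
443/tcp   open  ssl        OpenSSL
1039/tcp  open  unknown
1720/tcp  open  H.323/Q.931?
2222/tcp  open  ssh        OpenSSH 3.9p1 (protocol 2.0)
2945/tcp  open  unknown
5022/tcp  open  ssh        OpenSSH 3.9p1 (protocol 2.0)
5023/tcp  open  unknown
8009/tcp  open  ajp13?
21873/tcp open  tcpwrapped
21874/tcp open  tcpwrapped
161/udp   open|filtered snmp
2050/udp  open|filtered unknown
"""

if __name__ == "__main__":
    found = triage(SAMPLE_SCAN)
    print("\n".join(report(found)))
    print(summarize(found))
```

Run it as a script to print the worst findings first, or feed a real Nmap -oN file to triage(). Ports absent from DOCUMENTED default to review rather than ok, so an unexpected listener is never silently accepted; open|filtered UDP ports are carried through with their state so you can tell a confirmed listener from one the scanner merely could not rule out.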
The G350 Media Gateway Processor (MGP) version information follows. Note that the MGP can have different software installed for the MGP itself, the embedded web application, and the analog firmware. The latest version is 25.28.0.

```text
Firmware Version: 25.23.0
Software Version: 25.23.0
```
The G350 Nmap TCP port scan yielded the following result:

```text
(The 65533 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.5p1 (protocol 2.0)
23/tcp open  telnet?
80/tcp open  http?
2 services unrecognized despite returning data.
```
Following is a comment on the open port:

- 23: telnet. Since version v24.17.0, you can disable telnet.
The G350 Nmap UDP port scan yielded the following result:

```text
(The 65464 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
161/udp   open|filtered snmp
2050/udp  open|filtered unknown
2051/udp  open|filtered unknown
2052/udp  open|filtered unknown
2053/udp  open|filtered unknown
2054/udp  open|filtered unknown
2055/udp  open|filtered unknown
65106/udp open|filtered unknown
65107/udp open|filtered unknown
65108/udp open|filtered unknown
65109/udp open|filtered unknown
65110/udp open|filtered unknown
65111/udp open|filtered unknown
65112/udp open|filtered unknown
65113/udp open|filtered unknown
65114/udp open|filtered unknown
65115/udp open|filtered unknown
65116/udp open|filtered unknown
65117/udp open|filtered unknown
65118/udp open|filtered unknown
65119/udp open|filtered unknown
65120/udp open|filtered unknown
65121/udp open|filtered unknown
65122/udp open|filtered unknown
65240/udp open|filtered unknown
65241/udp open|filtered unknown
65242/udp open|filtered unknown
65243/udp open|filtered unknown
65244/udp open|filtered unknown
65245/udp open|filtered unknown
65246/udp open|filtered unknown
65247/udp open|filtered unknown
65248/udp open|filtered unknown
65249/udp open|filtered unknown
65250/udp open|filtered unknown
65251/udp open|filtered unknown
65252/udp open|filtered unknown
65253/udp open|filtered unknown
65254/udp open|filtered unknown
65255/udp open|filtered unknown
65372/udp open|filtered unknown
65373/udp open|filtered unknown
65374/udp open|filtered unknown
65375/udp open|filtered unknown
65376/udp open|filtered unknown
65377/udp open|filtered unknown
65378/udp open|filtered unknown
65379/udp open|filtered unknown
65380/udp open|filtered unknown
65381/udp open|filtered unknown
65382/udp open|filtered unknown
65383/udp open|filtered unknown
65384/udp open|filtered unknown
65385/udp open|filtered unknown
65386/udp open|filtered unknown
65387/udp open|filtered unknown
65504/udp open|filtered unknown
65505/udp open|filtered unknown
65506/udp open|filtered unknown
65507/udp open|filtered unknown
65508/udp open|filtered unknown
65509/udp open|filtered unknown
65510/udp open|filtered unknown
65511/udp open|filtered unknown
65512/udp open|filtered unknown
65513/udp open|filtered unknown
65514/udp open|filtered unknown
65515/udp open|filtered unknown
65516/udp open|filtered unknown
65517/udp open|filtered unknown
65518/udp open|filtered unknown
65519/udp open|filtered unknown
```
Following are some comments on the open ports:

- 161: snmp. Avaya uses SNMP v1 by default, but SNMP v3 is available as an option.
- High-numbered ports. Many of the high-numbered UDP ports are dynamic, so they will vary by scan.
The definitions of the reported port states are documented in Chapter 2.
We also tested the Avaya 4602, 4610, and 9630 IP phones along with the S8300 Media Server and G350 Media Gateway. As with the Communication Manager itself, Avaya documents the open port/services used by their IP phones. Figure 8-11 from the Avaya Application Solutions: IP Telephony Deployment Guide shows the ports used for signaling, audio, and management (note that the SIP ports are not used when H.323 is used).
Figure 8-12 shows the ports used for initialization and address resolution and Figure 8-13 shows the ports used for applications. (Both figures are from the Avaya Application Solutions: IP Telephony Deployment Guide .)
We ran Nmap 4.01 scans of each Avaya IP phone with H.323 loads. The TCP and UDP ports/services results were produced by Nmap running on a host in a foreign subnet relative to the target devices.
Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 4602SW IP phone at x211/10.1.14.10 yielded the following information:

```text
Model=4602D02A
Market=0
Phone SN=06GM01006310
PWB version=003040202
MAC address=00:09:6E:0F:18:5B
4602sape1_82.bin      <--- note: this is the application load
4602sbte1_82.bin      <--- note: this is the boot load
DSPV_5F82
```

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 4602SW IP phone at x221/10.1.14.12 yielded the following information:

```text
Model=4602D02A
Phone SN=06GM01006309
PWB SN=0
PWB comcode=<a bunch of black boxes>
MAC address=00:09:6E:0F:18:5A
L2 tagging=off
VLAN ID=none
IP address=10.1.14.12
Subnet mask=255.255.255.0
Router=10.1.14.1
File server=0.0.0.0
Call server=10.1.14.100:1719
Group=0
Protocol=default
a02d01b2_3.bin        <--- note: this is the application load
100 Mbps Ethernet
b02d01b2_3.bin        <--- note: this is the boot load
```

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 4610 IP phone at x231/10.1.14.13 yielded the following information:

```text
Model = 4610D01A
Phone SN = 06GM27012072
PWB SN = N/A
PWB comcode = 001010101
MAC address = 00:09:6E:12:0A:31
L2 tagging = auto:off
VLAN ID = none
IP address = 10.1.14.13
Subnet mask = 255.255.255.0
Router = 10.1.14.1
File server = 10.1.14.100:411
Call server = 10.1.14.100:1719
802.1X = pass-thru-mode
Group = 0
Protocol: default
a10d01b2_6.bin        <--- note: application load, H.323 R2.6
100 Mbps Ethernet
b10d01b2_6.bin        <--- note: boot load, H.323 R2.6
Build = 2_6
DHCPSTD = 0
```

Pressing <MUTE> 8439# (in other words, <MUTE> VIEW) on the 9630 IP phone at x251/10.1.14.15 yielded the following information:

```text
MODEL = 9630D01A
PHONE SN = 06N523750175
PWB SN = 06N523750175
PWB COMCODE = 700382922
MAC address = 00:04:0D:EB:BB:D0
L2 tagging = auto:off
VLAN ID = none
IP address = 10.1.14.15
Subnet mask = 255.255.255.0
Router = 10.1.14.1
File server = 0.0.0.0
Call server = 10.1.14.100:1719
802.1X = pass-thru-mode
Group = 0
Protocol = default
h96xx0971SVS.bin
100 Mbps Ethernet
b96xx0971SVS.bin
```
The 4602SW IP phone at x211/10.1.14.10 Nmap TCP port scan yielded the following result:

```text
(The 65515 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
1024/tcp open  kdm?
1025/tcp open  NFS-or-IIS?
1026/tcp open  LSA-or-nterm?
1027/tcp open  IIS?
1028/tcp open  unknown
1029/tcp open  ms-lsa?
1030/tcp open  iad1?
1031/tcp open  iad2?
1032/tcp open  iad3?
1033/tcp open  tcpwrapped
1034/tcp open  tcpwrapped
1035/tcp open  tcpwrapped
1036/tcp open  tcpwrapped
1037/tcp open  tcpwrapped
1038/tcp open  tcpwrapped
1039/tcp open  tcpwrapped
1040/tcp open  tcpwrapped
1041/tcp open  tcpwrapped
1042/tcp open  tcpwrapped
1043/tcp open  tcpwrapped
4543/tcp open  unknown
```
Following is a comment on the open port:

- 4543: This is a dynamic port, so it will vary between scans.
The 4602SW IP phone at x211/10.1.14.10 UDP port scan yielded the following result:

```text
(The 65530 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
0/udp    open|filtered unknown
68/udp   open|filtered dhcpc
161/udp  open|filtered snmp
3000/udp open|filtered unknown
3030/udp open|filtered unknown
3031/udp open|filtered unknown
```
Here are some comments on the open ports:

- 68: dhcpc. This port is used for client-side DHCP.
- 161: snmp. This port is closed by default in more recent firmware versions.
- 3030/3031: These are dynamic ports, so they will vary between scans.
The 4602SW IP phone at x221/10.1.14.12 Nmap TCP port scan yielded the following result:

```text
(The 65535 ports scanned but not shown below are in state: closed)
PORT  STATE    SERVICE VERSION
0/tcp filtered unknown
```

This H.323 IP phone load was far more impervious to TCP port scanning than the R1.8.2 load on the first 4602SW.
The 4602SW IP phone at x221/10.1.14.12 Nmap UDP port scan yielded the following result:

```text
(The 65533 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
0/udp     open|filtered unknown
68/udp    open|filtered dhcpc
49304/udp open|filtered unknown
```

This H.323 IP phone load was more impervious to UDP port scanning than R1.8.2. Here is a comment on the open ports:

- 68: dhcpc. This port is used for client-side DHCP.
The 4610 IP phone at x231/10.1.14.13 Nmap TCP port scan yielded the following result:

```text
All 65536 scanned ports on 10.1.14.13 are: filtered
PORT STATE SERVICE
```

The 4610 IP phone is more impervious to scans than the 4602 IP phones.
The 4610 IP phone at x231/10.1.14.13 Nmap UDP port scan yielded the following result:

```text
(The 63304 ports scanned but not shown below are in state: open|filtered)
PORT      STATE  SERVICE
32768/udp closed omad
32769/udp closed unknown
32770/udp closed sometimes-rpc4
32771/udp closed sometimes-rpc6
32772/udp closed sometimes-rpc8
32773/udp closed sometimes-rpc10
32774/udp closed sometimes-rpc12
32775/udp closed sometimes-rpc14
32776/udp closed sometimes-rpc16
32777/udp closed sometimes-rpc18
32778/udp closed sometimes-rpc20
32779/udp closed sometimes-rpc22
32780/udp closed sometimes-rpc24
32781/udp closed unknown
32782/udp closed unknown
32783/udp closed unknown
32784/udp closed unknown
32785/udp closed unknown
32786/udp closed sometimes-rpc26
32787/udp closed sometimes-rpc28
32790/udp closed unknown
... (closed ports continue through)
34999/udp closed unknown
```
The 4610 reports every UDP port as open|filtered except the closed range shown, so the scan alone cannot confirm individual listeners. Here is a comment on the open ports:

- 68: dhcpc. This port is used for client-side DHCP.
The 9630 IP phone at x251/10.1.14.15 Nmap TCP port scan yielded the following result:

```text
All 65536 scanned ports on 10.1.14.15 are: filtered
```

The 9630 IP phone is more impervious to scans than the 4602 IP phones.
The 9630 IP phone at x251/10.1.14.15 Nmap UDP port scan yielded the following result:

```text
32768/udp closed omad
32769/udp closed unknown
32770/udp closed sometimes-rpc4
32771/udp closed sometimes-rpc6
32772/udp closed sometimes-rpc8
32773/udp closed sometimes-rpc10
32774/udp closed sometimes-rpc12
32775/udp closed sometimes-rpc14
32776/udp closed sometimes-rpc16
32777/udp closed sometimes-rpc18
32778/udp closed sometimes-rpc20
32779/udp closed sometimes-rpc22
32780/udp closed sometimes-rpc24
32781/udp closed unknown
32782/udp closed unknown
32783/udp closed unknown
32784/udp closed unknown
32785/udp closed unknown
32786/udp closed sometimes-rpc26
32787/udp closed sometimes-rpc28
32788/udp closed unknown
... (closed ports continue through)
34999/udp closed unknown
```
As you can see, the scans for the 4610 and 9630 are very similar. Here is a comment on the reported ports:

- 32768-34999: These are dynamic ports, so they will vary between scans.
Open Ports/Services Countermeasures
There are several countermeasures you can employ to control and/or protect the open ports on an Avaya Communication Manager system. These are covered in the following sections.
Disable Unnecessary Ports
As discussed in Chapters 2 and 3, it's a good idea to disable as many default services as possible on your VoIP devices to avoid giving away too much information about your infrastructure. You can't do this directly on Avaya Communication Manager IP PBXs or IP phones, but you can use their management system to control some ports.
The Avaya management system allows the administrator to control which ports are open and, in some cases, which ports are internally "firewalled." The screens where you can access these controls are shown in Figures 8-14 and 8-15. As discussed previously, nonsecure services such as telnet should be disabled, if possible.
Use a Firewall to Protect the IP PBX
Tables 8-1, 8-2, and 8-3, shown previously in the chapter, list ports and access lists that you can use to program a firewall, which protects the Communication Manager system from the rest of the network. Deploying a firewall and adding these access lists will help prevent attackers from accessing the Communication Manager from unauthorized systems.
In addition to a traditional firewall, you can deploy application-layer or VoIP firewalls. VoIP firewalls are available from several vendors, including SecureLogix (http://www.securelogix.com), Sipera (http://www.sipera.com), Borderware (http://www.borderware.com), and Ingate (http://www.ingate.com). Some traditional firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) also provide support for VoIP.
Attack TFTP Enumeration
Popularity: 5
Simplicity: 7
Impact: 4
Risk Rating: 5
As we demonstrated in Chapter 3, the TFTP server used to provision IP phones can often contain sensitive configuration information sitting out in cleartext. You can easily enumerate these files with the TFTPbrute.pl exploit demonstrated in Chapter 3 or even with the latest version of Nessus (http://www.nessus.org). See Chapter 3 for more information, along with countermeasures for this attack.
Attack SNMP Enumeration
Popularity: 6
Simplicity: 7
Impact: 6
Risk Rating: 6
As you saw in Chapter 3, most networked devices support SNMP as a management function. An attacker can easily sweep for active SNMP ports on a device, and then query with specific Avaya OIDs in order to glean sensitive information from the device.
The Administration for the Avaya G250 and Avaya G350 Media Gateways guide states that the G250 and G350 Media Gateways support SNMPv1, SNMPv2c, and SNMPv3. The SNMPv3 implementation on the G350 is backward compatible: an agent that supports SNMPv3 also supports SNMPv1 and SNMPv2c. By default, SNMP is not enabled for Avaya media servers, although the test S8300 below answered an SNMPv1 walk with the community string public, so verify the setting on your own servers.
Tech FAQ (www.tech-faq.com/snmp.shtml) provides the following definition of SNMP community strings. "The most basic form of SNMP security is the Community String. SNMP Community Strings are like passwords for network elements. Most often, there is one community string which is used for read-only access to a network element. The default value for this community string is often 'public.' Using this community string like a password, the Network Management System (NMS) can retrieve data from network elements. Less often, there is also a read-write community string. The default value for this is often 'private.' Using this community string, the NMS can actually change MIB variables on a network element."
When you browse to the Avaya G350 gateway IP address, you will be presented with a dialog box to enter SNMP parameters and radio buttons that allow you to select between SNMPv1 and SNMPv3 community string input. The default community string for the SNMPv1 selection is public.
Undocumented SNMP R/W community strings in Avaya equipment are not without precedent, as these sites show:

- http://support.avaya.com/elmodocs2/security/Unauthorized_SNMP.pdf
- http://www.securiteam.com/securitynews/5TP0E0U80U.html
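The community string is the entire authentication in SNMPv1, and it travels in the clear inside every packet. The following codec, an added example rather than code from the book, builds an SNMPv1 GetRequest byte for byte, parses a GetResponse, and fingerprints Avaya devices by the enterprise prefix 1.3.6.1.4.1.6889 in sysObjectID. Assumptions: a v1 agent listening on UDP 161; SAMPLE_REPLY is constructed from the S8300 values the walk below returned, not captured from hardware; snmp_get is the only function that touches the network.

```python
"""Hand-rolled SNMPv1 GetRequest/GetResponse codec (BER over UDP). Added example, not code
from the book. Assumes a v1 agent on UDP 161; SAMPLE_REPLY is constructed from the S8300
values shown in this section, not captured from a device."""
import socket

SYS_DESCR, SYS_OBJECT_ID = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.2.0"
AVAYA_ENTERPRISE = "1.3.6.1.4.1.6889"
GET_REQUEST, GET_RESPONSE, NULL = 0xA0, 0xA2, b"\x05\x00"

def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:                                        # BER short-form length
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form: 0x80|count, then bytes
    return bytes([tag, 0x80 | len(body)]) + body + payload

def encode_int(value):
    size = max(1, (value.bit_length() + 8) // 8)        # room for the sign bit
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def octet_string(text):
    return tlv(0x04, text.encode())

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])           # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                      # base 128, high bit = more follows
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, varbinds):
    """varbinds: (oid, encoded value TLV) pairs; a GetRequest carries NULL values."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(0) + octet_string(community) + pdu)   # version 0 is SNMPv1

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag, payload):
    if tag == 0x02:
        return int.from_bytes(payload, "big", signed=True)
    if tag == 0x06:
        return decode_oid(payload)
    return payload.decode("latin-1") if tag == 0x04 else payload   # OCTET STRING, else raw

def parse_message(buf):
    _, body, _ = read_tlv(buf, 0)
    _, ver, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _, p = read_tlv(pdu, p)                          # error-index, unused here
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {"version": decode_value(0x02, ver), "community": community.decode("latin-1"),
            "pdu": pdu_tag, "request_id": decode_value(0x02, rid),
            "error_status": decode_value(0x02, err), "varbinds": varbinds}

def is_avaya(sys_object_id):
    return sys_object_id == AVAYA_ENTERPRISE or sys_object_id.startswith(AVAYA_ENTERPRISE + ".")

def snmp_get(host, community, oid, timeout=2.0):
    """Live query (needs a reachable agent): one GetRequest, one parsed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_message(GET_REQUEST, community, 0x1234, [(oid, NULL)]), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_message(data)

# Constructed reply carrying the sysDescr and sysObjectID values the test S8300 returned.
SAMPLE_REPLY = build_message(GET_RESPONSE, "public", 7, [
    (SYS_DESCR, octet_string("Avaya S8300 Server")),
    (SYS_OBJECT_ID, encode_oid(AVAYA_ENTERPRISE + ".1.8.1.50"))])
```

Printing build_message(GET_REQUEST, "public", 1, [(SYS_DESCR, NULL)]).hex() shows the ASCII bytes of public sitting between the version field and the PDU, which is exactly what any sniffer on the path sees; snmp_get("10.1.14.100", "public", SYS_OBJECT_ID) issues the same request against a live agent, and is_avaya() on the returned sysObjectID is the quickest way to pick Avaya gear out of a subnet sweep.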
Companion Web Site We used the snmpwalk tool for configuration enumeration of the S8300 Media Server and the G350 Media Gateway. The community string employed for the scans was public. The first snmpwalk was executed by supplying only the target's IP address, and then again targeting the Avaya enterprise OID 1.3.6.1.4.1.6889. The commands executed are listed here. The output of these commands is extensive, so we include only a few interesting values from each command. The complete output is available on the Hacking Exposed VoIP website (www.hackingvoip.com).
S8300 Media Server:

```text
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.100
SNMPv2-MIB::sysDescr.0 = STRING: Avaya S8300 Server
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.8.1.50
SNMPv2-MIB::sysName.0 = STRING: SecureLogixS8300
IP-MIB::ipAdEntAddr.10.1.14.100 = IpAddress: 10.1.14.100
IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
IP-MIB::ipAdEntAddr.127.1.1.31 = IpAddress: 127.1.1.31
IP-MIB::ipAdEntAddr.192.11.13.6 = IpAddress: 192.11.13.6
TCP-MIB::tcpConnLocalPort.0.0.0.0.23.0.0.0.0.0 = INTEGER: 23
TCP-MIB::tcpConnLocalPort.0.0.0.0.111.0.0.0.0.0 = INTEGER: 111
TCP-MIB::tcpConnLocalPort.0.0.0.0.514.0.0.0.0.0 = INTEGER: 514
TCP-MIB::tcpConnLocalPort.0.0.0.0.5023.0.0.0.0.0 = INTEGER: 5023
TCP-MIB::tcpConnLocalPort.0.0.0.0.21873.0.0.0.0.0 = INTEGER: 21873
TCP-MIB::tcpConnLocalPort.0.0.0.0.21874.0.0.0.0.0 = INTEGER: 21874
TCP-MIB::tcpConnLocalPort.10.1.14.100.1039.0.0.0.0.0 = INTEGER: 1039
TCP-MIB::tcpConnLocalPort.10.1.14.100.1039.10.1.14.101.1138 = INTEGER: 1039
TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.0.0.0.0.0 = INTEGER: 1720
TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.10.1.14.10.3685 = INTEGER: 1720
TCP-MIB::tcpConnLocalPort.10.1.14.100.1720.10.1.14.12.3778 = INTEGER: 1720
UDP-MIB::udpLocalAddress.10.1.14.100.123 = IpAddress: 10.1.14.100
UDP-MIB::udpLocalAddress.10.1.14.100.1719 = IpAddress: 10.1.14.100
UDP-MIB::udpLocalAddress.127.0.0.1.123 = IpAddress: 127.0.0.1
UDP-MIB::udpLocalAddress.127.1.1.31.123 = IpAddress: 127.1.1.31
UDP-MIB::udpLocalAddress.192.11.13.6.123 = IpAddress: 192.11.13.6
UDP-MIB::udpLocalPort.0.0.0.0.69 = INTEGER: 69
UDP-MIB::udpLocalPort.0.0.0.0.111 = INTEGER: 111
UDP-MIB::udpLocalPort.0.0.0.0.123 = INTEGER: 123
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.162 = INTEGER: 162
UDP-MIB::udpLocalPort.10.1.14.100.123 = INTEGER: 123
UDP-MIB::udpLocalPort.10.1.14.100.1719 = INTEGER: 1719
UDP-MIB::udpLocalPort.127.0.0.1.123 = INTEGER: 123
UDP-MIB::udpLocalPort.127.1.1.31.123 = INTEGER: 123
UDP-MIB::udpLocalPort.192.11.13.6.123 = INTEGER: 123
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.100 1.3.6.1.4.1.6889
```

The enterprise walk returns lots of info, but very little that appears interesting. Note that the standard walk exposes listeners the Nmap scan from a foreign subnet did not: TCP 111 and 514 and UDP 69 (TFTP), 111, 161, and 162 are bound on the server even though the port scan reported them filtered or open|filtered, and the tcpConnLocalPort rows also reveal the live H.248 session from the G350 at 10.1.14.101 and the H.225 sessions from the phones at 10.1.14.10 and 10.1.14.12.
G350 Media Gateway:

```text
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.101
SNMPv2-MIB::sysDescr.0 = STRING: Avaya Inc., G350 Media Gateway, SW Version 25.23.0
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.45.103.2
IF-MIB::ifDescr.16777216 = STRING: Avaya Inc., G350 Media Gateway, SW Version 25.23.0
IF-MIB::ifDescr.167774722 = STRING: Avaya Inc., G350 Media Gateway, 10/100Base-Tx, FastEthernet 10/2
IF-MIB::ifDescr.211828737 = STRING: Avaya Inc., G350 Media Gateway, Vlan, Vlan 1
IF-MIB::ifDescr.218106371 = STRING: Avaya Inc., G350 Media Gateway, 10/100BaseTx Port
IF-MIB::ifDescr.268438021 = STRING: Avaya Inc., G350 Media Gateway, Console port, Console
IF-MIB::ifDescr.788531718 = STRING: Avaya Inc., G350 Media Gateway, USB port, USB-Modem
IF-MIB::ifDescr.855640581 = STRING: Avaya Inc., G350 Media Gateway, PPP Session, Console
IF-MIB::ifDescr.855640582 = STRING: Avaya Inc., G350 Media Gateway, PPP Session, USB-Modem
IF-MIB::ifDescr.872417797 = STRING: Avaya Inc., G350 Media Gateway, External serial Modem, Console
IF-MIB::ifDescr.872417798 = STRING: Avaya Inc., G350 Media Gateway, External USB Modem, USB-Modem
IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.1 = IpAddress: 10.1.14.1
IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.10 = IpAddress: 10.1.14.10
IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.12 = IpAddress: 10.1.14.12
IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.99 = IpAddress: 10.1.14.99
IP-MIB::ipNetToMediaNetAddress.211828737.10.1.14.100 = IpAddress: 10.1.14.100
SNMPv2-SMI::mib-2.47.1.1.1.1.2.27 = STRING: "T1/E1 Media Module"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.29 = STRING: "Integrated Analog 1T+2L Module"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.32 = STRING: "Avaya Inc., G350 Converged Media Gateway"
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.101 1.3.6.1.4.1.6889
```

The enterprise walk returns lots of info, but very little that appears interesting.
Each IP phone responded to SNMP requests, and the snmpwalk utility was used for configuration enumeration. Several phones responded even though the Nmap scans had not confirmed UDP port 161 (SNMP) as open. The community string used for the scans was public.
Companion Web Site First, snmpwalk was executed supplying only the phone's IP address, and then again targeting the Avaya enterprise OID 1.3.6.1.4.1.6889. The commands executed are listed here. The output of these commands is extensive, so we include only a few interesting values from each command. The complete output is available on the Hacking Exposed VoIP website (www.hackingvoip.com).
Avaya 4602 IP phone, Extension 211 (IP address 10.1.14.10):

```text
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.10
SNMPv2-MIB::sysDescr.0 = STRING: MIB Module for 46xx IP Telephones
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.6
SNMPv2-MIB::sysName.0 = STRING: AvayaIPT4602
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.99 = IpAddress: 10.1.14.99
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.100 = IpAddress: 10.1.14.100
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.101 = IpAddress: 10.1.14.101
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.10 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "domestic"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4602D02A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "06GM01006310"
SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "003040202"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:0F:18:5B"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 10.1.14.10
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "4602sbte1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "4602sape1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.1.40.0 = STRING: "Version: 4602E1806(SW): Jun 11 2004"
SNMPv2-SMI::enterprises.6889.2.69.1.2.1.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.2.2.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.2.3.0 = STRING: "10.1.14.10"
SNMPv2-SMI::enterprises.6889.2.69.1.2.4.0 = STRING: "10.1.14.1"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "4602sape1_82.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.4.5.0 = STRING: "G711Ulaw64k,20mS,Sil. Sup.OFF"
SNMPv2-SMI::enterprises.6889.2.69.1.4.6.0 = STRING: "G711Ulaw64k,20mS,Sil. Sup.OFF"
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "211"
```
Avaya 4602 IP phone, Extension 221 (IP address 10.1.14.12):
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.12
SNMPv2-MIB::sysDescr.0 = STRING: VxWorks SNMPv1/v2c Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.6
SNMPv2-MIB::sysContact.0 = STRING: Wind River Systems
SNMPv2-MIB::sysName.0 = STRING: AV
SNMPv2-MIB::sysLocation.0 = STRING: Planet Earth
IP-MIB::ipAdEntAddr.10.1.14.12 = IpAddress: 10.1.14.12
TCP-MIB::tcpConnState.10.1.14.12.3778.10.1.14.100.1720 = INTEGER: established(5)
TCP-MIB::tcpConnLocalAddress.10.1.14.12.3778.10.1.14.100.1720 = IpAddress: 10.1.14.12
TCP-MIB::tcpConnLocalPort.10.1.14.12.3778.10.1.14.100.1720 = INTEGER: 3778
TCP-MIB::tcpConnRemAddress.10.1.14.12.3778.10.1.14.100.1720 = IpAddress: 10.1.14.100
TCP-MIB::tcpConnRemPort.10.1.14.12.3778.10.1.14.100.1720 = INTEGER: 1720
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.12 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4602D02A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "06GM01006309"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:0F:18:5A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.10.0 = STRING: "100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 10.1.14.12
SNMPv2-SMI::enterprises.6889.2.69.1.1.19.0 = STRING: "AvayaTFTPserver"
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "b02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "a02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.1.40.0 = STRING: "<ZSPV_x.x>"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "a02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.1 = STRING: "Dec 99 3:59:59:tBoot:msgQSend failed (mt=2, st=0) errno=3d0001, QID=0x806ac160"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.2 = STRING: "Dec 99 23:59:59:tPTunnel:<-- GRQ : msg sent to 10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.3 = STRING: "Dec 99 23:59:59:tReceive:<-- RRQ: msg sent."
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.4 = STRING: "Dec 99 23:59:59:tReceive:--> RCF: msg received"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.5 = STRING: "Dec 99 23:59:59:tReceive:--> L4 Audio changed"
SNMPv2-SMI::enterprises.6889.2.69.1.3.4.1.1.6 = STRING: "Dec 99 23:59:59:tAudio:. Error: can't disable audio path because audio is already "
SNMPv2-SMI::enterprises.6889.2.69.1.4.5.0 = STRING: "EM_AudioCapability_g711Ulaw64k_chosen"
SNMPv2-SMI::enterprises.6889.2.69.1.4.6.0 = STRING: "EM_AudioCapability_g711Ulaw64k_chosen"
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "221"
SNMPv2-SMI::enterprises.6889.2.69.1.4.28.1.1.1 = STRING: "10.1.14.100"
Avaya 4602 IP phone, Extension 231 (IP address 10.1.14.13):
[root@hackerbox]# snmpwalk -c public -v1 10.1.14.13
SNMPv2-MIB::sysDescr.0 = STRING: VxWorks SNMPv1/v2c Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.1.7
SNMPv2-MIB::sysContact.0 = STRING: Wind River Systems
IF-MIB::ifDescr.1 = STRING: Avaya0
IF-MIB::ifPhysAddress.1 = STRING: 0:9:6e:12:a:31
IP-MIB::ipAdEntAddr.10.1.14.13 = IpAddress: 10.1.14.13
RFC1213-MIB::ipRouteDest.10.1.14.0 = IpAddress: 10.1.14.0
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.100 = STRING: 0:4:d:e3:e2:b1
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.101 = STRING: 0:4:d:9a:b4:2d
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.210 = STRING: 0:4:75:ed:3f:d9
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.211 = STRING: 0:12:17:50:3e:dd
IP-MIB::ipNetToMediaPhysAddress.2.10.1.14.13 = STRING: 0:9:6e:12:a:31
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.100 = IpAddress: 10.1.14.100
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.101 = IpAddress: 10.1.14.101
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.210 = IpAddress: 10.1.14.210
IP-MIB::ipNetToMediaNetAddress.1.10.1.14.211 = IpAddress: 10.1.14.211
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.1025 = INTEGER: 1025
UDP-MIB::udpLocalPort.0.0.0.0.49300 = INTEGER: 49300
UDP-MIB::udpLocalPort.127.0.0.1.10000 = INTEGER: 10000
[root@hackerbox]# snmpwalk -c public -v1 10.1.14.13 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4610D01A"
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 10.1.14.100
SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "06GM27012072"
SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "001010101"
SNMPv2-SMI::enterprises.6889.2.69.1.1.8.0 = STRING: "EJ0718163956"
SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:09:6E:12:0A:31"
SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 10.1.14.13
SNMPv2-SMI::enterprises.6889.2.69.1.1.19.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "b10d01b2_6.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "a10d01b2_6.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.1.40.0 = STRING: "<ZSPV_x.x>"
SNMPv2-SMI::enterprises.6889.2.69.1.1.48.0 = STRING: "700274673"
SNMPv2-SMI::enterprises.6889.2.69.1.1.51.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.63.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.64.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.2.1.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.2.2.0 = INTEGER: 1719
SNMPv2-SMI::enterprises.6889.2.69.1.2.3.0 = STRING: "10.1.14.13"
SNMPv2-SMI::enterprises.6889.2.69.1.3.2.0 = STRING: "a10d01b2_6.bin"
Avaya 4602 IP phone, Extension 251 (IP address 10.1.14.15):
[root@hackerbox]# snmpwalk -c public -v1 10.1.14.15
SNMPv2-MIB::sysDescr.0 = STRING: Avaya Phone
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6889.1.69.2.2
SNMPv2-MIB::sysContact.0 = STRING: Customer support
SNMPv2-MIB::sysName.0 = STRING: AVAEBBBD0
SNMPv2-MIB::sysLocation.0 = STRING: Lincroft New Jersey USA
IF-MIB::ifPhysAddress.2 = STRING: 0:4:d:eb:bb:d0
IP-MIB::ipAdEntAddr.10.1.14.15 = IpAddress: 10.1.14.15
IP-MIB::ipNetToMediaPhysAddress.1.10.1.14.15 = STRING: 0:4:d:eb:bb:d0
IP-MIB::ipNetToMediaPhysAddress.2.10.1.14.100 = STRING: 0:4:d:e3:e2:b1
TCP-MIB::tcpConnState.10.1.14.15.4494.10.1.14.100.1720 = INTEGER: established(5)
TCP-MIB::tcpConnLocalAddress.10.1.14.15.4494.10.1.14.100.1720 = IpAddress: 10.1.14.15
TCP-MIB::tcpConnLocalPort.10.1.14.15.4494.10.1.14.100.1720 = INTEGER: 4494
TCP-MIB::tcpConnRemAddress.10.1.14.15.4494.10.1.14.100.1720 = IpAddress: 10.1.14.100
TCP-MIB::tcpConnRemPort.10.1.14.15.4494.10.1.14.100.1720 = INTEGER: 1720
UDP-MIB::udpLocalPort.0.0.0.0.68 = INTEGER: 68
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.1025 = INTEGER: 1025
UDP-MIB::udpLocalPort.0.0.0.0.49300 = INTEGER: 49300
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)
[root@hackerbox]# snmpwalk -c public -v1 10.1.14.15 1.3.6.1.4.1.6889
SNMPv2-SMI::enterprises.6889.2.69.2.1.4.0 = STRING: "h96xx0971SVS.bin"
SNMPv2-SMI::enterprises.6889.2.69.2.1.5.0 = STRING: "h96xx0971SVS.bin"
SNMPv2-SMI::enterprises.6889.2.69.2.1.7.0 = STRING: "b96xx0971SVS.bin"
SNMPv2-SMI::enterprises.6889.2.69.2.1.11.0 = STRING: "G.711U"
SNMPv2-SMI::enterprises.6889.2.69.2.1.12.0 = STRING: "G.711U"
SNMPv2-SMI::enterprises.6889.2.69.2.1.22.0 = STRING: "PX3.2"
SNMPv2-SMI::enterprises.6889.2.69.2.1.33.0 = IpAddress: 10.1.14.15
SNMPv2-SMI::enterprises.6889.2.69.2.1.42.0 = STRING: "00:04:0D:EB:BB:D0"
SNMPv2-SMI::enterprises.6889.2.69.2.1.43.0 = STRING: "9630D01A"
SNMPv2-SMI::enterprises.6889.2.69.2.1.45.0 = STRING: "700383409"
SNMPv2-SMI::enterprises.6889.2.69.2.1.46.0 = STRING: "06N523750175"
SNMPv2-SMI::enterprises.6889.2.69.2.1.58.0 = STRING: "700382922"
SNMPv2-SMI::enterprises.6889.2.69.2.1.59.0 = STRING: "06N523750175"
SNMPv2-SMI::enterprises.6889.2.69.2.2.7.0 = IpAddress: 10.1.14.100
Perhaps the most interesting information here is the names of the binary and configuration files. If an attacker can gather these names and then retrieve the files from a TFTP server, and the files contain passwords or other security-related information, the attacker can use that information to exploit the IP phone.
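To turn walks like the ones above into an inventory record and a short list of findings, here is an added Python example that is not from the book; the meaning assigned to the 46xx private OIDs (call server, TFTP server, firmware file names, extension) is inferred from the values shown in the walks above, and the sample walk is constructed.

```python
import re

# Constructed sample, shaped like the 46xx walks above (prompt line included on purpose).
SAMPLE_WALK = """\
[root@hackerbox]# snmpwalk -c public -v 1 10.1.14.12
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)
SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "10.1.14.100"
SNMPv2-SMI::enterprises.6889.2.69.1.1.19.0 = STRING: "AvayaTFTPserver"
SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0 = STRING: "b02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0 = STRING: "a02d01b2_3.bin"
SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0 = STRING: "46xxupgrade.scr"
SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "221"
"""

# One snmpwalk result line: <oid> = <TYPE>: <value>
LINE_RE = re.compile(r"^(\S+) = (\w+): ?(.*)$")

# Meaning of the 46xx private OIDs, inferred from the walk values above (assumption, not from a MIB).
AVAYA_46XX_FIELDS = {
    "SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0": "call_server",
    "SNMPv2-SMI::enterprises.6889.2.69.1.1.19.0": "tftp_server",
    "SNMPv2-SMI::enterprises.6889.2.69.1.1.21.0": "boot_file",
    "SNMPv2-SMI::enterprises.6889.2.69.1.1.22.0": "app_file",
    "SNMPv2-SMI::enterprises.6889.2.69.1.1.32.0": "upgrade_script",
    "SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0": "extension",
}

def parse_walk(text):
    """Map each OID in snmpwalk output to its value; prompt lines and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            oid, typ, val = m.groups()
            values[oid] = val.strip('"') if typ == "STRING" else val
    return values

def audit_phone(text, community="public"):
    """Return (inventory, findings) for one phone whose walk output is given."""
    values = parse_walk(text)
    inventory = {name: values[oid] for oid, name in AVAYA_46XX_FIELDS.items() if oid in values}
    findings = []
    if values and community == "public":   # it answered: SNMP is on and the default string works
        findings.append("answers the default community string 'public'")
    if values.get("SNMPv2-MIB::snmpEnableAuthenTraps.0", "").startswith("disabled"):
        findings.append("authentication-failure traps are disabled")
    files = [inventory[k] for k in ("boot_file", "app_file", "upgrade_script") if k in inventory]
    if files:
        findings.append("file names readable over SNMP: " + ", ".join(files))
    return inventory, findings
```

Feeding each phone's walk through audit_phone gives a per-phone record you can diff against the expected configuration and a findings list to track until SNMP is locked down or disabled.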
Countermeasures SNMP Enumeration Countermeasures
There are several countermeasures you can employ to secure SNMP. These are covered next.
Control Access to SNMP
Best practices for network design suggest that SNMP access from the VoIP phone access ports should be tightly limited within an enterprise network. This means that an attacker shouldn't be able to simply unplug a VoIP phone, plug his laptop into the access port, and start arbitrarily querying SNMP devices on the VLAN. Strict access control can be applied on the switch to ensure that SNMP management traffic is allowed only from controlled locations.
Disable SNMP If Not Needed
You should disable SNMP if it is not being used. Avaya has been in the process of disabling SNMP by default on new firmware loads. An Avaya Security Advisory along with a new version of firmware is being released. For more information, see http://support.avaya.com/elmodocs2/security/ipphone_snmp_secv7.pdf.
Use Secure Versions of SNMP
Another countermeasure is to avoid SNMPv1 and SNMPv2 in favor of SNMPv3. At the current time, however, Avaya does not support SNMPv3 on their IP phones.
Change Community Strings
Community strings are like passwords. It is always wise to change the default to a new, hard-to-guess value.
H.323 Software Release 2.6 for the 4610SW, 4620SW, 4621SW, and 4622SW IP telephones in software bundle 081406 does not support a default value for the SNMP community string. Therefore, phones upgraded to Release 2.6 will not support SNMP unless an SNMP community string is configured.