New Tool Released: Sip Rogue

Posted January 23, 2007 by hackingvoip
Categories: VoIP Security

We finally posted our sip_rogue test/attack tool on our Hacking Exposed website. This tool allows you to perform a variety of application-level man-in-the-middle attacks. We described it in our book, but had to clean it up a bit before posting. Hopefully folks will find it to be useful.

Sample chapter from Hacking Exposed VoIP

Posted December 15, 2006 by hackingvoip
Categories: VoIP Security

We’re pleased to release a full electronic sample chapter from Hacking Exposed VoIP for your reading pleasure. Chapter 3 delves into enumeration of VoIP services in order to glean interesting information (e.g. user names, phone extensions, passwords, etc.). Hope you enjoy!

Compiling VLANping on FreeBSD

Posted December 14, 2006 by hackingvoip
Categories: VoIP Security

Thanks to Justin Hohner for sending his changes to VLANping so that it would compile cleanly under FreeBSD. Here are the diffs:

# diff -u orig/hack_library.h hack_library.h
— orig/hack_library.h Wed Oct 25 18:46:09 2006
+++ hack_library.h Tue Nov 7 23:21:20 2006
@@ -33,6 +33,7 @@
#include <stdlib.h>
#include <stdbool.h>
#include <fcntl.h>
+#include <sys/time.h>

int Str2IP ( char *str, int *ipNum );
int DumpPacket ( char *psPacket, int packetSize );
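
Review bot: the new <sys/time.h> include at the end of the include block carries no comment saying which declaration needs it, and nothing in the visible context (Str2IP, DumpPacket) uses a time type. A one-line comment naming the symbol that failed to compile on FreeBSD would keep a later cleanup from removing the include as unused.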

# diff -u orig/Makefile Makefile
— orig/Makefile Wed Oct 25 21:04:23 2006
+++ Makefile Wed Nov 8 02:02:58 2006
@@ -1,5 +1,5 @@
vlanping: vlanping.c vlanping.h
– gcc -I../hack_library vlanping.c -lnet ../hack_library/hack_library.o -o vlanping
+ gcc -I../hack_library vlanping.c -lnet -L/usr/local/lib ../hack_library/hack_library.o -o vlanping

rm -f vlanping
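
Review bot: the -L/usr/local/lib added to the gcc line hard-codes one install prefix into the only build rule, and no matching include path is added even though vlanping.h is changed in the same patch to find libnet under /usr/local/include. Consider moving both into make variables (for example LDFLAGS and CPPFLAGS) so the prefix can be overridden on the command line and the header can keep a plain libnet.h include.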

# diff -u orig/vlanping.h vlanping.h
— orig/vlanping.h Wed Oct 25 21:16:55 2006
+++ vlanping.h Wed Nov 8 02:06:23 2006
@@ -31,15 +31,12 @@
#ifndef __VLANPING_H
#define __VLANPING_H

-#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
-#include <net/if.h>
-#include <linux/sockios.h>

#include <sys/socket.h>
#include <netinet/in.h>
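
Review bot: the three includes removed near the top of vlanping.h are dropped unconditionally, so the Linux build loses <net/if.h> and <linux/sockios.h> as well, while <sys/ioctl.h> stays, which suggests interface ioctls are still in use. Only <linux/sockios.h> is Linux-specific; wrapping it in #ifdef __linux__ and keeping <net/if.h> (moved below <sys/socket.h> if include order was the FreeBSD problem) would keep both platforms building. The context also shows <netinet/in.h> included twice, which could be tidied in the same change.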
@@ -54,6 +51,7 @@
#include <sys/stat.h>
#include <fcntl.h>

+#include “/usr/local/include/libnet.h”
#include “hack_library.h”

#define __VLANPING_VERSION “vlanping – Version 1.0”
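
Review bot: the added libnet include just above hack_library.h uses an absolute path, which ties the header to one install prefix and fails wherever libnet is installed elsewhere. Keep the angle-bracket libnet.h include at this new position after the system headers and pass -I/usr/local/include from the Makefile instead.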

At Long Last – The Book is Released!

Posted December 7, 2006 by hackingvoip
Categories: VoIP Security

We’re pleased to announce that after over a year of research and writing, our book is finally released! You can grab a copy from here. We developed and released about 20 new security tools to go along with the book available at Please drop us a note at with your feedback.

New Tools Released!

Posted October 30, 2006 by hackingvoip
Categories: VoIP Security

We posted several new tools on the “Hacking Exposed” website. We also provided updates and better README files for some of the existing tools. Here is a quick summary of the new tools:

  • rtpinsertsound/rtpmixsound – these tools take the contents of a .wav or tcpdump-format file and insert or mix in the sound. They require access to the RTP stream (sniffing of the VoIP traffic, but not necessarily MITM), so they can properly craft sequence numbers, timestamps, etc. rtpinsertsound, with the right timing, can be used to add words or phrases to a conversation. rtpmixsound can be used to merge in background audio, like noise, sounds from a “gentleman’s club”, curse words, etc. These tools have been tested in a variety of vendor environments and work in pretty much any environment where encryption isn’t used.
  • redirectpoison – this tool works in a SIP signaling environment: it monitors for an INVITE request and responds with a SIP redirect response, causing the issuing system to direct a new INVITE to another location. This tool requires access to the SIP signaling, but does not require a man-in-the-middle (MITM) attack. We tested this tool with the Asterisk and SER SIP proxies, along with a variety of SIP phones.
  • spitter – this tool works in conjunction with Asterisk, to set up a voice SPAM/SPIT generation platform. Once Asterisk is set up, spitter is used to schedule any number of calls, using your choice of audio files.

The tools come with README files, so they should be pretty easy to use. Please let us know what you think.
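
A defender-side view of the RTP tools above, as an added example (not code from the authors or their toolkit): assuming an injected packet reuses a sequence number that the legitimate sender also uses, a passive monitor can flag any (SSRC, sequence) pair that reappears with different content. The names `find_conflicts` and `make_rtp`, the `window` parameter and the sample capture are constructed for illustration; the RTP padding bit is ignored.

```python
import hashlib
import struct
RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC

def parse_rtp(packet):
    """Return (ssrc, seq, timestamp, payload), or None if not RTP version 2."""
    if len(packet) < RTP_HEADER.size:
        return None
    b0, _mpt, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        return None
    offset = RTP_HEADER.size + 4 * (b0 & 0x0F)       # skip the CSRC list
    if b0 & 0x10:                                    # header extension present
        if len(packet) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack_from("!H", packet, offset + 2)[0]
    return (ssrc, seq, ts, packet[offset:]) if len(packet) >= offset else None

def find_conflicts(packets, window=2000):
    """Return (index, ssrc, seq) for packets that contradict an earlier one."""
    seen, alerts = {}, []  # seen: (ssrc, seq) -> (index, fingerprint) of first sighting
    for index, raw in enumerate(packets):
        parsed = parse_rtp(raw)
        if parsed is None:
            continue
        ssrc, seq, ts, payload = parsed
        fingerprint = (ts, hashlib.sha256(payload).digest())
        first = seen.get((ssrc, seq))
        if first is None or index - first[0] > window:  # new, or 16-bit seq wrapped
            seen[(ssrc, seq)] = (index, fingerprint)
        elif first[1] != fingerprint:                   # exact duplicates are benign
            alerts.append((index, ssrc, seq))
    return alerts

def make_rtp(seq, ts, payload, ssrc=0x1234ABCD):
    """Build a constructed sample packet: version 2, payload type 0 (PCMU)."""
    return RTP_HEADER.pack(0x80, 0x00, seq, ts, ssrc) + payload

# Constructed capture: an exact duplicate of 101, then 101 again with different audio.
CAPTURE = [
    make_rtp(100, 16000, b"\xff" * 160),
    make_rtp(101, 16160, b"\xff" * 160),
    make_rtp(101, 16160, b"\xff" * 160),
    make_rtp(102, 16320, b"\xff" * 160),
    make_rtp(101, 16160, b"\x55" * 160),
]

if __name__ == "__main__":
    print(find_conflicts(CAPTURE))
```

The monitor has to see both the legitimate and the conflicting packet, so it belongs on a span port or tap on the media path rather than on the receiving endpoint alone.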

eWeek Podcast – VOIP: How Secure?

Posted October 24, 2006 by hackingvoip
Categories: VoIP Security

Dave recently was interviewed in a podcast with eWEEK senior writer Matt Hines about VoIP Security. Some of the questions that were asked and answered included:

Enterprises are obviously adopting VoIP at a very fast rate, are the threats ramping up quickly as well?

What do you see as the most significant threats to VoIP security right now?

Phishing continues to menace online business applications of all types, how is the threat of VoIP phishing coming together?

Some people feel that the issues of security in regards to IP telephony are being over-hyped, do you feel that people are making too much of an issue of the problem?

What can you tell us about your work with the VoIP security alliance, what sort of work is being done by the group right now?

Top Voices in IP Communications

Posted October 14, 2006 by hackingvoip
Categories: VoIP Security

The October issue of Internet Telephony Magazine includes a feature article on the “Top 100 Voices of IP Communications”. Dave was honored as one of the editor’s selections for his contributions to VoIP security.

Recent Presentations Roundup

Posted October 11, 2006 by hackingvoip
Categories: VoIP Security

In the last month, we’ve been keeping busy evangelizing VoIP Security at various conferences and press events. Mark was most recently at IPComm in Nashville, Tennessee where he presented on SIP Vulnerabilities (3.8MB pdf) as well as VoIP Hacking Defenses (3.7MB pdf). Mark also recently spoke on a panel at VoiceCon Fall about Conducting a VoIP Security Assessment (1.5MB pdf). Dave also recently spoke on a panel at the NetEvents European Summit on VoIP Security (see pic).

We also just found out that our presentation on Exploiting VoIP Networks was accepted at the 2007 RSA Conference in San Francisco. Drop us a line if you’re planning on attending! Also, our book should be out by then so I imagine we’ll have a few copies to give out at our talk.

Black Hat Presentation and Tools Release

Posted August 6, 2006 by hackingvoip
Categories: VoIP Security

We spoke at the Black Hat Briefings this past week in Las Vegas on “Hacking VoIP Exposed”. In coordination with our presentation (available in pdf format 2.3MB), we released on Wednesday a plethora of new VoIP security tools that we wrote for our book. We even demonstrated many of them in our talk against a simple VoIP testbed running Asterisk and a few IP phones. There’s been quite a bit of press interest; a few of the stories are listed below:

BusinessWeek, Security Threats Come A-Callin’
CNET, New tools test VoIP security
InfoWorld, BH Briefings begins with 10 years under its belt
The Register, VoIP Hacking Exposed
Networking Pipeline, VoIP-Hacking Toolkit Hits The Net
SearchSecurity, Cisco coping with more BH revelations
Blue Box Podcast, Black Hat super-sized edition
VON Magazine, Free Web Security Tools (Really)

Cisco even released a security advisory in response to a technique we demonstrated in our talk to brute force valid SIP phone extensions.

Thanks to everyone who attended our talk and has since dropped us a line with feedback.

Quoted in BusinessWeek

Posted July 12, 2006 by hackingvoip
Categories: VoIP Security

Dave was quoted in a BusinessWeek article about VoIP and Phishing. Consequently, the last chapter of our upcoming book is focused on VoIP Phishing schemes.