VoIP - Attacking CUCM

Presented at HITBMalaysia 2011 by

We’re going to cover different signaling protocols and how one can scan for them. The outline of this 2-hour lab session is as follows:

Attacking Signalling Protocols

SIP
  Protocol
  Scanning
    a. How and why it works
    b. Using svmap, nmap, smap
    c. Fingerprinting
  SIP Attacks
    a. Credential grabbing
    b. Enumerating extensions, protections and bypassing protection too
    c. SIP update or RE-INVITE
  Cracking digest authentication (online and offline attacks)
  Various attacks related to SIP
    a. Finding SIP open relays (toll fraud and accessing internal systems)
  DoS
    a. Malformed messages (e.g. SIP messages that crash a PBX)
    b. Flooding is effective – various types of flooding

SCCP
  1. Protocol
  2. Scanning
  3. Attacks
    a. Capture FAC-code
    b. MiTM (sccp proxy)
    c. CallManager hijack / spoofing + crash phone

Attacking Cisco CallManager
  1. CCMuser SQL injection
  2. Webdialer
  3. Jailbreaking CUCM

Attacks on Client “hard phones”
  Extension mobility abuse
    a. Grabbing credential
    b. Take control of phone
    c. DoS
  URI feature abuse
    a. Remote control
    b. Display fake message remotely
    c. Remote wiretapping