There are a few ways to enumerate an E.164 alias, which is needed to spoof an H.323 endpoint (as shown in the previous example). The easiest method is simply to sniff the information over the network. During a call, one endpoint will call another endpoint using its E.164 alias. The destination endpoint’s information moves across the network in cleartext; thus, an attacker can simply sniff the connection and view the destination E.164 alias. If an attacker is sniffing the network using Wireshark, the location of the E.164 alias is located on the dialedDigits line. The dialedDigits line shows the destination E.164 alias used for the voice connection. The path to find the dialedDigits line on an H.323 packet using Wireshark is shown below:
H.225.0 RAS > gatekeeperRequest > endpointAlias > Item 1 > Item: dialedDigits > dialedDigits
It may not be possible to simply perform a man-in-the-middle attack to sniff the network, thereby forcing the attacker to find a better way to enumerate E.164 information. The next method, which is the better choice when sniffing is not possible, is to brute-force the information from a gatekeeper. When an endpoint attempts to register with a gatekeeper using an unauthorized E.164 alias, the gatekeeper sends a Security Denial Message, specifically: securityDenial (11). However, if an endpoint attempts to register with an E.164 alias that has already been registered, the gatekeeper will send a duplicate error message, specifically: duplicateAlias. A duplicate error signals that the attempted E.164 information is legitimate and registered to the gatekeeper but used by a different H.323 endpoint. This behavior allows an attacker to enumerate E.164 information from the gatekeeper. Because an attacker will be told when he has the incorrect E.164 alias (securityDenial) or a correct but already used E.164 alias (duplicateAlias), he can send several million packets to the gatekeeper, each with a different E.164 alias (1 to 999999999), until he gets a list of duplicateAlias messages from the gatekeeper. This list gives the attacker a list of valid E.164 numbers, allowing him to enumerate possible entities to spoof. To automate this attack, an attacker can simply write a script to send millions of registration request packets to the gatekeeper, each with a unique E.164 alias. Once the attacker receives a duplicateAlias error message from the gatekeeper, he will have enumerated a valid E.164 alias.
66 Chapter 3
For example, Figures 3-9 and 3-10 show the enumeration process. Line 2 (rejectReason) in Figure 3-9 shows an error message when an attacker attempts to register with an E.164 alias that is not authorized (securityDenial). Line 2 in Figure 3-10 shows an error message (rejectReason) when an attacker attempts to register with an authorized E.164 alias that has already been registered (duplicateAlias). The difference in the error messages tells the attacker that his second attempt was using a valid E.164 alias name.
Figure 3-9: Security denial error when trying to register with an unauthorized E.164 alias
Figure 3-10: Enumerating E.164 alias by the duplicateAlias error message
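The enumeration just described leaves a distinctive trace on the gatekeeper side: one source producing a burst of registration rejects, each for a different alias, mixing securityDenial and duplicateAlias. The following detection logic, an added example that is not from the book, flags such sweeps in gatekeeper reject records and reports which aliases the sweep confirmed as registered (the ones an attacker would later try to spoof). The log format, the sample lines, the window and the threshold are constructed assumptions; only the two reject reasons come from the text.

```python
import re
from collections import defaultdict

# Constructed record format (an assumption, not any real gatekeeper's log):
#   "<epoch> RRJ src=<ip> alias=<e164> reason=<rejectReason>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) RRJ src=(?P<src>[\d.]+) alias=(?P<alias>\d+) reason=(?P<reason>\w+)$"
)

# Constructed sample: one host sweeping aliases 1001-1006, one normal reject.
SAMPLE_LOG = """\
1700000000 RRJ src=10.0.0.5 alias=1001 reason=securityDenial
1700000001 RRJ src=10.0.0.5 alias=1002 reason=securityDenial
1700000002 RRJ src=10.0.0.5 alias=1003 reason=duplicateAlias
1700000003 RRJ src=10.0.0.5 alias=1004 reason=securityDenial
1700000004 RRJ src=10.0.0.5 alias=1005 reason=duplicateAlias
1700000005 RRJ src=10.0.0.5 alias=1006 reason=securityDenial
1700000090 RRJ src=10.0.0.9 alias=2001 reason=duplicateAlias
"""

def parse(log_text):
    """Yield (ts, src, alias, reason) for every well-formed record."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["alias"], m["reason"]

def detect_alias_sweeps(log_text, window=60, threshold=5):
    """Flag sources whose rejected registrations cover at least `threshold`
    distinct aliases within any `window` seconds. Returns
    {src: (distinct_aliases_tried, aliases_confirmed_registered)}."""
    per_src = defaultdict(list)
    for ts, src, alias, reason in parse(log_text):
        if reason in ("securityDenial", "duplicateAlias"):
            per_src[src].append((ts, alias, reason))
    findings = {}
    for src, evs in per_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({a for _, a, _ in evs[start:end + 1]}) >= threshold:
                tried = {a for _, a, _ in evs}
                # duplicateAlias rejects reveal aliases that really are registered
                leaked = sorted({a for _, a, r in evs if r == "duplicateAlias"})
                findings[src] = (len(tried), leaked)
                break
    return findings
```

A hit lists the aliases the sweep confirmed as live; those endpoints are the ones to watch for a later registration from an unexpected address.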
E.164 Hopping Attacks
Hopping attacks allow unauthorized users to jump across security groupings, allowing them to escape any kind of isolation that was put in place. For example, hopping attacks allow unauthorized users to access authorized areas. Furthermore, the attacks allow unprivileged users to access areas where only privileged users should be. Previous hopping attacks are best known from Cisco switches. Attackers were able to hop across VLANs using specific VLAN tags and gain access to certain networks that should have otherwise been limited.
An E.164 hopping attack is an extension of the spoofing attacks described previously. Often, gatekeepers will use E.164 aliases as security entities (allowing only a static set of E.164 aliases to register to gatekeepers or make specific types of calls). Hence, E.164 aliases are set up with different zones for H.323 endpoints. For example, one group of aliases might be allowed to call anywhere, including international locations at the most expensive time of day; another group might be restricted to calling only domestic long distance numbers; another group might be allowed to call internal numbers only; and a final group might be allowed to call only “900” numbers.
As of this writing, many controls for outbound dialing are not used, as every number can call anywhere; however, this trend will probably change. For example, in today’s mobile environment, many company conversations that discuss sensitive information occur via the phone. The assumption is that everyone with access to the number should be on the call; however, conference bridge numbers are forwarded to the wrong place more often than people think.
Signaling: H.323 Security 67
The pretexting and information leakage issues at Hewlett-Packard, motivating the company to break the law in 2006 (although with virtually no consequences), led to the need for stronger security for sensitive conference calls (http://en.wikipedia.org/wiki/2006_HP_spying_scandal). For example, conference calls discussing a company’s goals will need a method to ensure that only internal phone numbers can join the call. If the technique used to identify authorized phones is the E.164 alias, the alias can be spoofed. Any controls set up by the gatekeeper/gateway for dialing restrictions can simply be overridden by an attacker.
Spoofing the E.164 alias breaks the entire model for identity assurance on the H.323 VoIP network. Furthermore, as an end user, calling the CEO, CFO, or simply your co-worker on another floor may result in your speaking to an attacker who has hijacked an identity.