When conducting a VoIP security assessment against a PBX (Private Branch Exchange), it is important to test for all types of attack. One attack that has existed in VoIP for years is Caller ID spoofing, and we are going to examine it in this article.
Caller ID spoofing is a type of attack where a malicious attacker impersonates a legitimate SIP user to call other legitimate users on the voice network. The attack is fairly easy to implement and can be achieved with the use of the following tools:
Let’s see the details of this attack below.
Attack Scenario
An internal attacker calls the Director of Finance of the company, pretending to be the CEO, and requests a transfer of X amount of money to his bank account. The attacker changes the header of the SIP INVITE request in order to spoof his caller ID to that of the CEO. The Director of Finance accepts the call, as the caller ID appears to be from the CEO, who is considered trusted, and begins the phone conversation with the attacker.
Viproy is a penetration testing toolkit for VoIP assessments. It has been developed by Fatih Ozavci and it can be loaded into the Metasploit Framework. There is a specific module that can be used for Caller ID spoofing and in the image below you can see the configuration of the module:
Spoofed INVITE requests can also be sent from another tool called inviteflood, which is part of Kali Linux. The main purpose of inviteflood is DoS (Denial of Service) attacks against SIP devices by sending multiple INVITE requests, but it can accommodate our need to spoof our ID with the following command:
The Metasploit Framework also contains an existing module which can send a fake SIP INVITE message to an existing extension:
In order for the attack to be successful, the PBX needs to allow anonymous inbound SIP calls. The attack is very easy to implement, even by people with limited knowledge of VoIP and hacking, which is why system owners need to ensure that their PBX prevents anonymous inbound calls from reaching their legitimate users in order to mitigate the risk of this attack.
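The mitigation above comes down to not trusting the From header of an INVITE that arrived without credentials. The following detection sketch is an added example, not code from the original article or from any of the tools it names; the registrar table, the `pbx.example.test` domain, the IP addresses and the sample messages are all constructed assumptions.

```python
import re

# Constructed registrar state (assumption): extension -> IP that registered it.
REGISTERED = {"100": "10.0.0.10", "200": "10.0.0.20"}

def parse_sip(raw):
    """Return (method, headers) for a raw SIP request; header names lowercased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].split(" ", 1)[0], headers

def from_user(headers):
    """User part of the From URI, i.e. the identity presented as caller ID."""
    m = re.search(r"sips?:([^@;>\s]+)@", headers.get("from", ""))
    return m.group(1) if m else None

def check_invite(raw, src_ip):
    """List the reasons the caller ID on this INVITE should not be trusted."""
    method, headers = parse_sip(raw)
    if method != "INVITE":
        return []
    findings = []
    user = from_user(headers)
    # Presence only: verifying the digest response is the PBX's job.
    auth = headers.get("authorization") or headers.get("proxy-authorization")
    if not auth:
        findings.append("anonymous INVITE (no credentials)")
    else:
        m = re.search(r'username="([^"]*)"', auth)
        if m and m.group(1) != user:
            findings.append(f"auth user {m.group(1)} differs from From user {user}")
    if user in REGISTERED and REGISTERED[user] != src_ip:
        findings.append(f"extension {user} is registered at {REGISTERED[user]}, not {src_ip}")
    return findings

def sample_invite(user, auth_user=None):
    """Build a constructed INVITE to extension 200 for the checks above."""
    lines = ["INVITE sip:200@pbx.example.test SIP/2.0",
             f'From: "CEO" <sip:{user}@pbx.example.test>;tag=1',
             "To: <sip:200@pbx.example.test>", "Call-ID: constructed", "CSeq: 1 INVITE"]
    if auth_user:
        lines.append(f'Authorization: Digest username="{auth_user}", realm="pbx.example.test"')
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    print(check_invite(sample_invite("100"), "10.0.0.66"))         # two findings
    print(check_invite(sample_invite("100", "100"), "10.0.0.10"))  # no findings
```

The same three checks (credentials present, authenticated user equals From user, source matches the registered contact) can be run over captured signalling or PBX logs to find calls whose displayed identity was never verified.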