scaredkys

Cisco VoIP Hijacking Exploit Paper

Jul 25th, 2019
Cisco VoIP Hijacking Exploit - Paper #01
[Written By: SmallDoink#0666]
[Written By: ScaredKYS]
-
Cisco's line of VoIP/IP phones is vulnerable to hijacking. This form of hijacking I discovered only works on Cisco phones and some VoIP adapters.
Cisco's Vulnerable Devices:
8800 Series
7800 Series
6900 Series
3900 Series
--
Other Devices:
Ooma Tele Air
------
Explanation Of Vulnerability:
Cisco has a VoIP API it uses to log calls made from their IP phones. I discovered a way to grab the private key the server and the phone share and also grab the public key. By doing this I was able to access the Cisco API and see:
1.) Who they are calling
2.) How long they have been on calls
3.) Who they have called
I was also able to swap phone calls between multiple Cisco IP phones, meaning I could make each IP phone on the VLAN transfer calls to each other along the network.
---
[UPDATED PAPER]
Cisco's IP phones use Cisco's Gateway and API to access and call other phones. By having access to the private key and public key I have the ability to change the JAL and DTAL features and use them for malicious purposes, hence the ability to transfer and merge calls. With access to the API I could view call logs, etc. The API is hosted on *http://api.cisco.com/voice-api/*. To use the link to find calls, use *http://api.cisco.com/voice-api/external-ip/callid* where external-ip is the phone's external IP and callid is the call's ID. To access the API you must have an IP range of either:
1.) Cisco's Private Network
2.) A Known Cisco Device
Ex.: 72.163.8.17 Cisco's Private Network
-
Cisco uses standard VoIP encryption along with packet hashing upon activation of their device.
Cisco has key generation on their phones that allows access to the server. With internal access to the phone, you can intercept the key and use it to authenticate with the gateway. Once gateway access has been granted you are inside of the Cisco voice network, but you are only given permissions to view your phones that are registered on your network.
-
Cisco's API automatically saves call logs, call information, call time, and call destination in their database, which is a MySQL database. You cannot inject any information into the database since it is filtered to only a standard of syntax they have set.
---
Network Architecture For Calls:
Cisco Phone -> Router -> Internet -> Cisco Gateway -> Cisco API -> Cisco Gateway -> VoIP to Phone Regulator -> Phone Destination
-
Network Architecture For Database:
Spoofed IP -> Cisco Gateway -> Cisco API -> Cisco Database
                    -        |      -
          Gateway is authed  |  API used to req
              with keys      |  Data