Entries in voip security (4)


VOIPPACK for April adds Asterisk scanning, leaking phones and Troopers09

Announcing the VOIPPACK April edition, which supports IAX2 and can now scan Asterisk servers. Because the feedback for sipautohack was great, we included a similar tool for the Asterisk protocol called iax2autohack in the April edition of VOIPPACK. The following are the new tools available in this update:

  • iax2enumerate, which, like sipenumerate, tries to guess extensions present on the Asterisk box and informs you whether each extension has a password set

  • iax2cracker, which, given a known extension on the Asterisk box, attempts to recover the password through an online brute-force attack

  • iax2autohack, which finds any Asterisk servers on the network, enumerates the extensions and launches a password cracking attack on each extension

The following demo shows iax2autohack in action:

[vimeo http://vimeo.com/4162693]

For more information about VOIPPACK and our other offerings, check out the products page.

Additionally, we confirmed that a few phones are vulnerable to the SIP Digest Leak vulnerability (tools included in VOIPPACK), including the Cisco 7940, Grandstream, Fritzbox and more, thanks to Sjur and another unnamed entity ;-) We will be working on further research and releasing a paper after Troopers09, where Wendel G Henrique and I will be presenting our Web Application Firewall research and releasing new tools.

Watch twitter if you're interested in what's happening ;-)

New tutorial published on setting up a VoIP lab

Just published a tutorial called “How to set up a VoIP lab” which provides easy step-by-step instructions on how to get a VoIP lab up and running. Abstract:

Have you been wondering about what sort of security vulnerabilities apply to the VoIP network that’s coming up in your next assignment but have no equipment to test on yet?
Truth is that most of the time there is no need for a lot of expensive hardware to set up a basic lab for testing VoIP security.

Download the PDF version

VOIPPACK now available!

EnableSecurity VOIPPACK is finally out! We would like to thank everyone who made this possible. VOIPPACK can be purchased from our reseller Immunity in the US or directly for the rest of the world.

More information about pricing and video demonstrations can be found on the product page.


Ladies and Gentlemen please welcome..

EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the LinkedIn Profile page, while Google has further details.

So what sort of things am I doing?

  • Wireless security auditing

  • Web Application Security

  • VoIP security research

  • Reverse Engineering

I'll continue developing SIPVicious and publish additional tools to help security professionals get the job done.

And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week.