Tuesday, September 7, 2010

BruCON Training: Module 4, Attacking Unified Communications

The final module in the upcoming pentesting VoIP crash course is the most exciting one. In this section we look at VoIP systems as a whole. Unified communications is one of those terms that has been hyped up to include everything, from chat to video phone calls and SMS. What we will look at in this section is how to go about breaking into the following during a penetration test:
  1. Web application security flaws in Asterisk-based PBX servers
  2. Attacking various services open in PBX servers, such as TFTP
  3. How, once you're on a PBX network, you can sometimes simply use your phone to spy on other phone calls
  4. How to make use of hardware taps
  5. Hardware phone features that can be abused
  6. Abuse of various exposed features in Cisco call manager accessible on the HTTP server

This module will help familiarize the attendees with the target servers and systems. Who knows, it may even give a kick-start to finding some new 0-days in one of these Unified Communications solutions ;-)
