This audit is performed as an Infrastructural penetration test (Gray Box methodology), carried out in the organization’s VoIP VLAN segment. The audit reviews the privileges and the restrictions of that segment and runs a full penetration test from it to the organizational inner/secured network infrastructure.
The audit is designed to expose security issues resulting from unsecured VoIP telephony architecture, VoIP management (IP-PBX) and user devices' vulnerabilities.
Any vulnerability found, is then investigated in order to evaluate and illustrate its potential damage to the organization’s critical business information assets.
The process includes:
- Detection and identification of users' extensions.
- IP-PBX-extension handshake password cracking.
- Voice calls or video calls transmission tapping (Eavesdropping).
- Application level Denial of Service potential – using IP-PBX application: unauthorized change of system configuration; trace relevant users' activity.
- Network level Denial of Service potential – using common IP networking DoS tools.
- Piggyback administrative privilege from the IP-PBX to penetrate the corporate directory in order to acquire critical information business assets.
The purpose of the above measures is to identify the potential of exposing classified information transferred via this media. Consequently, to provide a clear status about how plausible is an unauthorized penetration and the damage potential from a random VoIP spot at the organizational network (without any prior knowledge about the VoIP infrastructure) by simulation of real hacking attempts that can be performed by an inside user within the VoIP network.