By: Kouzelnik
October 12, 2015

Tutorial: Hacking/Troubleshooting VoIP and ISDN


Phone hacking has been around since the creation of the phone line. Now, with VoIP technology, we face new issues.

Let's take a closer look at Cisco connections and troubleshooting of basic problems. Much depends on the connection and hardware you're working with. Cisco phones are connected to the switch and managed via CME or CUCM.

Below, you'll find basic ways and commands to troubleshoot VoIP issues. I also added a few basics of ISDN troubleshooting.

 How is Your IP Phone Connecting?
  1. The Cisco IP Phone connects to an Ethernet switchport. If the IP phone and switch support PoE, the IP phone receives power through either Cisco-proprietary PoE or 802.3af PoE.
  2. As the Cisco IP Phone powers on, the Cisco switch delivers voice VLAN information to the IP phone using CDP as a delivery mechanism. The Cisco IP Phone now knows what VLAN it should use.
  3. The Cisco IP Phone sends a DHCP request asking for an IP address on its voice VLAN.
  4. The DHCP server responds with an IP address offer. When the Cisco IP Phone accepts the offer, it receives all the DHCP options that go along with the DHCP request. DHCP options include items such as default gateway, DNS server information, domain name information and so on. In the case of Cisco IP Phones, a unique DHCP option is Option 150. This option directs the IP phone to a TFTP server.
  5. After the Cisco IP Phone has the IP address of the TFTP server, it contacts the TFTP server and downloads its configuration file. Included in the configuration file is a list of valid call processing agents (such as Cisco Unified Communications Manager or Cisco Unified Communications Manager Express CME agents).
  6. The Cisco IP Phone attempts to contact the first call processing server (the primary server) listed in its configuration file to register. If this fails, the IP phone moves to the next server in the configuration file. This process continues until the IP phone registers successfully or the list of call processing agents is exhausted.
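Step 4 is a common place for registration to stall: if the offer carries no Option 150, the phone never learns where its TFTP server is. The following added example (not part of the original post) walks the options field of a captured DHCP offer and extracts the Option 150 server list; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress

DHCP_MAGIC = bytes([99, 130, 83, 99])   # cookie that precedes the options
OPT_PAD, OPT_END, OPT_TFTP_SERVERS = 0, 255, 150


def parse_dhcp_options(field):
    """Walk the DHCP options field (magic cookie + TLVs) into {code: value}."""
    if field[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # single-byte padding, no length octet
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("option %d truncated" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = options.get(code, b"") + value  # repeated codes are joined
        i += 2 + length
    return options


def tftp_servers(field):
    """Return the Option 150 TFTP server list, or [] if the option is absent."""
    raw = parse_dhcp_options(field).get(OPT_TFTP_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("Option 150 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[n:n + 4])) for n in range(0, len(raw), 4)]


# Constructed sample: options of a DHCP offer on a voice VLAN (made-up addresses).
SAMPLE_OFFER = DHCP_MAGIC + bytes([
    53, 1, 2,                              # message type: OFFER
    1, 4, 255, 255, 255, 0,                # subnet mask
    3, 4, 10, 10, 20, 1,                   # default gateway
    150, 8, 10, 10, 20, 1, 10, 10, 20, 2,  # Option 150: two TFTP servers
    255,
])
SAMPLE_NO_150 = DHCP_MAGIC + bytes([53, 1, 2, 3, 4, 10, 10, 20, 1, 255])
```

An empty list from `tftp_servers` on a real capture means the DHCP pool is missing Option 150, which matches the boot-loop symptom described later in the post.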
 Basic Commands:
    sh ephone att
    sh ephone phone
    sh voice call sum
    sh voice port sum
    sh voice call
    sh dial-peer voice sum
    sh isdn stat
    sh ephone
    sh log

 More Commands:
    sh ver | i upt             ! check for uptime of router/switch
    sh power inline            ! is the phone getting power?
    sh int desc                ! every interface should have a description - anything useful?
    sh cdp nei                 ! can you see the phone in CDP?
    sh cdp nei det
    sh cdp entry <cdp name>    ! IP address of the phone can be found here
    sh env all                 ! check environment - all ok?
    sh log

 Router Commands:
    sh arp                     ! can you see the phone's MAC?
    sh ephone
    sh run | s e-phone         ! check config! CME case...

 Debugging:
  • FAX / PSTN line
      debug vpm signal
    This command collects debug information for signaling events and can be useful in resolving problems with analog PSTN lines or devices connected to analog FXS ports. Use it where there is no ISDN, only FXO/FXS trunks.
  • Ephones
      debug ip dhcp server events
      debug tftp events
      debug tftp packets
      show telephony-service tftp-bindings
      debug ephone register    (useful! - CME IP, DATE and TIME, SOFTKEYS, CODEC CAPABILITIES, EXTENSIONS)
      debug ephone state
  • How to verify ephone extension status
      debug vpm signal + debug ephone state
    - Call the main number (voice port number)
    - Watch voice port status - which one is going up?
    - Connection plar opx (redirection to the hunt group handling incoming calls)
    - Adjust connection plar on the exact voice port for the exact non-working extension
    - Call the main number again and only the exact extension will ring
  • ISDN
      debug isdn q931
    The Bearer Capability (or bearer cap) is the layer 3 service indication, which defines the characteristics of a given call. The Bearer Cap of a call is indicated by the telco in the Q.931 SETUP messages. The Bearer cap is often used to distinguish among 64k voice (analog), 56k data calls and 64k data calls.
    Bearer Cap    Description
    0x8890        ISDN 64K call - Used for ISDN BACKUP
    0x8890218F    ISDN 56K call
    0x8090A2      Voice/Speech call (u-law)
    0x9090A2      Voice/Speech call (u-law) - 3.1 kHz Audio
    0x8090A3      Voice/Speech call (A-law)
    0x9090A3      Voice/Speech call (A-law) - 3.1 kHz Audio
  • EXTERNAL CALL to the MAIN OUTSIDE number
      debug voice ccapi
      term mon
    - from your phone call the external number
    - debug ongoing...
  • CALL SIMULATION
      debug voice ccapi
      term mon
      csim start 1011    - e.g. call internal extension 1011 (external calls are possible too)
      csim start 988XXXXXXX
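The Bearer Cap values listed under ISDN above are not opaque codes: each octet is a bit field defined in ITU-T Q.931 (section 4.5.5). The following added example (not part of the original post) decodes the value printed after "Bearer Capability i =" in debug isdn q931 output, which also covers values that are not in the table. The function names are hypothetical, the lookup tables are a subset of the standard, and the debug excerpt is constructed.

```python
import re

# Subsets of the Q.931 Bearer Capability code points (ITU-T Q.931, 4.5.5).
TRANSFER_CAP = {0x00: "speech", 0x08: "unrestricted digital",
                0x09: "restricted digital", 0x10: "3.1 kHz audio"}
TRANSFER_MODE = {0: "circuit", 2: "packet"}
TRANSFER_RATE = {0x10: "64 kbit/s", 0x11: "2x64 kbit/s", 0x13: "384 kbit/s"}
LAYER1 = {0x01: "V.110 rate adaption", 0x02: "G.711 u-law", 0x03: "G.711 A-law"}
USER_RATE = {0x0F: "56 kbit/s"}

BC_LINE = re.compile(r"Bearer Capability i = 0x([0-9A-Fa-f]+)")


def decode_bearer_cap(hex_value):
    """Decode the octets shown after 'Bearer Capability i =' (octet 3 onward)."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    octets = bytes.fromhex(digits)
    if len(octets) < 2:
        raise ValueError("bearer capability needs at least octets 3 and 4")
    result = {
        "capability": TRANSFER_CAP.get(octets[0] & 0x1F, "unknown"),
        "mode": TRANSFER_MODE.get((octets[1] >> 5) & 0x03, "reserved"),
        "rate": TRANSFER_RATE.get(octets[1] & 0x1F, "unknown"),
        "layer1": None,
        "user_rate": None,
    }
    # Octet 5 is optional; bits 7-6 == 01 mark it as layer 1 information.
    if len(octets) > 2 and (octets[2] >> 5) & 0x03 == 0x01:
        result["layer1"] = LAYER1.get(octets[2] & 0x1F, "unknown")
        # A clear extension bit (bit 8) means octet 5a with the user rate follows.
        if not octets[2] & 0x80 and len(octets) > 3:
            result["user_rate"] = USER_RATE.get(octets[3] & 0x1F, "unknown")
    return result


def bearer_caps_in_debug(text):
    """Decode every Bearer Capability element found in pasted debug output."""
    return [decode_bearer_cap(value) for value in BC_LINE.findall(text)]


# Constructed excerpt in the style of 'debug isdn q931' output.
SAMPLE_DEBUG = """\
ISDN BR0/1/0 Q931: RX <- SETUP pd = 8  callref = 0x05
        Bearer Capability i = 0x8090A3
ISDN BR0/1/0 Q931: TX -> SETUP pd = 8  callref = 0x06
        Bearer Capability i = 0x8890218F
"""
```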
 Unregistered - TCP Socket:: [-1]
    # sh ephone phone    - verify the firmware version
    # sh ephone sum | i mac
    # dir flash:/phone/7940-7960
    # restart    - causes the phone to perform a warm reboot and redownload its configuration file from the TFTP server
  - Verify the phone has its PoE, voice VLAN access port, TFTP reachable, correct MAC address assigned
  - Bounce the switchport on the switch, check if CME has the correct MAC in the ephone config
  - Verify the IP address is from the IP DHCP pool, because the phone can get stuck in a boot cycle due to a bad IP
  - CME router must have a DHCP pool with option 150 for TFTP
  - Check for bugs on DN: sh voice call sum

 DECEASED status is shown in the ephone output: the CME router has lost connectivity with the IP phone through a TCP keepalive failure.
 UNREGISTERED status indicates the CME router closed the connection to the IP phone in a normal manner.
 ! It is OK for phones to be unregistered from the router. But if they could not reach the CUCM primary server, they would stay registered to the router in SRST mode.

 Troubleshooting ISDN More Deeply
    # sh int desc
    # sh isdn status
    # sh run | i string
    # isdn test call int BR0/1/0 02083852668
    # sh isdn history
    # sh isdn active
    # sh controllers BRI 0
  - Time to check with your Telco

 ISDN check process
    # sh isdn status    >>> defined SWITCHTYPE? or ISDN not used
    # sh isdn history
    # sh run | i string
    dialer string 02XXXXXXXXX

 Debug
    # terminal monitor
    # debug isdn q931
    # isdn test call int BRI <?> string    - After a test call, one BRI int has to go up/up. It may happen that the router will shut down.
    # sh controller BRI <?>
    # debug isdn q931
    # debug isdn q921

 FACTORY Reset of Cisco IP Phones
 This can be very helpful ;)
  1 - Unplug the cable, plug it back in and press the # key until the red light starts blinking
  2 - Release # and type 123456789*0# in sequence
  3 - The ephone should restart after this - approximately 2 times. Solved? It will take time to factory reset itself.
 !! During factory reset, do not power down the phone until it completes the factory reset process and the main screen appears. You will brick the phone!

 Importance of Voice Peers
    # sh dial-peer voice sum
 Without well-configured dial peers, the CME will match inbound voice traffic to default peer 0, which features all the negatives and problems:
  • Any voice codec: Dial peer 0 handles any incoming voice codec; it is not hardcoded to any specific codec
  • No DTMF relay: DTMF relay sends dialed digits outside of the audio stream. This is useful because compressed codecs often distort dialed tones on the call
  • IP Precedence 0: This is probably the most painful default of dial peer 0. Setting the traffic to IP Precedence (IPP) 0 strips all QoS markings. The router now treats the voice traffic the same as the data traffic
  • Voice Activity Detection (VAD) enabled: VAD allows you to save bandwidth by eliminating voice traffic during periods of silence on the call
  • No Resource Reservation Protocol (RSVP) support: The lack of RSVP goes right along with the lack of any QoS for the voice calls. The router does not reserve any bandwidth specifically for dial peer 0 calls
  • Fax-rate voice: The router limits the bandwidth available to fax signals to the maximum allowed by the VoIP codec. This could devastate fax calls if you are using a low bandwidth compressed codec
  • No application support: Dial peer 0 cannot refer calls to outside applications, such as an Interactive Voice Response (IVR) system
  • No DID support: Dial peer 0 cannot use the DID feature to automatically forward calls from an outside PSTN carrier to internal devices

 The Phone Doesn't Ring - But All Looks Good?
 Magical command is sh ephone ;)
 Search for DnD (Do Not Disturb) and for CFA (Call Forward All)
 If active - find the respective DNs and adjust the configuration...

GOOD LUCK!
...to be continued...
Let me know, lads, if you're interested in this topic :)
Kouzelnik CybPavl