How to Spoof Caller ID to Make Free Calls – VoIP Pentesting

This is the tutorial I have been working on over the last day to share more ideas with my readers about voice over IP (VoIP) hacking. As I said, it answers one of the most-asked questions: how do hackers spoof caller ID?

Today we will learn how to conduct penetration testing of VoIP (Voice over IP) against a Private Branch Exchange, as it is a must to perform pen tests for all types of attacks. For a VoIP security assessment, the most important pen test is caller ID spoofing: how hackers spoof caller ID to make fake calls on behalf of someone else without disclosing their own information. Before starting the pen test we have to understand what caller ID spoofing is. Caller ID spoofing is a type of attack where a malicious attacker impersonates a legitimate SIP user to call other legitimate users on the voice network. So let’s learn how hackers spoof caller ID. Penetration testing of caller ID spoofing requires certain prerequisites to perform a complete VoIP pen test.

    Requirements for Caller ID Spoofing Pen test:

Now consider an attack scenario where a malicious attacker calls a customer pretending to be the CEO of some organization who wishes to verify some information from the customer or wants to transfer ABC amount to the customer’s account, like the spam emails we see about huge money transfers and lottery winnings. The attacker changes the header of the SIP INVITE request in order to spoof his caller ID to that of the CEO. The customer accepts the call because the caller ID appears to be the CEO’s, which is considered trusted, and begins the phone conversation with the attacker.

[Image: Spoof Caller ID]

The crafted malformed SIP INVITE message can be seen below:

[Image: Spoofed Caller ID header packet]

Now let’s see how this type of attack can be conducted with the use of various tools.

Penetration testing of VoIP Using Viproy for Caller ID Spoofing:

Now let’s see how we can use the Viproy tool for VoIP penetration tests. Viproy is a penetration testing toolkit for VoIP assessments, and it works with the Metasploit framework. There is a specific module that can be used for caller ID spoofing, and in the image below you can see the configuration of the module:

[Image: Penetration testing of VoIP using Viproy Spoofed Caller ID]

This will cause the phone device to ring with the custom message of our choice, even from phone extensions that are not valid.

Penetration testing of VoIP Using InviteFlood for Spoofing Caller ID:

There is another tool for spoofing caller IDs, known as InviteFlood. InviteFlood is part of Kali Linux.

The main purpose of inviteflood is DoS (Denial of Service) attacks against SIP devices by sending multiple INVITE requests, but it can accommodate our need to spoof our ID with the following command:

[Image: Caller ID Spoofing Inviteflood]

Penetration testing of VoIP Using Metasploit for Spoofing Caller ID:

The Metasploit framework contains an existing module which can send a fake SIP INVITE message to an existing extension, and which can be used for spoofing caller ID:

[Image: Using Metasploit for Invite Spoof]

The device will ring, showing the caller ID as “The Metasploit has you”.

In order for the attack to be successful, the Private Branch Exchange needs to allow anonymous inbound SIP calls. The attack is very easy to carry out, even for people with limited knowledge of VoIP and hacking. That’s why system owners need to ensure that their Private Branch Exchanges prevent anonymous inbound calls from reaching their legitimate users, in order to mitigate the risk of this attack.
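
To check whether a PBX is exposed in the way described above, INVITEs it accepted can be audited for missing credentials and for a From extension that does not match where that extension registered. The following is an added example, not code from the original post or from any of the tools it mentions; the registration table, host names, addresses and sample messages are constructed, and the input is assumed to be INVITEs the PBX accepted without issuing a 401/407 challenge.

```python
import re

# Assumed registration table (constructed): extension -> IP it registered from.
REGISTERED = {"1001": "192.0.2.10", "1002": "192.0.2.11"}
FROM_URI = re.compile(r"<?sips?:([^@>;]+)@([^>;:\s]+)")

def parse_request(raw):
    """Return (method, headers) for a raw SIP request; header names lowercased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].split(" ", 1)[0], headers

def audit_invite(raw, src_ip):
    """Findings for one INVITE the PBX accepted without a 401/407 challenge."""
    method, h = parse_request(raw)
    if method != "INVITE":
        return []
    findings = []
    if "authorization" not in h and "proxy-authorization" not in h:
        findings.append("accepted without credentials")
    m = FROM_URI.search(h.get("from", h.get("f", "")))  # "f" is the compact form
    if not m:
        return findings + ["unparseable From header"]
    user = m.group(1)
    if user not in REGISTERED:
        findings.append(f"From user {user} is not a registered extension")
    elif REGISTERED[user] != src_ip:
        findings.append(f"From claims extension {user} but packet came from {src_ip}")
    return findings

# Constructed sample: INVITE without credentials whose From claims extension 1001.
SPOOFED = (
    "INVITE sip:1002@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060\r\n"
    'From: "CEO" <sip:1001@pbx.example.com>;tag=a1\r\n'
    "To: <sip:1002@pbx.example.com>\r\n"
    "Call-ID: constructed-1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
# Constructed sample: the same call with credentials, sent from the registered address.
LEGIT = SPOOFED.replace("198.51.100.7", "192.0.2.10").replace(
    "CSeq: 1 INVITE\r\n", 'CSeq: 2 INVITE\r\nAuthorization: Digest username="1001"\r\n')
```

Any finding on an accepted INVITE means the PBX let a call through on the strength of the From header alone, which is the condition the mitigation above is meant to remove.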
