ACE (Automated Corporate Enumerator) is a simple yet powerful VoIP corporate directory enumeration tool that mimics the behavior of an IP phone in order to download the name and extension entries that a given phone can display on its screen interface. In the same way that the “Corporate Directory” feature of VoIP hard phones enables users to easily dial by name through their VoIP handset, ACE was developed as a research idea born from “VoIP Hopper” to automate VoIP attacks that might be targeted against names in an enterprise directory.
The concept is that in the future, attacks will be made against users based on their name, rather than targeting VoIP traffic against random RTP audio streams or IP addresses. ACE works using DHCP, TFTP and HTTP in order to download the VoIP corporate directory. It then outputs the directory to a text file, which can be used as input to other VoIP evaluation tools. ACE is a standalone utility, but its functions are also integrated into UCSniff.
ACE currently supports the VoIP corporate directory used in Cisco Unified IP phones. It works in the following way:
1) Spoofs CDP to get VVID
2) Adds Voice VLAN Interface (VLAN Hop) – subsequent traffic is tagged with VVID
3) Sends DHCP request tagged with VVID
4) Decodes TFTP Server IP Address via DHCP Option 150
5) Sends a TFTP request for IP Phone configuration file
6) Parses file, learning Corporate Directory URL
7) Sends an HTTP GET request for Directory
8) Parses XML Data, writing directory users to a formatted text file
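Steps 3 to 5 leave a trace defenders can check: the configuration file is requested by phone identity (ACE is given the phone's MAC address with -m), while the DHCP lease on the voice VLAN belongs to whichever host actually sent the request. The following is an added example, not part of ACE or the original page; the log formats, addresses and function names are constructed for illustration, and the SEP<MAC>.cnf.xml file naming is the usual Cisco convention rather than something the page states.

```python
import re

# Constructed sample data (not from the page): DHCP leases on the voice VLAN
# ("ip mac") and TFTP read requests in a made-up server log format.
DHCP_LEASES = """\
10.96.0.21 00:1e:f7:28:9c:8e
10.96.0.22 00:1e:f7:11:22:33
10.96.0.57 00:0c:29:ab:cd:ef
"""
TFTP_LOG = """\
2024-05-01T09:00:01 RRQ from 10.96.0.21 file SEP001EF7289C8E.cnf.xml
2024-05-01T09:00:05 RRQ from 10.96.0.22 file SEP001EF7112233.cnf.xml
2024-05-01T09:14:40 RRQ from 10.96.0.57 file SEP001EF7289C8E.cnf.xml
2024-05-01T09:15:02 RRQ from 10.96.0.99 file SEP001EF7112233.cnf.xml
"""

# Assumption: phone configs are named SEP<MAC>.cnf.xml (MAC as 12 hex digits).
RRQ = re.compile(r"^(\S+) RRQ from (\S+) file SEP([0-9A-Fa-f]{12})\.cnf\.xml$")

def norm_mac(mac: str) -> str:
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def load_leases(text: str) -> dict:
    """Map leased IP -> normalized MAC of the host holding the lease."""
    return {ip: norm_mac(mac) for ip, mac in
            (line.split() for line in text.splitlines() if line.strip())}

def find_mismatches(tftp_log: str, leases: dict) -> list:
    """Return (timestamp, ip, requested_mac, reason) for suspicious requests."""
    alerts = []
    for line in tftp_log.splitlines():
        m = RRQ.match(line.strip())
        if not m:
            continue  # not a phone-config read request
        ts, ip, wanted = m.group(1), m.group(2), m.group(3).lower()
        holder = leases.get(ip)
        if holder is None:
            alerts.append((ts, ip, wanted, "no DHCP lease for requester"))
        elif holder != wanted:
            alerts.append((ts, ip, wanted, "requester MAC differs from config MAC"))
    return alerts

if __name__ == "__main__":
    for alert in find_mismatches(TFTP_LOG, load_leases(DHCP_LEASES)):
        print(*alert)
```

On the constructed data, the two legitimate phones pass and the last two requests are flagged; in a real deployment the same join would run over the actual DHCP and TFTP server logs.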
What is VoIP?
Voice over IP (VoIP) is an exciting technology that provides many benefits and cost-effective solutions for communication.
It is a methodology and set of technologies for the delivery of voice communication and multimedia sessions over an Internet Protocol (IP) network.
More and more small and enterprise businesses are IP based, replacing their old traditional telephony systems. A VoIP-based PBX can provide many features, such as multiple extensions, caller ID, voicemail, IVR capabilities, recording of conversations, logging, and use with hardware-based telephones or software-based ones (aka soft phones). Nowadays there are many vendors of PBXs, IP telephones, VoIP services and equipment: CISCO, AVAYA, ASTERISK, SNOM, Thomson… With new technology comes a new challenge for both the offensive and defensive sides of security. One of the “great” dangers of traditional phone lines was that they were susceptible to eavesdropping. The “old school” way to eavesdrop on someone’s phone line was to physically connect a small transmitter somewhere along the phone cord, inside or outside their premises.
IP telephony systems are also susceptible to eavesdropping, although it is a bit more difficult to do in an IP environment, requiring more knowledge and the right set of tools to execute and detect.
ACE can be used in one of two ways. First, it can auto-discover the TFTP server IP address via DHCP; second, the user can specify the TFTP server IP address as a command-line parameter of the tool. In either case, you must supply the MAC address of the IP phone with the -m option in order for the tool to correctly download the configuration file via TFTP.
root@kali:~# ace
ACE v1.10: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [ -m mac address ] [ -t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode ]

-i (Mandatory) Interface for sniffing/sending packets
-m (Mandatory) MAC address of the victim IP phone
-t (Optional) tftp server ip address
-c (Optional) 0 CDP sniff mode, 1 CDP spoof mode
-v (Optional) Enter the voice vlan ID
-r (Optional) Removes the VLAN interface
-d (Optional) Verbose | debug mode
Usage requires the MAC address of the IP phone, supplied with the -m option
ace -t <TFTP-Server-IP> -m <MAC-Address>
Mode to automatically discover TFTP Server IP via DHCP Option 150 (-m)
ace -i eth0 -m 00:1E:F7:28:9C:8e
Mode to specify IP Address of TFTP Server
ace -i eth0 -t 192.168.10.150 -m 00:1E:F7:28:9C:8e
Mode to specify the Voice VLAN ID
ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E
ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E -d
Mode to remove vlan interface
ace -r eth0.96
Mode to auto-discover voice vlan ID in the listening mode for CDP
ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E
Mode to auto-discover voice vlan ID in the spoofing mode for CDP
ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E