[VOIPSEC] Fwd: [Voptalk] RE: Looking for Unique VOIP tools.
Shawn Merdinger
shawnmer at gmail.com
Wed Mar 28 02:59:38 CDT 2007
fyi
---------- Forwarded message ----------
From: Gould, Aaron <aaron.gould at ngc.com>
Date: Mar 27, 2007 11:34 AM
Subject: RE: [Voptalk] RE: Looking for Unique VOIP tools.
To: "Gould, Aaron" <aaron.gould at ngc.com>,
voptalk at lists.vopsecurity.org, NimrodS at comsecglobal.com,
david.endler at voipsa.org
Nimrod, i almost forgot to mention....you asked about Cisco specific
tools for "skinny" aka SCCP..... i don't know of any tools for testing
SCCP, however I will say that I've discovered at least one SCCP
weakness in a Cisco 7940/7960 when using a SIP fuzzing tool.....here's
how.....i used a SIP trunk on the Call Manager (CM) and launched a
fuzzed SIP INVITE at the IP address of the Call Manager BUT with the
phone number extension of the Cisco 7940 or 7960....so when the SIP
INVITE came to the Call Manager, it saw the CONTACT or TO URI in the
SIP INVITE and did its job of forwarding it (sig translation) to the
SCCP phone registered with that phone number........the phone then
does a crash reboot (about 8 out of 10 times. not every time, but
almost). I believe the exceptional data was truncated during the CM
SIP to SCCP translation, BUT not truncated enough to keep from
crashing the Cisco Phone. It's a little troubling that the CM
doesn't perform some sort of sanity or max length checking on the
fields in the SIP INVITEs during the forwarding/translating process.
Oh well, I guess that's what SIP firewalls and stuff like that are
for.
Aaron
p.s. i think i tested a Cisco 7912 and found it vulnerable to this as
well.....can't remember for sure
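
The sanity and max-length checking that the message above says the Call Manager lacks could look like the following at a SIP firewall or proxy in front of the gateway. This is an added example, not part of the original thread and not any vendor's code; the limits, the function name `check_invite` and the sample INVITE are assumptions constructed for illustration.

```python
import re

# Assumed policy limits for this example (not from the thread or any vendor
# document); tune them to the dial plan in use.
MAX_LINE = 256      # bytes in the request line or any header line
MAX_URI_USER = 32   # bytes in the user part of a sip:/sips: URI
SINGLETON = {"to", "from", "call-id", "cseq"}        # must appear exactly once
COMPACT = {"t": "to", "f": "from", "i": "call-id"}   # RFC 3261 short forms
URI_USER = re.compile(rb"sips?:([^@;>\s]*)@", re.I)
PRINTABLE = re.compile(rb"[\x20-\x7e\t]*")           # ASCII-only policy (assumed)

def check_invite(raw: bytes) -> list:
    """Return policy violations for one SIP INVITE; empty list = forward."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not re.fullmatch(rb"INVITE \S+ SIP/2\.0", lines[0]):
        return ["malformed request line"]
    problems, seen = [], {}
    for line in lines:
        if len(line) > MAX_LINE:
            problems.append("line too long (%d bytes)" % len(line))
        if not PRINTABLE.fullmatch(line):
            problems.append("non-printable byte in line")
        for user in URI_USER.findall(line):
            if len(user) > MAX_URI_USER:
                problems.append("URI user part too long (%d bytes)" % len(user))
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower().decode("latin-1")
        name = COMPACT.get(name, name)
        seen[name] = seen.get(name, 0) + 1
    for name in sorted(SINGLETON):
        if seen.get(name, 0) != 1:
            problems.append("expected exactly one %s header" % name)
    return problems

# Constructed sample INVITE; the extension and addresses are made up.
GOOD = (b"INVITE sip:2001@192.0.2.10 SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bK776asdhds\r\n"
        b"From: <sip:1000@192.0.2.50>;tag=1928301774\r\n"
        b"To: <sip:2001@192.0.2.10>\r\n"
        b"Call-ID: a84b4c76e66710@192.0.2.50\r\n"
        b"CSeq: 1 INVITE\r\n"
        b"Contact: <sip:1000@192.0.2.50>\r\n"
        b"Content-Length: 0\r\n\r\n")
# Constructed length-check input: same message, 600-byte user part in To.
OVERSIZED = GOOD.replace(b"<sip:2001@", b"<sip:" + b"2" * 600 + b"@")

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("oversized", OVERSIZED)):
        print(label, check_invite(msg))
```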
________________________________
From: Gould, Aaron
Sent: Tuesday, March 27, 2007 12:03 PM
To: pthermos at vopsecurity.org; voptalk at lists.vopsecurity.org;
NimrodS at comsecglobal.com; david.endler at voipsa.org
Cc: Gould, Aaron
Subject: RE: [Voptalk] RE: Looking for Unique VOIP tools.
i'll share this peter, but on one condition, you let me test and use
your unistim tools and utilities once you get them ready for
trial/release (please) :) btw, do you remember me? i was doing
some sip/h323 voip vulnerability analysis work 4 or 5 months ago and
you and i passed email occasionally....matter of fact i think we may
have even spoken on the phone at some point.....anyway
if you are going to capture unistim (nortel proprietary voip sig prot)
and its carrier protocol rudp (nortel's proprietary sequencing
mechanism real-time udp) which rides over standard udp.....so it's
unistim over rudp over udp....you'll need ethereal 0.10.9
http://oldapps.com/Wireshark.php with the attached plugin.....Install
this plugin .dll in the directory <Ethereal install
dir>\plugins\0.10.9 ... e.g. C:\Program
Files\Ethereal0109\plugins\0.10.9 ....from what i saw it will
overwrite the existing rudp.dll file which is fine ....using
wireshark 0.99.4 i see unistim packets erroneously as Cross Point
Frame Injector (CPFI) PDUs.....i searched high and low for an
ethereal/wireshark decode and this is what i've come up with.
i currently have a live Nortel VoIP network that I test with......
i2050 softphone and i2004 regular (grey) and phase 2 (black)
hardphones also 2 separate Nortel IP PBX (like call management
systems).... 1 - BCM200 (business communications manager 200) and 2 -
CS1K for short....or Communications Server 1000....also known as
Succession 1000S.....which is comprised of a Sig Server (runs VXWorks
OS on an intel platform) and this sig srv communicates with a Nortel
Call Server which is a 1 slot chassis which has the SSC processor for
call routing. The sig srv is where the unistim dialogues take place
and the phones register, i think it does some sort of unistim proxying
and communicates with the call server on the backend over a separate
out of band lan (could be a vlan, which is what it is in my case)....i
never really sniffed that sig server to call server traffic to see if
it's some other protocol
i have some sniffs of i2050 registration.....then i2050 calling i2004.....etc
i2050 softphone registering with Succession 1000/CS1K (udp port 4100
on CS1K and udp port 5000 on i2050, then switches to, still udp/5000
on i2050 but udp 7300 on CS1K, then switches again to still udp/5000
on i2050 but udp/5100 on cs1k.....i have the .cap files showing all
these dialogues
Aaron
________________________________
From: voptalk-bounces at lists.vopsecurity.org on behalf of Peter Thermos
Sent: Mon 3/26/2007 9:37 PM
To: voptalk at lists.vopsecurity.org
Subject: [Voptalk] RE: Looking for Unique VOIP tools.
It will also be helpful even if someone can capture UNISTIM traffic.
I can develop some utilities around it.
Peter
> -----Original Message-----
> From: Nimrod Sasson [mailto:NimrodS at comsecglobal.com]
> Sent: Monday, March 19, 2007 5:16 AM
> To: pthermos at vopsecurity.org; Shawn Merdinger;
> voptalk at lists.vopsecurity.org
> Subject: Looking for Unique VOIP tools.
>
> Do you know any tools for Cisco (skinny) and Nortel (Unistim) tools?
> They use specific protocol which is based on SIP and H323,
> but they changed Something and many of the tools get only noises.
>
> Thanks a lot
>
> Nimrod.
>
>
> -----Original Message-----
> From: voptalk-bounces at lists.vopsecurity.org
> [mailto:voptalk-bounces at lists.vopsecurity.org] On Behalf Of
> Peter Thermos
> Sent: Thursday, March 15, 2007 9:30 PM
> To: 'Shawn Merdinger'; voptalk at lists.vopsecurity.org
> Subject: RE: [Voptalk] New: VoIP Security tools list
>
> Thanks Shawn!
>
> Just a note to the group, SIVus fits in all the following categories:
>
> -VoIP Scanning and Enumeration Tools
> -VoIP Packet Creation and Flooding Tools
> -VoIP Fuzzing Tools
> -VoIP Signaling Manipulation Tools
>
> although it is listed only under VoIP Scanning and Enumeration Tools.
>
> Peter
>
> > -----Original Message-----
> > From: voptalk-bounces at lists.vopsecurity.org
> > [mailto:voptalk-bounces at lists.vopsecurity.org] On Behalf Of Shawn
> > Merdinger
> > Sent: Thursday, March 15, 2007 1:29 AM
> > To: voptalk at lists.vopsecurity.org
> > Subject: [Voptalk] New: VoIP Security tools list
> >
> > FYI -- hope this is useful for folks :)
> >
> > Thanks,
> > --scm
> >
> > ---------- Forwarded message ----------
> > From: David Endler <david.endler at voipsa.org>
> > Date: Mar 14, 2007 8:34 AM
> > Subject: New: VoIP Security tools list
> > To: pen-test at securityfocus.com
> >
> >
> > The VoIP Security Alliance (VOIPSA) is pleased to announce the public
> > release of its VoIP security tool list. Check it out at:
> >
> > http://www.voipsa.org/Resources/tools.php
> >
> > This list was developed to address the current void of VoIP security
> > testing resources and sites, for vendors and VoIP users alike. It is
> > separated into the following seven broad categories:
> >
> > * VoIP Sniffing Tools
> > * VoIP Scanning and Enumeration Tools
> > * VoIP Packet Creation and Flooding Tools
> > * VoIP Fuzzing Tools
> > * VoIP Signaling Manipulation Tools
> > * VoIP Media Manipulation Tools
> > * Miscellaneous Tools
> >
> > Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell
> > who created the list and have graciously agreed to maintain it. For
> > more information about the tools list, you can listen to Dan York and
> > Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn
> > Merdinger in Blue Box Special Edition #16 both available at
> > http://www.blueboxpodcast.com
> >
> >
> > David Endler
> > VOIPSA Chairman
> > http://www.voipsa.org
> >
> > --About VOIPSA
> > The Voice over IP Security Alliance (VOIPSA) aims to provide VoIP
> > security related resources through a unique collaboration of VoIP and
> > Information Security vendors, providers, and thought leaders. VOIPSA's
> > mission is to drive adoption of VoIP by promoting the current state of
> > VoIP security research, VoIP security education and awareness, and
> > free VoIP testing methodologies and tools.
> > _______________________________________________
> > - The VoPSecurity Forum -
> >
> > To post a message to the mailing list send an email to [
> > voptalk_at_lists.vopsecurity.org ]
> >