[VOIPSEC] Voipsec Digest, Vol 38, Issue 1

Erwin Davis erwin.davis at gmail.com
Tue Feb 5 08:57:53 CST 2008


Hi,

You may be able to get what you expect:
(1) get the IP addr of the IP phone of the big guys (chief officers, etc),
(2) arp-poison the vlan switch (I did not know if different VLAN scenarios
work)
(3) wait and listen from the wireshark running on your computer

Thoughts?

e



-----Original Message-----
> From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
> Behalf Of davide.pignedoli at sedoc.it
> Sent: Thursday, January 31, 2008 5:05 AM
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] running pentest on cisco voip
>
> Hi everybody
> I just joined the ML after finding some very useful information in the
> archive.
>
> I'm running a basic PenTest on the Cisco VOIP infrastructure of a
> Customer of mine and I'm having some problems with the rtp sniffing...
>
> Here is what I did:
> - plugged the laptop in to the wall
> - connected to data vlan, obtained an ip address from dhcp server
> (assume 192.x.x.x)
> - started voiphopper, waited 30 seconds... I joined the voice vlan with
> an ip address released by another dhcp server (assume 10.0.0.0)
> - now my laptop has eth0 on the data native vlan and eth0.5 on the
> tagged voice vlan (no trunking on the switch port...)
> - started Ettercap, on eth0.5, listed all of the phones in the building
> - run arp poisoning between some phones and the callmanager, captured
> skinny packets of call setup (this way I could link IP addresses, phone
> numbers and usernames...)
>
> The only attack I'm unable to perform is a MITM between 2 phones.
> I cannot sniff any RTP packet, therefore there is no call interception,
> no vomit, no WAV to produce as evidence.
> Ettercap seems to be poisoning fine (checked with another laptop on a
> switch monitor port), but no RTP packets are showing in wireshark or
> ettercap itself...
>
> Does anybody have any idea why?
> Has anybody successfully run this type of attack?
> I couldn't find any page on the web with a similar problem...
>
> I suspect the issue is more in the sniffing than in the poisoning
> itself...
> I'd like to produce some evidence to make sure the Customer will adopt
> an encrypted protocol at the end of the PenTest...
> I don't want them to think that because I was unable to register a call,
> nobody ever will :-)
>
> Other info:
> - Switch ports are configured with a native data VLAN and a tagged voice
> VLAN announced via CDP
> - I asked the networking staff to give me, for a test, an untagged port
> on the voice VLAN and I could use Cain with no problems to run a MITM
> attack against 2 phones and register the call...
>
> Thanks for your help
> Davide
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 31 Jan 2008 14:16:36 -0500
> From: Dan York <dyork at voxeo.com>
> Subject: Re: [VOIPSEC] running pentest on cisco voip
> To: davide.pignedoli at sedoc.it
> Cc: voipsec at voipsa.org
> Message-ID: <D7E56C8D-07EB-4F4C-B482-CCA5D33DF9DE at voxeo.com>
> Content-Type: text/plain;       charset=US-ASCII;
> delsp=yes;      format=flowed
>
> Davide,
>
> On Jan 31, 2008, at 5:05 AM, davide.pignedoli at sedoc.it wrote:
>
> > Hi everybody
> > I just joined the ML after finding some very useful information in
> > the archive.
>
> Welcome to the list!
>
> > I'm running a basic PenTest on the Cisco VOIP infrastructure of a
> > Customer of mine and I'm having some problems with the rtp sniffing...
> <snip>
> >
> > The only attack I'm unable to perform is a MITM between 2 phones.
> > I cannot sniff any RTP packet, therefore there is no call
> > interception, no vomit, no WAV to produce as evidence.
> > Ettercap seems to be poisoning fine (checked with another laptop on
> > a switch monitor port), but no RTP packets are showing in wireshark
> > or ettercap itself...
>
> Are you sure that you are in the middle of the path *between* the 2
> phones?
>
> One of the interesting aspects of SIP from a network sniffing point-
> of-view is that while the SIP *call signaling* goes from the phone to
> one or more SIP proxies, the voice *media* (typically RTP) streams
> directly from one SIP endpoint to the other endpoint.  The classic
> diagram illustrating a SIP call flow looks like this (use a fixed-
> width font like Courier if it doesn't look good):
>
>              +-------+         +-------+
>              |SIP    |         |SIP    |
>              |Proxy  |--SIP----+Proxy  |
>              +-------+         +-------+
>            /                            \
>          SIP                            SIP
>          /                                \
>      +--/---+                          +---\--+
>      |Phone | ---------RTP------------ |Phone |
>      +------+                          +------+
>
> In your case there might only be one "SIP proxy" in the form of the
> Cisco Call Manager (or whatever it is called now... Unified
> Communications Manager, etc.) but the essence of the diagram is the
> same: SIP signaling flows through the server, RTP media streams
> directly between the endpoints.
>
> If you aren't seeing RTP at all my immediate reaction would be that
> you may be intercepting the SIP traffic to/from the phones to the CM,
> but not *between* the phones.
>
> Regards,
> Dan
>
> --
> Dan York, CISSP, Director of Emerging Communication Technology
> Office of the CTO    Voxeo Corporation     dyork at voxeo.com
> Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
> Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com
>
> Bring your web applications to the phone.
> Find out how at http://evolution.voxeo.com
>
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 31 Jan 2008 15:22:46 -0500
> From: Dan York <dyork at voxeo.com>
> Subject: Re: [VOIPSEC] running pentest on cisco voip
> To: Davide Pignedoli <davide.pignedoli at sedoc.it>
> Cc: voipsec at voipsa.org
> Message-ID: <C4EBF2A9-AD18-4E13-8FCB-5A66190251D9 at voxeo.com>
> Content-Type: text/plain;       charset=US-ASCII;
> delsp=yes;      format=flowed
>
> Davide,
>
> > I'm sure I'm running the MITM between the 2 phones...
>
> Obviously you *are* based on the info below! ;-)
>
> > On my Customer network, the IP-Phones are talking RTP (not SIP) and
> > the call setup is done via SKINNY.
>
> Sure... I forgot that your note said the call control was Skinny vs
> SIP.  The diagram is still basically the same... and is generally
> true for most of the VoIP protocols out there.  Call control
> signaling (SIP, Skinny or otherwise) goes between the phones and the
> call server while media (almost always RTP) goes directly from one
> phone to the other.  Some systems can be set up to have the media go
> back through a media gateway in more of a "star" configuration but
> most VoIP systems I'm aware of do have the endpoints (like IP phones)
> streaming directly point-to-point (assuming they are on the same LAN/
> WAN).
>
> > Today I managed to perform a successful attack, with Windows, this
> > way:
>
> Interesting.
>
> > So, in the end... the procedure I followed with voiphopper and
> > ettercap seems to be the correct one...
> > Does anybody know a procedure on Linux to re-load/re-initialize
> > libpcap??
>
> I don't.  It's admittedly been a year or two since I did any serious
> usage of sniffing tools on Linux.  (And I'm a Mac user now.)
>
> Regards,
> Dan
>
> --
> Dan York, CISSP, Director of Emerging Communication Technology
> Office of the CTO    Voxeo Corporation     dyork at voxeo.com
> Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
> Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com
>
> Bring your web applications to the phone.
> Find out how at http://evolution.voxeo.com
>
>
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> End of Voipsec Digest, Vol 38, Issue 1
> **************************************
>
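The point Dan makes above (signaling goes phone to call server, media goes phone to phone, so a poisoner placed between a phone and the Call Manager sees Skinny but never RTP) as an added defender-side example, not code from the thread: it flags a host whose MAC answers ARP for IPs first seen bound to other hosts, and scopes which flows that host can see end to end. All addresses, MACs and flow records are constructed sample data.

```python
"""Defender-side scoping of the ARP poisoning discussed in the thread.
All addresses, MACs and flow records below are constructed sample data."""
from collections import defaultdict

# Hypothetical hosts on the voice VLAN: two phones, the Call Manager (CM),
# and a laptop that at t=30s starts answering ARP for phone A and the CM.
ARP_REPLIES = [  # (time_s, sender_ip, sender_mac)
    (0,  "10.0.0.11", "00:1a:a1:00:00:11"),  # phone A
    (1,  "10.0.0.12", "00:1a:a1:00:00:12"),  # phone B
    (2,  "10.0.0.1",  "00:1a:a1:00:00:01"),  # Call Manager
    (30, "10.0.0.11", "00:0c:29:aa:bb:cc"),  # laptop claims phone A's IP
    (30, "10.0.0.1",  "00:0c:29:aa:bb:cc"),  # laptop claims the CM's IP
    (31, "10.0.0.12", "00:1a:a1:00:00:12"),  # unchanged binding, no alert
]

# Flows on the VLAN: (endpoint_a, endpoint_b, kind). Signaling (Skinny) runs
# phone <-> CM; media (RTP) runs phone <-> phone, as in Dan's diagram.
FLOWS = [
    ("10.0.0.11", "10.0.0.1",  "skinny"),
    ("10.0.0.12", "10.0.0.1",  "skinny"),
    ("10.0.0.11", "10.0.0.12", "rtp"),
]

def suspect_macs(replies):
    """Map MAC -> set of IPs it claimed after another MAC was first seen
    holding them (the first sighting is taken as the trusted baseline)."""
    first_mac = {}
    stolen = defaultdict(set)
    for _t, ip, mac in replies:
        prev = first_mac.setdefault(ip, mac)
        if prev != mac:
            stolen[mac].add(ip)
    return dict(stolen)

def intercepted_flows(claimed_ips, flows):
    """Flows a poisoner sees in both directions: it must hold the IP of
    *each* end, so each end resolves its peer to the poisoner's MAC."""
    return [f for f in flows if f[0] in claimed_ips and f[1] in claimed_ips]

def scope_incident(replies, flows):
    """For every suspect MAC, the flows it can see end to end."""
    return {mac: intercepted_flows(ips, flows)
            for mac, ips in suspect_macs(replies).items()}

if __name__ == "__main__":
    for mac, seen in scope_incident(ARP_REPLIES, FLOWS).items():
        print(mac, "sees:", seen)   # only the phone A <-> CM Skinny flow
```

With the laptop holding phone A and the CM, only the Skinny flow is exposed; the RTP flow between the two phones is exposed only when both phone IPs are claimed.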