[VOIPSEC] running pentest on cisco voip
davide.pignedoli at sedoc.it
Thu Jan 31 04:05:23 CST 2008
Hi everybody
I just joined the ML after finding some very useful information in the archive.
I'm running a basic PenTest on the Cisco VOIP infrastructure of a Customer of mine and I'm having some problems with the rtp sniffing...
Here is what I did:
- plugged the laptop in to the wall
- connected to data vlan, obtained an ip address from dhcp server (assume 192.x.x.x)
- started voiphopper, waited 30 seconds... I joined the voice vlan with an ip address released by another dhcp server (assume 10.0.0.0)
- now my laptop has eth0 on the data native vlan and eth0.5 on the tagged voice vlan (no trunking on the switch port...)
- started Ettercap, on eth0.5, listed all of the phones in the building
- ran ARP poisoning between some phones and the callmanager, captured skinny packets of call setup (this way I could link IP addresses, phone numbers and usernames...)
The only attack I'm unable to perform is a MITM between 2 phones.
I cannot sniff any RTP packet, therefore there is no call interception, no vomit, no WAV to produce as evidence.
Ettercap seems to be poisoning fine (checked with another laptop on a switch monitor port), but no RTP packets are showing in Wireshark or Ettercap itself...
Does anybody have any idea why?
Has anybody successfully run this type of attack?
I couldn't find any page on the web with a similar problem...
I suspect the issue is more in the sniffing than in the poisoning itself...
I'd like to produce some evidence to make sure the Customer will adopt an encrypted protocol at the end of the PenTest...
I don't want them to think that because I was unable to register a call, nobody ever will :-)
Other info:
- Switch ports are configured with a native data VLAN and a tagged voice VLAN announced via CDP
- I asked the networking staff to give me, for a test, an untagged port on the voice VLAN and I could use Cain with no problems to run a MITM attack against 2 phones and register the call...
Thanks for your help
Davide