[VOIPSEC] running pentest on cisco voip

Jacek Materna jmaterna at voipshield.com
Thu Jan 31 11:04:40 CST 2008


Looks okay to me. Main question is, what is your ARP poisoning target
when doing the RTP capture test? If you poison to be one of the 2 phones
and you get nothing in Wireshark then you have a problem with Wireshark
for sure, I've done this myself. Make sure you're not poisoning as the
CM, as no RTP will go to you.

Jacek M.
http://www.bleedingvoip.com

-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of davide.pignedoli at sedoc.it
Sent: Thursday, January 31, 2008 5:05 AM
To: voipsec at voipsa.org
Subject: [VOIPSEC] running pentest on cisco voip

Hi everybody
I just joined the ML after finding some very useful information in the
archive.

I'm running a basic PenTest on the Cisco VOIP infrastructure of a
Customer of mine and I'm having some problems with the rtp sniffing...

Here is what I did:
- plugged the laptop in to the wall
- connected to data vlan, obtained an ip address from dhcp server
(assume 192.x.x.x)
- started voiphopper, waited 30 seconds... I joined the voice vlan with
an ip address released by another dhcp server (assume 10.0.0.0)
- now my laptop has eth0 on the data native vlan and eth0.5 on the
tagged voice vlan (no trunking on the switch port...)
- started Ettercap, on eth0.5, listed all of the phones in the building
- ran ARP poisoning between some phones and the callmanager, captured
skinny packets of call setup (this way I could link IP addresses, phone
numbers and usernames...)

The only attack I'm unable to perform is a MITM between 2 phones.
I cannot sniff any RTP packet, therefore there is no call interception,
no vomit, no WAV to produce as evidence.
Ettercap seems to be poisoning fine (checked with another laptop on a
switch monitor port), but no RTP packets are showing in Wireshark or
Ettercap itself...

Does anybody have any idea why?
Has anybody successfully run this type of attack?
I couldn't find any page on the web with a similar problem...

I suspect the issue is more in the sniffing than in the poisoning
itself...
I'd like to produce some evidence to make sure the Customer will adopt
an encrypted protocol at the end of the PenTest...
I don't want them to think that because I was unable to register a call,
nobody ever will :-) 

Other info:
- Switch ports are configured with a native data VLAN and a tagged voice
VLAN announced via CDP
- I asked the networking staff to give me, for a test, an untagged port
on the voice VLAN and I could use Cain with no problems to run a MITM
attack against 2 phones and register the call... 

Thanks for your help
Davide


