[VOIPSEC] running pentest on cisco voip

Dan York dyork at voxeo.com
Thu Jan 31 13:16:36 CST 2008


Davide,

On Jan 31, 2008, at 5:05 AM, davide.pignedoli at sedoc.it wrote:

> Hi everybody
> I just joined the ML after finding some very useful information in  
> the archive.

Welcome to the list!

> I'm running a basic PenTest on the Cisco VOIP infrastructure of a  
> Customer of mine and I'm having some problems with the rtp sniffing...
<snip>
>
> The only attack I'm unable to perform is a MITM between 2 phones.
> I cannot sniff any RTP packet, therefore there is no call  
> interception, no vomit, no WAV to produce as evidence.
> Ettercap seems to be poisoning fine (checked with another laptop on  
> a switch monitor port), but no RTP packets are showing in wireshark  
> or ettercap itself...

Are you sure that you are in the middle of the path *between* the 2  
phones?

One of the interesting aspects of SIP from a network sniffing
point-of-view is that while the SIP *call signaling* goes from the phone to
one or more SIP proxies, the voice *media* (typically RTP) streams
directly from one SIP endpoint to the other endpoint.  The classic
diagram illustrating a SIP call flow looks like this (use a
fixed-width font like Courier if it doesn't look good):

             +-------+         +-------+
             |SIP    |         |SIP    |
             |Proxy  |--SIP----+Proxy  |
             +-------+         +-------+
           /                            \
         SIP                            SIP
         /                                \
     +--/---+                          +---\--+
     |Phone | ---------RTP------------ |Phone |
     +------+                          +------+

In your case there might only be one "SIP proxy" in the form of the  
Cisco Call Manager (or whatever it is called now... Unified  
Communications Manager, etc.) but the essence of the diagram is the  
same: SIP signaling flows through the server, RTP media streams  
directly between the endpoints.

If you aren't seeing RTP at all my immediate reaction would be that  
you may be intercepting the SIP traffic to/from the phones to the CM,  
but not *between* the phones.

Regards,
Dan

-- 
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com
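
Added example (not part of Dan York's message): the split between signaling and media described in the reply is visible in the SDP bodies of the INVITE and its 200 OK, where the c= and m=audio lines name the two RTP endpoints. The messages, the addresses and the helper names `sip`, `sdp_audio_endpoint` and `media_path` are constructed for illustration.

```python
"""Where will the RTP go? Read it from the SDP in the INVITE and the 200 OK."""

def sip(start_line, sdp_lines):
    # Build a trimmed, constructed SIP message: start line, two headers, SDP body.
    sdp = "\r\n".join(sdp_lines) + "\r\n"
    head = [start_line, "Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return "\r\n".join(head) + "\r\n\r\n" + sdp

def sdp_audio_endpoint(sip_message):
    """Return (ip, port) on which the sender of this message expects RTP audio."""
    body = sip_message.partition("\r\n\r\n")[2]
    session_ip = media_ip = port = None
    section = "session"                      # "session", "audio" or "other"
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "m":
            if section == "audio":
                break                        # first audio section is complete
            fields = value.split()
            section = "audio" if fields[0] == "audio" else "other"
            if section == "audio":
                port = int(fields[1].split("/")[0])      # "16384" or "16384/2"
        elif kind == "c" and section != "other":
            addr = value.split()[2].split("/")[0]        # "IN IP4 10.0.1.11"
            if section == "audio":
                media_ip = addr              # media-level c= overrides session-level
            else:
                session_ip = addr
    return None if port is None else (media_ip or session_ip, port)

def media_path(offer, answer, signaling_server):
    """Pair the two RTP endpoints and report whether the server is one of them."""
    a, b = sdp_audio_endpoint(offer), sdp_audio_endpoint(answer)
    return {"rtp_between": (a, b),
            "server_on_media_path": signaling_server in (a[0], b[0])}

# Constructed sample: phone 10.0.1.11 calls phone 10.0.1.22 via call server 10.0.0.5.
INVITE = sip("INVITE sip:2002@10.0.0.5 SIP/2.0",
             ["v=0", "o=- 1 1 IN IP4 10.0.1.11", "s=-", "c=IN IP4 10.0.1.11",
              "t=0 0", "m=audio 16384 RTP/AVP 0"])
OK_200 = sip("SIP/2.0 200 OK",
             ["v=0", "o=- 2 2 IN IP4 10.0.1.22", "s=-", "t=0 0",
              "m=audio 16390 RTP/AVP 0", "c=IN IP4 10.0.1.22"])

if __name__ == "__main__":
    print(media_path(INVITE, OK_200, "10.0.0.5"))
```

If the server's own address shows up in a c= line instead, it is relaying the media and `server_on_media_path` comes back True.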
