Skip to main content

VoIP Eavesdropping: UCSniff (I)

After a long time without writing because of different reasons I´m going to begin a group of articles trying to cover different type of attacks against any of the components of a common VoIP (Voice Over Internet Protocol) infrastructure and how to stop them. If you are beginning in this world of VoIP I recommend you to read Building Telephony Systems with OpenSIPS 1.6 where the authors go through basic theoretical and practical skills needed to implement a complete system.

This time, I will start with VoIP Eavesdropping attack, as the name suggest it consists on listen a conversation without speakers consent. This attack existed in the traditional telephony systems and nowadays is also possible against VoIP ones (and other protocols too, in example bluetooth).

As you can imagine we are in front of a classic sniffing attack so, first of all, we need to gain access. Any of the techniques you know are ok, moreover, there are another specific ways for this kind of systems of getting the .pcap file we are looking for. For example, some phones have a "feature" which allows saving a .pcap with all traffic passing over its interfaces and more of them have vulnerabilities in their web control panel, so it could be possible to access to this profitable file :). But this is not the topic of this article despite of being an interesting one too, so I hope take it up again another day.

Now we have the capture, then we need a tool able to understand SIP (Session Initiation Protocol) and RTP (Real-time Transport Protocol), among others. The most used option is Whireshark, but it doesn´t support H.264 video codec so we can´t eavesdrop video conversations, in this case we should call it IP Video Eavesdropping not VoIP Eavesdropping. I found this video where we can see an example of this:

I like Wireshark for studying specific situations but, anyway, we need something more automatic for pentesting tests in order to be capable of reconstruct and synchronize conversations correctly. I usually use Xplico for this kind of things but, for the moment, SIP, SDP and RTP protocol are not fully supported as we can see in the website:

Figure: Xplico supported protocols state 

Today we will use UCSniff, a tool which allows to rapidly test for the threat of unauthorized VoIP and Video Eavesdropping. I paste here some features:
- Audio Eavesdropping
- Video Eavesdropping (creates H.264 format file)
- Realtime Audio Monitor
- GUI Support
- Realtime Video Monitor
- Creates an avi file and muxes audio and video
- Creates a wav file and muxes both forward and reverse audio

For this POC (Proof Of Concept) I will use two virtual machines, one with BT (Backtrack) 5 and Zoiper Classic as client (I had problems running Ekiga on BT5) and another with a Debian Squeeze with a basic installation of Asterisk. It is not a very real environment but it´s enough for this POC, so we don´t need to do MitM (Main in the Middle). I’m sure if you are reading this you know how to gain access with you favorite sniffer or UCSniff ;).

OK, first we need to download the latest version of UCSniff (here) and to install dependencies to compile it on BT5 with GUI (Graphical User Interface) and realtime video monitor:

apt-get install build-essential zlib1g-dev liblzo2-dev libpcap0.8-dev libnet1-dev libasound2-dev libbz2-dev libncurses5-dev apt-get install libx11-dev libxext-dev libfreetype6-dev

NOTE: VLC version and development libraries included in BT5 broke the compilation, so we have to install it directly from VLC repositories before:

add-apt-repository ppa:lucid-bleed/ppa
apt-get update
apt-get install vlc libvlc-dev

Now, go in ucsniff-3.0 folder and compile it:

./configure --enable-libvlc --enable-gui
make install

We are ready for run it (graphical interface) for the first time:

ucsniff -G

Figure: UCSniff general view

Yes, it´s not too sexy, above all these evil buttons! xD. For this test we have to select Monitor Mode and Start Sniffing like in the picture and the sniffer will start to capture. Next step is making a call, I will call myself (yes, it´s possible! you should try it :D).

Figure: Calling myself

After accepting the incoming Output Console will log it as in the next two pictures (second took after hang up from one side).

Figure: Logging calls

Well done!, we can see the conversation was captured, there are two calls instead of only one because of virtual machine interface really is mapped to another, but it works, one of this two .wav will be empty and the other will contain saved conversation. I think it´s enough for the first day. Next article we will review all the outputs produced by the sniffer and we are going to deep a bit more in this attack. At the moment, I recommend you visiting the site of the tool where you can learn more about it and view examples using the GUI with MitM and Video Eavesdropping:

Figure: UCSniff Video Eavesdropping

Jesús Pérez

Popular posts from this blog

ISO 27001: Inventario de los activos de información

Uno de los primeros pasos que debe seguir la entidad para adaptarse a la norma ISO 27001 es realizar el inventario de activos que contendrá todos aquellos activos de información que tienen algún valor para la organización y que quedan dentro del alcance del SGSI . En un principio puede parecer un poco abrumador para un principiante(como yo) por la enorme cantidad de activos que se te van ocurriendo por eso decidí empezar por clasificarlos de alguna forma, de entre las múltiples maneras que me encontré elijo la definida por los expertos del foro ISO27k ya que me parece la más completa, mostrando ejemplos de cada tipo y es válida para entidades de muy distinta naturaleza. Éste podría ser un buen punto para comenzar siempre teniendo en cuenta lo que nos aconsejan también en ese foro: "Debido a que los activos son algo cambiante, incluso si pudieras cubrir absolutamente todo lo que hay hoy, mañana la situación sería un poco diferente y más en unas semanas, meses o años. Así que

SIP extension enumeration in Bluebox-ng

There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, specially in Asterisk. This brute-force vector is based on the study of the authentication responses of the target server. Sometimes its replies are different in the case that the client uses a valid extension, so it's easy to discover them. This vector is normally classified as a low security risk. Moreover we're moving towards a federated SIP environment , in which the extension is the public email address of the user. But it's still important in some cases: To guide next steps during a penetration test. In example, you can use the discovered extension to reduce the number of attempts in the phase of SIP extensión brute-force. Some RCE (Remote Code Execution) exploits need a valid extension to work. After a little research, these are the known vulns: CVE-2009-3727 : It's quite old and it's practically not present in real environments. It's still not imple

SIP INVITE attack with Metasploit

Some days ago my friend  @pepeluxx  wrote  another post  about INVITE attacks. He spoke about a  @sinologic   project  which allows to everybody passing some security tests to SIP servers. Furthermore he also published a perl script to do the same task. So I implemented it on Metasploit because I think It could be really useful during a pentesting. It’s interesting because these attacks are really dangerous, normally, attackers try to call to expensive locations. This target numbers often have special charges and they make money with this. Here there are two well known examples: I’m not going to deep in this vector because of being a well known (and old!!) one. Basically the attacker tries to make a call using a misconfigured PBX. This is allowed because  SIP RFC  says that an extension has not to be registered to be abl