Skip to main content

VoIP Eavesdropping: UCSniff (II)

 VoIP Eavesdropping: UCSniff (I)


To start this second article I'll dig a little deeper in VoIP Eavesdropping techniques. There are different classifications over the net but I´m going to use "Hacking Exposed VoIP" book (I strongly recommend it) one for being , in my opinion, the most complete. According to it we define four categories for these attacks:

TFTP Configuration File Sniffing
IP phones often obtain their configuration parameters from a TFTP server, you can get an idea imagining something similar to DHCP Protocol, but in application layer of course. In this case attacker could obtain some passwords sniffing or downloading them directly from ftp server, moreover he could even reconfigure phone. In fact I have a fun idea in mind for another POC but we are waiting for someone to lend us a proper phone :).

Number Harvesting
Attacker monitors all calls in order to obtain legitimate numbers and extensions of a system which will be used combined with other attacks.

Call Pattern Tracking 
The attack target is the list with all the calls made by a member of an organization in order to detect suspicious activities among the members.

Conversation Eavesdropping and Analysis
This is the most impressive attack because the bad guy try to record both sides of conversations.

That being said, now I´m going to show UCSniff automates the attacks studying results obtained from last post. Next picture shows files generated after the sniffing.

Figure: Generated files

TFTP Configuration File Sniffing 
As I said before I do not have a proper phone for this test, but UCSniff supports it,  even TFTP Modify Attack (cursiva) as you can see in the picture.


Figure: TFTP Modify Attack


Number Harvesting
During the sniffing we could see extensions involved in calls on the Output and Status(cursiva) panel. Now we can consult them in call.log, calldetail.log and sip.log , which also stores it with much more detailed log including all SIP messages (REGISTER, INVITE, etc.)


Figure: Detailed call list

Figure: INVITE from sip.log 

Call Pattern Tracking
Files commented in Number Harvesting cover this point too.

Conversation Eavesdropping and Analysis
In this example 81-Calling-81-18:48:12-3-reverse.wav stores one side conversation for the reasons commented in previous post, but in a real environment we should get something like this:
Figure: Generated .wavs  in real example

Names are really intuitive so, at this point, I think you can understand by yourself all the helpfull information included in other generated files, you can ask me any doubt in a comment or a mail :). In the next post I hope talk about countermesurements porposed for protect a infrastruture against this kind of Eavesdropping attack.


Jesús Pérez

Popular posts from this blog

SIP INVITE attack with Metasploit

Some days ago my friend  @pepeluxx  wrote  another post  about INVITE attacks. He spoke about a  @sinologic   project  which allows to everybody passing some security tests to SIP servers. Furthermore he also published a perl script to do the same task. So I implemented it on Metasploit because I think It could be really useful during a pentesting. It’s interesting because these attacks are really dangerous, normally, attackers try to call to expensive locations. This target numbers often have special charges and they make money with this. Here there are two well known examples: http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html http://snapvoip.blogspot.com.es/2009/02/calls-to-cuba-and-voip-attacks.html I’m not going to deep in this vector because of being a well known (and old!!) one. Basically the attacker tries to make a call using a misconfigured PBX. This is allowed because  SIP RFC  says that an ...

Flooding Asterisk, Freeswitch and Kamailio with Metasploit

Hi, it has been a long time since my last post because of my new job and my final year project ("VoIP denegation of service attacks" for curious) but there is something I found during my tests with  Freeswitch ,  Kamailio  and  Asterisk  that I want to share. NOTE: Really, guys of  Security By Default  blog published us (my good friend Roi Mallo and me) two articles about how to develop modules for Metasploit framework, another two are coming.  ;) During my project, among others, I developed a Metasploit module which can flood SIP protocol with common frames (INVITE, OPTIONS, REGISTER, BYE), I wrote it at Quobis (nice job ;) in order to use it for some private tests because actual software didn´t fit our needs, so we are going to probe how is the behavior of different GPL VoIP servers against this kind of attacks: - Asterisk: I think it needs no introduction, the famous softswitch/PBX software. - Freeswitch: It´s a newer soft...

SIP extension enumeration in Bluebox-ng

There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, specially in Asterisk. This brute-force vector is based on the study of the authentication responses of the target server. Sometimes its replies are different in the case that the client uses a valid extension, so it's easy to discover them. This vector is normally classified as a low security risk. Moreover we're moving towards a federated SIP environment , in which the extension is the public email address of the user. But it's still important in some cases: To guide next steps during a penetration test. In example, you can use the discovered extension to reduce the number of attempts in the phase of SIP extensión brute-force. Some RCE (Remote Code Execution) exploits need a valid extension to work. After a little research, these are the known vulns: CVE-2009-3727 : It's quite old and it's practically not present in real environments. It's still not imple...