Now That we have Access, Let's Sniff!

Depending on where in the network the attacker has gained access, he is now in a position to perform one or more of the following types of attacks.

Attack Sniffing TFTP Configuration File Transfers

Popularity: 5
Simplicity: 8
Impact: 10
Risk Rating: 8

Sniffing for TFTP configuration files traveling across the network is as easy as simply watching for any and all traffic on UDP port 69 (the TFTP default service port). You can use a variety of packet-capturing utilities to capture this information. As you saw in Chapter 3 while enumerating TFTP servers, you only need to discover the actual name of the configuration file. With tcpdump or Wireshark (formerly named Ethereal) this is a fairly easy maneuver:

 tcpdump dst port 69
 tcpdump: listening on eth0
 02:43:18.899478 192.168.1.55.20000 > 192.168.1.103.tftp: 22 RRQ "unidencom.txt"
 02:43:19.028863 192.168.1.55.19745 > 192.168.1.103.tftp: 31 RRQ "uniden00e011030397.txt"
 02:43:37.878042 192.168.1.52.51154 > 192.168.1.103.tftp: 31 RRQ "CTLSEP001562EA69E8.tlv" [tos 0x10]
 02:43:37.899329 192.168.1.52.51155 > 192.168.1.103.tftp: 32 RRQ "SEP001562EA69E8.cnf.xml" [tos 0x10]
 02:43:37.919054 192.168.1.52.51156 > 192.168.1.103.tftp: 28 RRQ "SIP001562EA69E8.cnf" [tos 0x10]
 02:43:37.968715 192.168.1.52.51157 > 192.168.1.103.tftp: 23 RRQ "SIPDefault.cnf" [tos 0x10]
 02:43:38.017358 192.168.1.52.51158 > 192.168.1.103.tftp: 30 RRQ "./SIP001562EA69E8.cnf" [tos 0x10]
 02:43:38.058998 192.168.1.52.51159 > 192.168.1.103.tftp: 27 RRQ "P0S3-07-5-00.loads" [tos 0x10]
 02:43:56.777846 192.168.1.52.50642 > 192.168.1.103.tftp: 23 RRQ "SIPDefault.cnf" [tos 0x10]
 02:43:56.943568 192.168.1.52.50643 > 192.168.1.103.tftp: 30 RRQ "./SIP001562EA69E8.cnf" [tos 0x10]
 02:43:59.031713 192.168.1.52.50651 > 192.168.1.103.tftp: 21 RRQ "RINGLIST.DAT" [tos 0x10]
 02:43:59.432906 192.168.1.52.50652 > 192.168.1.103.tftp: 21 RRQ "dialplan.xml" [tos 0x10]

As you can see, we now know the names of the configuration files that exist on the TFTP server. We can then, at our leisure, download these files directly from the TFTP server from any Linux or Windows command prompt:

 % tftp 192.168.1.103
 tftp> get SIP001562EA69E8.cnf

As we learned in Chapter 3, many of these configuration files contain juicy information such as usernames and passwords in the clear.

Countermeasure TFTP Sniffing Countermeasures

Because of the inherently insecure nature of TFTP, there aren't many options for securing the communications channel. One option is to create a separate VLAN for the communications channel from the phones to the TFTP server. Doing this assumes that the TFTP server is dedicated to serving only those phones with configuration files. Using firewall ACLs to ensure that only valid IP address ranges (for example, the phones' DHCP address range) can reach the TFTP server also helps.
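The ACL countermeasure above can also be applied as a monitoring check. The following is an added example, not code from the book: it parses tcpdump-style TFTP read-request lines of the kind shown in the capture earlier, builds an inventory of which client fetched which configuration file, and flags any request whose source address lies outside the range the phones are supposed to occupy. The phone range 192.168.1.0/24 and the out-of-range client 10.9.8.7 are assumptions; the sample lines are constructed from the capture's format.

```python
"""Added example (not from the book): audit tcpdump TFTP output against an
allowed phone address range, i.e. the check a firewall ACL would enforce.

Assumptions (not in the original text): the phone DHCP range is
192.168.1.0/24, and the log lines below are constructed from the format of
the book's capture, plus one made-up out-of-range client (10.9.8.7).
"""
import ipaddress
import re
from collections import defaultdict

# Matches lines such as:
# 02:43:18.899478 192.168.1.55.20000 > 192.168.1.103.tftp: 22 RRQ "unidencom.txt"
RRQ_LINE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?:tftp|69):\s+\d+\s+'
    r'RRQ\s+"(?P<file>[^"]+)"'
)

# Constructed sample: the first lines follow the book's capture, the last one
# is an invented client outside the phone range.
SAMPLE_LINES = """\
tcpdump: listening on eth0
02:43:18.899478 192.168.1.55.20000 > 192.168.1.103.tftp:  22 RRQ "unidencom.txt"
02:43:37.899329 192.168.1.52.51155 > 192.168.1.103.tftp: 32 RRQ "SEP001562EA69E8.cnf.xml" [tos 0x10]
02:43:37.919054 192.168.1.52.51156 > 192.168.1.103.tftp: 28 RRQ "SIP001562EA69E8.cnf" [tos 0x10]
02:44:02.000000 10.9.8.7.40000 > 192.168.1.103.tftp: 28 RRQ "SIP001562EA69E8.cnf"
""".splitlines()


def parse_rrq(line):
    """Return (src_ip, filename) for a tcpdump TFTP read-request line, else None."""
    m = RRQ_LINE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("file")


def audit_tftp(lines, allowed_cidr):
    """Inventory RRQs per client and flag clients outside allowed_cidr.

    Returns (inventory, alerts): inventory maps client IP -> sorted list of
    requested files; alerts lists (client_ip, filename) for every request
    from a client outside the allowed range.
    """
    allowed = ipaddress.ip_network(allowed_cidr)
    inventory = defaultdict(set)
    alerts = []
    for line in lines:
        parsed = parse_rrq(line)
        if parsed is None:
            continue  # banner line or unrelated traffic
        src, filename = parsed
        inventory[src].add(filename)
        if ipaddress.ip_address(src) not in allowed:
            alerts.append((src, filename))
    return {ip: sorted(files) for ip, files in inventory.items()}, alerts


if __name__ == "__main__":
    inv, alerts = audit_tftp(SAMPLE_LINES, "192.168.1.0/24")
    for ip, files in sorted(inv.items()):
        print(f"{ip} requested: {', '.join(files)}")
    for ip, filename in alerts:
        print(f"ALERT: {ip} is outside the phone range and fetched {filename}")
```

The inventory side is useful on its own: a phone that suddenly asks for a configuration file belonging to a different MAC address, or a non-phone host asking for any file at all, stands out immediately.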

Attack Performing Number Harvesting and Call Pattern Tracking

Popularity: 3
Simplicity: 5
Impact: 4
Risk Rating: 4

There are a few ways to perform passive number harvesting in a SIP environment. The easiest is to simply sniff all SIP traffic on UDP and TCP port 5060 and analyze the From: and To: header fields. Another way involves using the Wireshark packet sniffer (http://www.wireshark.org), which is demonstrated at the end of this section.
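What "analyze the From: and To: header fields" amounts to in practice, as an added example that is not part of the book: a parser that pulls the calling and called party out of cleartext SIP requests and aggregates them into a call log of the kind voipong or Wireshark produces. A defender can run the same code over captures from their own signaling VLAN to see exactly what a passive observer learns before TLS is enabled. The two SIP messages are constructed samples; the extensions, hosts and Call-ID are made up.

```python
"""Added example (not from the book): extract caller and callee from
cleartext SIP signaling and build a call log from it.

The INVITE and BYE below are constructed samples (made-up extensions,
hosts and Call-ID), trimmed to the headers this parser needs.
"""
import re
from collections import Counter

SAMPLE_INVITE = """\
INVITE sip:5551000@pbx.example.internal SIP/2.0
Via: SIP/2.0/UDP 192.168.1.52:5060;branch=z9hG4bK776asdhds
From: "Alice" <sip:5552001@pbx.example.internal>;tag=1928301774
To: <sip:5551000@pbx.example.internal>
Call-ID: a84b4c76e66710@192.168.1.52
CSeq: 314159 INVITE
Content-Length: 0

"""

SAMPLE_BYE = """\
BYE sip:5552001@192.168.1.52 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bKnashds7
From: <sip:5551000@pbx.example.internal>;tag=a6c85cf
To: "Alice" <sip:5552001@pbx.example.internal>;tag=1928301774
Call-ID: a84b4c76e66710@192.168.1.52
CSeq: 231 BYE
Content-Length: 0

"""


def parse_sip(message):
    """Return (method, headers); headers is a dict keyed by lower-cased name.

    Only the first occurrence of each header is kept, which is sufficient for
    From, To and Call-ID (they appear once per request).
    """
    head, _, _body = message.partition("\n\n")
    lines = head.splitlines()
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, headers


def uri_of(header_value):
    """Strip the display name and parameters from a From:/To: header value.

    '"Alice" <sip:5552001@host>;tag=1' and 'sip:5552001@host;tag=1' both
    yield 'sip:5552001@host'.
    """
    m = re.search(r"<([^>]+)>", header_value)
    if m:
        return m.group(1)
    return header_value.split(";", 1)[0].strip()


def harvest(messages):
    """Build {call_id: (caller, callee)} from the INVITEs in a message list.

    Only INVITEs are used: in the INVITE, From: is always the caller and To:
    the callee, whereas in a BYE they depend on which side hangs up.
    """
    calls = {}
    for msg in messages:
        method, hdrs = parse_sip(msg)
        if method != "INVITE":
            continue
        calls[hdrs["call-id"]] = (uri_of(hdrs["from"]), uri_of(hdrs["to"]))
    return calls


def call_pattern(calls):
    """Count outgoing calls per extension, the 'pattern' an observer is after."""
    return Counter(caller for caller, _callee in calls.values())


if __name__ == "__main__":
    calls = harvest([SAMPLE_INVITE, SAMPLE_BYE])
    for cid, (caller, callee) in calls.items():
        print(f"{cid}: {caller} -> {callee}")
    print(call_pattern(calls))
```

Everything this code reads is in the clear on UDP/TCP 5060; once the signaling runs over TLS (the countermeasure given later in this section), none of it is visible to a sniffer on the wire.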

For call pattern tracking, sniffing all of the SIP signaling traffic, again on UDP and TCP port 5060, would do the job. Using a tool such as voipong (http://www.enderunix.org/voipong/) can also help automate this process by logging all calls to and from various IP addresses:

 # voipong -d4 -f
 EnderUNIX VOIPONG Voice Over IP Sniffer starting...
 Release 2.0-DEVEL, running on efe.dev.enderunix.org [FreeBSD 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Dec i386]
 (c) Murat Balaban http://www.enderunix.org/
 19/11/04 13:32:10: EnderUNIX VOIPONG Voice Over IP Sniffer starting...
 19/11/04 13:32:10: Release 2.0-DEVEL running on efe.dev.enderunix.org [FreeBSD 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Dec i386]. (c) Murat Balaban http://www.enderunix.org/ [pid: 71647]
 19/11/04 13:32:10: fxp0 has been opened in promisc mode, data link: 14 (192.168.0.0/255.255.255.248)
 19/11/04 13:32:10: [8434] VoIP call detected.
 19/11/04 13:32:10: [8434] 10.0.0.49:49606 <--> 10.0.0.90:49604
 19/11/04 13:32:10: [8434] Encoding: 0-PCMU-8KHz
 19/11/04 13:38:37: [8434] maximum waiting time [10 sn] elapsed for this call, call might have been ended.
 19/11/04 13:38:37: .WAV file [output/20041119/session-enc0-PCMU-8KHz-10.0.0.49,49606-10.0.0.90,49604.wav] has been created successfully.

Wireshark can be used to see the actual phone numbers and SIP URIs involved in each call. Launch Wireshark and capture traffic normally (or open a previously created network capture file). Click Statistics | VoIP Calls, and a summary screen will pop up, similar to the one shown in Figure 5-5, that shows all of the calls made and received.

Figure 5-5: Wireshark's VoIP call analyzer

Countermeasure Number Harvesting and Call Pattern Tracking Countermeasures

To prevent snooping on a user's dialing patterns, enable signaling encryption either on the network layer (IPSec) or on the transport layer (for example, SIP TLS or secure mode SCCP using TLS). Separate VLANs will also help mitigate the risk of simple signaling sniffing on the network. The following illustration shows the various levels of security that can be applied to the signaling stream across the various layers.

Attack Performing Call Eavesdropping

Popularity: 9
Simplicity: 7
Impact: 7
Risk Rating: 8

There are a variety of tools that can perform call eavesdropping assuming the attacker has the appropriate level of network access. Let's demonstrate a few of them.

Wireshark

Launch Wireshark and capture traffic normally (or open a previously created network capture file). Click Statistics | RTP | Show All Streams, and a window will pop up similar to the one shown in Figure 5-6.

Figure 5-6: Wireshark RTP Streams listing

Click one of the RTP streams and then select Analyze. The screen shown in Figure 5-7 should now appear.

Figure 5-7: Wireshark RTP Stream Analysis

Clicking Save Payload should invoke the screen shown in Figure 5-8, allowing you to save the audio file in one of two formats (.au or .raw).

Figure 5-8: Saving the stream as an audio file

Cain and Abel

Cain and Abel (http://www.oxid.it/) is a powerful sniffing and password-cracking tool that has some great VoIP hacking features. In order to eavesdrop on a conversation, first start Cain and Abel normally and click the Sniffing button. (We will cover Cain and Abel's ARP poisoning features in the next chapter.) Click the Sniffer tab at the top, and you should see a screen similar to the one in Figure 5-9.

Figure 5-9: Cain and Abel

Now, click the VoIP tab at the bottom, and you should see a screen similar to the one in Figure 5-10. Now, you can right-click and play any of the captured RTP streams shown on the menu screen. Easy, no?

Figure 5-10: Cain and Abel's VoIP reconstruction

vomit

vomit (voice over misconfigured internet telephones) is a utility that can be used with the sniffer tcpdump to convert RTP conversations to WAV files. vomit, by itself, is not a packet sniffer; it converts raw packet captures into playable audio.

 $ vomit -r phone.dump | waveplay -S8000 -B16 -C1

vomit is available at http://vomit.xtdnet.nl.

voipong

You saw the voipong (http://www.enderunix.com/voipong) tool in action earlier when we talked about call pattern tracking. voipong is also useful for recording conversations. Looking at the end of the voipong snippet shown previously:

 19/11/04 13:38:37: .WAV file [output/20041119/session-enc0-PCMU-8KHz-10.0.0.49,49606-10.0.0.90,49604.wav] has been created successfully.

voipong can be configured to output WAV files for each captured conversation.

Oreka

Finally, there is Oreka (http://oreka.sourceforge.net), which is an open-source VoIP recording toolset that runs on Windows and flavors of Linux. It consists of three main parts, as per the documentation:

  • OrkAudio   This is the audio capture background service. It supports VoIP and sound device-based recording.

  • OrkTrack   This service filters out unwanted recordings and logs records to any popular SQL database.

  • OrkWeb   This service is the web interface accessible via any standard compliant web browser.

Attack Extracting Touch Tones from Recorded Calls

Popularity: 2
Simplicity: 9
Impact: 5
Risk Rating: 5

Let's assume an attacker has captured a variety of conversations using some of the aforementioned tools. Some of those conversations might have included recordings of people dialing in to their bank's automated help line. The recording might also include the touch tones of the eavesdropped victim entering sensitive information such as their PIN or account number.

A simple little tool called DTMF Decoder (http://www.polar-electric.com/DTMF/Index.html) can translate the tones from your sound card into the actual digits being pressed on the phone. If an attacker loads DTMF Decoder and plays the audio recording of a conversation, the digits will appear on the screen as shown in Figure 5-11.

Figure 5-11: DTMF Decoder translating the touch tones for 1-2-3-4

Countermeasure Call Eavesdropping Countermeasures

The only way to ensure confidentiality of a VoIP conversation is to encrypt the phone conversation (in other words, the RTP media stream). As with signaling security, there are several ways to accomplish this. One is through the network layer with IPSec (VPN), and the other is through a media encryption technology on the transport layer, such as Secure Real-time Transport Protocol (SRTP, RFC 3711) or ZRTP (http://www.ietf.org/internet-drafts/draft-zimmermann-avt-zrtp-01.txt). SRTP is currently implemented and supported by several hard phone, firewall, and SIP proxy vendors, and is by far the dominant standard. ZRTP is currently implemented in the softphone plug-in Zfone (http://www.philzimmermann.com/EN/zfone/).
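Whether a given phone actually negotiates SRTP can be audited from the signaling, since the SDP body of a SIP INVITE announces the media profile. The following is an added example, not code from the book: it parses SDP offers and classifies each media line as cleartext RTP (profile RTP/AVP), SRTP keyed via SDES (profile RTP/SAVP together with an a=crypto attribute, RFC 4568), or a secure profile offered without any key. The three SDP bodies are constructed samples; the key material in them is made up.

```python
"""Added example (not from the book): classify SDP media offers by whether
they negotiate SRTP or plain RTP.

Mechanism (a fact, not from the book): an m= line with profile RTP/AVP means
cleartext RTP; RTP/SAVP with an a=crypto line means SRTP keyed via SDES
(RFC 4568). The SDP bodies below are constructed samples with made-up keys.
"""

# Constructed: a phone offering plain RTP.
SDP_CLEAR = """\
v=0
o=phone1 2890844526 2890844526 IN IP4 192.168.1.52
s=-
c=IN IP4 192.168.1.52
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""

# Constructed: a phone offering SRTP with an SDES key (the inline key is a
# placeholder, not a real key).
SDP_SRTP = """\
v=0
o=phone2 2890844527 2890844527 IN IP4 192.168.1.60
s=-
c=IN IP4 192.168.1.60
t=0 0
m=audio 49172 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=rtpmap:0 PCMU/8000
"""

# Constructed: offers the secure profile but supplies no key, so no SRTP
# session can actually be established from this offer.
SDP_BROKEN = """\
v=0
o=phone3 1 1 IN IP4 192.168.1.61
s=-
c=IN IP4 192.168.1.61
t=0 0
m=audio 49174 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
"""


def parse_media(sdp):
    """Return one dict per m= line: media type, port, profile and the a=
    attributes that follow it up to the next m= line."""
    media = []
    current = None
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            current = {"type": fields[0], "port": int(fields[1]),
                       "profile": fields[2], "attrs": []}
            media.append(current)
        elif line.startswith("a=") and current is not None:
            current["attrs"].append(line[2:])
    return media


def classify_media(desc):
    """Classify one media section as 'srtp', 'clear' or 'srtp-no-key'."""
    has_crypto = any(a.startswith("crypto:") for a in desc["attrs"])
    if desc["profile"] in ("RTP/SAVP", "RTP/SAVPF"):
        return "srtp" if has_crypto else "srtp-no-key"
    return "clear"


def audit_sdp(sdp):
    """Return {"<type>/<port>": classification} for every media line."""
    return {f"{m['type']}/{m['port']}": classify_media(m)
            for m in parse_media(sdp)}


if __name__ == "__main__":
    for name, sdp in (("phone1", SDP_CLEAR), ("phone2", SDP_SRTP),
                      ("phone3", SDP_BROKEN)):
        print(name, audit_sdp(sdp))
```

Two caveats when reading the results. With SDES the SRTP key itself travels inside the INVITE, so an a=crypto offer only protects the audio if the signaling is also encrypted, as the previous countermeasure section recommends. And a ZRTP call, which agrees its keys inside the media stream rather than in SDP, will still show up here as RTP/AVP, so this check is aimed at SDES-style SRTP deployments.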



Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158
