Hack 85. Secretly Record VoIP Calls
G.711 uLaw is the most common codec used in enterprise VoIP, but it's far from secure.
The G.711 codec is the de facto standard for voice encoding on VoIP networks, because the earliest VoIP gear and software didn't have enough processor power for real-time transcoding from one codec to another. This means that if a call were to originate on the PSTN and terminate on a VoIP device, the entire call would have to be in the same codec. The codec that's always been used on the (North American) PSTN is G.711 uLaw. Unfortunately, even as Cisco CallManagerarguably the world's first enterprise VoIP platformbecame popular, it was painfully clear that running G.711 uLaw across the Internet was a very insecure thing to do.
That's because the RTP packaging convention used by most VoIP systems doesn't encrypt the media stream of a call, making it the aural equivalent of clear text, ripe for outside snooping. Using tcpdump and a copy of vomit (Voice over Misconfigured Internet Telephones), you can actually capture phone calls midstream and convert them into WAV files. How's that for security? (I argue that it's actually harder to secretly record calls with VoIP than it is on the PSTN, but let me digress here….)
To clandestinely record a G.711 uLaw phone call, you'll need to be able to run tcpdump, the common packet capture utility, or its Windows counterpart, windump. This means you'll need to be a privileged user on the machine you're going to record from (for Windows, this means Administrator; for Unix, it means root).
You'll also need the ability to view network traffic to and from the host(s) participating in the call. This means running the capture on one of the hosts directly, programming your switch to let you monitor the port where one of the hosts is connected, or (gasp!) connecting both hosts to a hub, where you can capture packets to your heart's content. To put this in plain English, unless you're using a hub or a specially configured switch, you'll be able to record calls only from a device that's actually on the call pathi.e., the caller's host, the receiver's host, or a VoIP server in the middle of the conversation.
6.15.1. The Hack
It's possible to do this hack on Windows (you'll need the same WinPCap library you used when you installed Ethereal on your Windows PC [Hack #81]; you did install Ethereal already, right?). However, I'll assume you're using Unix, since tcpdump is a standard Unix utility and because it's easier to install vomit on Linux or BSD than it is on Windows.
18.104.22.168. Compile and install libdnet and libevent.
To download, compile, and install the libdnet and libevent libraries, required by vomit, log in as root and use these commands:
# cd /usr/src # wget http://ufpr.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.10.tar.gz # tar xvfz libdnet-1.10.tar.gz # cd libdnet-1.10 # ./configure # make # make install # cd .. # wget http://www.monkey.org/~provos/libevent-1.1a.tar.gz # tar vzxf libevent-1.1a.tar.gz # cd libevent-1.1a # ./configure # make # make install
Obviously, this is just a sequence of commands to fetch the libraries, open the archives, and compile the source code within.
22.214.171.124. Compile and install vomit.
Next, grab the vomit tarball and compile it on the same machine, again as root:
# cd /usr/src # wget http://vomit.xtdnet.nl/vomit-0.2c.tar.gz # tar zvfx vomit-0.2c.tar.gz # cd vomit-0.2c # ./configure # make # make install
126.96.36.199. tcpdump some packets.
When I did this hack, I did it on my Asterisk server running on Linux. This simplified the capture process, since all I had to do was set up an extension on the Asterisk server that answered the call immediately and produced some audio. (For a refresher on doing this, flip back to "Attach a SIP Phone to Asterisk" [Hack #42].) Once the extension was in place, I started tcpdump like this:
# tcpdump w test.file
When you use this command, it will create a dump file in the current directory that contains every IP packet sent or received by the default interface. This file is going to get big pretty quick, so run this command only for as long as is necessary to capture the call you're placing to the server. Then, at the conclusion of the call, hit Ctrl-C to stop tcpdump.
188.8.131.52. "Wave" goodbye to privacy.
Now, here's the truly fun part. The point of vomit is to pick the G.711 RTP packets out of the dump file created by tcpdump (test.file, as shown earlier) and string them together into a WAV file. Try it:
# vomit r test.file > test.wav
Run that WAV file through SoX if you need it in another format [Hack #24], and off you go. Just don't record any calls without full knowledge of the participants, or you could find yourself in legal trouble.