UCSniff 2.1 Released

First, let me introduce myself – I am Arjun Sambamoorthy, a Research Engineer in Sipera VIPER Lab. I am the co-author of UCSniff (Unified Communication Sniffer) with Jason Ostrom. As a developer of UCSniff, I would like to talk about why UCSniff was developed, the new features of UCSniff v2.1, and video eavesdropping. This is my first technical blog. I am excited about it, and your comments are always welcome.

Why UCSniff? UCSniff is a free VoIP/UC security assessment tool that VoIP administrators and security professionals can use to test for the threat of unauthorized VoIP (audio and video) eavesdropping. We have heard and read a lot of comments that running Ettercap or any other MitM (Man in the Middle) tool along with Wireshark is enough to do unauthorized eavesdropping. Yes, it is true, and I used to do that for testing and demos. But it is a very lengthy and laborious process on a segmented network. This is the procedure:

First, create a voice VLAN interface using VoIP Hopper or vconfig, if the network being tested follows the Layer 2 security best practice of segmenting data and voice traffic using Virtual LANs (VLANs).

Second, start a MitM tool like Ettercap and use the new voice interface created in step 1 for the ARP poisoning.

Third, start Wireshark on the created voice interface in order to capture all the traffic.

Wireshark has a cool feature to analyze all the captured RTP streams - every RTP stream has a forward and a reverse direction media flow, and Wireshark lets you save these forward and reverse direction streams in the SUN “au” file format. Right now Wireshark supports only the G711ulaw and G711alaw codecs. The media streams of all other codecs can be saved in a “raw” file format; a raw file has no audio container, so it cannot be played back by any media player.

Now comes the toughest part – analyzing and associating each saved RTP stream with the corresponding SIP or Skinny (SCCP) call. Why would we want to associate each saved RTP stream with its corresponding SIP/Skinny call? The captured media streams are of little value unless we know the parties involved in the conversation. The user can get the parties from the SIP message, and use the RTP port and IP information from the SDP to associate the call with its corresponding RTP stream.
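The association step described above, turned around for an administrator auditing their own signalling: this added example (not UCSniff code) parses SIP messages, maps each SDP media endpoint to its Call-ID and parties, and lists the endpoints negotiated without SRTP. The sample messages, addresses and function names are constructed for illustration, and compact SIP header forms are not handled.

```python
def sample(call_id, caller, ip, media_lines):
    """Build a constructed SIP INVITE with an SDP body (not from a real capture)."""
    return ("INVITE sip:2002@10.10.20.5 SIP/2.0\r\n"
            f"From: <sip:{caller}@10.10.20.5>;tag=x\r\n"
            "To: <sip:2002@10.10.20.5>\r\n"
            f"Call-ID: {call_id}\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\nc=IN IP4 {ip}\r\n" + "".join(l + "\r\n" for l in media_lines))

SAMPLES = [
    sample("call-1@lab", "2001", "10.10.20.11",
           ["m=audio 16384 RTP/AVP 0 8", "m=video 16390 RTP/AVP 97"]),
    sample("call-2@lab", "2003", "10.10.20.13", ["m=audio 20000 RTP/SAVP 0"]),
]

def parse_sip(msg):
    """Return Call-ID, From, To and the SDP media endpoints of one SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    hdr = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        hdr[name.strip().lower()] = value.strip()
    session_ip, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c="):                # c=IN IP4 <address>
            ip = line.split()[-1]
            if media:
                media[-1]["ip"] = ip             # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):              # m=<kind> <port> <proto> <formats>
            kind, port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "ip": session_ip,
                          "port": int(port.split("/")[0]), "proto": proto})
    return {"call_id": hdr.get("call-id"), "from": hdr.get("from"),
            "to": hdr.get("to"), "media": media}

def index_media(messages):
    """Map each advertised (ip, port) to the call and parties that negotiated it."""
    index = {}
    for sip in map(parse_sip, messages):
        for m in sip["media"]:
            index[(m["ip"], m["port"])] = {**m, "call_id": sip["call_id"],
                                           "from": sip["from"], "to": sip["to"]}
    return index

def cleartext_media(index):
    """Endpoints negotiated without SRTP (no SAVP/SAVPF profile in the m= line)."""
    return sorted(k for k, v in index.items() if "SAVP" not in v["proto"])
```

Looking up the destination address and port of a captured RTP flow in the index returns the call it belongs to. The check looks only at the transport profile, so an `RTP/AVP` line that offers SRTP through `a=crypto` attributes is still reported.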

The procedure listed above is feasible for only one or two captured conversations, but I would really go crazy if I had to sit and analyze more than 50 conversations like this. Instead, we will write a tool to automate the whole procedure.
Since we have to do this procedure for every security assessment, we thought of writing a free open source tool to automate it, which is UCSniff.  UCSniff is a complete package for eavesdropping and it has other cool features that are difficult to do with the traditional way of eavesdropping using ettercap and wireshark.

* Downloading the VoIP corporate directory (the corporate directory is a mapping between a person’s name and their extension)
* Dynamically learning the IP address of the user – this mapping helps us to do targeted eavesdropping. For example, eavesdropping only on the CFO’s calls.
* Saving the conversation to a bidirectional WAV file.

And many more. Jason has already written about all the features, usage and installation instructions of UCSniff at http://ucsniff.sf.net. Please visit it if you want to know more.

We released a new version of UCSniff, v2.1, sometime last week, with major bug fixes and the following new features/enhancements:

- Eavesdropping on Microsoft OCS IM conversations
- Support for Avaya SIP eavesdropping (handles SIP re-invites properly)
- Re-write of SIP code for enhanced logging and memory efficiency
- Enhanced ARP spoofing with unicast ARP requests (also detects devices that have GARP disabled)
- Support for G.711 a-law codec (already supports G.722, G.711 u-law)

The most interesting work was adding the Microsoft OCS IM feature. Usage of communicator clients like Microsoft OCS and Cisco Presence Communicator is increasing within the Enterprise. Why? Likely for unified communication of VoIP/Video clients along with quick message sharing and file transfers among the users in the enterprise. Therefore, we thought adding IM eavesdropping support would be really valuable for the approaching security assessments. Support for Cisco Presence Communicator will be done soon – we have just not set it up yet in the lab.

Man in the middle attacks on Ethernet type media are done by sending spoofed “gratuitous ARP” (GARP) reply packets. By default, many OSes (except Sun Solaris) and IP phones accept these spoofed ARP packets, thus becoming victims of MitM attacks. There are ways to discard the received GARP packets (i.e., to disable the GARP feature), but not all devices support this feature in their firmware. In our lab we found a way to detect all the devices that have GARP disabled and we also found a way to defeat it. The next release of UCSniff will have this feature integrated into it.
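On the monitoring side, the spoofed ARP traffic described above shows up as replies nobody asked for and as IP-to-MAC bindings that suddenly change. The following added example (not part of UCSniff) parses raw 28-byte ARP payloads and raises both kinds of alert; the addresses, MACs and class and function names are constructed for illustration, and nothing is sent on the wire.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4 (RFC 826)

def build_arp(op, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed ARP payload for the demo (nothing is sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # IP -> last MAC that claimed it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        """Return a list of alert strings for one ARP payload."""
        if len(payload) < 28:
            return []
        htype, ptype, hlen, plen, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return []
        mac, spa, tpa = sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
        alerts = []
        if op == 1 and spa != tpa:
            self.pending.add((spa, tpa))
        elif op == 2 and spa == tpa:
            alerts.append("gratuitous-reply")
        elif op == 2 and (tpa, spa) not in self.pending:
            alerts.append("unsolicited-reply")
        self.pending.discard((tpa, spa))
        # Sender fields update caches for requests and replies alike, so check both.
        old = self.bindings.get(spa)
        if old and old != mac:
            alerts.append(f"binding-change {spa} {old} -> {mac}")
        self.bindings[spa] = mac
        return alerts

PHONE, GW, ROGUE = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:99"
SAMPLE = [  # constructed traffic on a voice VLAN
    build_arp(1, PHONE, "10.10.20.11", "10.10.20.1"),   # phone asks for gateway
    build_arp(2, GW, "10.10.20.1", "10.10.20.11"),      # legitimate answer
    build_arp(2, ROGUE, "10.10.20.1", "10.10.20.11"),   # reply nobody asked for
    build_arp(1, ROGUE, "10.10.20.11", "10.10.20.1"),   # unicast request, spoofed sender
]

def run(sample=SAMPLE):
    monitor = ArpMonitor()
    return [monitor.observe(p) for p in sample]
```

Because the binding check applies to requests as well as replies, it also catches poisoning that never uses a gratuitous reply, which matters on devices that simply drop GARP.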

Some people in the media are calling 2009 the year of IP video, with many companies deploying UC-based video conferencing systems, IP video-based surveillance systems and video phones, to mention an important few. There are a lot of security holes and vulnerabilities in these UC/VoIP-based video systems. One with a very high potential for the bad guys to exploit is “video eavesdropping.” The ramifications and business impact of video eavesdropping are more severe than those of VoIP eavesdropping on just audio. With the increasing number of video file sharing sites like YouTube, MySpace and other social networking sites, it is easy to broadcast and share a video message – especially a confidential video which will be of interest to many. Moreover, many of the video systems do not support basic security features like signaling and media encryption.

UCSniff supports decoding of the H264 video codec, using the open source ffmpeg libraries. UCSniff creates a nice AVI file separately for the forward and reverse direction video streams. Decoding the H264 RTP payload, mixing the audio, and adding the AVI container is very processor intensive. I am thinking of adding an option in UCSniff to just create a raw “h264” file with no AVI container and no audio. This option would not require a user to install the ffmpeg libraries. The raw h264 file is only playable using the VLC media player, so this h264 file will be of much higher quality than the decoded AVI file.

In our lab, we are also working on other cool video tools like videojak and videosnarf. We will release these tools soon.

I hope my first blog is very informative and that you liked it.
