trebroN
2013-05-24, 22:48
Came across a few issues with Kali Linux and UCSniff against a Cisco Call Manager VOIP phone system.
UCSNIFF installed from source and compiled after a path was corrected
goto your unpacked source location
cd include
vi client.h
replace #include linux/if_tr.h
with #include /usr/include/netinet/if_tr.h
Cisco appears to have broken the --tftpm option by implmenting "http download" to enhance configuration file operation in CUCM 8.6.1 (Released Jan.4,2013).
Ucsniff 3.20 MITM failed when tested on a post 8.6.0 Cisco CUCM system in SCCP mode that didn't have encryption or CTL files enabled and would have previously been exploitable.
Sniffing confirmed the phone SEPXXXXXX.xml configuration was retrieved by HTTP on TCP port 6970.
Ucsniff documentation notes that it uses a UDP dissector for TFTP.
Ucsniff 3.20 didn't see the HTTP phone configuration download and continued to loop on the dropping keepalive messages.
Cisco documentation notes that the new CUCM behavior will revert to TFTP if HTTP is not available so a test to force TFTP was done by apt-get of firestarter to a firewall on Kali and deny port TCP 6970.
When ucsniff was rerun in targeted mode with a pre-seeded targets.txt and with firestarter active:
#ucsniff -i eth0.xx --tftpm -T -D
Dropping keepalives....
Receiving SEP CNF XML file via TFTP MitM attack
Modified the GARP Setting to GARP Enabled
UCSniff running GARP Disablement bypass flood for IP Phone xxxx
When left in this state ucsniff caused a targeted denial of service and continued to reregister the phone because after retrieving the config the phone initialization uses HTTP 6970 to download the ITL and for other SCCP activity.
Turning off the firewall after the GARP messages complete while keeping ucsniff active allowed the attack to complete and not DOS the phone.
Caveats:
Each MITM ucsniff session only intercepted forward direction RTP from target calls on a local subnet, reverse when target calling off-subnet phone.
Ucsniff didn't record the calls. Wireshark was active on the Kali MITM to save the random high port UDP conversations.
Identifying UDP streams and forcing RTP interpretation was needed in Kali's Wireshark.
Wireshark's player does not have a G.722 codec so conversation payloads needed to be extracted and converted by another utility such as FLV MP3 Converter.
When in ucsniff avoid switching to unicast and re-arping to not DOS the target phone subnet
It is still possible to break SBD and intercept calls via MITM ARP attacks with ucsniff on Kali as a proof of concept but guessing Ucsniff will either need to add HTTP download support and options for local subnet --tftpm to multiple targets or a different way defeat the phone's GARP disable default.
UCSNIFF installed from source and compiled after a path was corrected
goto your unpacked source location
cd include
vi client.h
replace #include linux/if_tr.h
with #include /usr/include/netinet/if_tr.h
Cisco appears to have broken the --tftpm option by implmenting "http download" to enhance configuration file operation in CUCM 8.6.1 (Released Jan.4,2013).
Ucsniff 3.20 MITM failed when tested on a post 8.6.0 Cisco CUCM system in SCCP mode that didn't have encryption or CTL files enabled and would have previously been exploitable.
Sniffing confirmed the phone SEPXXXXXX.xml configuration was retrieved by HTTP on TCP port 6970.
Ucsniff documentation notes that it uses a UDP dissector for TFTP.
Ucsniff 3.20 didn't see the HTTP phone configuration download and continued to loop on the dropping keepalive messages.
Cisco documentation notes that the new CUCM behavior will revert to TFTP if HTTP is not available so a test to force TFTP was done by apt-get of firestarter to a firewall on Kali and deny port TCP 6970.
When ucsniff was rerun in targeted mode with a pre-seeded targets.txt and with firestarter active:
#ucsniff -i eth0.xx --tftpm -T -D
Dropping keepalives....
Receiving SEP CNF XML file via TFTP MitM attack
Modified the GARP Setting to GARP Enabled
UCSniff running GARP Disablement bypass flood for IP Phone xxxx
When left in this state ucsniff caused a targeted denial of service and continued to reregister the phone because after retrieving the config the phone initialization uses HTTP 6970 to download the ITL and for other SCCP activity.
Turning off the firewall after the GARP messages complete while keeping ucsniff active allowed the attack to complete and not DOS the phone.
Caveats:
Each MITM ucsniff session only intercepted forward direction RTP from target calls on a local subnet, reverse when target calling off-subnet phone.
Ucsniff didn't record the calls. Wireshark was active on the Kali MITM to save the random high port UDP conversations.
Identifying UDP streams and forcing RTP interpretation was needed in Kali's Wireshark.
Wireshark's player does not have a G.722 codec so conversation payloads needed to be extracted and converted by another utility such as FLV MP3 Converter.
When in ucsniff avoid switching to unicast and re-arping to not DOS the target phone subnet
It is still possible to break SBD and intercept calls via MITM ARP attacks with ucsniff on Kali as a proof of concept but guessing Ucsniff will either need to add HTTP download support and options for local subnet --tftpm to multiple targets or a different way defeat the phone's GARP disable default.