Re: Voice over IP

["mht" <mht () clark net>]

The same type of vulnerability exists in injecting malicious code into
the conversation, a bit harder than a simple trojan horse, but it is
possible.  Similar to subliminal messages in Movies.. :)

EnetSec had the Model 2600 which had the capability of decoding phone
calls breaking them apart, etc for anything that was being transmitted
across modem, voice, fax, ip, etc.

/m
----- Original Message -----
From: Dug Song <dugsong () monkey org>
To: <pen-test () securityfocus com>
Sent: Thursday, June 14, 2001 6:10 PM
Subject: Re: Voice over IP


> On Thu, Jun 14, 2001 Brandon Young wrote:
>
> > A couple of colleagues and I are working on a security audit for a
> > VOIP system. Anyone know of any exploits and vulnerabilities that
may
> > exist with Cisco's call manager? One thing we have found is that the
> > traffic can be sniffed during phone calls. TCP is used for the
> > initial connection setup and then once the phone has setup a session
> > to the call manager it then uses the RTP protocol. We found that the
> > conversation is placed in the PCMU audio codec. We are looking to
> > find a way to extract the payloads and reassemble the audio so that
> > we can play back the phone conversations.  We are also looking at
> > launching a man in the middle attack and getting access to the
> > conversation and trying and listen to it in real time instead of
> > capturing and replaying. Any ideas on some possible ways to execute
> > this?
>
> soon to be integrated into the dsniff suite:
>
> http://www.monkey.org/~provos/vomit/
>
> decode and convert Cisco IP phone calls into .wav format for playback
> (either realtime or from a tcpdump capture), and inject .wav data into
> ongoing telephone conversations.
>
> be sure to leave a tip for Niels. :-)
>
> -d.
>
> p.s. he really does leave me those kind of crazy messages...
>
> ---
> http://www.monkey.org/~dugsong/