VoIP Conversation Hacking: Performing ARP Poisoning with Cain and Vomit, Lab Reports of Electrical and Electronics Engineering

This lab covers the process of performing ARP poisoning to obtain VoIP conversations using tools like vomit and Cain. It covers the basics of VoIP communication using the SIP protocol, the use of Ethereal and vomit for packet capture and playback, and the use of Cain for sniffing and ARP poisoning. It also includes questions for self-assessment and references for further learning.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

ECE 4112 Internetwork Security
Lab NEW: Voice Over Internet Protocol (VoIP)
Group Number: _______________
Member Names: _________________________ _________________________
Date Assigned: TBD
Date Due: TBD
Last Edited: December 6, 2005
Lab Authored by: Luis Miguel Cortés Peña
Gédéon Kamga
Please read the entire lab and any extra materials carefully before starting. Be sure to
start early enough so that you will have time to complete the lab. Answer ALL questions
and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE
the Date Due.
Goal: The goal of this lab is to show you how VoIP works and demonstrate some of
its vulnerabilities.
Summary: This lab will introduce you to VoIP, how to listen to VoIP
conversations in both Windows and Linux. You will also get to perform ARP poisoning
to obtain a VoIP conversation.
Background and Theory:
Introduction
VoIP (voice over IP - that is, voice delivered using the Internet Protocol) is a term
used in IP telephony for a set of facilities for managing the delivery of voice information
using the Internet Protocol (IP). Voice over IP uses Internet Protocol (IP) to carry voice
as packets over a packet-switched data network. Voice information is then sent in digital
form in discrete packets rather than in the traditional circuit-switched protocols of the
public switched telephone network (PSTN). A major advantage of VoIP and Internet
telephony is that it increases operating efficiency, avoiding expensive communication
costs and reducing unnecessary expenses that occur with ordinary telephone service [1]
[2].

VoIP Security

VoIP uses the Internet for phone service, bypassing expensive long-distance communication providers, which results in significant savings. However, as with most technology advancements, if not set up and deployed correctly, a VoIP solution can expose an organization to security breaches (Figure 1). For instance, when VoIP is used externally, gateway technologies convert data packets from the IP network into voice before sending them over a public switched telephone network. When VoIP is used internally, the gateways basically route packetized voice data between the source and the destination. A potential issue is that VoIP gateways can be hacked into by malicious attackers in order to make free telephone calls. In addition, attackers can infiltrate phone conversations and steal confidential data in the same way they would hack an IT system. Spammers can also use denial of service attacks to render the phone system useless. To deploy a VoIP solution, one needs to ensure that the solution is safe, secure and protected from outside threats.

Below is a list of typical attacks that a VoIP system might face [1][3].

• Toll Fraud: The IP version of the classic attack by a person pretending to be an employee or Console Cracking (asking the operator for an outside trunk) to make long distance calls. Here, the attacker impersonates a valid user and IP address by plugging in their phone or spoofing the MAC Ethernet address.
• Eavesdropping: The attacker sniffs (taps into the LAN wireline or Wi-Fi connection) to intercept voice messages. Available tools such as VOMIT (Voice Over Misconfigured Internet Telephony) allow performing this function.
• Call Hijacking: The attacker spoofs a SIP Response, redirecting the caller to a rogue SIP address, and intercepts the call.
• Resource Exhaustion: Also known as a DoS (Denial of Service) attack. This attack reduces the number of available IP addresses, bandwidth, processor memory, and other router/server functions.
• Message Integrity: MIM (Man-In-the-Middle) attack to intercept, alter, or redirect a call.
• Message Type Attacks: The attacker repeatedly bombards the SIP server with BYE or CANCEL messages or ICMP (Internet Control Message Protocol) "port unreachable" messages.
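Eavesdropping of the kind listed above depends on the media being negotiated as plain RTP. The following added example (not part of the original lab) audits the SDP body of a SIP INVITE and reports whether each stream is offered as cleartext RTP/AVP or as SRTP (RTP/SAVP) with keying material; the function name `audit_sdp`, the sample messages, the addresses and the key value are constructed for illustration.

```python
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}            # secure RTP profiles
M_LINE = re.compile(r"m=(\S+) (\d+)(?:/\d+)? (\S+)")  # m=<media> <port> <proto> ...
KEY_ATTR = re.compile(r"a=(key-mgmt|crypto):")        # MIKEY-style or SDES keying


def audit_sdp(sip_message):
    """Return (media, port, proto, verdict) for every m= line in the SDP body."""
    text = sip_message.replace("\r\n", "\n")
    _, _, body = text.partition("\n\n")   # SIP headers end at the first empty line
    session_keying, streams, current = set(), [], None
    for line in body.split("\n"):
        if line.startswith("m="):
            m = M_LINE.match(line)
            # A malformed m= line still starts a new media section, but is not reported.
            current = {"keying": set()}
            if m:
                current.update(media=m.group(1), port=int(m.group(2)), proto=m.group(3))
                streams.append(current)
        else:
            k = KEY_ATTR.match(line)
            if k:  # keying before the first m= line applies to the whole session
                (current["keying"] if current else session_keying).add(k.group(1))
    findings = []
    for s in streams:
        if s["proto"] not in SRTP_PROFILES:
            verdict = "cleartext"             # audio can be replayed from a capture
        elif s["keying"] | session_keying:
            verdict = "srtp"
        else:
            verdict = "srtp-without-keying"   # profile offered, no key exchange seen
        findings.append((s["media"], s["port"], s["proto"], verdict))
    return findings


def sample_invite(proto, extra_attrs=()):
    """Constructed INVITE between two lab hosts (documentation addresses)."""
    headers = [
        "INVITE sip:bob@192.0.2.20 SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060",
        "From: <sip:alice@192.0.2.10>;tag=1",
        "To: <sip:bob@192.0.2.20>",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
    ]
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {proto} 0", "a=rtpmap:0 PCMU/8000", *extra_attrs]
    return "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"


CLEAR_INVITE = sample_invite("RTP/AVP")
# The key-mgmt value is a constructed placeholder, not real MIKEY data.
SECURE_INVITE = sample_invite("RTP/SAVP", ["a=key-mgmt:mikey Q09OU1RSVUNURUQ="])

if __name__ == "__main__":
    for name, msg in (("clear", CLEAR_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_sdp(msg))
```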

Figure 2 : VoIP Session Initiation Routine.

Prelab Questions: None.

Lab Scenario: You will need your hard drive for this lab. You will be using two RedHat WS 4.0 machines running on your computer. Ensure that you pick a computer equipped with both an internal sound card and an Ensoniq AudioPCI installed by a TA. One of the RedHat WS 4.0 machines will be a virtual machine which you will download from NAS. This virtual machine will contain all the necessary software installed. The other can be a physical machine (your RedHat WS 4.0 host machine) or a copy of the virtual machine downloaded from NAS. If you decide to use your RedHat WS 4.0 host machine, you will have to install minisip (explained later in this lab manual). You will also need to use your Windows XP virtual machine to perform some of the attacks.

Section 1: Minisip

Minisip is a free SIP user agent. It features services such as Secure VoIP, SIP, MIKEY, RTP, SRTP, SDP, Video Telephony, Push-to-talk. This tool can be downloaded here: http://www.minisip.org The description from the website says: “Minisip is a SIP User Agent ("Internet telephone") developed at KTH currently running on Linux. Keywords: Secure VoIP; SIP; MIKEY; RTP; SRTP; SDP; Video Telephony; Push-to-talk. You can download it for free from the download page.

Minisip is developed by Ph.D and Master students at the Royal Institute of Technology, KTH, Stockholm, Sweden. The source code is available as a number of libraries under the GNU Lesser General Public License (LGPL) and applications under the GNU General Public Licence (GPL).“

Section 1.1 Installing Minisip (Physical RedHat WS 4.0 Machine)

Installing minisip is a very tedious job because of all its dependencies and the environment variables it needs. For this reason it is recommended that you use a script named minisipinstaller created for you. In order to do so, perform the following steps as root:

• Connect to nas
• Go to the lab directory
• Copy the directory named software to your home directory (/root/)
• Go to the directory software/minisip and run the script minisipinstaller:

    # cd /root/software/minisip
    # ./minisipinstaller

NOTE: If the script does not finish successfully, you might want to run it again since there might be a dependency which is out of order and makes other dependencies fail. This should take approximately 60-90 minutes.

When this finishes, the script should have created a script named runminisip located in the root directory. Run this script, which should open minisip without any problem.

    # ~/runminisip

Now we will fix some dependencies so that vomit can be run:

    # cd ~/software/lib/
    # tar xvfz libdnet-*.tar.gz
    # cd libdnet*
    # ./configure
    # make
    # make install
    # cd ..
    # tar xvfz libevent-*.tar.tar
    # cd libevent*
    # ./configure
    # make
    # make install

    # ~/runminisip

If minisip fails to open, delete the file named .minisip-conf in root's home directory and try again:

    # rm ~/.minisip-conf

• Now click File > Preferences. You will see a screen which displays the SIP account settings.
• Select the default one and click on Edit…
• Enter anything you want for the Account name (i.e. VoIP) and enter your SIP URI as username@YourIPHere. Usually YourIPHere is replaced by the domain of the VoIP provider. You can find your IP by executing the command ifconfig in a shell.
• Now type the IP of the computer you will be connecting to (which is different from the host machine’s IP, as shown in Figure 3). Your screen should now look similar to the following screenshot.

Figure 4 : Minisip - Settings.

• Uncheck the box labeled “Requires authentication” since we are not connecting to an actual proxy server.
• Now hit OK on the “Sip Account settings”
• Ensure that Sound device is mapped to /dev/dsp
• Click OK on “minisip – Settings.”
• Now we need to set up the contact information. Right click on the contact window and select “Add a Contact.”
• Enter your group number in the Name, VoIP in Type and enter the username@IPAddress of the computer you are connecting to.

The contact information window should look like the following figure:

Figure 5 : Contact Information.

• Hit OK when done.

Your minisip is now set up to connect to computer B. However, computer B needs to be set up also. Perform the same steps above on your RedHat WS 4.0 virtual machine, computer B. Before powering on the machine:

• Select the Red Hat Enterprise Linux 4 tab.
• Power off the computer if it's on
• Select VM > Settings > Sound Adapter
• Under connection, select dps
• Make sure Connect at power on is checked
• Click OK
• Power on Machine

Section 1.2 Audio Setup

Now we need to set up the sound so that you can talk and listen to the conversation. To do this you need to mute the microphone (so that you do not hear yourself talking) and enable your speakers.

• Go to Start > Sound & Video > Volume Control. Change your settings and your Volume Control window should look like the following:

played with ordinary sound players. Vomit requires a tcpdump output file. Vomit is not a VoIP sniffer also it could be but the naming is probably related to H.323.”

• On either computer A or computer B, run Ethereal and begin capturing packets on eth0.
• Establish a VoIP connection on both computer A and computer B and have a conversation.
• Now stop capturing packets and save it to your home directory (/root) in a file named phone.dump.
• Get a screen shot of Ethereal displaying the connection Invite and ACK.

Screenshot 3 : Ethereal displaying SIP Invite and Ack.

Open a shell and cd into your home directory:

    # cd ~

Now run vomit with the following command:

    # vomit -r phone.dump | waveplay-20010924/waveplay -S8000 -B16 -C

Listen to the output.

Question 1 : Were vomit and waveplay able to playback the file?

Question 2 : How is the quality of the playback compared to that of the actual conversation?

Section 4: Cain and Abel

You have seen how Linux plays back conversations; now you will use Windows to both sniff and play back conversations. We use what people call Windows' “Swiss Army knife of handy networking goodies.” This software can be downloaded from: http://www.oxid.it/cain.html

Cain should be installed on your Windows virtual machine from previous labs. If it is not, copy it from the nas lab directory named cainandable and install it.

• Open up VMware by typing vmware on the shell or finding the shortcut in Start > System Tools > VMware.
• Start your Windows virtual machine.
• Now run Cain and Abel, whose shortcut is on the desktop (named Cain).
• Once Cain starts up, click Configure and then select the “Filters and ports” tab.
• Scroll all the way down and make sure that the SIP/RTP protocol is enabled.
• Click OK.
• Once that is done, click on the sniff button.

Your network diagram should now look like the following:

Figure 7 : Network diagram with virtual machine.

Section 4.1 Cain Sniffing.

• Re-establish a VoIP conversation and again have a conversation with your partner.
• Meanwhile go to the Sniffer tab on Cain and then select the VoIP tab on the bottom.
• Get a screenshot of Cain sniffing and recording the conversation.

Screenshot 4 : Cain recording a VoIP conversation.

• Stop Cain from sniffing by pressing the sniff button again and go to C:\Program Files\Cain\VoIP where your conversation was saved.
• Play the audio and listen to the conversation.

Question 3 : Was Cain able to save the file as a wave file?

Question 4 : How is the quality of the playback compared to that of the actual conversation?

Question 5 : Comparing Cain with vomit, which one did a better job?

Section 4.2: Cain Man in the Middle

Usually attacks of this kind are rare since attackers encounter switches more often

If another team is doing their lab, wait until they establish a VoIP connection. If there is no other team working, make the connection yourself and then come back to Cain. Get a screen shot of Cain performing ARP poisoning and recording a VoIP conversation.

Screenshot 5 : Cain performing ARP poisoning to record a VoIP conversation.

Now if you have access to speakers, replay their conversation and let them hear it.

Question 6 : How can you protect yourself from this type of attack?

Question 7 : How can this be performed on Linux?

Now that you have finished the lab, you need to delete your .minisip.conf file in your home directory so that other classmates can do the lab:

    # rm ~/.minisip.conf
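On the defensive side of Section 4.2, ARP poisoning leaves a recognisable trace in the ARP traffic itself. The following added example (not part of the original lab) parses raw Ethernet/ARP frames and flags replies nobody asked for, IP-to-MAC bindings that change, and frames whose Ethernet source differs from the ARP sender field; the function names, MAC addresses, IP addresses and frames are constructed for illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return (eth_src, op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(frame[6:12]), op, _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])


def detect_arp_poisoning(frames):
    """Return alerts as (frame_number, kind, claimed_ip, claiming_mac)."""
    bindings, pending, alerts = {}, set(), []   # first-seen IP->MAC, IPs asked for
    for number, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, op, sender_mac, sender_ip, target_ip = parsed
        if eth_src != sender_mac:
            alerts.append((number, "ethernet-arp-mismatch", sender_ip, sender_mac))
        if op == ARP_REQUEST:
            pending.add(target_ip)
        elif op == ARP_REPLY:
            # Gratuitous replies (e.g. failover) also land here and need an allow-list.
            if sender_ip not in pending:
                alerts.append((number, "unsolicited-reply", sender_ip, sender_mac))
            pending.discard(sender_ip)
        if bindings.setdefault(sender_ip, sender_mac) != sender_mac:
            alerts.append((number, "binding-changed", sender_ip, sender_mac))
    return alerts


def build_arp(eth_src, op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build one ARP frame as bytes, used only to construct the sample capture."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))


def sample_capture():
    """Constructed frames: a normal request/reply, then a third MAC claiming both IPs."""
    a, b, x = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:66"
    ip_a, ip_b, zero = "192.0.2.10", "192.0.2.20", "00:00:00:00:00:00"
    return [
        build_arp(a, ARP_REQUEST, a, ip_a, zero, ip_b),
        build_arp(b, ARP_REPLY, b, ip_b, a, ip_a, eth_dst=a),
        build_arp(x, ARP_REPLY, x, ip_b, a, ip_a, eth_dst=a),
        build_arp(x, ARP_REPLY, x, ip_a, b, ip_b, eth_dst=b),
    ]


if __name__ == "__main__":
    for alert in detect_arp_poisoning(sample_capture()):
        print(alert)
```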

Question 8 : How long did it take you to complete this lab? Was it an appropriate length lab?

Question 9 : What corrections and or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make corrections/suggestions. Note that part of your lab grade is what improvements you make to this lab. You may want to search the world wide web for other Buffer Overflow examples. What tools can we add to this lab that teach something else new? You need to be very specific and provide details. You need to actually do the suggested additions in the lab and provide solutions to your suggested additions. Caution as usual: only extract and use the tools you downloaded in the safe and approved environment of the network security laboratory.

Answer Sheet Lab NEW Group Number: _______________ Member Names: _________________________ _________________________

Minisip correctly setup and working conversation.

TA Check Off : _________________________

Question 1: Were vomit and waveplay able to playback the file?

Question 2: How is the quality of the playback compared to that of the actual conversation?

Question 3: Was Cain able to save the file as a wave file?

Question 4: How is the quality of the playback compared to that of the actual conversation?

Question 5: Comparing Cain with vomit, which one did a better job?

Question 6: How can you protect yourself from this type of attack?

Question 7: How can this be performed on Linux?

Question 8: How long did it take you to complete this lab? Was it an appropriate length lab?

Question 9: What corrections and or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make corrections/suggestions. Note that part of your lab grade is what improvements you make to this lab. You may want to search the world wide web for other Buffer Overflow examples. What tools can we add to this lab that teach something else new? You need to be very specific and provide details. You need to actually do the suggested additions in the lab and provide solutions to your suggested additions. Caution as usual: only extract and use the tools you downloaded in the safe and approved environment of the network security laboratory.

Possible Additions:

• Implement a SIP Proxy Server
• Perform Call Hijacking
• DoS
• Kill VoIP Connection
• Invite Flooding
• Packet insertion
• Conversation Encryption
• Connection Certification

Screenshots:

• Screenshot 1: Minisip receiving phone call
• Screenshot 2: SIP URI as [email protected]
• Screenshot 3: Ethereal displaying SIP Invite and Ack
• Screenshot 4: Cain recording a VoIP conversation
• Screenshot 5: Cain performing ARP poisoning to record a VoIP conversation

    # cd ~
    # tar xvfz waveplay-20010924.tar.tar
    # cd waveplay-20010924
    # make

The computer is now ready. You should test that minisip is running.

The following is a printout of the script written to easily install minisip:

    #!/bin/sh
    echo "Exporting some system variables needed"
    export LD_LIBRARY_PATH=/usr/local/lib/
    export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/local/lib/pkgconfig

    echo "Installing Initial Dependencies"
    cd dependencies

    echo "Installing cairo"
    tar xvfz cairo.tar.gz
    cd cairo
    ./configure --prefix=/usr
    make
    make install
    cd ..
    echo "DONE WITH CAIRO"

    echo "Installing jpeg"
    tar xvfz jpegsrc.tar.gz
    cd jpeg-
    ./configure --prefix=/usr
    make
    make install
    cd ..
    echo "DONE WITH JPEG"

    echo "Installing tiff"
    tar xvfz tiff-.tar.gz
    cd tiff-
    ./configure --prefix=/usr
    make
    make install
    cd ..
    echo "DONE WITH TIFF"

    echo "Installing pkg-config"
    tar xvfz pkg-config.tar.gz
    cd pkg-config
    ./configure --prefix=/usr
    make
    make install
    cd ..
    echo "DONE WITH PKG-CONFIG"

    echo "Installing pango"
    tar xvfz pango.tar.gz
    cd pango
    ./configure --prefix=/usr
    make
    make install
    cd ..
    echo "DONE WITH PANGO"