BruCON Training: Module 3, Attacking the media
This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website.
We trust our phones with our sensitive data more than most other forms of communication. We may not trust sending our credit card number by email to the hotel. In the end we give it to them on the phone anyway, and it may not matter if the phone is a mobile phone or a VoIP phone.
Since VoIP phones look very much like traditional phones, most people are impressed to learn (the hard way) that they can be intercepted just like other devices and computers on the network. This is one of the topics covered in the third module. We will use readily available tools that will allow you to sniff phone calls over the network very easily. Tools include Wireshark, UCSniff and Cain and Abel.
These tools will handle RTP and codecs differently so we will see which ones are best for the job.
As a penetration tester, you will encounter setups that try to prevent ARP cache poisoning and other attacks that allow for media interception. During this training we will look at each of these solutions and at how they can often be defeated.
When it comes to media, interception is not the only concern. There are tools that perform RTP injection, i.e. modify the RTP stream on the fly, which can make an interesting demonstration. Then there are covert channels, where an insider embeds his/her data inside the RTP stream.
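A defender's view of the RTP injection mentioned above, as an added example that is not part of the original post: it parses the fixed RTP header (RFC 3550) and flags a sequence number that arrives twice on the same SSRC with different payloads. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import namedtuple

# Static payload types (RFC 3551) commonly seen in VoIP captures.
STATIC_CODECS = {0: "PCMU", 3: "GSM", 8: "PCMA", 9: "G722", 18: "G729"}
Rtp = namedtuple("Rtp", "payload_type seq timestamp ssrc payload")

def parse_rtp(packet: bytes) -> Rtp:
    """Parse the fixed RTP header; skips CSRC list and header extension.
    Padding (P bit) is left in the payload."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)          # CSRC count * 4 bytes
    if b0 & 0x10:                          # X bit: header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        offset += 4 + 4 * struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    if len(packet) < offset:
        raise ValueError("truncated packet")
    return Rtp(b1 & 0x7F, seq, ts, ssrc, packet[offset:])

def find_seq_reuse(packets):
    """Return (ssrc, seq, codec) for each sequence number seen again with a
    different payload. Identical duplicates (network retransmits) are ignored.
    Sequence numbers wrap at 65536, so a long-running monitor should only
    compare within a recent window; this short example keeps everything."""
    seen, alerts = {}, []
    for raw in packets:
        h = parse_rtp(raw)
        key = (h.ssrc, h.seq)
        if key in seen and seen[key] != h.payload:
            codec = STATIC_CODECS.get(h.payload_type, "dynamic/other")
            alerts.append((h.ssrc, h.seq, codec))
        seen.setdefault(key, h.payload)
    return alerts

def build_sample(seq, payload, pt=0, ssrc=0x1234ABCD):
    """Constructed test packet: V=2, no padding/extension/CSRC, 20 ms of G.711."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + payload

# Constructed stream: packet with seq 2 appears twice with different audio.
SAMPLE = [build_sample(1, b"\xff" * 160), build_sample(2, b"\xff" * 160),
          build_sample(2, b"\x00" * 160), build_sample(3, b"\xff" * 160)]

if __name__ == "__main__":
    for ssrc, seq, codec in find_seq_reuse(SAMPLE):
        print(f"SSRC {ssrc:#010x} seq {seq} ({codec}): conflicting payloads")
```

This check only works on unencrypted RTP captured at a point that sees both copies of the packet; it is a hint for investigation, not proof of tampering.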