Wordpress

November 22nd, 2009 Comments off

It had to come sooner or later. Today I retired my self-written blog software in favour of Wordpress.

I wrote the original software by hand directly in PHP/CSS in haste during my last course holidays; it was never properly finished and was probably filled with SQL holes (:o!)

Yeah, so anyway, Wordpress now.

Categories: IT

UCSniff 3.0

October 23rd, 2009 Comments off

After playing with UCSniff 3.0 as detailed in my last entry, I still got the error:

Not saving conversation media file because either forward or reverse media not received.

This caused ucsniff to only generate a forward wave file.

I looked around for a solution, but it was already built into ucsniff.

One of the problems with this new UCSniff feature is that it is ineffective against intercepting any Skinny messages from the phone to the network. This is because the IP Phone ARPs for its remote IP gateway when it boots up and registers for the first time, and any subsequent spoofed ARP packets are ineffective.

All we have to do is run:

ucsniff -i eth0.20 --tftpm -T -D

One thing that I observed was that --tftpm would only be correctly applied in targeted mode. Even though we can target using the ettercap-style options /x/ //, it still wouldn't work.

When it works properly it will show:

Receiving SEP CNF XML file via TFTP MitM attack
Modified the GARP Setting to GARP Enabled
UCSniff running GARP Disablement bypass flood for IP Phone xxxx

You can still target a single host MitM without ARPing the whole VLAN by generating a targets.txt file.

I may make a basic bash script and post it for generating a targets.txt file, but it's easily hand editable and would look something like:

XXXX.XXXX.XXXX.XXXX,ext,name,sccp

Categories: Security

BT4 + EEE 701 + VLAN Hopping + UCSniff 3.0

October 22nd, 2009 Comments off

As part of my recently talked about network security course, I’ve been playing with VoIP security, trying to get everything working on my EEE 701.

Previously I gave instructions on running BT3 on a USB with persistence. This worked great on the EEE; however, I ran into problems when running voiphopper. The EEE complained about not being able to add the VLAN interface to eth0 and therefore VLAN hopping would not work.

ERROR: trying to add VLAN # to IF -:eth0:- error: Invalid argument

I did the usual and modprobed 8021q, checked other dependencies etc., but it wouldn't go. The 701 runs an Attansic L2 card, which in Linux runs under the atl2 driver, so I did some research and found mixed reports on the net about VLAN tagging not being supported on the atl2. After no luck I even contemplated buying a newer netbook with supported hardware.

I’ve got another persistent distro, Ubuntu Netbook Remix, so I decided to test that, as the atl2 drivers are built into the kernel and have changed recently. Long story short, VLAN tagging worked in UNR.

I tried to find newer atl2 drivers and load them manually into BT3, but couldn't find any readily and couldn't really be bothered searching too hard. I downloaded BT4 and made another persistent USB drive. Due to the newer Debian kernel used in BT4, VLAN tagging worked without a problem.

VLAN tagging and therefore voiphopper now worked. Next, intercepting SCCP conversations. In my previous testing I was using UCSniff 2.4 to record SCCP conversations via ARP poisoning (MitM). This worked infrequently, and in my production environment (Clustered Cisco Call Manager 4.2(sr3a)) it complained about GARP being disabled and that it would not record the conversation. Since then I've been hanging out for UCSniff 3.0, which was due to be released on the 24/10/09. They released it early! :D

Another long story short, UCSniff 3.0 works under BT4 on an EEE 701 and happily records SCCP from CCM4.2.

Happy days!

I’ve yet to test packet injection on BT4, but I don't expect too many problems with this.

Here's a step by step of the processes involved.

Create persistent BT4 on USB
Followed the directions outlined here:

  • http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus


VLAN Support + VLAN Hopping

Firstly, modprobe the 802.1Q module to enable VLAN tagging in the environment:

modprobe 8021q

Connect to a Cisco switchport with a config similar to:

switchport mode access
switchport access vlan 10
switchport voice vlan 20

Try VLAN hopping with voiphopper:

voiphopper -i eth0 -c 0


Download and compile UCSniff 3.0
Download UCSniff here:

  • http://ucsniff.sourceforge.net/

Compiling

tar zxvf ucsniff-3.01.tar.gz
cd ucsniff-3.01
./configure
make
make install

MiTM SCCP
To record all SCCP conversations on the voice VLAN:

ucsniff -i eth0.20 --garpdb // //

Or to target a particular IP phone, without enumerating the targets on the voice VLAN first:

ucsniff -i eth0.20 --garpdb /XXXX.XXXX.XXXX.XXXX/ //


Finally, play back the file from the command line:

play filename.mp3
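
The defender's counterpart to the ARP-poisoning MitM above is watching the voice VLAN for the ARP behaviour it produces. The following is an added example, not code from the original post or from UCSniff: a minimal arpwatch-style check over constructed ARP reply records (timestamp, sender IP, sender MAC) that flags an IP whose MAC changes and a single MAC that starts claiming many IPs, the shape a whole-VLAN poison (the "// //" target spec) would leave. All IPs and MACs are made up.

```python
# Added example (not from the original post): a minimal ARP-poisoning detector
# in the spirit of arpwatch, run over constructed ARP records from a voice VLAN.
# Flags (1) an IP whose sender MAC changes between replies and (2) one MAC that
# claims more than max_ips_per_mac IPs, as a VLAN-wide poison would.
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) in arrival order.
SAMPLE_ARP = [
    ("10:00:01", "10.20.0.1",  "00:1b:2c:00:00:01"),   # voice VLAN gateway
    ("10:00:02", "10.20.0.50", "00:1b:54:aa:bb:01"),   # IP phone A
    ("10:00:03", "10.20.0.51", "00:1b:54:aa:bb:02"),   # IP phone B
    ("10:05:10", "10.20.0.1",  "00:0c:29:de:ad:01"),   # gateway now claimed by another MAC
    ("10:05:11", "10.20.0.50", "00:0c:29:de:ad:01"),   # phone A also claimed by it
    ("10:05:12", "10.20.0.51", "00:0c:29:de:ad:01"),   # and phone B
]

def detect_arp_poisoning(records, max_ips_per_mac=2):
    """Return a list of alert strings for the given (ts, ip, mac) records."""
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in records:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} changed MAC for {ip}: {prev} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Fire once per MAC, the first time it crosses the threshold.
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(f"{ts} {mac} claims {len(mac_to_ips[mac])} IPs "
                          "(possible VLAN-wide poisoning)")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP):
        print(line)
```

On the sample above this reports three MAC changes (gateway and both phones flipping to the same MAC) and one VLAN-wide alert; on a healthy VLAN it stays silent.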


Categories: Security

Call Manager Timezones v2

October 6th, 2009 Comments off

So the Australian Daylight Savings kicked in over the weekend again.

The details I posted here 12 months ago work perfectly again. One extra thing to note: after applying the change to the Windows taskbar time, the 797Xs will change their time automatically; the other phones won't, though.

In order to force them to update their time, you will need to reset the devices from the Date/Time group.

Hope this helps :)

Categories: Networking

Persistent BT3 on EEE 701

September 22nd, 2009 Comments off

So I'm currently studying for my Advanced Diploma of Network Security after completing my Diploma of Network Engineering about 12 months ago. As part of my course I will be studying CEH; however, I’ve decided to get a jump on things by integrating security into all my other subjects. I pulled out the long-neglected EEEPC 701 that I was given as part of finishing my NE course and work on CCNA Security and CCNA Wireless.

Here's a pretty simple guide to getting the 701 up and running with a persistent Backtrack 3 on USB, fingerprinting with Kismet and cracking WEP with wesside-ng.

Firstly I followed the persistent usb details outlined at:

  • http://forums.remote-exploit.org/tutorials-guides/14486-bt3-usb-persistent-changes-using-linux.html

Secondly, each time you want to inject packets or use Kismet, run the following:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor


To run kismet, you will have to modify the following file. If you’re running BT3 live without persistence you will have to do this every time.

Edit /usr/local/etc/kismet.conf and change source to:

source=madwifi_g,wifi0,wifi0


Finally, I won't record another WEP video like every other person on the net; just run the following with the BSSID MAC of the AP (found from Kismet):

wesside -i ath0 -v MAC


Next I plan on running easside-ng for those networks where something doesn't go right (occasional). I'll throw the details up for that when I've done it.

Categories: Security

Cisco CME iiNet Configuration

April 10th, 2009 Comments off

Well, I’ve been having issues with my SIP registration from iiNet working within Cisco CME.

When doing a debug ccsip all, it appeared that I wasn't receiving a SIP INVITE, and that I would constantly throw out REGISTERs but not hear anything back.

Yesterday I started thinking that maybe there was something in my firewall ACL that was blocking the connection, but when I looked at it I couldn't see anything wrong with it. I decided to add permit tcp any any eq 5060 just to make sure things were happening, and then I saw this response:

10 permit tcp any any eq 5060 (18 matches)

So things were happening, but something still wasn't right.

I had spent most of the day looking over the config and trying different solutions from around the net, but nothing helped. This morning I decided to revisit the config and started with the ACLs. Then I noticed this.

240 deny udp any any eq 1024 (128 matches)

I had borrowed an ACL from our work access layer switches, designed to filter out commonly used virus ports, and this was one of the entries. It looked like the SIP response from iiNet was replying on UDP port 1024 for the INVITE message, which was of course blocked. As soon as I removed this, registration went straight through and calls started routing.

Hope this helps save the headaches that I had.
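
The lesson above is first-match ACL evaluation: the deny at sequence 240 caught iiNet's reply on UDP/1024 even though SIP signalling on 5060 was permitted. The following is an added example, not code from the original post: a small evaluator for extended ACL lines in the shape quoted above, run over a constructed excerpt that combines the two lines from the post with assumed permit entries, so the responsible ACE for each flow can be seen before removing anything.

```python
# Added example, not from the original post: first-match evaluation of
# "<seq> permit|deny <proto> any any [eq <port>]" ACEs, to show why a SIP
# reply to UDP/1024 was dropped while TCP/5060 still counted hits.
import re

# Constructed excerpt in the post's format (the real ACL had many more lines);
# sequence 10 and 240 are the lines quoted in the post, the others are assumed.
ACL_TEXT = """
10 permit tcp any any eq 5060
20 permit udp any any eq 5060
240 deny udp any any eq 1024
250 permit ip any any
"""

ACE_RE = re.compile(
    r"^(\d+)\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\d+))?$")

def parse_acl(text):
    """Return a list of (seq, action, proto, dst_port_or_None) in listed order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        seq, action, proto, port = m.groups()
        aces.append((int(seq), action, proto, int(port) if port else None))
    return aces

def evaluate(aces, proto, dst_port):
    """First matching ACE wins; an IOS ACL ends in an implicit deny."""
    for seq, action, ace_proto, port in aces:
        proto_ok = ace_proto == "ip" or ace_proto == proto
        port_ok = port is None or port == dst_port
        if proto_ok and port_ok:
            return action, seq
    return "deny", None   # implicit deny, no sequence number

def check_flows(aces, flows):
    """Return (proto, port, seq) for each flow that is NOT permitted."""
    return [(proto, port, evaluate(aces, proto, port)[1])
            for proto, port in flows
            if evaluate(aces, proto, port)[0] == "deny"]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # SIP signalling to iiNet plus the reply port observed in the post.
    print(check_flows(acl, [("udp", 5060), ("tcp", 5060), ("udp", 1024)]))
```

Running it lists only ("udp", 1024, 240), pointing straight at the borrowed virus-port entry.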

Categories: Networking

Blackberry Storm tethered on Vodafone

January 21st, 2009 Comments off

Recently I purchased the Blackberry Storm which is exclusive to Vodafone here in Australia.

I have had some problems finding the initialisation commands for Vodafone in Australia.

Here is the process.

Installing the Blackberry Storm will install 3 modems:
- Standard 33600 bps Modem
- Standard 33600 bps Modem #2
- Standard Modem

Leave the first two alone, but under the standard modem in the advanced properties, enter:

+cgdcont=,,"vfinternet.au"

Next create a new manual internet connection and when it asks for a password enter *99# and do not enter any username or password

Open up the Blackberry Desktop Manager, connect to the new connection and away you go :)

Categories: IT

Great Quote

December 22nd, 2008 Comments off

I found a great quote on the Ubuntu security forums today.

I have been toying with the idea of setting up SNORT and managed AV and found this at the beginning of the tutorial.

“Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia” ~ Pete Granger

This quote so easily spells out the best approach to IT security.

Genius.

Categories: Security

Cisco CME iiNet Configuration

November 30th, 2008 Comments off

//EDIT
Fixed, see above posts.

//EDIT
It looks like something is wrong in this config. CME works perfectly; however, the SIP registration fails, and for some reason I never receive a SIP INVITE. So be wary when using this config.

I have had my Cisco 2621XM working with Call Manager Express for some time now, and have had calls routing through iiNet’s SIP servers; however, recently I lost some configuration and had to rebuild it again.

So I have decided to post it up here.

Note that this is only the SIP and CME configuration and heaps more is needed to actually run the router.

aaa authentication login LOCAL_AUTH local
aaa session-id common
!
ip dhcp pool p900
network 10.5.0.0 255.255.0.0
dns-server 203.0.178.191
default-router 10.5.0.1
option 150 ip 10.5.0.1
domain-name cme
!
voice service voip
sip
localhost dns:iinetphone.iinet.net.au
!
!
voice class codec 1
codec preference 1 g729br8
voice translation-rule 1
rule 1 /02XXXXXXXX/ /02XXXXXXXX/
rule 2 /XXXXXXXX/ /02XXXXXXXXX/
!
voice translation-rule 2
rule 1 /02XXXXXXXX/ /XXXXXXXX/
!
!
voice translation-profile Incoming_Number
translate called 2
!
voice translation-profile Outgoing_Number
translate calling 1
!
tftp-server flash:P00308000400.bin
tftp-server flash:P00308000400.loads
tftp-server flash:P00308000400.sb2
tftp-server flash:P00308000400.sbn
!
sccp ccm 10.5.0.1 identifier 1
!
sccp ccm group 1
associate ccm 1 priority 1
!
!
dial-peer voice 1 voip
description STD Calls
translation-profile incoming Incoming_Number
translation-profile outgoing Outgoing_Number
destination-pattern .T
voice-class codec 1
session protocol sipv2
session target dns:sip.nsw.iinet.net.au
dtmf-relay sip-notify rtp-nte
no vad
!
!
sip-ua
authentication username 02XXXXXXXX password XXXX realm iinetphone.iinet.net.au
no remote-party-id
retry invite 4
retry response 3
retry bye 2
retry cancel 2
retry register 5
timers register 300
mwi-server dns:sip.nsw.iinet.net.au expires 3600 port 5060 transport udp unsolicited
registrar dns:sip.nsw.iinet.net.au expires 3600
sip-server dns:sip.nsw.iinet.net.au
!
!
telephony-service
load 7960-7940 P00308000400
max-ephones 5
max-dn 5
ip source-address 10.5.0.1 port 2000
system message CCM4
time-format 24
date-format dd-mm-yy
voicemail 9999
mwi relay
max-conferences 4 gain -6
moh flash:music-on-hold.au
web admin system name XXXX XXXX
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern ....
directory entry 1 0001 name XXXX
create cnf-files version-stamp 7960 Oct 14 2008 07:28:46
!
!
ephone-dn  1  dual-line
number 02XXXXXXXX
label Main Phone
description Main Phone
name Main Phone
no huntstop
!
!
ephone  1
description Home 7940
mac-address 0011.93B6.CE9C
speed-dial 1 04XXXXXXXX label XXXX
type 7940
button  1:1

Categories: Networking

Call Manager Time Zones

October 12th, 2008 Comments off

As part of my current job, I manage IP telephony for a building with about 600 endpoints.

In .AU we go from +10GMT to +11GMT for daylight savings, which comes into effect the first Sunday of October. When we swapped over the times for daylight savings we noticed that some of the phones pull time from different sources. I searched for a definitive answer but couldn't find one in time.

Here is what we experienced. We run Cisco Call Manager 4.2(3)sr3a. The 7970 and 7975s pull time directly from the Windows taskbar time. So whatever time is showing on the taskbar is the time that will be shown on the 70s and 75s. The 7906, 7940 and 7960 are a bit different. They seemed to pull the time from the CCM Date/Time group. The DT group is influenced by the Windows time; however, the DTG will apply DST automatically.

This is what we experienced. If Windows was set at +10GMT and the DTG was also set at +10GMT (both in the Sydney TZ) and the time was 1PM, the 7Xs would show 1PM but all other phones would show 2PM. This is because the DT group thinks: hey, Windows is +10GMT, but I know we're in DST, so I will apply another hour.

We were worried about placing either the Windows or CCM time in different TZ’s for logging reasons. If something was to happen down the track, the logs still need to reflect the right time.

I believe that these inconsistencies may have been caused by a number of factors, including old firmware versions and Windows patches not being applied. However, due to this being a production network, upgrades on the fly are risky to do.

The fix here was to apply +10GMT(Syd) to Windows, set at the right time, and also +10GMT to CCM, but place it in the Brisbane TZ. This removed the errors as Brisbane does not participate in DST, but also kept both times at +10 to satisfy the logs.

Hope this helps someone.

Categories: Networking