x90 - BT4 + EEE 701 + VLAN Hopping + UCSniff 3.0

xchg eax, eax

BT4 + EEE 701 + VLAN Hopping + UCSniff 3.0

Security | 2009-10-23 07:23:35

As part of my recently talked about network security course, I’ve been playing with VoIP security, trying to get everything working on my EEE 701.

Previously I gave instructions on running BT3 on a USB with persistence, this worked great on the EEE, however I ran into problems when running voiphopper. The EEE complained about not being able to add the VLAN interface to eth0 and therefore vlanhopping would not work.

ERROR: trying to add VLAN # to IF -:eth0:- error: Invalid argument

I did the usual and modprobed 8021q, checked other dependencies etc but it wouldnt go. The 701 runs an Attansic L2 card and in linux runs under the atl2 driver, so I did some research and found mixed reports on the net about VLAN tagging not being supported on the atl2. After no luck I even contemplated buying a newer netbook with supported hardware.

I’ve got another persitent distro, Ubuntu Netbook Remix, so I decided to test that as the atl2 drivers are built into the kernel and have changed recently. Long story short, VLAN tagging worked in UNR.

I tried to find newer atl2 drivers and load them manually into BT3, but couldnt find any readily and couldnt really be bothered searching too hard. I downloaded BT4 and made another persistent usb drive. Due to the newer Debian kernel used in BT4, VLAN tagging worked without a problem.

VLAN tagging and therefore voiphopper now worked. Next intercepting SCCP conversations. In my previous testing I was using UCsniff 2.4 to record SCCP conversations via ARP poisoning (MitM). This worked infrequently, and in my production environment (Clustered Cisco Call Manager 4.2(sr3a)) complained about GARP being disabled and that it would not record the conversation. Since then i’ve been hanging out for UCSniff 3.0 which was due to be released on the 24/10/09. They released it early! 😀

Another long story short, UCSniff 3.0 works under BT4 under an EEE 701 and happily records SCCP from CCM4.2.

Happy days!

I’ve yet to test packet injection on BT4, but dont expect too many problems with this.

Heres a step by step of the processes involved.

Create persistent BT4 on USB
Followed the directions outlined here:

http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus

VLAN Support + VLAN Hopping

Firstly modprobe to enable VLAN tagging in the environment

modprobe 8021q

Connect to a cisco switchport with a similar switch config

switchport mode access
switchport access vlan 10
switchport voice vlan 20

Try VLAN hopping with voiphopper

voiphopper -i eth0 -c 0

Download and compile UCSniff 3.0
Download UCSniff here:

http://ucsniff.sourceforge.net/

Compiling

tar zxvf ucsniff-3.01.tar.gz
cd ucsniff-3.01
./configure
make
make install

MiTM SCCP
To record all SCCP conversations on the voice VLAN

ucsniff -i eth0.20 --garpdb // //

Or to target a particular IP phone, without enumerating the targets on the voice VLAN first

ucsniff -i eth0.20 --garpdb /XXXX.XXXX.XXXX.XXXX/ //

Finally play back the file from the commandline

play filename.mp3