\0x90\0x90\0x90

Security | 2009-10-24 03:30:50

After playing with UCSniff 3.0, as detailed in my last entry, I still got the error:

Not saving conversation media file because either forward or reverse media not received.

This caused ucsniff to only generate a forward wave file.

I looked around for a solution, but it was already built into ucsniff.

One of the problems with this new UCSniff feature is that it is ineffective against intercepting any Skinny messages from the phone to the network. This is because the IP Phone ARPs for its remote IP gateway when it boots up and registers for the first time, and any subsequent spoofed ARP packets are ineffective.

All we have to do is run:

ucsniff -i eth0.20 --tftpm -T -D

One thing that I observed was that --tftpm would only be correctly applied in targeted mode. Even though we can target using the ettercap options /x/ //, it still wouldn't work.

When it works properly it will show:

Receiving SEP CNF XML file via TFTP MitM attack
Modified the GARP Setting to GARP Enabled
UCSniff running GARP Disablement bypass flood for IP Phone xxxx

You can still target a single host MitM without ARPing the whole VLAN by generating a targets.txt file.

I may make a basic bash script and post it for generating a targets.txt file, but it's easily hand-editable and would show something like:

XXXX.XXXX.XXXX.XXXX,ext,name,sccp
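
From the defender's side, the spoofed ARP traffic and the flood reported in the tool output above are visible on the voice VLAN as a second MAC claiming the gateway IP and a burst of ARP replies for it. The following is an added example, not part of the original post or of UCSniff; the sample events, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample observations (not from the post):
# (time_s, opcode, sender_mac, sender_ip, target_ip); opcode 1 = request, 2 = reply.
SAMPLE = [
    (0.0, 1, "00:1b:54:aa:aa:01", "10.0.20.50", "10.0.20.1"),  # phone asks for gateway
    (0.1, 2, "00:00:0c:07:ac:14", "10.0.20.1", "10.0.20.50"),  # real gateway answers
] + [
    # a different MAC repeatedly answering for the gateway IP
    (1.0 + i * 0.05, 2, "00:0c:29:bb:bb:02", "10.0.20.1", "10.0.20.50")
    for i in range(40)
]

def detect(events, window=2.0, max_replies=10):
    """Return alerts for IP/MAC binding conflicts and ARP reply floods.

    window (seconds) and max_replies are assumed thresholds; tune per VLAN.
    """
    bindings = {}                 # ip -> first MAC seen claiming it
    recent = defaultdict(deque)   # (mac, ip) -> timestamps of recent replies
    alerts, seen = [], set()
    for ts, op, mac, sip, tip in events:
        known = bindings.setdefault(sip, mac)
        # A new MAC claiming an IP that is already bound to another MAC.
        if known != mac and ("conflict", sip, mac) not in seen:
            seen.add(("conflict", sip, mac))
            alerts.append(("conflict", ts, sip, known, mac))
        if op != 2:
            continue
        # Sliding-window count of replies from this MAC for this IP.
        q = recent[(mac, sip)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_replies and ("flood", sip, mac) not in seen:
            seen.add(("flood", sip, mac))
            alerts.append(("flood", ts, sip, mac, len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In production the first binding for the gateway should come from a trusted source such as a static entry or DHCP snooping data rather than from the first packet seen.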