Video and VOIP Vulnerabilities

We have all seen the bad movies where the bad guys intercept a video feed from the security cameras and replace the live stream with a looped fake. This was possible on simple analog CCTV networks but was assumed to be hard once video moved to streaming over large IP networks. With the tools described below, it is now relatively trivial.

Most of these attacks can be mitigated by using VLANs to separate voice and video traffic from the data network. Unfortunately, tools exist for VLAN hopping. For VoIP-specific use, VoIP Hopper (http://voiphopper.sourceforge.net) can be used to gain access to the Voice VLAN by emulating a Cisco, Avaya or Nortel IP phone. Most commonly, it sniffs or spoofs the IP phone's CDP exchange to learn the Voice VLAN ID (VVID) and then creates a new 802.1Q-tagged virtual interface on that VVID. Once the attacker is on the VLAN containing the voice or video endpoints, VideoJak (http://videojak.sourceforge.net), UCSniff (http://ucsniff.sourceforge.net) or other applications can be used for interception, man-in-the-middle attacks, replay, or whatever else is desired. Increasingly, such tools roll VLAN hopping into their own functionality for ease of use.

UCSniff

UCSniff has two modes. Monitoring mode is of only mild interest: unless the enterprise is using hubs or has a SPAN port turned on, the attacker sees only traffic addressed to his own port, so it is not a serious threat (it becomes more worrisome if the attacker gains access to the switches and can configure SPAN himself). Man-in-the-Middle (MitM) mode is the real concern. UCSniff works by ARP poisoning the segment so that both endpoints send their traffic through the attacker's machine, which forwards it on. Unless the enterprise is specifically monitoring for ARP poisoning, the effect is entirely transparent to the user. The most effective hostile deployment is to unplug an IP phone and connect a laptop running UCSniff in its place. This usually guarantees being on the Voice VLAN and therefore bypasses any need for VLAN hopping. Once on the Voice VLAN and in MitM mode, a malicious user can passively intercept, jam, alter, or otherwise manipulate the voice and video streams as they see fit using the tool, targeting a specific user or a specific conversation. UCSniff incorporates automatic VLAN discovery via CDP as well as VLAN hopping capabilities.

Another interesting use of the tool, in a Cisco Unified IP Phone environment, is to collect corporate directories. These directories are very helpful in mapping names to specific devices and give a hostile party a more concise list of targets. This is done through an incorporated tool called ACE (Automated Corporate Enumerator), which mimics the behavior of a phone's directory lookup to acquire all of the personnel information in a very short period of time.

One noticeable method of detection is the cessation of UCSniff without re-ARPing the targeted clients. Their ARP caches still point at the attacker's MAC address, so they all lose connectivity at once and appear to have crashed. If all IP phones drop at the same time without any corresponding server or network issue, a hostile party using ARP poisoning may have disconnected without restoring the clients' original ARP entries.
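The countermeasure that actually catches the attack described above is to watch ARP traffic for the two things a poisoner cannot avoid: an IP address that suddenly "moves" to a different MAC, and one MAC that claims to be many hosts at once. The following detector is an added example, not code from the original post or from UCSniff; it parses constructed `tcpdump -n arp` style lines (not a real capture) and seeds a known-good binding for an assumed gateway at 10.10.100.1, then reports both conditions.

```python
import re
from collections import defaultdict

# Matches tcpdump's ARP reply lines, e.g.
#   10:01:00.000101 ARP, Reply 10.10.100.1 is-at 00:1a:2b:3c:4d:01, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Known-good bindings you would seed from an inventory or the switch's DHCP
# snooping table. The gateway address and MAC below are assumed for the example.
STATIC_BINDINGS = {"10.10.100.1": "00:1a:2b:3c:4d:01"}

# Constructed sample (not a real capture): the gateway and two phones announce
# themselves, then 00:0c:29:ab:cd:ef re-announces all three as itself.
SAMPLE_LINES = """\
10:01:00.000101 ARP, Reply 10.10.100.1 is-at 00:1a:2b:3c:4d:01, length 28
10:01:01.004412 ARP, Reply 10.10.100.21 is-at 00:1b:54:aa:bb:21, length 28
10:01:01.009870 ARP, Reply 10.10.100.22 is-at 00:1b:54:aa:bb:22, length 28
10:01:05.210004 ARP, Reply 10.10.100.1 is-at 00:0c:29:ab:cd:ef, length 28
10:01:05.210330 ARP, Reply 10.10.100.21 is-at 00:0c:29:ab:cd:ef, length 28
10:01:05.210655 ARP, Reply 10.10.100.22 is-at 00:0c:29:ab:cd:ef, length 28
10:01:06.000000 ARP, Request who-has 10.10.100.23 tell 10.10.100.1, length 28
"""


def detect_arp_poisoning(lines, static=STATIC_BINDINGS, max_ips_per_mac=2):
    """Return a list of (timestamp, kind, detail, offending_mac) alerts.

    First-seen bindings are kept (like arpwatch's "flip flop" logic) so that a
    later reply claiming a different MAC for the same IP raises an alert; a
    reply contradicting a static entry is reported separately because it is
    never legitimate. A MAC that claims more than max_ips_per_mac addresses is
    reported once, when it crosses the threshold.
    """
    bindings = dict(static)            # IP -> MAC, seeded with the static entries
    ips_by_mac = defaultdict(set)      # MAC -> set of IPs it has claimed
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue                   # requests and non-ARP lines are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            kind = "static-binding-violation" if ip in static else "binding-changed"
            alerts.append((ts, kind, f"{ip} moved from {known}", mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append((ts, "mac-claims-many-ips",
                           ",".join(sorted(ips_by_mac[mac])), mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_LINES.splitlines()):
        print(*alert)
```

Run it against a live feed with `tcpdump -n -l arp | python3 detector.py` style piping (reading stdin instead of `SAMPLE_LINES`), or point it at the ARP table exported by the switch. The threshold of two addresses per MAC is deliberately low for a voice VLAN, where a phone should only ever speak for itself; raise it on segments that legitimately carry routers or virtual hosts.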

VideoJak

VideoJak is a lightweight tool specifically designed for IP video hijacking or denial of service. Its purpose is to intercept a video feed, capture a stream, and then replay it on the network in place of the live picture. It can also be used to intentionally degrade IP video traffic to varying levels. It is a very simple and straightforward application, but with problematic implications for IP video surveillance and security systems.

Auxiliary Methods

A cruder but effective method is to use Wireshark to capture CDP packets, look for the “VoIP VLAN Reply” TLV, and use the Linux vlan utility (http://www.candelatech.com/~greear/vlan/vlan.1.9.tar.gz) or VoIP Hopper to tag one's own traffic with the VLAN ID found in the captured packets. If a switch is insecurely configured, flooding its CAM table can make the switch behave like a hub, allowing an attacker to intercept additional communication.
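What Wireshark shows as “VoIP VLAN Reply” is CDP TLV type 0x000E, whose value is one "data" byte followed by the 16-bit voice VLAN ID. The following is an added example, not code from the original post or from the VoIP Hopper project: it builds a constructed CDP frame of the kind a switch configured with a voice VLAN advertises (no real capture is used, and the CDP checksum is left at zero and not verified), walks the TLVs to pull out the VVID, and prints the iproute2 commands that VoIP Hopper and the vlan utility automate. The interface name `eth0` and the Linux `ip link`/`dhclient` commands are assumptions.

```python
import struct

# Ethernet multicast address that Cisco Discovery Protocol frames are sent to.
CDP_MULTICAST = bytes.fromhex("01000ccccccc")
# LLC (DSAP/SSAP 0xAA, control 0x03) + SNAP (Cisco OUI 00:00:0c, protocol ID 0x2000).
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")

TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_NATIVE_VLAN = 0x000A
TLV_VOIP_VLAN_REPLY = 0x000E   # what Wireshark labels "VoIP VLAN Reply"


def tlv(tlv_type, value):
    """Encode one CDP TLV; the length field includes the 4-byte type/length header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(device_id, port_id, voice_vlan, native_vlan=1,
                    src_mac=bytes.fromhex("0011aabbcc01")):
    """Constructed sample frame, shaped like a switch's CDP advertisement.
    The checksum is written as zero; this example neither computes nor verifies it."""
    body = (tlv(TLV_DEVICE_ID, device_id.encode())
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan))
            # Reply value: one 'data' byte, then the 16-bit voice VLAN ID.
            + tlv(TLV_VOIP_VLAN_REPLY, b"\x01" + struct.pack("!H", voice_vlan)))
    cdp = struct.pack("!BBH", 2, 180, 0) + body          # version 2, TTL 180 s, checksum 0
    payload = LLC_SNAP_CDP + cdp
    # 802.3 header: dst, src, then a length field (not an EtherType) for LLC frames.
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp(frame):
    """Return the interesting TLVs of a CDP frame as a dict, or None if it is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST or frame[14:22] != LLC_SNAP_CDP:
        return None
    cdp = frame[22:]
    version, ttl, _checksum = struct.unpack("!BBH", cdp[:4])
    info = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(cdp):
        tlv_type, length = struct.unpack("!HH", cdp[off:off + 4])
        if length < 4 or off + length > len(cdp):
            break                                         # malformed TLV: stop, do not loop forever
        value = cdp[off + 4:off + length]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_NATIVE_VLAN and len(value) >= 2:
            info["native_vlan"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == TLV_VOIP_VLAN_REPLY and len(value) >= 3:
            info["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
        off += length
    return info


def hop_commands(iface, info):
    """The steps VoIP Hopper automates, as Linux iproute2 commands (assumed environment)."""
    if "voice_vlan" not in info:
        return []                                         # nothing advertised: nothing to hop to
    vvid = info["voice_vlan"]
    sub = f"{iface}.{vvid}"
    return [f"ip link add link {iface} name {sub} type vlan id {vvid}",
            f"ip link set {sub} up",
            f"dhclient {sub}"]


if __name__ == "__main__":
    sample = build_cdp_frame("switch01.example", "GigabitEthernet1/0/7", 200, native_vlan=10)
    parsed = parse_cdp(sample)
    print(parsed)
    for cmd in hop_commands("eth0", parsed):
        print(cmd)
```

To apply `parse_cdp` to real traffic, feed it raw frames from a capture file or a raw socket bound to the access port; the switch only advertises the voice VLAN on ports configured with `switchport voice vlan`, which is why disabling CDP (or not configuring a voice VLAN on ports that do not need one) removes this shortcut.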

Countermeasures for a Cisco environment:

• Turn off CDP if possible

• Do not use default VLANs under any circumstances

• Restrict VLAN trunking to strictly the VLANs used on that specific switch

• Turn on BPDUguard and rootguard

• Set switchport port-security to limit the MAC addresses allowed per port, which prevents CAM table flooding; note that it does not stop ARP poisoning by itself, since the poisoner uses its own MAC address, so pair it with DHCP snooping and Dynamic ARP Inspection where the platform supports them

• Apply a VTP domain password

• Monitor for ARP poisoning

• Isolate corporate phone networks from phones in public spaces

• Follow Cisco’s Phone Hardening guidelines (http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/4_0_1/secuphne.pdf)

• Follow NSA’s Switch Configuration Guide (http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf)
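Several of the items in the list above can be verified directly from a switch's running configuration. The script below is an added example, not from the original post or from Cisco; it runs over a constructed Catalyst-style configuration excerpt (not a real device) and reports ports that would let the attacks above succeed: no explicit `switchport mode` (so DTP can negotiate a trunk), access ports left on VLAN 1, missing port-security, missing BPDU guard, trunks with no allowed-VLAN list or with native VLAN 1, and missing root guard. It does not check the VTP password, which IOS does not show in the running configuration, or the phone-hardening items, which live on the call manager rather than the switch.

```python
# Constructed running-config excerpt for a Catalyst access switch (not a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description Lobby phone, hardened
 switchport access vlan 10
 switchport voice vlan 100
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description Conference room, factory defaults
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
end
"""


def parse_config(text):
    """Split an IOS-style config into global commands and per-interface command lists."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' ends a stanza in IOS output
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def _last_int(lines, prefix, default):
    """Value of the last line starting with prefix (e.g. 'switchport access vlan 10'), or default."""
    value = default
    for line in lines:
        if line.startswith(prefix):
            value = int(line.split()[-1])
    return value


def audit_config(text):
    """Return a list of (scope, finding) for the hardening items visible in the config."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "no cdp run" not in global_lines:
        findings.append(("global", "CDP is enabled globally; use 'no cdp run', or "
                                   "'no cdp enable' on every port that has no IP phone"))
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    for name, lines in interfaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            findings.append((name, "no fixed 'switchport mode'; DTP can negotiate this port into a trunk"))
        if mode == "trunk":
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk carries every VLAN; restrict with 'switchport trunk allowed vlan'"))
            if _last_int(lines, "switchport trunk native vlan", 1) == 1:
                findings.append((name, "native VLAN is the default VLAN 1"))
            if "spanning-tree guard root" not in lines:
                findings.append((name, "root guard not enabled on trunk"))
        else:
            if _last_int(lines, "switchport access vlan", 1) == 1:
                findings.append((name, "access VLAN is the default VLAN 1"))
            if "switchport port-security" not in lines:
                findings.append((name, "port-security not enabled (CAM table flooding possible)"))
            if not global_bpduguard and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "BPDU guard not enabled on access port"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

On the sample, the hardened phone port produces no findings, the factory-default port produces four, and the unrestricted trunk three, plus the global CDP note. Feed it the output of `show running-config` from each access switch to get the same report for a real estate; treat the CDP finding as informational on ports that carry Cisco phones, which need CDP for the voice VLAN and power negotiation.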


2 Responses to “Video and VOIP Vulnerabilities”

  1. Ivan says:

    This is an excellent and well researched article.
    Thank you for this, I don’t usually comment but I want to show some real appreciation for your posts.

  2. Sara Fox says:

    Hi – I don’t comment on many blogs but had to on yours. It’s very well-done! I really like how you write – very to the point, unlike a lot of other sites. Thanks for having this site. I’ll bookmark it and visit regularly. Keep up the fine work!
