Skip navigation
Cisco Learning Home > Network Sheriff > 2009 > August > 27
Currently Being Moderated

VOIP Eavesdropping from Start to Finish

Posted by Jimmy Ray Purser on Aug 27, 2009 8:54:56 AM

Eavesdropping VOIP is the equivalent of "Just wait until your Father gets home" on the network. When folks talk about VOIP security they tend to immediately go straight to eavesdropping without considering the more valuable and resellable vectors like Toll Fraud. But without a doubt, eavesdropping is a great demo to do at a trade show or customer pre-sales call. Man, the purchase orders will just start flying out of pockets! Let's just get real here, eavesdropping is a very time consuming process for a low yield. Personally, I will take email over voice for information stealing. Heck, the only real reason for me to eavesdrop is to gather metadata on a SIP call so I can look for other vectors.

 

But what if I wanted to record calls on a VOIP network either for records or just to hack into the network to steal information from Executives to use for insider trading. Of course we can use tools like Cain http://www.oxid.it/cain.html to gather info, but that is really time consuming and with fishing season in full swing, I am looking for a plug in and access remotely VOIP recorder. I can use UCSniff http://ucsniff.sf.net but that is good for local installs. BUT where UCSniff beats other open source products is in video eavesdropping and it is the STUFF….I’ll save that for another blog….  If folks are using Skype, I can download and compile the source for Skype tapping at: http://www.megapanzer.com/2009/08/25/skype-trojan-sourcecode-available-for-download/ but to be honest, this code requires a bunch of work to get up and going. The history behind it is more interesting then the code… Google ERA IT and DigiTask.  For remote VOIP recording, there is only one name that rings true for this type of mission: Oreka. http://oreka.sourceforge.net/

 

Oreka is an open source VOIP recorder that can be used on Windows, Gentoo, Debian and RedHat. It is broken into three parts for scalability on your network:
- OrkAudio: This is the workhorse that processes the calls and does the actual recording
- OrkWeb: This is the XML based Web U/I to access and manage the system
- OrkTrack: This is the master database (MySQL) that records the call records, metadata, etc. You can use other DB's if you are into that sorta thing...

 

It is possible to place each of these on a separate server if you need to. For my deployment, I am placing a central server here in the Tundra of Wisconsin and a OrkAudio recorder in Mainz, Germany so I can test this system with both a-Law and u-Law algorithms.

So lets get started! Clock check: 1042CST too early for a Newcastle and to late for more coffee. I chose to install Oreka on Debian. Like any *nix install it's the dependencies that get ya, so I brushed off my apt-get skills and typed:
sudo apt-get install libace-dev
sudo apt-get install libboost-dev
sudo apt-get install liblog4cxx10-dev
sudo apt-get install libpcap0.8
sudo apt-get install libxerces-c28
sudo apt-get install libsndfile1-dev


I also plan to modify the source code to interact with Cisco Call Manager to use JTAPI and call the Built In Bridge to silently record calls on a SIP trunk. So I also installed:
sudo apt-get install sox
sudo apt-get install g++
sudo apt-get install libtool
sudo apt-get install libxml2-dev
sudo apt-get install automake

 

Now I download the latest and great Oreka binary and installed it on both machines. On the machine in Germany I installed Oreka via
svn co https://oreka.svn.sourceforge.net/svnroot/oreka/trunk oreka both methods worked without a problem. Now I just config the VOIP capture plugins to tell Oreka which IP addresses are phones and which are not.

 

The start up test! Did I install everything? Well lets see; I went to the term and typed: orkaudio and BOOM everything fired off! Woot woot!! I ran few tests to see how it worked here in my lab and I had a few failures, but they were ID10t PEBKAC errors. For example, I couldn't get it to record so checked out the orkaudio.log and I noticed my interface did not start. The majority of the config on OrkAudio is in the config.xml file. So a quick vi config.xml edit to the devices section to add my interface fixed that problem. I webbed into the OrkWeb server at http://myIPaddress:8080/orkweb U:admin P:admin and set the system recorded my very first SIP call and it worked great! PLUS it gathered the metadata and stored it in the OrkTrack DB. Oh yeah...I am liking this BIG TIME!

 

Now I am going to tie the two systems together to see if I have a solid distributed VOIP recorder. The real test is:
- Can I capture both u-Law and a-Law
- I am using a Cisco Call Manager 6 system here and Germany is using a Siemens HiPath
- I need the German system to report into the Wisconsin OrkTrack server.
- Complete this in three Newcastles or less...hopefully more, this is not a hard and fast requirement….

 

To get the systems to talk to the OrkTrack server, once again I jump back into the OrkAudio config.xml file and set the tag line: EnableReporting=TRUE

TrackerHostname=IP Address of OrkTrack server, stop/restart the services.

 

I start the testing and sure enough! Both ends work great!! I needed to config the VOIP plugins a bit different at each end but this system works as advertised. I was easily able to replay calls from the German server thru Audicity and even filter out the **** as well.

 

In the end, my objective was to capture and record remotely. Although, I did this, it was a ton of work. This is a very nice system to record local VOIP calls with. The chances of someone using this to hack your VOIP system remotely are very rare. I tried to do this with a MiTM attack and the call quality was noticeably poor and I dropped more calls then I stole. I need physical access to the network for this to be effective. I had to use a SPAN/Mirror port or network TAP to get bidirectional traffic flow. I used a TAP in my lab and a SPAN port in Germany with equal results on a TEST network. Hey money is tight so if you need a TAP just build one man! You can easily build a passive TAP with the design guide from the Snort folks at: http://www.snort.org/docs/tap/ I would certainly recommend that you get to know Oreka. It has some very nice features, it is easy to set up, config and operate. My next step is to integrate into Call Manager to use the BiB function. Although Oreka is coded in C++ and man do I **** at C++ coding...looks like another Newcastle run...

 

Jimmy Ray Purser

 

Trivia File Transfer Protocol
The Voynich Manuscript believed to be from the 15th century has never been decrypted. It contains maps, recipes, beautiful graphics and nobody knows what even a single word is.

 

Comments (0)