UCSniff is a tool for testing the security of a VoIP (unified communications) environment. It runs on Linux and has two main modes for testing the vulnerability:
- Monitor mode
- Man-in-the-middle mode
Monitor mode works like any network packet sniffer. It listens to all frames arriving on a switch port and builds a single conversation file from the RTP packets it recovers. In this mode, however, you need either to place a hub that will carry the traffic generated by the IP phone, or to configure a monitor (mirror) port on the switch in question. Note that this method has no possible side effects on the system: it is completely passive.
The man-in-the-middle attack consists of inserting the attacker's machine between two machines that exchange traffic, as transparently as possible. In our case, this is done by ARP poisoning (ARP spoofing).
On an Ethernet network, when a machine tries to reach another machine using its IP address, it uses the ARP protocol to learn the destination MAC address associated with the IP address it is trying to reach. In an ARP poisoning attack, the attacker generates ARP reply packets telling the source machine that the IP address it is trying to reach is associated with the attacker's own MAC address. The source machine then stores this association in its ARP cache for a while, to speed up subsequent exchanges.
Of course, this attack is only possible when the attacker and the source machine are in the same broadcast domain.
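From the defender's side, the poisoning described above leaves a simple trace: the same IP address is announced in ARP replies with two different MAC addresses. The following is an added example (not code from the article or from UCSniff) of a minimal ARP-reply monitor that parses raw Ethernet/ARP frames and flags that pattern; the frames and the MAC/IP values are constructed inline so it runs offline.

```python
# Added example: detect ARP cache poisoning by tracking IP -> MAC bindings
# seen in ARP replies and alerting when an IP changes MAC. All addresses
# and frames below are constructed sample data, not captured traffic.
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet/ARP reply frame (used here to construct samples)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def detect_poisoning(frames):
    """Alert (ip, first_mac, new_mac) when an ARP reply rebinds a known IP."""
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample: phone A, phone B, and a third host claiming B's IP.
PHONE_A_MAC, PHONE_A_IP = bytes.fromhex("aaaaaaaaaaaa"), bytes([10, 0, 0, 10])
PHONE_B_MAC, PHONE_B_IP = bytes.fromhex("bbbbbbbbbbbb"), bytes([10, 0, 0, 20])
OTHER_MAC = bytes.fromhex("cccccccccccc")
SAMPLE_FRAMES = [
    build_arp_reply(PHONE_B_MAC, PHONE_B_IP, PHONE_A_MAC, PHONE_A_IP),  # legit
    build_arp_reply(OTHER_MAC, PHONE_B_IP, PHONE_A_MAC, PHONE_A_IP),    # forged
]

if __name__ == "__main__":
    for ip, old, new in detect_poisoning(SAMPLE_FRAMES):
        print(f"ALERT: {ip} moved from {old} to {new}")
```

On a real switch port the same logic would be fed from a raw socket or a pcap capture; tools such as arpwatch apply this approach at scale.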
UCSniff therefore performs the ARP poisoning on the LAN in order to intercept, almost transparently, the RTP packets exchanged between two phones when a call is set up.
There are a few subtleties in how UCSniff is used; it allows, for example, selecting a man-in-the-middle target so as to intercept all the communications of a particular user. I invite you to discover its usage directly on the UCSniff page: http://ucsniff.sourceforge.net/usage.html
Finally, UCSniff integrates a few rather interesting modules:
- VLAN Hopping: automatically discovers the VLAN ID assigned to IP telephony in a Cisco environment and tags Ethernet frames directly into that VLAN.
- ARP Saver: restores the original ARP entries by re-injecting ARP packets with the correct associations.
Finally, it should be noted that the man-in-the-middle method can cause a DoS and therefore a service interruption. I am inclined to recommend this tool for testing purposes only, and only by people with the authorization of the network administrator.