[Voptalk] RE: Looking for Unique VOIP tools.

Gould, Aaron aaron.gould at ngc.com
Tue Mar 27 13:02:42 EDT 2007 

i'll share this peter, but on one condition, you let me test and use your unistim tools and utilities once you get them ready for trial/release (please)  :)   btw, do you remember me?  i was doing some sip/h323 voip vulnerability anlysis work 4 or 5 months ago and you and i passed email occassionally....matter of fact i think we may have even spoke on the phone at some point.....anyway
 
if you are going to capture unistim (nortel proprietary voip sig prot) and it's carrier protocol rudp (nortel's proprietary sequencing mechanism real-time udp) which rides over standard udp.....so it's unistim over rudp over udp....you'll need ethereal 0.10.9 http://oldapps.com/Wireshark.php with the attached plugin.....Install this plugin .dll in the directory <Ethereal install dir>\plugins\0.10.9 ... e.g.  C:\Program Files\Ethereal0109\plugins\0.10.9    ....from what i saw it will overwrite the existing rudp.dll file which is fine   ....using wireshark 0.99.4 i see unistim packets erroneously as Cross Point Frame Injector (CPFI) PDU's.....i searched hi and low for a ethereal/wireshark decode and this is what i've come up with.
 
i currently have a live Nortel VoIP network that I test with...... i2050 softphone and i2004 regular (grey) and phase 2 (black) hardphones also 2 seperate Nortel IP PBX (like call management systems).... 1 - BCM200 (business communications manager 200) and 2 - CS1K for short....or Communications Server 1000....also known as Succession 1000S.....which is comprised of a Sig Server (runs VXWorks OS on a intel platfrom) and this sig srv communicates with a Nortel Call Server which is a 1 slot chassis which has the SSC processor for call routing.  The sig srv is where the unistim dialogues take place and the phones register, i think it does some sort fo unistim proxying and communicates with the call server on the backend over a seperate out of band lan (could be a vlan, which is what it is in my case)....i never really sniffed that sig server to call server traffic to see if it's some other protocol
 
i have some sniffs of i2050 registration.....then i2050 calling i2004.....etc
 
i2050 softphone registering with Succession 1000/CS1K (udp port 4100 on CS1K and udp port 5000 on i2050, then switches to, still udp/5000 on i2050 but udp 7300 on CS1K, then switches again to still udp/5000 on i2050 but udp/5100 on cs1k.....i have the .cap files showing all these dialogues
 
Aaron

________________________________

From: voptalk-bounces at lists.vopsecurity.org on behalf of Peter Thermos
Sent: Mon 3/26/2007 9:37 PM
To: voptalk at lists.vopsecurity.org
Subject: [Voptalk] RE: Looking for Unique VOIP tools.



It will also be helpful even if someone can capture UNISTIM traffic.
I can develop some utilities around it.

Peter

> -----Original Message-----
> From: Nimrod Sasson [mailto:NimrodS at comsecglobal.com]
> Sent: Monday, March 19, 2007 5:16 AM
> To: pthermos at vopsecurity.org; Shawn Merdinger;
> voptalk at lists.vopsecurity.org
> Subject: Looking for Unique VOIP tools.
>
> Do you know any tools for Cisco (skinny) and Nortel (Unistim) tools?
> They use specific protocol which is based on SIP and H323,
> but they changed Something and many of the tools get only noises.
>
> Thanks a lot
>
> Nimrod.
>
>
> -----Original Message-----
> From: voptalk-bounces at lists.vopsecurity.org
> [mailto:voptalk-bounces at lists.vopsecurity.org] On Behalf Of
> Peter Thermos
> Sent: Thursday, March 15, 2007 9:30 PM
> To: 'Shawn Merdinger'; voptalk at lists.vopsecurity.org
> Subject: RE: [Voptalk] New: VoIP Security tools list
>
> Thanks Shawn!
>
> Just a note to the group, SIVus fits in all the following categories:
>
> -VoIP Scanning and Enumeration Tools
> -VoIP Packet Creation and Flooding Tools -VoIP Fuzzing Tools
> -VoIP Signaling Manipulation Tools
>
> although it is listed only under VoIP Scanning and Enumeration Tools.
> 
> Peter
>
> > -----Original Message-----
> > From: voptalk-bounces at lists.vopsecurity.org
> > [mailto:voptalk-bounces at lists.vopsecurity.org] On Behalf Of Shawn
> > Merdinger
> > Sent: Thursday, March 15, 2007 1:29 AM
> > To: voptalk at lists.vopsecurity.org
> > Subject: [Voptalk] New: VoIP Security tools list
> >
> > FYI -- hope this is useful for folks :)
> >
> > Thanks,
> > --scm
> >
> > ---------- Forwarded message ----------
> > From: David Endler <david.endler at voipsa.org>
> > Date: Mar 14, 2007 8:34 AM
> > Subject: New: VoIP Security tools list
> > To: pen-test at securityfocus.com
> >
> >
> > The VoIP Security Alliance (VOIPSA) is pleased to announce
> the public
> > release of its VoIP security tool list.  Check it out at:
> >
> > http://www.voipsa.org/Resources/tools.php
> >
> > This list was developed to address the current void of VoIP
> security
> > testing resources and sites, for vendors and VoIP users
> alike.  It is
> > separated into the following seven broad
> > categories:
> >
> >   * VoIP Sniffing Tools
> >   * VoIP Scanning and Enumeration Tools
> >   * VoIP Packet Creation and Flooding Tools
> >   * VoIP Fuzzing Tools
> >   * VoIP Signaling Manipulation Tools
> >   * VoIP Media Manipulation Tools
> >   * Miscellaneous Tools
> >
> > Special thanks to VOIPSA members Shawn Merdinger and Dustin
> Trammell
> > who created the list and have graciously agreed to maintain it. For
> > more information about the tools list, you can listen to
> Dan York and
> > Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn
> > Merdinger in Blue Box Special Edition #16 both available at
> > http://www.blueboxpodcast.com <http://www.blueboxpodcast.com/> 
> >
> >
> > David Endler
> > VOIPSA Chairman
> > http://www.voipsa.org <http://www.voipsa.org/> 
> >
> > --About VOIPSA
> > The Voice over IP Security Alliance (VOIPSA) aims to provide VoIP
> > security related resources through a unique collaboration
> of VoIP and
> > Information Security vendors, providers, and thought
> leaders. VOIPSA's
> > mission is to drive adoption of VoIP by promoting the
> current state of
> > VoIP security research, VoIP security education and awareness, and
> > free VoIP testing methodologies and tools.
> > _______________________________________________
> > - The VoPSecurity Forum -
> >
> > To post a message to the mailing list send an email to [
> > voptalk_at_lists.vopsecurity.org ]
> >
>
>
> _______________________________________________
> - The VoPSecurity Forum -
>
> To post a message to the mailing list send an email to [
> voptalk_at_lists.vopsecurity.org ]
> **************************************************************
> ************************************
> The contents of this email and any attachments are confidential.
> They are intended for the named recipient(s) only.
> If you have received this email in error please notify the
> system manager or  the
> sender immediately and do not disclose the contents to anyone
> or make copies.
>
> ** eSafe scanned this email for viruses, vandals and
> malicious content. **
> **************************************************************
> ************************************
>
>


_______________________________________________
- The VoPSecurity Forum -

To post a message to the mailing list send an email to [
voptalk_at_lists.vopsecurity.org ]


-------------- next part --------------
------------------------------------------------------------------------
Installation:
* Install this plugin .dll in the directory
  <Ethereal install dir>\plugins\0.10.9

  Eg:  C:\Program Files\Ethereal0109\plugins\0.10.9


------------------------------------------------------------------------
Mar 21, 2005	v282
* Bug fix for Network Manager Server Info Report msg.
* Update for encrypted rudp header.
* Built for ethereal-0.10.9

------------------------------------------------------------------------
Mar 10, 2005	v281
* Bug fix for intermittant missing INFO column
* Built for ethereal-0.10.9

------------------------------------------------------------------------
Feb 25, 2005	v280
* Updates to decode UNIStim spec 2.8.
* Built for ethereal-0.10.9

------------------------------------------------------------------------
Sep 20, 2004	v276
* Bug fix for AEM Icon Update msg.
  Icon state and cadence not decode properly.
* Built for ethereal-0.10.2

------------------------------------------------------------------------
Sep 13, 2004	v275
* Bug fix for Network Manager Server Info Report msg.
  Only one server id element in msg.
* Built for ethereal-0.10.2

------------------------------------------------------------------------
May 17, 2004	v274
* Add support for uftp.
* Built for ethereal-0.10.2

------------------------------------------------------------------------
Mar 18, 2004	v273
* Bug fix for rudp payload length
* Built for ethereal-0.10.2

------------------------------------------------------------------------
Nov 04, 2003	v272
* Bug fix for Audio Mgr: Mute/Unmute msg.
  Parsing rx/tx corrected to be tx=0; rx=1;
* Built for ethereal-0.9.16.

------------------------------------------------------------------------
Jun 11, 2003	v271
* Full decoding of UNIStim spec 2.7.
* Built for ethereal-0.9.8. (also runs upto 0.9.15)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rudp.dll
Type: application/octet-stream
Size: 394752 bytes
Desc: rudp.dll
Url : http://lists.vopsecurity.org/pipermail/voptalk/attachments/20070327/fe256bef/rudp-0001.obj

More information about the Voptalk mailing list