VoIP Sniffing with UCSniff

As the acronym says, VoIP (Voice over IP) runs on IP networks! This means that the protocols used by this technology travel across links and routers like HTTP, SMTP or any other IP-based protocol. With classic telephony (based on copper cables), tapping was very easy to perform but often required physical access to devices and/or cables. And what about VoIP?

UCSniff is a nice tool developed as a PoC to demonstrate the risks of VoIP. It can be used to conduct audits or penetration tests on VoIP networks. It compiles and runs on any Linux and offers an impressive list of features, such as:

  • VoIP Sniffer
  • Automated Voice VLAN Discovery (CDP)
  • VLAN Hopping Support
  • Sniffing across Ethernet Switches
  • Recording and saving of conversations
  • MitM mode (ARP poisoning)
  • Monitor Mode (Span Session, Hub)
  • Tracking and tracing of users, with logging
  • Corporate Directory Tool and functions (ACE)

There are two ways to use it:

Monitor mode – In this case, UCSniff acts as a normal IP sniffer. This means that you need to be able to use a monitoring port or SPAN port on your network. Not very efficient and less interesting.

Man-in-the-Middle mode – This mode is much more fun and will be preferred by pentesters. No network switch reconfiguration is needed, but physical access to an IP phone is required (the phone will be replaced by the host running UCSniff).
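From the defender's side, the ARP poisoning behind the Man-in-the-Middle mode shows up as IP-to-MAC bindings that change and as one MAC address answering for several IPs. The sketch below is an added example, not part of UCSniff or of the original post; the log line format, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: ARP replies seen on a voice VLAN, one per line as
# "<seconds> <sender_ip> <sender_mac>". Addresses come from documentation ranges.
SAMPLE = """\
0.0 192.0.2.1 00:00:5e:00:53:01
1.0 192.0.2.50 00:00:5e:00:53:50
5.0 192.0.2.1 00:00:5e:00:53:aa
5.1 192.0.2.50 00:00:5e:00:53:aa
9.0 192.0.2.60 00:00:5e:00:53:60
"""


def parse(text):
    """Yield (timestamp, ip, mac) tuples from the constructed line format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, ip, mac = parts
        yield float(ts), ip, mac.lower()


def find_arp_anomalies(records):
    """Return (rebinds, shared).

    rebinds: (ts, ip, baseline_mac, new_mac) for each reply that contradicts
             the first MAC seen for that IP.
    shared:  {mac: [ips]} for every MAC that has answered for more than one IP.
    """
    first_mac = {}                 # ip -> first MAC seen (baseline)
    ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed
    rebinds = []
    for ts, ip, mac in records:
        ips_by_mac[mac].add(ip)
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            rebinds.append((ts, ip, known, mac))
    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return rebinds, shared


if __name__ == "__main__":
    rebinds, shared = find_arp_anomalies(parse(SAMPLE))
    for ts, ip, old, new in rebinds:
        print(f"{ts:>5.1f}s {ip} moved {old} -> {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

The baseline here is simply the first binding observed, so a legitimate phone replacement is also reported and needs to be checked against inventory.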

As I don’t have access to a VoIP infrastructure right now, I have not tested it yet. Does anybody have some feedback? UCSniff is available here.
