maZZoo maZZoo's blog
very low frequency tech postings  -   08 2006
 
    home
    blog
    feed
    eyes
    info
    code [12]
    dect [4]
    hard [8]
    meta [5]
    security [5]
jul 2009 (1)
jun 2009 (1)
jan 2009 (2)
dec 2008 (1)
oct 2008 (1)
jan 2008 (1)
oct 2007 (1)
jun 2007 (1)
feb 2007 (3)
jan 2007 (3)
nov 2006 (2)
aug 2006 (2)
jul 2006 (1)
may 2006 (1)
nov 2005 (2)
oct 2005 (1)
apr 2005 (2)
mar 2005 (2)
feb 2005 (1)
jan 2005 (1)
may 2004 (1)
jan 2004 (1)
apr 2003 (1)
jan 2003 (1)

Fri, 25 Aug 2006

ohrwurm-0.1 - an RTP fuzzer

ohrwurm is a small and simple RTP fuzzer, I tested it on a small number of SIP phones, none of them did withstand.
Features:

  • reads SIP messages to get information of the RTP port numbers
  • reading SIP can be omitted by providing the RTP port numbers, sothat any RTP traffic can be fuzzed
  • RTCP traffic can be suppressed to avoid that codecs learn about the "noisy line"
  • special care is taken to break RTP handling itself
  • the RTP payload is fuzzed with a constant BER
  • the BER is configurable
  • requires arpspoof from dsniff to do the MITM attack
  • requires both phones to be in a switched LAN (GW operation only works partially)


Send feedback on anything ohrwurm broke to ohrwurm/at/mazzoo/dot/de, even if it was a famous packet sniffer ;)



posted in /security  |  link  |  comments [5]   
Sat, 05 Aug 2006

ICMP3, and cisco insecurity

I am at ICMP3 a nice hacker's event meeting nice people and having fun with lots of HW and SW. I will give a speech tomorrow, for which I still have to prepare some slides.

blowfish_ph_neutral
I was assuming I can find a lot of VoIP/SIP HW here to play around with, but I was a little bit disappointed not to find too much. I had prepared a piece of SW to stress VoIP phones (later there will be more on this), I also had success on all of them (as in crashing them).

The only exception is a Cisco 7905 SIP phone, where I couldn't even get to the point of attacking the SIP stack or codecs. The market leader in IP networking HW has implemented a remote reboot procedure:

# arpspoof 194.150.169.59
44:44:44:44:44:44 ff:ff:ff:ff:ff:ff 0806 42: arp reply 194.150.169.59 is-at 44:44:44:44:44:44

Sigh. I need that command to run my stress test SW. Model and version are:
CP-7905G
App Load ID
  CP7905080000SIP060111A
Boot Load ID
  LD0100BOOT021112A


posted in /security  |  link  |  comments [0]   

validate HTML