maZZoo maZZoo's blog
very low frequency tech postings  -  security/ohrwurm.writeback

    code [12]
    dect [4]
    hard [8]
    meta [5]
    security [5]

Fri, 25 Aug 2006

ohrwurm-0.1 - an RTP fuzzer
ohrwurm is a small and simple RTP fuzzer, I tested it on a small number of SIP phones, none of them did withstand.
  • reads SIP messages to get information of the RTP port numbers
  • reading SIP can be omitted by providing the RTP port numbers, sothat any RTP traffic can be fuzzed
  • RTCP traffic can be suppressed to avoid that codecs learn about the "noisy line"
  • special care is taken to break RTP handling itself
  • the RTP payload is fuzzed with a constant BER
  • the BER is configurable
  • requires arpspoof from dsniff to do the MITM attack
  • requires both phones to be in a switched LAN (GW operation only works partially)

Send feedback on anything ohrwurm broke to ohrwurm/at/mazzoo/dot/de, even if it was a famous packet sniffer ;)

5 writebacks


vignesh wrote
Re: Tool Usage
Hello Mazzoo,
I am planning to use ohrwurm tool to test the SIP phones. In your blog, you have mentioned that the SIP phones have to be in the same lan and also you have mentioned that the Gateway functionality works partially. In my topology, I have set up a Router that acts as a Gateway and the Attacker is present between the Call originator and the Gatway.
Originator --- Gateway (router) --- Call Terminator

I have tested and found out that attacker succesfully sniffs the packets going between originator and the gateway. Since i have spoofed the gateway and the originator to believe in the Attacker. My question is will ohrwurm tool successfully fuzz RTP packets between orginator and terminator even though they are not in the same lan ??

Hung wrote
Could you change the blue color of this site ????
Mark wrote

Hi, are you going to be updating this tool, or have you stopped developing it. Thanks.
mazzoo wrote

Mark, the tool is perfect, no need to develop :P no, but seriously . what is missing? mazzoo
Mark wrote

Nothing in particular, I was just looking through the code and noticed some FIXMEs so I wondered if you were still actively working on it since I saw no updates since 2006. Thanks :)


URL/Email: (optional)
Title: (optional)
Save my Name and URL/Email for next time

validate HTML