cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
configure & troubleshoot anyconnect
235
Views
0
Helpful
3
Replies
Highlighted
Beginner

Voip traffic sniffing

Hi, in a recent security audit, in a Catalyst 2960 switch with this config

 

interface FastEthernet0/4
switchport access vlan 30
switchport mode access
switchport voice vlan 20
no snmp trap link-status
spanning-tree portfast

The auditor has been able to get a voice conversation from a phone. The auditor is connected to this port in access mode to vlan 30 and capturing traffic with wireshark in his PC and the phone connected to other switchport (same switch).

 

 

i'm really surprised about this, if the voip traffic is in other vlan and not directed to the fa0/4 port.

¿How is it possible to sniff the traffic in this port where in theory voice traffic should not be directed?

 

And related to switch security recomendations, What do you think about security of CDP and DTP?

CDP is needed if you use voip phones in the port.

The security issues of CDP is only for network discovery or there are other reasons to disable it on the network?

And what about DTP? 

Can anyone guide me to best security practices in switch configurations? 

 

Thanks in advance.

 

 

 

 

 

CCNP R&S, CCNP Security, CCNA CyberOps
1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: Voip traffic sniffing

Hi again, mistery solved... the auditor has a little missunderstanding,

is NOT possible to capture voice traffic in a port in the data vlan without do any thing more, today i'm trying to sniff traffic in a switchport on a data vlan and voice, witch only data, with a phone connected to the port and always fail, no RTP captured.

 

The only way to capture voice data is:

1 (Easy way) - Doing a CAM attack to do the switch acts as a HUB, with this attack i successfully capture a voice conversation.

2- Vlan hopping, using CDP discovery protocol you can find out the voice VLAN, advertise a fake CDP packet and obtain an ip address in the voice VLAN, then with a MitM you can sniff traffic of other phones in the network.

 

Attack mitigation:

Disable cdp in data ports that have not ip phone

Configure a maximun number of MAC address that a port can be learn, and disable the port if this number is reached

Of course, encrypt RTP using SRTP

Use access control from data VLAN to VOICE, is a common mistake that people think that because both VLAN's are internal in the organizations this are safe and all traffic it's permitted.

 

What do you think about my investigation? i'm wrong?

 

Thanks

 

CCNP R&S, CCNP Security, CCNA CyberOps
Everyone's tags (5)
3 REPLIES 3
VIP Advisor

Re: Voip traffic sniffing

If this is on cucm. Can you see on the phones config to see if span to pc port is enabled? 

Please remember to rate useful posts, by clicking on the stars below.

Beginner

Re: Voip traffic sniffing

Hi Dennis, good point of investigation too, this "span to pc" is enabled by default? anyway this is not the problem.

 

The problem is that voice traffic can be captured in a data port only (no phone connected). I'll try to explain more:

 

For example in this escenario-

port fa0/1

interface FastEthernet0/1
switchport access vlan 30
switchport mode access
switchport voice vlan 20
no snmp trap link-status
spanning-tree portfast

In port fa0/1 is connected a phone an then a PC connected to the phone.

 

Same configuration in port fa0/4 (this is auditor PC)

interface FastEthernet0/4
switchport access vlan 30
switchport mode access
switchport voice vlan 20
no snmp trap link-status
spanning-tree portfast

Why is possible to capture in port 4 with Wireshark a call that received the user in port fa0/1?

 

I'm going to capture traffic in the same escenario tomorrow because i don't understand why the pc is able to capture voice traffic that is not directed to this port.

 

 

 

CCNP R&S, CCNP Security, CCNA CyberOps
Beginner

Re: Voip traffic sniffing

Hi again, mistery solved... the auditor has a little missunderstanding,

is NOT possible to capture voice traffic in a port in the data vlan without do any thing more, today i'm trying to sniff traffic in a switchport on a data vlan and voice, witch only data, with a phone connected to the port and always fail, no RTP captured.

 

The only way to capture voice data is:

1 (Easy way) - Doing a CAM attack to do the switch acts as a HUB, with this attack i successfully capture a voice conversation.

2- Vlan hopping, using CDP discovery protocol you can find out the voice VLAN, advertise a fake CDP packet and obtain an ip address in the voice VLAN, then with a MitM you can sniff traffic of other phones in the network.

 

Attack mitigation:

Disable cdp in data ports that have not ip phone

Configure a maximun number of MAC address that a port can be learn, and disable the port if this number is reached

Of course, encrypt RTP using SRTP

Use access control from data VLAN to VOICE, is a common mistake that people think that because both VLAN's are internal in the organizations this are safe and all traffic it's permitted.

 

What do you think about my investigation? i'm wrong?

 

Thanks

 

CCNP R&S, CCNP Security, CCNA CyberOps
Everyone's tags (5)