04-25-2019 05:06 AM - edited 04-25-2019 05:07 AM
Hi, in a recent security audit, on a Catalyst 2960 switch with this config:
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 no snmp trap link-status
 spanning-tree portfast
The auditor was able to capture a voice conversation from a phone. The auditor is connected to this port (access mode, VLAN 30) and capturing traffic with Wireshark on his PC, and the phone is connected to another switchport (same switch).
I'm really surprised about this, since the VoIP traffic is in another VLAN and is not directed to the fa0/4 port.
How is it possible to sniff the traffic on this port, where in theory voice traffic should not be directed?
And related to switch security recommendations, what do you think about the security of CDP and DTP?
CDP is needed if you use VoIP phones on the port.
Are the security issues of CDP only network discovery, or are there other reasons to disable it on the network?
And what about DTP?
Can anyone guide me to best security practices in switch configuration?
Thanks in advance.
Solved!
04-26-2019 02:42 PM
Hi again, mystery solved... the auditor had a little misunderstanding:
it is NOT possible to capture voice traffic on a port in the data VLAN without doing anything more. Today I tried to sniff traffic on a switchport with a data VLAN and a voice VLAN, with only data, with a phone connected to the port, and it always fails: no RTP captured.
The only way to capture voice data is:
1 (easy way) - Doing a CAM attack so that the switch acts as a hub; with this attack I successfully captured a voice conversation.
2 - VLAN hopping: using the CDP discovery protocol you can find out the voice VLAN, advertise a fake CDP packet and obtain an IP address in the voice VLAN, then with a MitM you can sniff the traffic of other phones in the network.
Attack mitigation:
Disable CDP on data ports that have no IP phone
Configure a maximum number of MAC addresses that a port can learn, and disable the port if this number is reached
Of course, encrypt RTP using SRTP
Use access control from the data VLAN to the voice VLAN; it is a common mistake for people to think that because both VLANs are internal to the organization they are safe and all traffic is permitted.
What do you think about my investigation? Am I wrong?
Thanks
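As a concrete version of the mitigations listed in the accepted solution, here is a hardened configuration for the two ports discussed in the thread (a phone port with a PC behind it, and a data-only port like the auditor's). This is an added example, not the original poster's running config or text from Cisco documentation; the subnets (10.30.0.0/24 for VLAN 30, 10.20.0.0/24 for VLAN 20) and the assumption of exactly one PC behind each phone are mine. CDP is left enabled on the phone port because the phone needs it to learn its voice VLAN, and disabled on the data-only port; `switchport mode access` already keeps both ports from negotiating a trunk, which is the DTP side of the original question.

```cisco
! Added example, not from the original thread.
! Assumed (constructed) addressing: data VLAN 30 = 10.30.0.0/24,
! voice VLAN 20 = 10.20.0.0/24.
!
! Global: a port shut down by a port-security violation comes back on its
! own after 5 minutes instead of waiting for a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Phone port (fa0/1): one phone plus one PC behind it. CDP stays on so the
! phone learns the voice VLAN; the MAC limit is what stops CAM flooding here.
! One MAC is allowed in the voice VLAN (the phone), two on the port in total
! (phone + PC). A third MAC, e.g. a flooding tool, err-disables the port.
interface FastEthernet0/1
 description Phone + PC
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Data-only port (fa0/4): no voice VLAN and no CDP, so the voice VLAN
! cannot be learned from CDP on this port, and exactly one MAC is allowed.
interface FastEthernet0/4
 description Data only
 switchport mode access
 switchport access vlan 30
 no switchport voice vlan
 no cdp enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
!
! On the Layer 3 device that routes between the VLANs (not the 2960 itself
! if it is only switching): block data VLAN -> voice VLAN. If softphones or
! management hosts live in the data VLAN, add explicit permits for them
! above the deny.
ip access-list extended DATA-TO-VOICE
 deny   ip 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan30
 ip access-group DATA-TO-VOICE in
```

To check the result, repeat the flooding test from the data port and watch `show port-security interface FastEthernet0/4` (the violation counter and port status) and `show mac address-table interface FastEthernet0/4`: the table should never hold more than one entry for that port, and the port should go err-disabled as soon as a second source MAC appears. Port security limits how many addresses the switch learns, not how many the attacker sends, so the flooding traffic itself still arrives; the point is that the CAM table can no longer be exhausted and the switch never falls back to hub behaviour.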
04-25-2019 05:44 AM
If this is on CUCM, can you look at the phone's config to see if "span to PC port" is enabled?
04-25-2019 10:29 AM
Hi Dennis, good point of investigation too; is this "span to PC" enabled by default? Anyway, this is not the problem.
The problem is that voice traffic can be captured on a data-only port (no phone connected). I'll try to explain more:
For example, in this scenario:
port fa0/1
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 no snmp trap link-status
 spanning-tree portfast
On port fa0/1 a phone is connected, and then a PC is connected to the phone.
Same configuration on port fa0/4 (this is the auditor's PC):
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 no snmp trap link-status
 spanning-tree portfast
Why is it possible to capture with Wireshark on port fa0/4 a call that the user on port fa0/1 received?
I'm going to capture traffic in the same scenario tomorrow because I don't understand why the PC is able to capture voice traffic that is not directed to this port.