Hi all!

In my home network I have been testing the security of my Asterisk installation. The first test I am doing is a man-in-the-middle attack. In this scenario the attacker is a virtual machine that tries to see the SIP traffic between a PC with a softphone and a Grandstream BT200 telephone.

But what catches my attention is that between the PC with the softphone and the telephone I see the ARP or ICMP traffic that I can generate between the two devices, but I do not see any RTP. Is there some special consideration that I must observe?

I am doing the capture with:

# tcpdump -i eth0 -n host 10.1.0.65 -w dump

where 10.1.0.65 is the PC with the softphone.

Thanks in advance for your reply.

Regards,
Daniel
Hi!

> But it draws attention to me between the PC with softphone and the
> telephone I see traffic ARP or ICMP that could make to try between the
> equipment but does not see RTP. Is there some special consideration that
> it must to observe?

Your English is seriously twisted, making your question impossible to understand. My feeling is that you have used a machine translation service.

Your question is probably: "I can see ARP and ICMP, but not RTP, what am I missing?"

How did you place your virtual "listening" machine into the network: is it connected to an old hub, or a switch, or the mirroring port of a switch, or does it use the same NIC (and computer) as the softphone? You will first need to get "in between" the two endpoints in order to be able to capture that point-to-point RTP traffic; there are "normal" and "malicious" ways to achieve that.

Philipp
On Thu, 22 Apr 2010, Philipp von Klitzing wrote:

> Hi!
>
>> But it draws attention to me between the PC with softphone and the
>> telephone I see traffic ARP or ICMP that could make to try between the
>> equipment but does not see RTP. Is there some special consideration that
>> it must to observe?
>
> Your English is seriously twisted, making your question impossible to
> understand. My feeling is that you have used a machine translation
> service.
>
> Your question is probably:
> "I can see ARP and ICMP, but not RTP, what am I missing?"
>
> How did you place your virtual "listening" machine into the network, is
> it connected to an old hub, or a switch, or the mirroring port of a
> switch, or does it use the same NIC (and computer) as the softphone? You
> will first need to get "in between" the two endpoints in order to be able
> to capture that point-to-point RTP traffic - there are "normal" and
> "malicious" ways to achieve that.

Depends on what you consider malicious :) ARP cache poisoning is considered fairly normal by some these days...

However, the easiest way to capture data is on the Asterisk server itself...

Gordon
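Two practical points come out of the replies above: the capture box only sees RTP if the stream actually passes its NIC (hub, mirror port, ARP poisoning, or being the Asterisk server itself, which only works while Asterisk stays in the media path, i.e. canreinvite=no / directmedia=no in sip.conf), and the RTP addresses and ports are not fixed but negotiated in the SDP bodies of the SIP INVITE and 200 OK. The script below is an added example, not code from the thread or from Asterisk: it pulls the negotiated media endpoint out of a constructed SIP offer and answer, builds a tcpdump filter that matches both directions of that stream, and classifies a captured UDP payload as RTP by its fixed header (RFC 3550). The phone address 10.1.0.77, the ports 8000 and 5004 and the SIP messages themselves are constructed for the example; only 10.1.0.65 is from the original post.

```python
import re
import struct

# Constructed SIP offer (softphone) and answer, NOT a real capture.
# Only 10.1.0.65 comes from the original post; everything else is assumed.
OFFER = (
    "INVITE sip:201@10.1.0.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.0.65:5060;branch=z9hG4bK-1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.1.0.65\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.0.65\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
ANSWER = (
    "SIP/2.0 200 OK\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2 2 IN IP4 10.1.0.1\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.0.1\r\n"      # session-level connection address (the PBX)
    "t=0 0\r\n"
    "m=audio 5004 RTP/AVP 0\r\n"
    "c=IN IP4 10.1.0.77\r\n"     # media-level override: media goes to the phone
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed 12-byte RTP header (V=2, PT=0 PCMU, seq 1234, ts 160) + 160 B payload.
SAMPLE_RTP = struct.pack("!BBHII", 0x80, 0x00, 1234, 160, 0xDEADBEEF) + b"\xff" * 160


def media_endpoint(msg):
    """Return (ip, port) of the audio stream advertised in the SDP body of msg.

    A media-level c= line (after m=audio) overrides the session-level one,
    which is exactly what a direct-media re-INVITE relies on.
    """
    body = msg.split("\r\n\r\n", 1)[1]
    session_ip = media_ip = port = None
    in_audio = False
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            if in_audio:
                media_ip = line.split()[2]
            elif session_ip is None:
                session_ip = line.split()[2]
        elif line.startswith("m="):
            m = re.match(r"m=audio (\d+) RTP/AVP", line)
            in_audio = m is not None
            if m:
                port = int(m.group(1))
    if port is None:
        return None
    return (media_ip or session_ip, port)


def rtp_filter(offer, answer):
    """BPF expression matching both directions of the negotiated RTP stream."""
    a_ip, a_port = media_endpoint(offer)
    b_ip, b_port = media_endpoint(answer)
    leg = "(src host %s and src port %d and dst host %s and dst port %d)"
    return "udp and (%s or %s)" % (leg % (a_ip, a_port, b_ip, b_port),
                                   leg % (b_ip, b_port, a_ip, a_port))


def tcpdump_command(offer, answer, iface="eth0"):
    """Capture command for the negotiated stream; only useful on a host the stream traverses."""
    return "tcpdump -i %s -n '%s'" % (iface, rtp_filter(offer, answer))


def rtp_header(payload):
    """Parse the RTP fixed header; None if the payload does not look like RTP."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                 # RTP version field must be 2
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:               # these values are RTCP packet types, not RTP
        return None
    return {"padding": bool(b0 & 0x20), "csrc_count": b0 & 0x0F,
            "marker": bool(b1 & 0x80), "pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc}


if __name__ == "__main__":
    print(media_endpoint(OFFER), media_endpoint(ANSWER))
    print(tcpdump_command(OFFER, ANSWER))
    print(rtp_header(SAMPLE_RTP))
```

Note that the generated filter does nothing about the placement problem Philipp describes: if the frames between 10.1.0.65 and the phone never reach the sniffing NIC, neither `host 10.1.0.65` nor the more specific expression will match anything. Run it from a mirror port, after ARP poisoning both endpoints, or on the Asterisk host with direct media disabled.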