Background

For this lab we will be analyzing a Wireshark capture file that was recorded using the ARP poisoning technique against Cisco VoIP (Voice over IP) phones. As the lab took special equipment (the Cisco phones and the C1861 router whose configuration is in Appendix A), I will explain how it was set up and how it worked, but we won't have access to that equipment for this lab, just the capture file.

To capture the VoIP packets we used the same ARP poisoning method as in the last lab, but this time the end hosts that were poisoned were the Cisco VoIP phones. That placed us in the middle of their transmissions and allowed us to capture a copy of the packets. Note that the phones are registered with "device-security-mode none" (see the ephone entries in Appendix A), so neither the call signalling nor the RTP media is encrypted, which is what makes the audio replayable straight from the capture. Note also that you could have done the capture through a SPAN (mirror) port on the switch instead of ARP poisoning; the two "monitor session 1" lines at the end of Appendix A configure exactly that, mirroring Fa0/1/0 to Fa0/1/7.

A good reference for this is: http://everythingvoice.blogspot.de/2010/04/sniffing-and-eavesdropping-using.html

Lab Overview:

You will use Wireshark to open a network capture file (.pcap) and then use Wireshark's built-in ability to replay RTP streams so that you can hear the conversation between the two people.

Lab Procedures:

1. From Sakai, download the bankpin.pcap file to your laptop.

2. From your own laptop (or desktop), open Wireshark.
3. Under the File menu, Open the pcap file you downloaded earlier (bankpin.pcap).

4. From within the packet capture, you will need to look for an RTP packet. Select (highlight) one of those RTP packets and choose from the menu on top of Wireshark Telephony, then RTP and finally Stream Analysis. If Wireshark shows the media packets only as UDP and no RTP appears, the heuristic RTP dissector is probably disabled: enable rtp_udp under Analyze > Enabled Protocols, or right-click one of the UDP packets and use Decode As... to decode it as RTP.

5. Now choose Player.
6. Then choose Decode.

7. Now the voice streams should be visible, one per direction of the call.

8. Check the selection box for both streams and then click on the Play button, and you should hear the conversation between the bank and its customer. In particular, listen for the account number and the PIN.

9. Deliverables: Please enter the bank account number and PIN via the Assignments button in Sakai.
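The steps above drive Wireshark's GUI. As an added example that is not part of the original lab handout, the script below does the same job without Wireshark: it parses a classic pcap, finds G.711 RTP heuristically (it does not consult the call signalling, SCCP or SIP, so it relies on the RTP version bits, an even destination port in Cisco's default 16384-32767 range, and the PCMU/PCMA payload types), reorders each SSRC's packets by sequence number across a 16-bit wrap, strips RTP padding, expands mu-law to 16-bit PCM, and writes one WAV file per stream. It uses only the Python standard library. The capture it runs on is constructed inside the code and is not bankpin.pcap: the two phone addresses 192.168.50.11 and 192.168.50.12 are assumed (they sit inside the DHCP pool from Appendix A), the MAC addresses are the two 7940s from that config, and the RTP port range is an assumption about Cisco defaults.

```python
# Added example (not from the lab handout): scripted equivalent of Telephony > RTP > Player.
import struct
import wave
from collections import defaultdict

PCMU, PCMA = 0, 8                    # static RTP payload types: G.711 mu-law / A-law
RTP_PORTS = range(16384, 32768)      # assumption: Cisco default RTP UDP port range

def parse_pcap(data):
    """Yield each frame of a classic (libpcap) Ethernet capture, either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def udp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4         # honour IP options instead of assuming 20 bytes
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    dotted = lambda b: ".".join(map(str, b))
    return dotted(ip[12:16]), dotted(ip[16:20]), sport, dport, ip[ihl + 8:ihl + ulen]

def parse_rtp(p):
    """RFC 3550 header -> (pt, seq, ssrc, media); handles CSRC list, extension, padding."""
    if len(p) < 12 or p[0] >> 6 != 2:                 # version field must be 2
        return None
    hdr = 12 + 4 * (p[0] & 0x0F)                      # fixed header plus CSRCs
    if p[0] & 0x10:                                   # X bit: skip header extension
        if len(p) < hdr + 4:
            return None
        hdr += 4 + 4 * struct.unpack("!H", p[hdr + 2:hdr + 4])[0]
    end = len(p) - (p[-1] if p[0] & 0x20 else 0)      # P bit: last octet = pad length
    seq, _ts, ssrc = struct.unpack("!HII", p[2:12])
    return (p[1] & 0x7F, seq, ssrc, p[hdr:end]) if hdr <= end else None

def extract_streams(pcap):
    """Map (src, dst, ssrc, pt) -> media bytes, reordered by RTP sequence number."""
    streams = defaultdict(list)
    for frame in parse_pcap(pcap):
        udp = udp_payload(frame)
        if not udp or udp[3] % 2 or udp[3] not in RTP_PORTS:   # heuristic RTP detection
            continue
        rtp = parse_rtp(udp[4])
        if rtp and rtp[0] in (PCMU, PCMA):
            streams[(udp[0], udp[1], rtp[2], rtp[0])].append((rtp[1], rtp[3]))
    result = {}
    for key, pkts in streams.items():
        base = pkts[0][0]            # sort relative to the first seq so a 16-bit wrap orders correctly
        pkts.sort(key=lambda x: (x[0] - base) & 0xFFFF)
        result[key] = b"".join(m for _, m in pkts)
    return result

def ulaw_decode(data):
    """G.711 mu-law octets -> list of 16-bit linear PCM samples."""
    out = []
    for u in data:
        u = ~u & 0xFF
        mag = ((((u & 0x0F) << 3) + 0x84) << ((u >> 4) & 0x07)) - 0x84
        out.append(-mag if u & 0x80 else mag)
    return out

def write_wav(path, samples, rate=8000):
    with wave.open(path, "wb") as w:             # 8 kHz mono 16-bit PCM
        w.setnchannels(1); w.setsampwidth(2); w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))

def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; MACs are the two 7940s from Appendix A."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4(src), ip4(dst))
    return bytes.fromhex("000bbeb372e0" "000bbeb37395" "0800") + ip + udp

def build_sample_pcap():
    """Constructed two-way call (IPs assumed): out-of-order capture, one padded packet,
    a sequence-number wrap on one leg, and one non-RTP datagram. Not bankpin.pcap."""
    frames = []
    for i in (0, 2, 1):              # capture order deliberately differs from seq order
        flags, pad = (0xA0, b"\x00\x00\x00\x04") if i == 1 else (0x80, b"")  # P bit, 4 pad octets
        frames.append(build_udp_frame("192.168.50.11", "192.168.50.12", 24580, 16384,
                      struct.pack("!BBHII", flags, PCMU, 100 + i, 160 * i, 0x11223344) + bytes([0xFF - i]) * 160 + pad))
        frames.append(build_udp_frame("192.168.50.12", "192.168.50.11", 16384, 24580,
                      struct.pack("!BBHII", 0x80, PCMU, (65534 + i) & 0xFFFF, 160 * i, 0x55667788) + bytes([0x80 + i]) * 160))
    frames.append(build_udp_frame("192.168.50.11", "192.168.50.1", 5555, 53, b"\x12\x34" * 8))  # not RTP
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, LINKTYPE_ETHERNET
    for n, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1390996574 + n, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    for n, ((src, dst, ssrc, pt), media) in enumerate(extract_streams(build_sample_pcap()).items()):
        print(f"stream {n}: {src} -> {dst} ssrc=0x{ssrc:08x} pt={pt} {len(media)} media bytes")
        if pt == PCMU:               # A-law (PCMA) expansion is left out of this example
            write_wav(f"stream_{n}.wav", ulaw_decode(media))
```

Run as a script it writes stream_0.wav and stream_1.wav from the constructed capture; to use it on the lab file, pass open("bankpin.pcap", "rb").read() to extract_streams instead. If the real capture uses a different RTP port range, widen RTP_PORTS, and if a leg shows payload type 8 you will need an A-law expander, which this example omits.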
Appendix A: Cisco Phone Appliance Config File

C1861#show run
Building configuration...

Current configuration : 2999 bytes
Last configuration change at 13:56:14 UTC Wed Jan 29 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname C1861
boot-start-marker
boot-end-marker
enable secret 4 eaop83n/avy2eas2tg7jbhlcx5t8h39e3gwbetdw5sy
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
crypto pki token default removal timeout 0
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 192.168.50.1 192.168.50.10
ip dhcp pool VOICE
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 option 150 ip 192.168.50.1
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
license udi pid C1861-SRST-C-F/K9 sn FTX1219Z04R
username root password 0 root
interface FastEthernet0/0
 shutdown
 duplex auto
 speed auto
interface Integrated-Service-Engine0/0
 shutdown
interface FastEthernet0/1/0
interface FastEthernet0/1/1
interface FastEthernet0/1/2
interface FastEthernet0/1/3
interface FastEthernet0/1/4
interface FastEthernet0/1/5
interface FastEthernet0/1/6
interface FastEthernet0/1/7
interface FastEthernet0/1/8
interface Vlan1
 ip address 192.168.50.1 255.255.255.0
ip forward-protocol nd
ip http server
no ip http secure-server
control-plane
voice-port 0/0/0
voice-port 0/0/1
voice-port 0/0/2
voice-port 0/0/3
voice-port 0/1/0
voice-port 0/1/1
voice-port 0/1/2
voice-port 0/1/3
voice-port 0/4/0
 auto-cut-through
 signal immediate
 input gain auto-control
 description Music On Hold Port
mgcp profile default
telephony-service
 max-ephones 10
 max-dn 30
 ip source-address 192.168.50.1 port 2000
 cnf-file location flash:
 cnf-file perphone
 time-zone 23
 time-format 24
 date-format dd-mm-yy
 max-conferences 4 gain -6
 transfer-system full-consult
 create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-dn 10 dual-line
 number 1000
 label Lab Phone 1
 name Lab Phone 1
ephone-dn 20 dual-line
 number 2000
 label Lab Phone 2
 name Lab Phone 2
ephone 1
 device-security-mode none
 mac-address 000B.BEB3.7395
 speed-dial 1 2000 label "Dial Lab Phone 2"
 type 7940
 button 1:10
ephone 2
 device-security-mode none
 mac-address 000B.BEB3.72E0
 speed-dial 1 1000 label "Dial Lab Phone 1"
 type 7940
 button 1:20
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 password Cisco
 login
 transport input all
line vty 5 15
 password Cisco
 login
 transport input all
monitor session 1 source interface Fa0/1/0
monitor session 1 destination interface Fa0/1/7