A special thanks goes out to all of the developers, contributors, and authors of Ettercap. Ettercap is simply an awesome security tool. We re-used the ARP Poisoning, dissector design, and re-direction capabilities of Ettercap within UCSniff.
Here are some clever and basic usage examples of how to use UCSniff. In a CDP infrastructure, you can do the following:
If Voice VLANs are used, UCSniff will automatically (and immediately) Hop into the Voice VLAN and do it's work.
You can check on the LCD screen interface of the IP Phone to see if the "Corporate Directory" feature is enabled. If it is, all you need to do is supply the MAC Address of the IP Phone and UCSniff will load the entries automatically.
ucsniff -i eth0 -c 1 -a -m 00:00:00:00:00:00 // //
You could set up two physical ethernet interfaces on a station running UCSniff. The 1st interface could be used for remote management. The second interface could be used for UCSniff fun activities.
Another way that I use UCSniff all of the time is in a CDP infrastructure, with VLAN Hopping. Using a different system (Windows, for example), you can SSH to the eth0 interface of the Linux station running UCSniff (with SSH listening on eth0). You then run UCSniff, 'ucsniff -i eth0 -c 1 // //', and after it hops into the Voice VLAN (200, for example), UCSniff listens for voice traffic on eth0.200, while the SSH session is forwarded over eth0 (the data / access VLAN). In this demo configuration, UCSniff on a dedicated Linux system is sniffing traffic while the demo presentation can run in the Windows OS environment with a remote shell account on the UCSniff host transmitted over SSH.
Currently, the Corporate Directory tool only supports Cisco directories, and the targets file entries are based in part on directory entries; however, there are many fun possibilities for using the targets.txt file in creative ways. Directory entries are less likely to change for an extension than are the IP address for an IP Phone that is mapped to an extension. In UCSniff Learning Mode, targets are still mapped to the 'targets.txt' file independent of a directory entry. The targets.txt file just won't include the directory entry if it wasn't downloaded. Therefore, you can create your own targets.txt file and customize directory names!
If you are a pentester (or whoever you are ;-) ), you can use the same method that an internal user follows in order to find an extension. People don't call random numbers until they get the person they are trying to reach. They either have a utility in the phone, a corporate Intranet web application, or something printed up in hard copy to lookup users. Whatever the method, the pentester just uses the same method. If you don't know, simply play dumb and ask an internal user. You can then import these entries into targets.txt, or manually edit the file.
When you run the tool in learning Mode, you'll see the format of the extensions as decoded in the SIP URI. These entries will be maped into targets.txt. Then you can run the tool in Target Mode to *target* specific users. The format of the targets.txt file is:
So you can use your imagination on how to use this file,it has some great possibilities for fun. Here are two sample entries:
bt src#cat targets.txt
172.16.96.18,1004,John (CEO) Rodgers,sccp
You don't always have to run Learning Mode. If you know for certain the IP address and extension for a given endpoint, you never have to run "Learning Mode" - run "Target Mode" instead. You can set up UCSniff 'targets.txt' manually to ARP Poison and intercept only the endpoint traffic you are looking to inspect.
UCSniff runs just fine in VMWare, but I have never been able to get the VLAN Hop support to work through a Windows Host OS VMWare instance. This is likely because although Windows does support 802.1q VLAN Tagging, you have to use a special driver or tool. Please let me know if anyone figures out how to use UCSniff VLAN Hopping through VMWare.