What is UCSniff?

UCSniff is a VoIP/UC sniffer, assessment and pentest tool with some useful new features, such as IP video sniffing. UCSniff is a proof-of-concept tool to demonstrate the risk of unauthorized recording of VoIP and video: it can help you understand who can eavesdrop, and from what parts of your network. It is intended for next-generation enterprise VoIP/UC infrastructures that rely on Voice VLANs to segment UC applications for QoS requirements. UCSniff was born from pentesting and the "VoIP Hopper" tool, as an idea to combine automated Voice VLAN discovery and VLAN hopping with MitM, along with targeted VoIP attacks against users in the VoIP corporate directory. Eavesdropping is one of many potential UC-specific attacks that can take place, and UCSniff can be used by other researchers and security professionals as a base tool to explore this idea. UCSniff is a text and GUI application, written in C/C++, that runs on Linux and Windows. It is freely available under the GPLv3 license for anyone to download and use.

Feature List

  • UC Sniffer with VoIP and IP Video Support
  • Realtime Video and VoIP Monitor (SIP)
  • Automated Voice VLAN Discovery (CDP)
  • VLAN Hop Support
  • Sniffing across Ethernet Switches
  • Automatic creation of forward and reverse RTP audio streams into a single wav file
  • Automatic creation of two avi files (forward and reverse video) for H.264 Video codec
  • Automatic recording and saving of conversations using G.711 u-law and a-law codec
  • Automatic recording and saving of conversations using the G.722, G.729, G.726 and G.723 codecs (Note: the G.729, G.723 and G.726 codecs only work on a 32-bit Linux OS)
  • MitM ARP Poisoning and host management support
  • Monitor Mode (Span Session, Hub)
  • Tracking and tracing of users, with logging
  • Support for Cisco SIP, Cisco Skinny, RFC 3261 SIP
  • Support for Cisco UCM 6.1, 7.0, 7.1
  • Target Mode (Target User)
  • Corporate Directory Tool and functions (ACE)
  • ARP Saver Tool to restore network in emergencies
  • Gratuitous ARP Disablement Bypass
  • TFTP MitM Modification of IP Phone Settings
  • GUI Support in Windows and Linux
  • Only requires one phone (not both) to be in the source VLAN in order to capture the entire conversation
  • New VideoSnarf tool outputs media files (audio, video) from pcap
  • Sniffing and logging of Microsoft OCS IM Conversations
  • Support for eavesdropping on Avaya SIP, Avaya H.323 media re-construction

Windows Feature Limitations

Please note that Windows UCSniff has the following limitations:

  • No Audio or Video Live Monitor support
  • No wireless eavesdropping (Depends on wireless card/drivers)
  • No G729/G723 codec support

Why?

To understand risk, in order to mitigate it. UCSniff is intended to help understand the risk of VoIP eavesdropping so that security in the VoIP infrastructure and applications can be improved to a level of acceptable risk. VoIP exists on the network like any other TCP/IP client-server application (yet with special QoS requirements), and VoIP owners should apply similar best practices. VoIP offers tremendous cost-saving potential, and it actually can be made "secure" to the acceptable risk tolerance level.

New Feature: IP Video Support

UCSniff is the first-ever IP video sniffer to be released under the GPL (and possibly the first IP video sniffer at all). It is the first security assessment tool to implement features that allow testing for unauthorized eavesdropping on private IP video calls. UCSniff video support works very similarly to regular VoIP conversation eavesdropping. After the signaling protocol is dissected (SIP, SCCP), the RTP ports used for H.264 video are dynamically added to the video decoder. When the call ends, UCSniff automatically outputs two avi files. One file is the reconstructed video seen by the calling video user; the other file is the reconstructed video seen by the called video user. Both avi files contain the one-way audio experienced by that end user. Then, the entire two-way audio conversation is reconstructed into a single wav file.
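The signaling dissection described above is also what a defender can use to audit exposure: the SDP carried in a SIP INVITE names every media stream, its RTP port and its transport profile, and a stream offered as RTP/AVP rather than RTP/SAVP (SRTP) is exactly the kind of stream a sniffer on the path can reconstruct. The following is an added example, not UCSniff code; the INVITE, its addresses, ports and tags are constructed for illustration.

```python
"""Audit the SDP inside SIP signaling for media negotiated without SRTP.

Added example, not part of UCSniff. SAMPLE_INVITE is constructed: the
addresses, ports and tags are documentation values, not captured data.
"""
from dataclasses import dataclass, field

# Constructed INVITE offering G.711 u-law audio and H.264 video over plain
# RTP/AVP, the unencrypted profile a sniffer on the path could decode.
SAMPLE_INVITE = (
    "INVITE sip:2002@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.21:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:2001@192.0.2.10>;tag=constructed\r\n"
    "To: <sip:2002@192.0.2.10>\r\n"
    "Call-ID: constructed-call-id@192.0.2.21\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.21\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.21\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 16386 RTP/AVP 97\r\n"
    "a=rtpmap:97 H264/90000\r\n"
)


@dataclass
class MediaStream:
    kind: str                     # "audio" or "video"
    address: str                  # from the c= line (media-level overrides session-level)
    port: int                     # RTP port; RTCP is conventionally port + 1
    transport: str                # RTP/AVP (cleartext) or RTP/SAVP, UDP/TLS/RTP/SAVP (SRTP)
    codecs: list = field(default_factory=list)   # encoding names from a=rtpmap lines

    @property
    def encrypted(self) -> bool:
        # RFC 3711 SRTP profiles (SAVP, SAVPF) and DTLS-SRTP all carry "SAVP".
        return "SAVP" in self.transport


def parse_sdp(message: str) -> list:
    """Split a SIP message into headers and body; return the media streams it offers."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []
    session_addr = None
    streams = []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if streams:
                streams[-1].address = addr      # media-level connection address
            else:
                session_addr = addr             # session-level default
        elif line.startswith("m="):
            kind, port, transport, *_fmts = line[2:].split()
            streams.append(MediaStream(kind, session_addr, int(port), transport))
        elif line.startswith("a=rtpmap:") and streams:
            encoding = line.partition(" ")[2].split("/")[0]
            streams[-1].codecs.append(encoding)
    return streams


def cleartext_media(message: str) -> list:
    """One finding string per stream that was negotiated without SRTP."""
    return [f"{s.kind} {s.address}:{s.port} {s.transport} {'/'.join(s.codecs)}"
            for s in parse_sdp(message) if not s.encrypted]


if __name__ == "__main__":
    for finding in cleartext_media(SAMPLE_INVITE):
        print("cleartext media:", finding)
```

Run against real signaling captured at the SIP proxy or on a SPAN session, the list of findings is the list of calls whose media is exposed to any host that can get on the path; an empty list for an RTP/SAVP deployment is the result a remediated network should produce.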

New Feature: Realtime Video & Audio Monitor (3.0)

UCSniff is the first-ever security tool to do realtime monitoring of IP video calls. This new feature allows a security professional to test for the ability of an insider to eavesdrop on a private IP video call and see the video and hear the audio while the call is in progress. Currently the feature only works with SIP, and it is only supported on the Linux platform.

New Feature: GUI (3.0)

UCSniff now has GUI support in both Windows and Linux OS environments. The GUI is built upon the JUCE libraries, and it makes running UCSniff even easier than before. Take a look at some of the screenshots of the UCSniff GUI in action.

New Feature: Windows Port (3.0)

We now have a Windows port of the UCSniff code. UCSniff for Windows is available as a binary release or as source code. See the installation instructions for Windows for more information.

New Feature: Gratuitous ARP Disablement Bypass (3.0)

We have developed a new feature in UCSniff to help defeat the "GARP Disabled" security feature, which is configured by default in some new VoIP environments. That security feature means the IP phone will not populate its ARP cache from gratuitous ARP (reply) packets sent by an attacker on the same VLAN towards the phone, so it helps prevent successful ARP poisoning. The UCSniff feature defeats it by intercepting traffic from the network to the phone and winning the race for the moment when the IP phone ARPs for the remote RTP peer (the remote IP phone). This works perfectly when both phones are in the same VLAN. However, when one IP phone or RTP peer is in a remote VLAN, it will not work, and you can only receive the RTP stream from the network to the phone. See the USAGE file/link for more information on how to use this feature.
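Both techniques described above leave a visible trace in ARP traffic on the voice VLAN: classic poisoning sends gratuitous replies that rebind a server or phone IP to a new MAC, and the race-based bypass produces a second reply to a single ARP request from a different MAC. The following detector, an added example and not part of UCSniff, flags those patterns over a list of ARP events; the trace is constructed (documentation addresses), and in practice the events would come from a SPAN session or a switch's ARP inspection logs.

```python
"""Flag ARP patterns that indicate cache poisoning on a voice VLAN.

Added example, not UCSniff code. SAMPLE_TRACE and RACE_TRACE are constructed
from documentation addresses; a real feed would come from a SPAN port or DAI logs.
"""
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpEvent:
    ts: float          # seconds
    opcode: int        # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


PHONE = ("00:00:5e:00:53:01", "192.0.2.21")     # constructed
SERVER = ("00:00:5e:00:53:02", "192.0.2.10")    # constructed
UNKNOWN = "00:00:5e:00:53:99"                   # constructed third MAC

# Normal request/reply, then an unsolicited reply and a gratuitous reply from
# UNKNOWN that both claim the server's IP (the poisoning pattern).
SAMPLE_TRACE = [
    ArpEvent(0.0, ARP_REQUEST, PHONE[0], PHONE[1], "00:00:00:00:00:00", SERVER[1]),
    ArpEvent(0.1, ARP_REPLY, SERVER[0], SERVER[1], PHONE[0], PHONE[1]),
    ArpEvent(5.0, ARP_REPLY, UNKNOWN, SERVER[1], PHONE[0], PHONE[1]),
    ArpEvent(6.0, ARP_REPLY, UNKNOWN, SERVER[1], "ff:ff:ff:ff:ff:ff", SERVER[1]),
]

# One request answered twice: the first answer arrives before the real host's.
# Even when no gratuitous packet is sent, the second answer is unsolicited and
# the IP's binding changes, so the race still shows up.
RACE_TRACE = [
    ArpEvent(10.00, ARP_REQUEST, PHONE[0], PHONE[1], "00:00:00:00:00:00", SERVER[1]),
    ArpEvent(10.01, ARP_REPLY, UNKNOWN, SERVER[1], PHONE[0], PHONE[1]),
    ArpEvent(10.05, ARP_REPLY, SERVER[0], SERVER[1], PHONE[0], PHONE[1]),
]


def detect_arp_anomalies(events, window=2.0):
    """Return (kind, event) findings: gratuitous_reply, unsolicited_reply, binding_change."""
    bindings = {}                   # ip -> MAC first seen answering for it
    pending = defaultdict(list)     # target ip -> timestamps of unanswered requests
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.opcode == ARP_REQUEST:
            pending[ev.target_ip].append(ev.ts)
            continue
        if ev.opcode != ARP_REPLY:
            continue
        if ev.sender_ip == ev.target_ip:
            # A reply announcing the sender's own IP is gratuitous by definition.
            findings.append(("gratuitous_reply", ev))
        else:
            recent = [t for t in pending[ev.sender_ip] if 0 <= ev.ts - t <= window]
            if recent:
                pending[ev.sender_ip].remove(recent[0])   # consume the request it answers
            else:
                findings.append(("unsolicited_reply", ev))
        known = bindings.setdefault(ev.sender_ip, ev.sender_mac)
        if known != ev.sender_mac:
            findings.append(("binding_change", ev))
    return findings


if __name__ == "__main__":
    for name, trace in (("poisoning", SAMPLE_TRACE), ("race", RACE_TRACE)):
        for kind, ev in detect_arp_anomalies(trace):
            print(f"{name}: {kind} at t={ev.ts} {ev.sender_ip} -> {ev.sender_mac}")
```

The binding table is learned from the first reply seen, so a detector started after poisoning is already in place reports the real host's later reply as the change; pair it with a static IP-to-MAC inventory of the call server and gateways, or with Dynamic ARP Inspection on the switches, to get ground truth rather than first-seen truth.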

New Feature: TFTP MitM Modification of IP Phone Settings (3.0)

Originally presented and announced at the DefCon 17 conference, UCSniff 3.0 now supports a new feature with which you can modify IP phone settings in Cisco Unified IP Phone environments. Currently this feature enables GARP if GARP is in fact disabled, but any parameter contained in the SEP CNF XML file could in principle be changed. See the USAGE link/file for more information on how to use this new feature.

New Tool: VideoSnarf (3.0)

VideoSnarf is a new tool first released with UCSniff 3.0. Presented for the first time at DefCon 17, this tool takes an offline pcap as input and outputs all detected media streams, including first-of-its-kind support for decoding H.264 RTP video streams. This tool is good for pentesters who want to use other tools like tshark/wireshark and ettercap to capture VoIP/video traffic but want to decode these streams. VideoSnarf supports the G711ulaw, G722, G729, G723 and G726 codecs. See the VideoSnarf page for more details.
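The first step of what VideoSnarf does with a pcap, and the step an assessor needs to answer the page's own question of who can eavesdrop from where, is to parse the RFC 3550 RTP header of each UDP payload and group packets into streams by SSRC. The following added example (not VideoSnarf or UCSniff code) does that inventory over constructed packets, reporting the codec where the payload type is static and the sequence gaps that would show up as drop-outs in any reconstruction; reading the packets from a pcap is left out so it runs offline.

```python
"""Inventory RTP streams from captured UDP payloads (RFC 3550 header parsing).

Added example, not VideoSnarf code. SAMPLE_PACKETS are constructed with
build_rtp() so the script runs offline; a real run would feed it the UDP
payloads from a pcap.
"""
import struct
from collections import OrderedDict

# Static payload types from RFC 3551 for codecs the page lists; values >= 96 are
# dynamic and their codec is known only from the SDP that negotiated them.
STATIC_PT = {0: "PCMU", 4: "G723", 8: "PCMA", 9: "G722", 18: "G729"}


def parse_rtp(data):
    """Return the fixed-header fields of one RTP packet, or None if it is not RTP."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                          # RTP version must be 2
        return None
    hdr_len = 12 + 4 * (b0 & 0x0F)            # skip the CSRC list
    if b0 & 0x10:                             # header extension present
        if len(data) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", data[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(data) < hdr_len:
        return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": data[hdr_len:]}


def inventory(packets):
    """Group (src, dst, payload) tuples into streams keyed by (src, dst, ssrc)."""
    streams = OrderedDict()
    for src, dst, data in packets:
        hdr = parse_rtp(data)
        if hdr is None:
            continue                          # not RTP (or truncated); ignore
        key = (src, dst, hdr["ssrc"])
        s = streams.setdefault(key, {
            "codec": STATIC_PT.get(hdr["pt"], f"dynamic PT {hdr['pt']}"),
            "first_seq": hdr["seq"], "last_seq": hdr["seq"],
            "packets": 0, "payload_bytes": 0})
        s["packets"] += 1
        s["payload_bytes"] += len(hdr["payload"])
        s["last_seq"] = hdr["seq"]
    for s in streams.values():
        # Packets expected from the sequence span; tolerates one 16-bit wrap.
        expected = ((s["last_seq"] - s["first_seq"]) & 0xFFFF) + 1
        s["lost"] = expected - s["packets"]
    return streams


def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Constructed-data helper: build a minimal RTP packet (V=2, no CSRC, no extension)."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


PHONE_A = ("192.0.2.21", 16384)   # constructed
PHONE_B = ("192.0.2.22", 18000)   # constructed
SAMPLE_PACKETS = (
    # forward G.711 u-law audio with seq 102 missing
    [(PHONE_A, PHONE_B, build_rtp(0, seq, 160 * seq, 0x1111, b"\x00" * 160))
     for seq in (100, 101, 103, 104)]
    # reverse audio
    + [(PHONE_B, PHONE_A, build_rtp(0, seq, 160 * seq, 0x3333, b"\x00" * 160))
       for seq in (7, 8)]
    # forward H.264 video on a dynamic payload type, marker on the last packet of the frame
    + [(PHONE_A, PHONE_B, build_rtp(97, seq, 3000, 0x2222, b"\x01" * 40, marker=(seq == 3)))
       for seq in (1, 2, 3)]
    # a non-RTP UDP payload that must be skipped
    + [(PHONE_A, PHONE_B, b"not rtp")]
)

if __name__ == "__main__":
    for (src, dst, ssrc), s in inventory(SAMPLE_PACKETS).items():
        print(f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]} ssrc=0x{ssrc:08x} "
              f"{s['codec']} packets={s['packets']} lost={s['lost']}")
```

Taking a capture at each candidate tap point (access port, voice VLAN trunk, SPAN session) and running this inventory shows which conversations are reconstructable from there, which is the exposure map the page's "who can eavesdrop, and from what parts of your network" question asks for.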

Tested Platforms, Software, Protocols

The development and testing OSes for UCSniff are BackTrack Linux and Ubuntu 9.04.
UCSniff was intended for BackTrack/Ubuntu Linux, but it should compile and run on other platforms as well.

Tested Call Servers:

  • Cisco UCM 6.1 (SIP, Skinny)
  • Cisco UCM 7.0, 7.1(3) (Skinny)
  • Cisco CCM 4.1 (Skinny)
  • Asterisk SIP
  • Avaya Communication Manager (SIP)
  • SIPfoundry sipXecs 4.0.2

Tested IP Phones:

  • Cisco Unified IP Phone (7971G-GE, 7961G-GE, 7941G-GE, 7945G, 7942G)
  • Cisco 7940
  • Avaya 9620, 9630
  • Snom 320, Snom 200

Tested IP Video Phones:

  • Cisco Unified IP Phone 7985G
  • Polycom Soundpoint VVX 1500C (Realtime Video Monitor works)
  • Grandstream GXV3000 (Realtime Video Monitor works)
  • Ekiga SIP Client
  • Counterpath Eyebeam and Bria SIP Client configured for the H.264 codec

Tested OS Environments:

  • Ubuntu 9.04 (UCSniff 3.0)
  • BT3 (UCSniff 2.4)
  • BT4 (UCSniff 2.4)
  • VIPER Lab VAST (UCSniff 3.0)
  • Windows XP Pro SP3 (UCSniff 3.0)

Tested FFmpeg SVN Version:
root@thor:/usr/src/ucsniff-2.6# ffmpeg -v
FFmpeg version SVN-r20182, Copyright (c) 2000-2009 Fabrice Bellard, et al.
Built on Oct 6 2009 13:54:34 with gcc 4.3.3
configuration: --enable-libx264 --enable-gpl
libavutil 50. 3. 0 / 50. 3. 0
libavcodec 52.36. 0 / 52.36. 0
libavformat 52.39. 0 / 52.39. 0
libavdevice 52. 2. 0 / 52. 2. 0
libswscale 0. 7. 1 / 0. 7. 1

Usage

See the USAGE file/link for a detailed description of how to use UCSniff.

Credits

  • All Ettercap authors and contributors
  • All authors and contributors of SoX (Sound eXchange)
  • IMTelephone ~ http://www.imtelephone.com
  • VLC Authors ~ http://www.videolan.org/vlc/
  • Evin Hernandez, for testing feedback
  • Julian Storer (JUCE Library Author)
  • Steve Underwood - SpanDSP (DSP components for telephony/G.722 decoder)
  • FFmpeg Authors
  • VoIP Hopper Credits