A special thanks goes out to all of the developers, contributors, and authors of Ettercap. Ettercap is simply an awesome security tool. We re-used the ARP Poisoning, dissector design, and re-direction capabilities of Ettercap within UCSniff.
The UCSniff GUI simplifies eavesdropping security tests, making it incredibly easy to run UCSniff. Here are some informal instructions on basic usage of UCSniff.
You can specify the default interface, or a VLAN interface that has already been created with another program. In the screen shot below, I could select eth0 or the voice VLAN interface, eth0.99.
After selecting "Learning Mode", all you need to do is hit the "Start UCSniff" button.
Target mode is the recommended way to run UCSniff during an authorized pentest, with the lowest risk of service impact. When you select Target mode, you will be prompted with a list of targets. You can manually build the targets list, or you can run UCSniff in Learning Mode, letting UCSniff automatically build it. The file 'targets.txt' is parsed when you launch UCSniff GUI from the working directory.
Select the user you would like to target, and then select the red X button, as shown below. Then select the "Start UCSniff" button.
These users were selected from the following targets.txt file:
Make sure you always select the "Stop UCSniff" button after you are finished using UCSniff. This re-ARPs the victims.
If you are sniffing on a flat network and the interface of your station already has an IP address in the voice network, then there is no need to VLAN Hop. However, if you need to VLAN Hop, such as in an environment that uses Voice VLANs with CDP, then set VLAN Hop to 'Yes'. You will then have the option to spoof CDP, sniff CDP, or specify the VLAN ID.
To specify download of the VoIP Corporate directory, you can input the MAC Address of the Cisco Unified IP Phone. This feature works in environments that use Cisco UCM with the VoIP Corporate directory feature enabled. For more information on ACE, see here.
After you have started UCSniff and the Unified Sniffing has started, you should see several new tabs at the top of UCSniff.
When UCSniff detects an active SIP call, you should see information on the call appear in the main "Status and Output" window. When this happens, you can tab over to the Active Calls tab. You will see information displayed about the active calls, as shown below. Double-clicking one of the column headers (Destination Username) will refresh this display.
To start the Realtime Monitor for the active call that is in progress, simply scroll down in the Live Monitor drop down column and select Start.
The screen shot below depicts what this looks like in action.
To stop the Live Monitor for the active call, simply select "Stop" from the Live Monitor drop down menu, as shown below.
There are several miscellaneous options that can be enabled for UCSniff. Make sure that you select these options before starting UCSniff. For a description of these options, see the USAGE file.