so i really like wireshark. every time i open it up i find something else very cool and practical to make my job easier.
for example: we are testing a phone system out that is based on asterisk called digium switchvox.
overall, i have been pretty impressed with the setup, options, and tools digium gives us and from a functionality point of view, it's great.
looking at it from a security point of view, though, yields a different impression.
the first thing i noticed right off the bat was user passwords. they stink. they have to be numeric, and can only be a maximum of 10 digits, which makes bruteforcing user accounts pretty trivial.
the other thing that got my attention was how open the sip/sdp/rtp protocols are. i fired up wireshark and sniffed a few calls (off a spanned port on a switch) and found very quickly that you can easily record, playback, and dissect any voip calls. here is what i did:
- opened the pcap in wireshark 1.2.6, went to Telephony -> VoIP Calls

- selected the call i wanted to look at, clicked Player then Decode

- now click Play, and you are listening to both sides of a phone conversation, just like you were on the call

one other feature in wireshark i just found was the graph of the conversation. for troubleshooting and just understanding the traffic for future endeavors, i found the Graph option to be very useful. instead of clicking on the Player option, just select the Graph option from the VoIP Calls list, and you have the details of what happened on a call (from the packet's point of view). since a picture is worth a thousand words:
i did end up calling digium and tried to see if they could run sip over ssl, but no such luck.
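a quick way to check whether a call on your own pbx could be reconstructed the way described above is to look at what the sip invite actually offers. the script below is an added example (not from the original post, digium or wireshark): it reads the Via transport and the sdp media lines of a sip invite and flags cleartext signaling and plain RTP/AVP media. the two invites are constructed samples, and the crypto key material is a placeholder. note that sip over tls only protects the signaling; the audio stays readable unless the media itself is offered as srtp (RTP/SAVP plus a keying line).

```python
import re

# Constructed sample messages for this example, not captures from the post.
CLEARTEXT_INVITE = (
    "INVITE sip:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.21:5060;branch=z9hG4bK-1\r\n"
    "Call-ID: call-1@10.0.0.21\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.21\r\n"
    "m=audio 18000 RTP/AVP 0 8 101\r\n"
)

SRTP_INVITE = (
    "INVITE sip:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.21:5061;branch=z9hG4bK-2\r\n"
    "Call-ID: call-2@10.0.0.21\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.21\r\n"
    "m=audio 18002 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL\r\n"
)


def audit_sip_invite(message):
    """Return findings that explain why a call could be recorded and replayed
    by anyone who can capture the traffic; an empty list means nothing flagged."""
    findings = []
    head, _, body = message.partition("\r\n\r\n")
    # The transport token in the top Via header tells us if signaling is encrypted.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    if transport in ("UDP", "TCP"):
        findings.append(f"signaling over {transport}: SDP (media IPs, ports, codecs) is readable")
    # SRTP needs both a secure profile on the m= line and a keying line (SDES or DTLS).
    has_keying = bool(re.search(r"^a=(crypto|fingerprint):", body, re.M))
    for m in re.finditer(r"^m=(\w+)\s+(\d+)\s+(\S+)", body, re.M):
        media, port, profile = m.groups()
        if profile == "RTP/AVP":
            findings.append(f"{media} on port {port} uses RTP/AVP: payload can be decoded and played back")
        elif profile in ("RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP") and not has_keying:
            findings.append(f"{media} on port {port} declares {profile} but offers no keying line")
    return findings
```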
here is a link for wireshark: http://www.wireshark.org. their documentation is pretty good, and they have some videos that can be of some help as well.