VoIP Traffic Analysis: SIP + RTP

Captions
Hello, welcome to the VoIP Traffic Analysis course on Pentester Academy. In this video we will begin analyzing VoIP traffic, and will specifically pick up SIP and RTP and look at a two-caller conversation.

Before we begin, it's important to classify the different kinds of traffic we are going to encounter in this course. As we mentioned, our focus is going to be SIP and RTP, and there are four cases depending on whether SIP or RTP or both are encrypted or not. The first case is SIP and RTP both unencrypted; then SIP encrypted but RTP not encrypted; then SIP not encrypted but RTP encrypted, which is called SRTP or Secure RTP; and finally both of them encrypted. Depending on the network you may end up seeing a combination of all of these in different networks, so one network could be SIP plus RTP and another could be SIP plus SRTP. For each of these we will also look at different samples: wherever applicable we'll look at voicemails, two-caller calls, conference calls, and finally SIP messaging and DTMF.

In this video our focus is going to be SIP and RTP, and we are going to look at a two-person call. On the server side the configuration is that we've set the transport layer to listen on all interfaces, it uses UDP, and media encryption is set to none. On the client side we mention the IP addresses and again make sure that media encryption is disabled and transport is UDP. At the very end of this course there will be a couple of videos on how you can create your own home setup, but for this class I already have a pre-created pcap file which we will use. So what is the scenario? We have Bob at 20.132 and Alice at 20.1, and they communicate via the Asterisk server in between, which is at 20.130.

Before we begin analyzing this conversation and understanding how everything weaves together, let's use a simple block diagram to understand what it is that we want to learn. We have Bob, we have Alice, and we have the VoIP server in between. The most important thing here is that there are four streams which are responsible for a two-caller communication. The first stream is between Bob and the server, the second stream is server to Alice, the third stream is Alice back to the server, and finally stream four is server back to Bob. Why this is important is that when we look at encryption of RTP with SRTP, you'll notice that each of these streams is independently encrypted with a different key, and this matters because we will have to deal with every stream separately. As far as the port numbers are concerned, Bob and the server will have to decide which ports to use for voice data communication, and the same goes between the server and Alice. Note that what I am talking about right now is either RTP or SRTP; right above this, and then after the call is done and they want to end it with a BYE message, you have SIP.

So now let's actually jump in. I apologize in advance, this is going to be a long video, but I'd like to cover all the basics in one sitting. I'm going to launch a command prompt, go inside the VoIP class directory, then into the sample calls directory and then into SIP RTP, and open up "normal call two parties". We see that this has SIP and there's also RTP in here. What we've done is put in captures both between Bob and the server and between the server and Alice. In the real world you'd probably only be collecting on one side, but because we are still understanding this topic in detail, it is important to know what is happening on both sides. To begin our analysis I'm going to click on Telephony > SIP Flows, select all the flows, click on Flow Sequence, bring this down a bit, close this window, widen this up a bit.

The first thing to notice is that Bob is 20.132, 20.1 is Alice, and this is the server in between. We can clearly see the phone registering: this is Bob registering, and then you have Alice registering here. When you select any packet over here, the corresponding packet gets selected in the packet pane, like we saw in the last video. So the phones get registered; scroll down here and let's start with the call getting initiated. We can clearly see that the very first packet is an INVITE going from Bob to the server, and this is to initiate a call with Alice, so they end up talking through the server. If you remember, port 5060 was the UDP port number we had set up (I think it was UDP, yes, this is UDP). You'll notice down here that this is the first INVITE from Bob to the server, and the server immediately sends back a 401 Unauthorized. The server basically says, "I don't know you, go ahead and authenticate yourself." I'm going to put up a filter here for sip or rtp, just so we don't have to see all the other messages. I'm still selecting the 401 Unauthorized message, and what you'd find is that inside this message the authenticate header is being sent back to the client. The client then sends an ACK, which doesn't contain much, and then re-initiates the INVITE, but this time it makes sure that it is responding to the authentication request, so all the message digest stuff we've seen in a previous video is happening here. In comparison, if you look at the first INVITE the client had sent, that does not contain anything; there's really no authentication of any kind.

Now the client sends it, and because the authorization and authentication succeed, the server tells the client that it's going to try ringing Alice and then initiates a connection out to Alice. If you notice, this INVITE is now from the server to Alice; we can see it right here. Let's scroll down a bit. After Alice receives the message, her application sends back Trying and Ringing; we can see this here, we have Trying, we have Ringing, and this is forwarded to Bob as well, simply because Bob needs to know that progress is being made. Once Alice picks up the call, her application sends a 200 OK SDP message; the server acknowledges that to Alice and then sends a 200 OK SDP to Bob to tell him that the call has succeeded and Alice has decided to pick up the phone. Bob acknowledges that with an ACK and then sends an UPDATE SDP message, which receives a 200 OK. After that you'd find that we have RTP messages. If we scroll down to RTP, this contains the actual voice data, and this is going from Alice to the server, and then the server is forwarding it back to Bob; then Bob is sending voice data to the server, which gets forwarded to Alice. Even though you can currently only see these four packets, there are actually a bunch of other RTP packets in here; the SIP flow interface we are using only shows you the first couple, just to tell you that there are basically these four flows, as you can see: one, two, three, four. After the call is complete (and you can see there are a lot of RTP packets in here after that), once the whole phone call has been completed, one of the callers is going to generate the BYE message to indicate that the call is over. The server acknowledges that and then forwards the BYE to the other caller, who also acknowledges it. Once this is done, the call has been completely torn down. After that, as I mentioned in a previous video, we may see the phones go back and re-register, telling the registrar or the server that they're available to receive calls.

Fantastic, so this is how you can take a SIP flow sequence and map it to the packets. My recommendation, having worked with VoIP traffic for quite some time, is to use SIP Flows as the definitive way to start navigating VoIP traffic; if you are going to look at individual packets, you're only going to be confused.

Now let's look at some of the other things we were discussing. The idea that there are four streams is clear: stream one, stream two, stream three, stream four. In this case, because there is no encryption, everything is fine, we really aren't even counting the streams, but how can we see that there are four streams? Let's go back in here, close this, and click Telephony > RTP > RTP Streams, and what you'd find here is that we have these four streams. Keep in mind that this pcap has been distilled down to ensure that we only capture one single exchange between two callers. When you are mining traffic you're going to get a lot of data, which means you're probably going to get many, many streams from many, many callers, so you'll have to make sure you apply filters, etc. You'd notice that the streams have a source port and a destination port and something else called an SSRC; I will come to what this is. After that you have the number of packets in the stream and a couple of other things.

To understand how to look at these streams, I'm going to once again go in here and click on SIP Flows, and now I'm going to go all the way over here to when the call has just been initiated. Here it is, the INVITE SDP packet. Let's start looking at what is in there. SDP is the Session Description Protocol, and this is used to describe the session; SIP is internally carrying SDP, and SDP has a lot of parameters required to set up the session correctly. If you look at the first SDP packet, which is from Bob to the server (I'm going to remove this pane), you find that there are a bunch of parameters in here, codec information and whatnot, but if you want to locate the port numbers which are going to be used, you should look at the Media Description. What you'd notice here is that Bob tells the server, "when I'm going to use RTP, I'm going to use port 4000 as the source port." This is sent to the server, and when the actual RTP exchange begins, Bob is using port 4000, as you can see, which is also mapped in the flow sequence diagram; you can see port 4000 clearly here. It is important to note that I am talking about RTP; all these SIP messages before that are using some random port on the client side, and on the server side are using port 5060, which is what we had configured on the server, if you remember the configuration I showed you in the slides. So now let's go down here. If you select the SDP packet from Bob to the server, we can clearly see that Bob has chosen port 4000. Similarly, if I look at the SDP packet going from the server to Bob, and that's the 200 OK SDP packet, this is it from the server to Bob, you'd see that the port number being requested is 12262. This is the port number the server plans to use, and if you just scroll down you'll see that this is the port number the server is using to send and receive RTP packets from and to Bob. Similarly, we have SDP packets between the server and Alice. This is the INVITE SDP from the server to Alice, and the server tells Alice it plans to use port 17004, which is what it ends up using; if we scroll down a bit, there you go, 17004. Then Alice, in her 200 OK message back to the server, says that she wants to use port 4000. It's a very common port for VoIP traffic, RTP traffic, so most of the time you might end up seeing 4000, but nothing stops the client from changing this. So now what we have established is that there are these four streams, and we've also established how port numbers are being dynamically chosen. Firewalls on the edge look into these packets, and even they can figure out these associations and know which outbound ports to allow.

Now the last thing: how do you identify each stream? If we pick up the RTP direction, let's pick up Bob to the server first. Here it is, Bob to the server. If we look at any of the RTP packets, you'll notice this has a little field called the synchronization source identifier, right here. This field is really important because for a given stream it remains constant, so if you wanted to look at all RTP packets going from Bob to the server and you identified that the synchronization source identifier is this value, all you have to do is apply a filter for this, and if you look at all of this traffic you'd find that all of these RTP packets are going from 20.132 to 20.130, which is Bob to the server. Now let's remove this filter. Similarly, if you wanted to look at server to Bob, select that on the flow sequence, go back to the packet pane, here is the RTP packet, apply a filter on the source identifier (I have no clue why it isn't allowing me to select it as a filter; ah, there you go), and now you can see all RTP traffic between the server and .132, Bob. Again, similarly, you could find out between the server and Alice. Here is Alice to the server; we'll have to make sure that the filter is gone. Alice to the server, we can see this has a different SSRC, and then server to Alice, a different SSRC. Fantastic. So far what we've learned is that we can very easily figure out all four streams and the port numbers, so that we understand how all of these entities are communicating over the network.

Last but not least, where is the voice data? All of these pains are really to make sure that we can listen to the actual phone call, so you're probably wondering where the actual phone call is. There are many ways to do it: you can click SIP Flows, select, click on Play Streams, and this will open up all four streams. I'd like to caution you that Wireshark is not really an audio player, so a lot of the time you'll see that this interface can be very sluggish when you try to play it. The important thing to note is that we will talk about other ways to extract this audio and listen to it on a regular player, but for what it's worth, we might as well listen to it. I'm going to hit play, so let's listen to the conversation. There you go; again, I have made sure that I don't lose any chance to shamelessly promote Pentester Academy every minute. If you want to look at each of the individual streams you could do that as well; if you just select it, it'll tell you the source is .132 to .130, here is the second stream, here is the third stream and the fourth stream, and you could hit the play button. It may take some time; if you notice, this has become sluggishly slow, and this is to be expected, so don't worry if this is happening, and again, as I said, it didn't end up playing properly. We will solve all of these in the course of this entire series, and it's important that you understand that you are going to face this again and again and again. The other way to look at all these streams is to click Telephony > RTP > RTP Streams, and then you could look at these streams individually: click on any of these streams, click Analyze and then click Play Streams. In this case only that stream is shown, and again you could try to play it, and if this is sluggishly slow it is to be expected; as I mentioned, you will see this a lot. In the next video I will show you two techniques by which we can easily take the audio out of the packets.

Well, that's all I had in mind for this video. We've learnt a lot; I know this has been a very long video, but I really wanted to look at all the important things in one sitting. In the next video we look at how we can extract audio using the simplest possible technique, and as we move along we'll look at other techniques when we come to encryption. That's all, thank you, and please recommend Pentester Academy.
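As an added example (written for this page, not Pentester Academy's own code), here is the four-stream enumeration the video performs by hand in Wireshark's RTP Streams dialog, done in Python over a constructed capture. It pulls the announced port out of the SDP media description of each SIP message, decodes the fixed 12-byte RTP header to read the SSRC, groups packets into streams keyed by addresses, ports and SSRC the way Wireshark does, checks that each stream's source port was actually announced in SDP by that sender, and emits the `rtp.ssrc` display filter that isolates the stream. The host addresses, the `example.invalid` URI and every packet payload are constructed; the port numbers follow the ones read off the video's capture (Bob 4000, server 12262 towards Bob and 17004 towards Alice, Alice 4000).

```python
"""Added example (not Pentester Academy's code): enumerate the RTP streams of a two-party
SIP call from raw UDP payloads and tie each one back to the port announced in SDP."""
import re
import struct
from collections import defaultdict

# Assumed lab addresses (the video's hosts end in .132, .130 and .1xx on a 20.x network).
BOB, SERVER, ALICE = "192.168.20.132", "192.168.20.130", "192.168.20.131"


def parse_sdp_media(sip_message: str):
    """Return (connection_ip, audio_port) from a SIP message's SDP body, or None if no SDP."""
    if "\r\n\r\n" not in sip_message:
        return None
    headers, body = sip_message.split("\r\n\r\n", 1)
    if "application/sdp" not in headers.lower():
        return None
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not (conn and media):
        return None
    return conn.group(1), int(media.group(1))


def parse_rtp_header(payload: bytes):
    """Decode the fixed RTP header (RFC 3550 section 5.1); None unless version == 2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts, "ssrc": ssrc}


def enumerate_streams(packets):
    """Group RTP packets into streams keyed as Wireshark does: addresses, ports and SSRC."""
    streams = defaultdict(lambda: {"packets": 0, "pt": None, "first_seq": None, "last_seq": None})
    for src, sport, dst, dport, payload in packets:
        if not isinstance(payload, bytes):
            continue                      # SIP and other text payloads are not RTP
        hdr = parse_rtp_header(payload)
        if hdr is None:
            continue                      # not RTP v2 (e.g. STUN or stray UDP)
        s = streams[(src, sport, dst, dport, hdr["ssrc"])]
        s["packets"] += 1
        s["pt"] = hdr["pt"]
        s["first_seq"] = hdr["seq"] if s["first_seq"] is None else s["first_seq"]
        s["last_seq"] = hdr["seq"]
    return dict(streams)


def correlate(packets):
    """One row per RTP stream: whether its source port was announced in SDP by that sender,
    plus the Wireshark display filter that isolates the stream by SSRC."""
    announced = set()
    for src, _sport, _dst, _dport, payload in packets:
        if isinstance(payload, str) and (m := parse_sdp_media(payload)):
            announced.add((src, m[1]))
    rows = []
    for (src, sport, dst, dport, ssrc), s in sorted(enumerate_streams(packets).items()):
        rows.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "ssrc": ssrc,
                     "packets": s["packets"], "announced_in_sdp": (src, sport) in announced,
                     "filter": f"rtp.ssrc == 0x{ssrc:08x}"})
    return rows


def _sip(start_line, ip, port):
    """Constructed SIP message carrying a minimal SDP body that offers/answers an audio port."""
    body = f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0 8\r\n"
    return f"{start_line}\r\nContent-Type: application/sdp\r\nContent-Length: {len(body)}\r\n\r\n{body}"


def _rtp(ssrc, seq, pt=0):
    """Constructed RTP packet: v=2 header plus one 20 ms frame of G.711 u-law silence (0xFF)."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\xff" * 160


# Constructed capture as (src, sport, dst, dport, payload) tuples standing in for UDP datagrams.
SAMPLE_CALL = [
    (BOB, 5061, SERVER, 5060, _sip("INVITE sip:alice@example.invalid SIP/2.0", BOB, 4000)),
    (SERVER, 5060, BOB, 5061, "SIP/2.0 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"),
    (SERVER, 5060, ALICE, 5060, _sip("INVITE sip:alice@example.invalid SIP/2.0", SERVER, 17004)),
    (ALICE, 5060, SERVER, 5060, _sip("SIP/2.0 200 OK", ALICE, 4000)),
    (SERVER, 5060, BOB, 5061, _sip("SIP/2.0 200 OK", SERVER, 12262)),
    (BOB, 4000, SERVER, 12262, b"\x00\x01\x00\x00" + b"\x00" * 16),   # STUN-like, not RTP v2
]
for i in range(3):
    SAMPLE_CALL += [
        (BOB, 4000, SERVER, 12262, _rtp(0x1A2B3C4D, 100 + i)),       # stream 1: Bob -> server
        (SERVER, 17004, ALICE, 4000, _rtp(0x5E6F7081, 200 + i)),     # stream 2: server -> Alice
        (ALICE, 4000, SERVER, 17004, _rtp(0x92A3B4C5, 300 + i)),     # stream 3: Alice -> server
        (SERVER, 12262, BOB, 4000, _rtp(0xD6E7F809, 400 + i)),       # stream 4: server -> Bob
    ]

if __name__ == "__main__":
    for row in correlate(SAMPLE_CALL):
        print(f'{row["src"]:>22} -> {row["dst"]:<22} ssrc=0x{row["ssrc"]:08x} '
              f'pkts={row["packets"]} sdp={row["announced_in_sdp"]}  {row["filter"]}')
```

On a real capture you would feed the same tuples from whatever extracts UDP payloads for you (for example `tshark -T fields` or scapy). Two caveats worth keeping in mind: behind NAT the `c=` address in SDP can differ from the packet's source address, which is why the check above keys on the port only; and an endpoint may change its SSRC after a re-INVITE or a restart, so one logical direction can show up as two streams in this listing, exactly as it does in Wireshark's RTP Streams dialog.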
Info
Channel: Pentester Academy TV
Views: 52,990
Keywords: voip, sip, rtp, basics, tutorial, security, hacking, pentester academy
Id: aKkYc7PwY-U
Length: 24min 50sec (1490 seconds)
Published: Tue Jul 10 2018