Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cracking Net2Phone and other VoIP technologies by Todd Moore.

Similar presentations


Presentation on theme: "Cracking Net2Phone and other VoIP technologies by Todd Moore."— Presentation transcript:

1 Cracking Net2Phone and other VoIP technologies by Todd Moore

2 Cracking Net2Phone Net2Phone and many other VoIP technologies are not safe from wiretaps Dialed phone numbers easily decrypted Conversations can be reconstructed for playback

3 Net2Phone Dialed Numbers : 5E 6E C 6C 34 5F 65 6D [^newcall4_em 192] : 2E E 30 2E [ ] : [ ] : [ ] < : [F90DB1F2D ] < : [7F90811F7E998114] : [7E D91 ce3] a6 : 2E 30 2F [.0/45 S ] b6 : [ B ] c6 : [7341F ] d6 : [57F90DE1F7D93DF5] e6 : E [722D0 NPCD01R210] f6 : E 20 4E F 6D 5C 33 [ en N2P 0 from\3] : C C 74 [Dbeheader2\20alt] : 63 6F C C C [codec\3D50,60,20] : 2C C C E 5C [,30,10\20pin\3Df] : 61 6C A [alse.] 1=key 2=encoded phone number Captured packet containing phone number

4 Net2Phone Algorithm Key: k1k2k3k4 Code: c1c2c3c4 c1c2c3c4 c1c2c3c4 … Decode: k1k2k3k4 xor c1c2c3c4 = r1r2r3r4 Order: r4r2r1r3 Dialed: 1 (123) Key: 33BB6E01 Code: 33BB6F01 = = B16C01 = 010A0200 = 000A BF6802 = = AB36E06 = =

5 Conversation Playback RTP is commonly used protocol for Voice- over-IP (VoIP) communications struct RTP_Header { // byte 1: unsigned char csrc_count:4; unsigned char extension :1; unsigned char padding :1; unsigned char version :2; // byte 2 unsigned char payload_type:7; unsigned char marker:1; // byte 3-4 unsigned short seq_num; // byte 5-8 unsigned int timestamp; // byte 9-12 unsigned int ssrc; } rtp

6 Conversation Playback Most important fields are Payload_Type and Timestamp Payload type will tell you the type of audio codec to use (0=ULAW, 2=ADPCM, 4=G.723, 8=G.711 ALAW, etc) Timestamp will tell you when the audio should be played and if there are silence gaps (silence is not transmitted)

7 Conversation Playback 5 Steps for audio replay from capture 1.Reassemble 2.Decompress 3.Fill Silence Gaps 4.Adjust Starting Time 5.Mix & Play

8 Conversation Playback 1. Reassemble - Reassemble RTP packets into two streams ip1:port1 to ip2:port2 and ip2:port2 to ip1:port1 Stream 1 Stream : > : : > : rtp

9 Conversation Playback 2. Decompress - Determine the audio codec used and uncompress payload of each packet RTP PT=4 uncompressed G.723 compressed CODEC Decompression

10 Conversation Playback 3. Fill Silence Gaps - Determine the minimum timestamp interval for each individual stream and fill in any silence gaps rtp Time: (min: 300) 1 gap 2 gaps rtp Time: rtp Insert silence for each gap

11 Conversation Playback 4. Adjust Starting Time - Add silence gap to the late starting stream based on packet capture time Stream 1 Stream 2 rtp +2 seconds Stream 2 rtp First packet of this stream was captured +2 seconds after the other stream Fill in silence gap so the two streams are in sync Stream 1 rtp

12 Conversation Playback 5. Mix & Play - Mix both uncompressed streams for audio playback Stream 2 Stream 1 Mix

13 Demo of VoIP Replay Demo of VoIP replay using NetWitness® Reader NetWitness® Reader with demo data available for download at


Download ppt "Cracking Net2Phone and other VoIP technologies by Todd Moore."

Similar presentations


Ads by Google