May 8, 2015

Messing With VoIP Calls Using NFQUEUE

For the project of one of my students we need to intercept and modify SIP messages. Our first idea was to configure a proxy in the SIP user agent (soft phone) and to modify an existing SIP proxy to our liking. Unfortunately this approach did not work reliably, as the soft phone seemed to be faulty: some SIP messages were sent via the proxy we had configured, others were sent directly to the server. Not good for us. We need all messages.

I got the idea to use Netfilter for our purpose. Basically you register filter rules with the iptables command that use the NFQUEUE target; every matching packet is then handed to your user-space application (through libnetfilter_queue), which has to give a verdict before the packet moves on. Once you have your packets there, you can modify them to your liking and finally send them to their original destination. Or to another destination. Or to nowhere (drop them).

So I created a small python SIP “MitM” script for my educational pleasure that intercepts and modifies SIP messages. The script replaces the number of the called party in outgoing SIP messages (it appears in the Request-URI and in the To header) with another number I can choose. This substitution is undone when SIP messages come in from the SIP server, so the script is entirely transparent to the soft phone. The phone calls number X but gets connected to number Y.

Unfortunately there’s a small problem: Typically, the SIP server of your phone company challenges the soft phone with HTTP Digest authentication (SIP reuses the scheme from RFC 2617). The server sends a nonce, and the soft phone answers with a hash computed over the nonce, its credentials, the request method and the Request-URI. Since the Request-URI contains the called number, the response depends on that number. As the soft phone does not know about the replaced number, it computes the response for the original number. Hence, the response does not match the expectation of the server and the request is rejected. Oh bother.

So we need to replace the original response with the expected response. Unfortunately, these responses also depend on the secret/password of the calling SIP account (it goes into the first hash, together with the user name and the realm). Typically we do not have this secret, but as this is a simplified example that demonstrates NFQUEUE usage we just assume that I have the secret :) Under this precondition, the script can compute the response for the replaced number and our little VoIP “attack” succeeds. Of course, all of this only works because the signalling travels in the clear over UDP; with SIP over TLS there would be nothing for NFQUEUE to rewrite.
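The whole flow from the previous paragraphs (swap the called number on the way out, re-sign the request with the known secret, undo the swap on the way in, and hook it all into NFQUEUE) as an added example; this is illustration code written for this page, not the author's script. The numbers X and Y, the password, the sample INVITE and 200 OK, the `softphone_invite`/`server_accepts` helpers (which play the two ends so the digest problem can be shown offline) and the NFQUEUE glue (python-netfilterqueue plus scapy, imported lazily so everything else runs without them) are all constructed assumptions.

```python
# Added illustration of the post's idea, not the author's script; all values and the NFQUEUE glue are assumptions.
import hashlib
import re

DIALED_NUMBER = "5551234"   # X: what the softphone dials (constructed)
TARGET_NUMBER = "5559876"   # Y: whom we actually connect to (constructed)
SIP_PASSWORD = "s3cret"     # account secret, assumed known as in the post
DIGEST_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
BARE_KEYS = {"qop", "nc", "algorithm"}   # sent unquoted in Digest credentials (RFC 2617)

def parse_sip(msg: bytes):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body

def build_sip(start: str, headers, body: bytes) -> bytes:
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]).encode() + b"\r\n\r\n" + body

def parse_digest(value: str) -> dict:
    """'Digest k="v", k2=v2, ...' -> ordered dict with the quotes stripped."""
    return {k: q if q else b for k, q, b in DIGEST_RE.findall(value[len("Digest "):])}

def format_digest(params: dict) -> str:
    return "Digest " + ", ".join(f"{k}={v}" if k in BARE_KEYS else f'{k}="{v}"' for k, v in params.items())

def digest_response(method: str, p: dict, password: str) -> str:
    """HTTP Digest as SIP uses it (RFC 3261 sec. 22): HA2 binds the method and the Request-URI."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5(f"{method}:{p['uri']}")
    if p.get("qop"):
        return md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return md5(f"{ha1}:{p['nonce']}:{ha2}")

def swap_number(msg: bytes, old: str, new: str, fix_digest: bool) -> bytes:
    """Replace old->new in Request-URI, To/From and the Digest 'uri'; optionally re-sign the request."""
    start, headers, body = parse_sip(msg)
    parts = start.split(" ")
    if len(parts) == 3 and parts[2] == "SIP/2.0":      # request line (a status line starts with SIP/2.0)
        parts[1] = parts[1].replace(old, new)
    out = []
    for name, value in headers:
        if name.lower() in ("to", "t", "from", "f"):
            value = value.replace(old, new)
        elif name.lower() in ("authorization", "proxy-authorization") and value.startswith("Digest "):
            params = parse_digest(value)
            if "uri" in params:
                params["uri"] = params["uri"].replace(old, new)
                if fix_digest:   # the phone hashed the old URI; hash the new one with the known secret
                    params["response"] = digest_response(parts[0], params, SIP_PASSWORD)
                value = format_digest(params)
        out.append((name, value))
    return build_sip(" ".join(parts), out, body)

def rewrite_outgoing(msg: bytes, fix_digest: bool = True) -> bytes:   # softphone -> server: dials X, asks for Y
    return swap_number(msg, DIALED_NUMBER, TARGET_NUMBER, fix_digest)

def rewrite_incoming(msg: bytes) -> bytes:   # server -> softphone: undo the swap, the phone still sees X
    return swap_number(msg, TARGET_NUMBER, DIALED_NUMBER, False)

def softphone_invite(number: str, password: str = SIP_PASSWORD) -> bytes:
    """Constructed INVITE as a softphone would resend it after a 407 challenge."""
    uri = f"sip:{number}@example.com"
    params = {"username": "alice", "realm": "example.com", "nonce": "dcd98b7102dd2f0e",
              "uri": uri, "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b"}
    params["response"] = digest_response("INVITE", params, password)
    body = b"v=0\r\no=alice 1 1 IN IP4 10.0.0.2\r\ns=-\r\nm=audio 4000 RTP/AVP 0\r\n"
    headers = [("From", "<sip:alice@example.com>;tag=1928301774"), ("To", f"<{uri}>"),
               ("Call-ID", "a84b4c76e66710"), ("CSeq", "2 INVITE"), ("Proxy-Authorization", format_digest(params)),
               ("Content-Type", "application/sdp"), ("Content-Length", str(len(body)))]
    return build_sip(f"INVITE {uri} SIP/2.0", headers, body)

def server_accepts(msg: bytes, password: str = SIP_PASSWORD) -> bool:
    """Server side: the Digest 'uri' must equal the Request-URI and the response must verify."""
    start, headers, _ = parse_sip(msg)
    method, request_uri = start.split(" ")[:2]
    auth = {n.lower(): v for n, v in headers}
    p = parse_digest(auth.get("proxy-authorization") or auth.get("authorization") or "Digest ")
    return p.get("uri") == request_uri and p.get("response") == digest_response(method, p, password)

def make_nfqueue_callback(rewrite):
    """python-netfilterqueue callback: unpack IP/UDP with scapy, rewrite the SIP payload, re-inject."""
    def callback(pkt):
        from scapy.all import IP, UDP, Raw                 # lazy: only needed when hooked into NFQUEUE
        ip = IP(pkt.get_payload())
        if ip.haslayer(UDP) and ip.haslayer(Raw):
            ip[Raw].load = rewrite(bytes(ip[Raw].load))
            del ip[IP].len, ip[IP].chksum, ip[UDP].len, ip[UDP].chksum   # scapy recomputes them on build
            pkt.set_payload(bytes(ip))
        pkt.accept()
    return callback

if __name__ == "__main__":
    # iptables -I OUTPUT -p udp --dport 5060 -j NFQUEUE --queue-num 1   (and INPUT/--sport 5060 -> queue 2)
    from netfilterqueue import NetfilterQueue
    nfq = NetfilterQueue()
    nfq.bind(1, make_nfqueue_callback(rewrite_outgoing))
    nfq.bind(2, make_nfqueue_callback(rewrite_incoming))
    nfq.run()
```

Run as root with the two iptables rules from the comment in place; using one queue per chain tells the callback the direction without guessing from ports. `rewrite_outgoing(msg, fix_digest=False)` reproduces the problem from the post: the Request-URI and the Digest `uri` now name Y, but the `response` was hashed over X, so `server_accepts` fails until the response is recomputed with the account secret.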

© ho1ger 2015 - 2022