Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Cain&Abel provides support for MitM attack on SIP TLS

I started using Cain&Abel for so many years ago for analyzing and troubleshoot WLAN. It has rich support for different WLAN protocols and also general network protocols. Visiting their webpage today, reveals that they are definitely keeping the speed up on the updates, especially on VoIP. From

Cain & Abel v4.9.31 released

  • SIPS Man-in-the-Middle Sniffer (TCP port 5061; successfully tested with Microsoft Office Communicator with chained certificates).
  • Added support for RTP G726-64WB codec (Wengo speex replacement ) in VoIP sniffer.
  • X509 certificate’s extensions are now preserved in chained fake certificates generated by Certificate Collector.
  • Extended ASCII characters support for SSID in Passive Wireless Scanner.

This tool makes “The Man in the Middle” attack easy. Redirect the DNS address for a SIP Server to this tool, then proxy the traffic to the right server. You will gather all passwords for all clients “passing by”. So,  always, always use proper signed certificates on your servers. The VoIP client (SIP UA) should not (easily) accept connections from a SIP TLS server where the certificate can not be validated.

Older release news are interested for those handling the Microsoft OCS:

  • Added support for the following codecs in VoIP sniffer: G722, Speex-16Khz, Speex-32Khz, AMR-NB, AMR-WB.
  • Added SIREN codec support in VoIP sniffer (the default one used by Windows Messenger).  (from 207…)

Cain&Abel is an excellent tool for debugging voice problems in the full HD voip world as well now!
Thanks to MAO in Oxid for providing this great tool!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: