I have a Polycom phone that is on the public internet, and is registered SIP/UDP to my Metaswitch. Wiresharking a mirrored port was showing normal SIP and RTP traffic. THEN- someone got into the phone via web, deleted the SIP info so the phone was no longer registered, and started blasting the IP with TLS traffic: TLSv1 Client Hello packets, Change Cipher Spec, and app data packets. I updated the SIP reg info, got the phone registered again and updated the web PW. The phone does work, however now all I see on Wireshark is the TLS traffic; I don't see any SIP or RTP traffic. Why can't I see the SIP/RTP traffic?? asked 24 Mar '15, 08:28 GAS edited 29 Mar '15, 19:03 Guy Harris ♦♦
One Answer:
Probably the "someone" has also enabled SSL/TLS on the phone. Maybe you'd better factory default it and reinstall firmware in case the "someone" installed a custom firmware version. answered 24 Mar '15, 13:16 SYN-bit ♦♦
I looked at the phone, TLS is not enabled, it still has the Polycom firmware on it. I can run a call trace (in my switch) on the call to the phone and see SIP traffic to and from the phone, but it's not showing up on Wireshark.
Thanks
Still looks like the attacker tried to do more than just 'delete the SIP info', especially since they followed up with specific TLS traffic. Doesn't sound like some random script kiddie to me.
Also you didn't specify which 'IP' was blasted with TLS traffic. Be specific on your interfaces please.
The public IP of the phone is getting all the TLS traffic, from a European IP address. I guess what's odd to me is that the phone is working (they made a 1.5 hour call yesterday), I see SIP traffic in the call trace in my switch, but no SIP or RTP traffic on Wireshark.
I restarted Wireshark, made sure it is in promisc mode, etc.
What do you see on the Wireshark capture? Any other SIP clients, just not yours? Nothing at all? A different VLAN? Is the mirror still intact, correctly configured? How long ago did you have a working SIP/RTP traffic capture of your phone?