Calling Comdial - Part 2

by Metalx1000

Hello all, once again.

I've learned some things since my last article on Comdial phones.  Comdial was founded in 1977 and went defunct in 2005.  Now owned by Vertical Communications, they still make VoIP phones and I've seen the identical models released with a different logo on them.  Now, instead of saying Comdial at the top of the phone, they say "Vertical".  Also, the model is now "Edge 300" instead of "CONVERSip EP300".  Other than the different logos they seem to be the same phones, so I am confident that these techniques will work on these new phones as well.

Last time I went over logging into the phone remotely using Netcat on port 9027.  This time I'm going to show you a little more you can do with port 9027 and then I'll explain how you can use Ettercap to remotely record conversations from most VoIP phones through the local network.  But first, here is a quick review and some commands I did not go over last time.

Each button on the Comdial phone has an LED light on it.  If you send the L command to the phone on port 9027, it will make the LEDs all flash in a cool pattern.  It's very Christmas-light like.  You can connect to the phone with Netcat, as I showed you last time, and press the L key (it is case sensitive) and Enter like so:

$ nc 9027
[12:29:21.778] command_poll: got listenfd event
[12:29:21.790] command_poll: action->fd_ptr=9 accepted
[12:29:21.790] Connected to station 237
[12:29:21.789] Phone Version: 3.0.026
[12:29:21.789] Phone Build Date: 01/16/2009 12:29:21
[12:29:21.789] Phone MD5Sum: 3777ad4b3ac20ae9b56391267e81bb90
[12:29:21.799] Boot Version: 1.04
[12:29:21.800] Boot Build Date: 05/03/2005 22:40:17
[12:29:21.800] Boot MD5Sum: 5b84e34dcf06235e3763c755a9c57e9c
[12:29:23.009] ServiceSubscriptions: Started
[12:29:23.009] ServiceSubscriptions: Ended
[12:29:24.218] Test LED enabled:
Use 'u' and 'd' keys to select a cadence, then press an LED
[12:29:24.229] Current cadence: R

To get the phone to stop flashing just send the L command a second time.

Now, you can also pipe the command in, connect, and disconnect all in one shot like so:

$ echo L | nc 9007 -q1

This sends the L key to the phone and the -q1 is a switch telling Netcat to disconnect after one second.

Now let's say you have a bunch of phones that you want to make flash all at once.  We can do this with a few simple commands.  But first, we need to get a list of all the phones.  Let's use Nmap, the networking Swiss army knife, and save the output to a file like this:

$ nmap 192.168.22.* -p 9027 > comdial.lst

This may take a little while, so be patient.  It will create a text file called "comdial.lst" and the contents of that file will look something like this:

Host appears to be up ... good.
Interesting ports on
9027/tcp closed unknown

Host appears to be up ... good.
Interesting ports on
9027/tcp open unknown

Host appears to be up ... good.
Interesting ports on
9027/tcp open unknown

The Comdial phones are the addresses with the "9027/tcp open unknown" lines.

So, now we need to run a command that will find the "9027/tcp open unknown" lines in our "comdial.lst" file, strip away everything except the IP addresses of the Comdial phones, and then input those addresses into our Netcat command.

I've used a combination of grep, cut, and awk to do this:

cat comdial.lst | grep open -B 2 | grep "Inter" | awk '{print $4}' | cut -d\: -f1 | while read ip; do echo L | nc $ip 9027 -q1; echo "$ip...check"; done

So, we cat out our list and use grep to grab the lines with "open" and the two lines before them.  Then we use awk to grab the IP address and cut to remove the tailing colon.  We then pipe "L" into Netcat for each IP address that we grabbed.  The echo "$ip...check" is just a visual output for the user to know how far along in the process they are.  I know that's a long line, but it will run through each IP pretty fast and you will have a bunch of flashing lights all over your office.  And to stop them, just run it again.

That was fun, but this is where the real fun starts.

Let's use Ettercap and Wireshark to remotely capture voice conversations from the phone.  Both Ettercap and Wireshark are free and open-source.  I'm using a Linux machine, but I believe that they both run on Windows as well, if you're one of those people.  You will need a halfway decent computer and a good connection for this.  This is because if your computer runs slowly, the conversation will break up and the people talking will hang up and redial, which can also be fun to do.  I'm using my Eeepc 900 by Asus, which has a 900 MHz Celeron Mobile processor and 1 GB of RAM.  Sometimes it works great, sometimes it runs a little slow so, to use this technique reliably, I would suggest something a little faster.

I'm going to show you how to use Ettercap to capture the traffic and Wireshark to decrypt the conversation.  You could use Wireshark to do both, but I prefer using Ettercap to capture packets.  One reason I prefer Ettercap over Wireshark for capturing is that its command line interface is simple to use and it is easily installed on computers as well as hand-held devices.  One such device is the Nokia N800/N810 Internet tablet.  I have one of these and it works great with Ettercap, and can fit easily into your pocket.

Here is the command you will type for capturing the packets:

$ ettercap -T -Q -M arp:remote -i ath0 / -w comdial.cap

The -T tells Ettercap to run in text mode, instead of GUI mode, and the -Q tells it to run in quiet mode.  If you don't use the -Q switch, it will try to display all the packets captured on the screen.  This will bog down your computer and most likely slow down the whole network as well as bump the people on the phones off.  The -i ath0 is your network interface and may change depending on your computer.  The / tells Ettercap to capture all info between the two IP addresses.  One of the IP addresses is the phone and the other is the router it's connected to.  So basically, it is capturing all the traffic for that phone.  If you were to change that to //// it would try to capture all network traffic for the entire network.  Unless you have a very fast computer, this will bring the network to a halt.  And finally the -w comdial.cap is telling Ettercap to save all packets captured to a file called comdial.cap.

You have to be on the same local network as the VoIP phone to capture packets from it.  I'm not going to go into detail on how packet capturing works, but that's just how it is.  So, you can do this to phones in your office while you are at the office.  You won't be able to do it from home or another office location, since you have to be on the same local network, but you will be able to capture any incoming calls to the targeted phone.

Once you are done capturing the info you want, press q to quit Ettercap.  You can also use the good old Ctrl+C to quit Ettercap, but this will give you a message that says "User requested a CTRL+C... (deprecated, next time juse proper shutdown)".  I have used Ctrl+C to quit before, and it didn't cause any problems, but I would just suggest using q since that is the proper way to do it and you never know what might go wrong if you don't.

Now we can open Wireshark to decode and listen to any conversations that may have taken place on the phone while we were capturing.  You can either run "wireshark comdial.cap" at the command line, or open Wireshark and do the regular "File --> Open" from the menu.

Now that you have the files open, you will see a list of all packets captured.  There will be a lot there and you may want to look through it to see if you can find anything interesting.  But for now, we're just going to be listening to voice conversations.

Click "Statistics" from the menu bar and go down to "VoIP Calls".  Wireshark will scan through all the packets and find any VoIP calls for you.  Select one from the list and then press "Player".  A new window will open.  There is a box that says "Jitter Buffer" and it defaults to 50 milliseconds.  I've changed this number and it didn't seem to change the audio output at all.  So, just press the "Decode" button and, though it may take a few seconds, it will display two audio tracks.  At first you might think that these are left- and right-audio channels, but they are not; they are caller and receiver channels.  That's right, both parts of the conversation are recorded to separate files.

To play the tracks, check the check box under the audio track or tracks you want to listen to.  Then press "Play".  You should hear the conversation you recorded.  The recording may play back a little slow, but that is normal.

Well, this has been Part 2 of my Comdial articles.  I hope you liked it because I plan on writing another on how to call a Comdial (or any SIP phone) from your computer or hand-held device.

Thanks to Canola & Gun_Smoke for your help and support.

Calling Comdial - Part 1