Security script to test OXE

Did you say hacking ?
Post Reply
Posts: 4
Joined: 14 Dec 2007 16:19

Security script to test OXE

Post by cedric_baillet » 23 Apr 2008 07:21

Dear all,

It happens that i wrote some scripts to play with UA Noe protocol and automate voice vlan penetration using AVA. They bring, i think, through many imperfections, novelties to the ALU security testing world, since there was nearly nothing there on the web (or let say that i didn't find anything ...). you can find them on the following web site:

I would really enjoy sharing those scripts and have feed back on them.

I’ve develop AlcatelCallBreaker for a security demo exposed during the 2008 Alcatel forum. The idea was to have a script that let me play with the proprietary UA Noe signaling protocol to show that encryption of signaling protocol was important.

This script is only effective in a small lab of two or tree ip phones.

The idea there is to do a man in the middle attack to identify signaling flows between the call server and the ip phones. Once they are identified, the script will send the on hook UA Noe sequence to ip phones. They will be frozen and should reboot a few minutes later.

This script was developped under linux kubuntu 7.10.

It need:

scapy (1.1)


python (2.5)

Plawava (Playing with AVA) is a script dedicated to Alcatel Lucent voip environment. I’v�one it to present a security demo at the 2008 Alcatel forum. The idea was to reproduce the voiphopper functionnality, meaning introduce as simply as possible a PC in the voice vlan. Considering the fundamental difference between Cisco And Alcatel solution, it is clear that they do not work with the same mechanisms.

The first step of this script send a DHCP message to make the DHCP server react and receive a DHCP answer with the voice vlan number.

The second step is to capture the answer and analyze it.

Final step consist of configuring the pc network interface in the voice vlan using the vconfig linux command.

The script was develop under linux kubuntu 7.10 using

FAVV (Find Active Voice VLAN)
FAVV (Find Active Voice VLAN) is the script of last chance if voiphopper or plawava are not working. The idea there is to create subinterface in all the VLAN and see if we can obtain an ip address. If you’ve � one, the chance are important that it’s the�ice vlan :-)

FAVV was developped under linux Kubuntu 7.10 with perl. You will need the vlan util package to create the subinterfaces.

Posts: 4
Joined: 14 Dec 2007 16:19

Re: Security script to test OXE

Post by cedric_baillet » 02 Jul 2008 18:08

Plawava_v0.2 is out. The instability problem has now found its solution. It was a problem of timing between the sending of DHCP discover and a too short time to start the sniffing function and intercept the DHCP offer.

The documentation has been translate from french to english. You will find it attached to to this post.

Just go to for the script if you're intrested.
You do not have the required permissions to view the files attached to this post.

User avatar
Alcatel Unleashed Certified Guru
Alcatel Unleashed Certified Guru
Posts: 7007
Joined: 14 Sep 2005 19:45
Location: Brasil, Porto Alegre

Re: Security script to test OXE

Post by cavagnaro » 02 Jul 2008 18:17

Very interesting, thanks for the info :D
Ignorance is not the problem, the problem is the one who doesn't want to learn

OTUC/ICS ACFE/ACSE R3.0/4.0/5.0/6.0
Certified Genesys CIV 8.5
Certified Genesys Troubleshooting 8.5
Certified Genesys BEP 8.x
Genesys Developer

Post Reply

Return to “System Hacking”