Decrypt SDES SRTP from pcap

If you have a pcap file with encrypted RTP (SDES SRTP) and have access to the SIP signalling to see the keys, these instructions will help you decrypt the RTP payload and save it as raw audio. Optionally, depending on the codec, you can then import the raw audio in Wireshark and save it as an audio file.

Steps

These are the steps:

  1. Build ‘srtp-decrypt’

  2. Get crypto key for each direction

  3. Use the decrypt.sh bash script to decrypt into raw audio

  4. Import the raw audio into Wireshark as hex dump

  5. Generate the wav file

  6. Generate the wav file as two separate channels, one per direction


Build ‘srtp-decrypt’

Follow instructions here:

https://github.com/gteissier/srtp-decrypt


The following steps assume the binary is produced at a path like ‘/root/code/srtp-decrypt/srtp-decrypt’.


Get crypto key for each direction

Open the SIP signalling for the call and take note of the ‘crypto’ line from the SDP for each direction.

e.g.:


    v=0
    ...
    m=audio 16398 RTP/SAVP 96 8 97
    c=IN IP4 xxxxx
    ...
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:K7oAZZ5Fm9fePS5/t1ac00000000000000000000
    ...


The crypto key for the RTP stream produced by this party is K7oAZZ5Fm9fePS5/t1ac00000000000000000000
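As an added example (not part of the original post or of srtp-decrypt), this Python sketch pulls the key out of each a=crypto line, strips any lifetime or MKI suffix that follows the inline key, and checks that the decoded material has the 16-byte key plus 14-byte salt length expected for these suites. The function name, the OFFER/ANSWER samples and the lifetime/MKI suffix on the second line are constructed for illustration.

```python
import base64
import re

# Master key and master salt lengths in bytes, per SDES crypto-suite (RFC 4568).
SUITE_LENGTHS = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:length]
CRYPTO_LINE = re.compile(
    r"^a=crypto:(\d+) +(\S+) +inline:([A-Za-z0-9+/]+=*)((?:\|[^\s|;]+)*)",
    re.MULTILINE,
)

def extract_sdes_keys(sdp):
    """Return one dict per a=crypto line whose key material has the right length."""
    keys = []
    for tag, suite, key_b64, extras in CRYPTO_LINE.findall(sdp):
        if suite not in SUITE_LENGTHS:
            continue  # suite not covered by this example
        key_len, salt_len = SUITE_LENGTHS[suite]
        raw = base64.b64decode(key_b64, validate=True)
        if len(raw) != key_len + salt_len:
            raise ValueError(f"crypto tag {tag}: {len(raw)} bytes of key material")
        keys.append({
            "tag": int(tag),
            "suite": suite,
            "key_b64": key_b64,            # the value to use as CRYPTO_KEY
            "master_key": raw[:key_len],
            "master_salt": raw[key_len:],
            "extras": [e for e in extras.split("|") if e],  # lifetime / MKI
        })
    return keys

# Constructed samples: the SDP excerpt shown above, and a second party's SDP
# whose key carries a lifetime and MKI suffix that must not reach CRYPTO_KEY.
OFFER = """v=0
m=audio 16398 RTP/SAVP 96 8 97
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:K7oAZZ5Fm9fePS5/t1ac00000000000000000000
"""
ANSWER = """v=0
m=audio 20000 RTP/SAVP 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:5eKSVpIOePOgjjfep21R3b000000000000000000|2^31|1:1
"""

if __name__ == "__main__":
    for k in extract_sdes_keys(OFFER) + extract_sdes_keys(ANSWER):
        print(k["suite"], k["key_b64"], k["extras"])
```
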


Use a bash script to decrypt into raw audio

Use this simple bash script to perform the actual decryption:


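    #!/bin/bash
    # Trace each command as it runs (the trace includes the key).
    set -x

    SRTP_DECRYPT_BIN=/root/code/srtp-decrypt/srtp-decrypt
    HEADER_SIZE=48

    CRYPTO_KEY=5eKSVpIOePOgjjfep21R3b000000000000000000
    RTP_PCAP=outbound.pcap
    RAW_DATA=outbound.raw

    # Read the pcap on stdin and write the decrypted output to RAW_DATA.
    "${SRTP_DECRYPT_BIN}" -d "${HEADER_SIZE}" -k "${CRYPTO_KEY}" < "${RTP_PCAP}" > "${RAW_DATA}"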


Where:

CRYPTO_KEY needs the value of the crypto key seen earlier.

RTP_PCAP has the pcap with the RTP stream that you want to decrypt.

RAW_DATA is the output file for the decrypted raw audio.


HEADER_SIZE may vary, depending on the presence of the SLL header in the capture.
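As an added example (not from the original post or from srtp-decrypt), this Python sketch reads the link type of a classic pcap file and works out how many bytes precede the RTP header in the first packet. It assumes HEADER_SIZE means exactly that offset, that the media is carried over UDP, and that IPv6 packets have no extension headers; the function names and the sample captures are constructed for illustration.

```python
import struct

# Link-layer header length in bytes, keyed by pcap LINKTYPE value.
LINK_HEADER = {1: 14, 113: 16, 276: 20}  # Ethernet, Linux SLL, Linux SLL2
UDP_HEADER = 8

def rtp_offset(pcap):
    """Offset of the RTP header inside the first captured packet of a classic pcap."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in LINK_HEADER:
        raise ValueError(f"unsupported link type {linktype}")
    link_len = LINK_HEADER[linktype]
    packet = pcap[24 + 16:]                      # skip global and first record header
    if linktype == 1 and packet[12:14] == b"\x81\x00":
        link_len += 4                            # one 802.1Q VLAN tag
    version = packet[link_len] >> 4
    if version == 4:
        ip_len = (packet[link_len] & 0x0F) * 4   # IHL counts 32-bit words
    elif version == 6:
        ip_len = 40                              # fixed header, no extension headers
    else:
        raise ValueError("first packet is not IP")
    return link_len + ip_len + UDP_HEADER

def sample_pcap(linktype, link_header):
    """Constructed one-packet capture: link header + IPv4 + UDP + 12-byte RTP header."""
    ip = bytes([0x45]) + bytes(19)
    frame = link_header + ip + bytes(UDP_HEADER) + bytes([0x80, 8]) + bytes(10)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

if __name__ == "__main__":
    print("Ethernet:", rtp_offset(sample_pcap(1, bytes(14))))
    print("Linux SLL:", rtp_offset(sample_pcap(113, bytes(16))))
    print("Linux SLL2:", rtp_offset(sample_pcap(276, bytes(20))))
```
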

Import the raw audio into Wireshark as hex dump


In Wireshark:

  • File → Import from Hex Dump

  • Select the file with the raw audio

  • Offsets: Hexadecimal

  • Timestamp format: %M:%S.%f

  • Encapsulation type: Ethernet

  • UDP: source port 10000, destination port 20000

  • Import


Then go to:

  • Telephony → RTP → RTP Streams

  • Play

  • Select stream

  • Export as Synchronised audio file


If for example you have two RTP streams, one per direction for the same call, you can generate the wav file with two separate channels, one per direction.


Once you have the raw audio for both directions, you can use Audacity (https://www.audacityteam.org/) to import the audio.


  • Open the first file.

  • File → Import Audio for the second file.

  • Select the first audio, right click, “Set as Stereo file”

  • Save



