Linking via ATI Lync 2013
Microsoft Lync 2013 (formerly Microsoft Office Communicator) is an instant messaging client used with Microsoft Lync Server or Lync Online that comes bundled with Microsoft Office 365. Lync is an enterprise-level communication solution and some of its features include: instant messaging, voice over IP, video conferencing, file sharing, integration with the majority of Microsoft Office software, as well as other collaboration tools such as desktop sharing or whiteboards.
SIPe (SIP Extended), Microsoft’s specific adaptation of the SIP protocol, is the main control protocol used in Lync for exchanging instant messages and establishing calls, as well as other important features. The protocol is encrypted via TLS 1.2, runs on TCP port 5061, and features some Microsoft-specific SIP headers, along with a compression scheme called LZ77-8K, which is derived from the popular Microsoft Point-to-Point Compression (MPPC) used in RDP. For audio calls, Lync uses RTP (and its secured counterpart, SRTP).
How MPPC (MS-SIPCOMP) Compression Works
At a high level, MPPC compresses by replacing chunks of data already seen in the stream with an offset and length that point back at the earlier, uncompressed occurrence. As a result, the initial data in a stream appears uncompressed on the wire, while subsequent data is compressed into offsets and lengths pointing at chunks earlier in the stream.
To calculate offsets, the MPPC algorithm uses a compression history window of 8192 bytes maximum, meaning that offsets can only reference data that has been seen at most 8K bytes before. A header is also introduced by MPPC at the beginning of each compressed chunk of data. An example of what the header looks like on the wire is shown in Fig. 1.
The first 4 bits of the first byte are flags used by the MPPC decompression algorithm to delimit a series of compressed chunks that share the same compression history; they can take the following values (as well as combinations of these):
In our example in Fig. 1, the flag value is 6, meaning PACKET_AT_FRONT and PACKET_COMPRESSED, indicating that the content following it is compressed and this is the first packet in a series of compressed packets. The concept of a series of compressed packets is introduced because the subsequent compressed packets can reference offsets of data from the previous data chunks (after they have been decompressed and added to the compression history buffer). Subsequent compressed packets in the same series will use only the PACKET_COMPRESSED flag.
The next 4 bits of the MPPC header indicate the compression algorithm type; currently only type 0 is valid and defined. These are followed by 3 reserved bytes.
The last 2 bytes of the header indicate the length of the uncompressed data and are usually used as a check to ensure data has been successfully decompressed.
More information about the MPPC compression scheme may be found in this reference.
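To make the header layout and the shared-history rule above concrete, here is an added decoder written for this post (example code, not Ixia's ATI implementation). It assumes the flag nibble values of RFC 2118 MPPC (PACKET_FLUSHED 0x8, PACKET_AT_FRONT 0x4, PACKET_COMPRESSED 0x2), a big-endian size field, and the RFC 2118 literal/copy-tuple bit coding for LZ77-8K; the two packets at the bottom are constructed by hand.

```python
import struct
# Flag nibble values assumed from RFC 2118 MPPC; the page does not list them.
PACKET_FLUSHED, PACKET_AT_FRONT, PACKET_COMPRESSED = 0x8, 0x4, 0x2
HISTORY_MAX = 8192  # LZ77-8K: a copy tuple may reach back at most 8K bytes
class BitReader:
    def __init__(self, data): self.data, self.pos = data, 0
    def bits(self, n):  # read n bits, most significant bit first
        val = 0
        for _ in range(n):
            if self.pos >= 8 * len(self.data):
                raise ValueError("compressed data truncated")
            val = (val << 1) | ((self.data[self.pos >> 3] >> (7 - self.pos % 8)) & 1)
            self.pos += 1
        return val
class SipCompDecoder:
    def __init__(self): self.history = bytearray()  # shared by one packet series
    def decode(self, packet):
        flags, ctype = packet[0] >> 4, packet[0] & 0xF  # 4-bit flags, 4-bit type
        size = struct.unpack(">H", packet[4:6])[0]      # bytes 1-3 are reserved
        if ctype != 0:
            raise ValueError("unsupported compression type %d" % ctype)
        if flags & (PACKET_FLUSHED | PACKET_AT_FRONT):
            self.history = bytearray()  # new series: earlier data is not referenceable
        buf, start = bytearray(self.history), len(self.history)
        if flags & PACKET_COMPRESSED:
            self._inflate(BitReader(packet[6:]), buf, start + size)
        else:
            buf += packet[6:6 + size]
        if len(buf) - start != size:  # header size doubles as the integrity check
            raise ValueError("got %d bytes, header says %d" % (len(buf) - start, size))
        self.history = buf[-HISTORY_MAX:]
        return bytes(buf[start:])
    def _inflate(self, r, buf, end):
        while len(buf) < end:
            if r.bits(1) == 0:            # '0' + 7 bits: literal 0x00-0x7F
                buf.append(r.bits(7))
            elif r.bits(1) == 0:          # '10' + 7 bits: literal 0x80-0xFF
                buf.append(0x80 | r.bits(7))
            else:  # copy tuple; offset classes: '110'+13 bits (+320), '1110'+8 bits (+64), '1111'+6 bits
                offset = r.bits(13) + 320 if r.bits(1) == 0 else r.bits(8) + 64 if r.bits(1) == 0 else r.bits(6)
                ones = 0
                while r.bits(1): ones += 1  # unary prefix: '0' -> 3, '10'+2 bits -> 4-7, '110'+3 bits -> 8-15, ...
                length = 3 if ones == 0 else (1 << (ones + 1)) + r.bits(ones + 1)
                if not 0 < offset <= len(buf):  # never read outside the history window
                    raise ValueError("copy offset %d outside history" % offset)
                for _ in range(length):   # byte-wise so overlapping copies work
                    buf.append(buf[-offset])
# Constructed vectors: flags 6 (AT_FRONT|COMPRESSED), size 11: "hello " literals then copy(offset 6, len 5)
PACKET_1 = bytes.fromhex("60000000000b") + b"hello " + bytes([0xF1, 0xA4])
# Same series, flags 2 (COMPRESSED only), size 7: "!" then copy(offset 7, len 6) reaching into packet 1
PACKET_2 = bytes.fromhex("200000000007") + b"!" + bytes([0xF1, 0xE8])
```

Decoding PACKET_2 on a fresh decoder fails, which is the point of the series flags: its copy tuple only resolves against the history left by PACKET_1.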
Examples of Custom Microsoft SIP Headers
Ixia’s Application and Threat Intelligence (ATI) includes an implementation of Lync where we’ve focused mainly on the SIPe protocol and have managed to emulate it statefully with full support for building and customizing the SIP messages.
The example below shows a typical decompressed SIPe INVITE message. In this particular case, the first message that firstname.lastname@example.org sends to email@example.com is carried in the Ms-Text-Format header, more specifically in the ms-body value (aGVsbG8NCg==), which decodes from base64 to “hello.”
An example SIPe INVITE message:
INVITE sip:firstname.lastname@example.org SIP/2.0
Via: SIP/2.0/TLS 10.215.165.208:59163
CSeq: 1 INVITE
User-Agent: UCCAPI/15.0.4551.1507 OC/15.0.4551.1507 (Microsoft Lync)
Ms-Text-Format: text/plain; charset=UTF-8; ms-body=aGVsbG8NCg==
Supported: ms-delayed-accept, ms-renders-gif, ms-renders-mime-alternative
Supported: timer, histinfo, ms-safe-transfer, ms-sender, ms-early-media
EndPoints: <sip:email@example.com>, <sip:firstname.lastname@example.org>
Allow: INVITE, BYE, ACK, CANCEL, INFO, MESSAGE, UPDATE, REFER, NOTIFY, BENOTIFY
Proxy-Authorization: Kerberos qop="auth", realm="SIP Communications Service", opaque="9B4FACA1", targetname="sip/WIN-0P1EBRLA5PQ.ati.ixiacom.com", crand="cebf13be", cnum="13", response="040400ffffffffff0000000000000000985d81302a06a86589ac5289"
o=- 0 0 IN IP4 10.215.165.208
c=IN IP4 10.215.165.208
m=message 5060 sip null
a=accept-types:text/plain multipart/alternative image/gif text/rtf text/html application/ms-imdn+xml text/x-msmsgsinvite
In this example, we can also see that Lync is using a Kerberos ticket for authenticating to the server. Since ATI token support is available for our implementation of Microsoft Lync 2013, building a 1-arm testing scenario against a real Lync 2013 server is also feasible.
Next Steps with Lync Testing
Our exploration of the protocols behind Lync goes further than this basic first implementation; our next focus will be on analyzing how file transfers, video conferences, and the plethora of other collaboration tools built into Lync work, and on emulating them in our ATI — so stay tuned for new updates of our product.
Leverage subscription service to stay ahead of attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.