VOIP ( 5060 )

Resources

• VOIP Deep Dive
  • By hackingarticles : https://web.archive.org/web/20171009203740/https://www.hackingarticles.in/lab-setup-voip-penetration-testing/
• Exploitation
  • By hackingarticles : Part1 | Part2
  • By Vartai : https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4
  • By vskills : https://www.vskills.in/certification/tutorial/voip-hacking-countermeasures/
  • defcon-23 : https://www.slideshare.net/slideshow/the-art-of-voip-hacking-defcon-23-workshop/51569342
  • By trustedsec : https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems
  • Practice Machine : SIPVicious_pro

Cheat sheets

• awesome-rtc-hacking : https://github.com/EnableSecurity/awesome-rtc-hacking?tab=readme-ov-file#books
• checklist : https://infosecwriteups.com/voip-penetration-testing-checklist-890bb4e09bac || https://github.com/emadshanab/VOIP-Pentesting-checklist-Cheatsheet-Tools

Dependencies

• SIPVicious
  • A suite of tools for auditing SIP-based VoIP systems.

    pip install sipvicious

• Viproy VoIP Kit
  • A comprehensive toolkit for VoIP penetration testing.

    git clone [https://github.com/fozavci/viproy-voipkit.git](https://github.com/fozavci/viproy-voipkit.git)

• Password & Wordlist Tools
  • sipcrack: For offline cracking of captured SIP digests.
  • crunch: A powerful tool for generating custom wordlists.

Commands

• Scan for SIP Services
  • Use sipvicious_svmap to scan a subnet for responding SIP devices.

    sipvicious_svmap 192.168.99.0/24 -P 50 -s session_me
    sipvicious_svmap 10.0.50.0/24 -P 50 | awk -F'[: ]+' '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {print $2}' #Hosts 

• Metasploit Scanner
  • Use the Metasploit Framework to send OPTIONS requests and discover SIP servers.

    msf > use auxiliary/scanner/sip/options
    

• Enumerate Extensions
  • Use sipvicious_svwar to identify valid user extensions within a given range by sending INVITE requests.

    sipvicious_svwar -P 50 -e320,330 192.168.99.20 -m INVITE -v
    cat hosts | awk -F'[: ]+' '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {print $2}' # Extract IP's from the output
    cat ips.txt | xargs -I {} sipvicious_svwar -P 50 {} -e999-9999 -m OPTIONS -v

• Brute-Force Extension Passwords
  • Use sipvicious_svcrack to perform a dictionary attack against a specific user extension.

    sipvicious_svcrack -u 320 -d pass.txt 192.168.99.20 -v

• Offline Cracking
  • Capture SIP traffic containing authentication exchanges.

    sipdump -p Registration_success.pcap dumpme

  • Generate a custom wordlist with crunch.

    crunch 10 10 321abc_ > wordlist

  • Use sipcrack with your wordlist to crack the captured credentials offline.

    sipcrack -w /root/Trash/wordlist dumpme

• Flood with INVITE Requests
  • Use inviteflood to overwhelm a SIP server, potentially disrupting service.

    inviteflood eth1 320 192.168.99.2 192.168.99.20 10000

Tools

• sipvicious : https://github.com/EnableSecurity/sipvicious
• vipory-voipkit : https://github.com/fozavci/viproy-voipkit
• siptools : https://github.com/rbagrov/SIPTools
• SeeYouCM-Thief : https://github.com/trustedsec/SeeYouCM-Thief
• mr.sip : https://github.com/meliht/mr.sip | Docs | Vedio

Notes

Click to Expand: SIP Registration Sequence

sequenceDiagram
    participant Alice
    participant Server
    participant Bob

    Note over Alice, Server: Alice registers her location with the server
    Alice->>Server: REGISTER
    Server-->>Alice: 401 Unauthorized (sends challenge with a nonce)
    Alice->>Server: REGISTER (with Authorization credentials)
    Server-->>Alice: 200 OK

    Note over Alice, Server: Server periodically checks if Alice is still online
    loop Keep-Alive Check
        Server->>Alice: OPTIONS
        Alice-->>Server: 200 OK
    end

    Note over Bob, Server: Bob registers his location with the server
    Bob->>Server: REGISTER
    Server-->>Bob: 401 Unauthorized (sends challenge with a nonce)
    Bob->>Server: REGISTER (with Authorization credentials)
    Server-->>Bob: 200 OK

    Note over Bob, Server: Server periodically checks if Bob is still online
    loop Keep-Alive Check
        Server->>Bob: OPTIONS
        Bob-->>Server: 200 OK
    end

Click to Expand: Normal Call Sequence

sequenceDiagram
    participant Alice
    participant Server
    participant Bob

    Note over Alice, Server: Initial Call Attempt
    Alice->>Server: INVITE (with SDP)
    Server->>Alice: 100 Trying
    Server-->>Alice: 401 Unauthorized (Challenge)
    Alice->>Server: ACK

    Note over Alice, Server: Second Attempt with Authentication
    Alice->>Server: INVITE (with Auth & SDP)
    Server->>Alice: 100 Trying

    Note over Server, Bob: Server forwards the call to Bob
    Server->>Bob: INVITE (with SDP)
    Bob->>Server: 100 Trying
    Bob-->>Server: 180 Ringing
    Server-->>Alice: 180 Ringing

    Note over Alice, Bob: Bob answers, call is established
    Bob-->>Server: 200 OK (with SDP)
    Server-->>Alice: 200 OK (with SDP)
    Alice->>Server: ACK (completes Alice-Server leg)
    Server->>Bob: ACK (completes Server-Bob leg)

    Note over Alice, Bob: Two-way audio stream begins
    Alice->>Server: RTP (Audio)
    Server->>Bob: RTP (Audio)
    Bob->>Server: RTP (Audio)
    Server->>Alice: RTP (Audio)

    Note over Alice, Bob: Bob hangs up, call is terminated
    Bob->>Server: BYE
    Server->>Alice: BYE
    Alice-->>Server: 200 OK
    Server-->>Bob: 200 OK

Click to Expand: VoIP Penetration Testing Checklist

VoIP Penetration Testing Checklist

A comprehensive checklist for conducting a thorough security assessment of Voice over IP (VoIP) systems, based on common methodologies.

---

Phase 1: Information Gathering & Reconnaissance

• Identify the target organization’s VoIP infrastructure.
• Discover the IP range of VoIP servers and clients.
• Identify the VoIP technology in use (e.g., SIP, H.323, IAX, MGCP, Skinny).
• Gather information about the VoIP network architecture (e.g., presence of SBCs, gateways, firewalls).
• Identify VoIP phone models and client software being used.
• Search for public information, documentation, or known vulnerabilities related to the identified technology and hardware.

Phase 2: Service & User Enumeration

• Port Scanning
  • Scan for common VoIP ports (e.g., 5060 UDP/TCP for SIP, 5061 TCP for SIPS, 1720 TCP for H.323, 4569 UDP for IAX).
  • Scan for related service ports (e.g., 80/443 for web interfaces, 21 for FTP, 22 for SSH, 23 for Telnet, 161 for SNMP).
• Service Enumeration
  • Identify the specific VoIP services and software versions running on open ports.
  • Enumerate RPC services on port 111.
  • Check for web administration interfaces and identify the web server technology.
• User & Extension Enumeration
  • Use specialized tools to discover valid user extensions (e.g., via REGISTER, INVITE, or OPTIONS methods).
  • Attempt to brute-force common extension number ranges (e.g., 100-999, 1000-9999).
  • Test for default credentials on discovered user accounts and administrative interfaces.
  • Attempt password spraying with common or known weak passwords against valid extensions.

Phase 3: Vulnerability Analysis & Exploitation

• Known Vulnerabilities
  • Search for public exploits and CVEs related to the identified software and hardware versions.
  • Test for buffer overflows, command injection, or other known vulnerabilities in the VoIP services.
• Authentication & Authorization
  • Test for weak or non-existent authentication on administrative interfaces.
  • Check for insecure password policies (e.g., no complexity, short length).
  • Attempt to bypass authentication mechanisms.
  • Test for privilege escalation vulnerabilities within the administrative interface.
• Signaling & Media Exploitation
  • Attempt to capture VoIP signaling traffic (e.g., SIP packets) using a man-in-the-middle attack.
  • Analyze captured traffic for sensitive information like user credentials, call details, and network topology.
  • Attempt to capture and reconstruct RTP media streams to eavesdrop on calls.
  • Test if signaling (SIP) and media (RTP) streams are unencrypted.
• Call Manipulation & Toll Fraud
  • Attempt to spoof caller IDs.
  • Test for unauthorized call forwarding to external numbers.
  • Attempt to make unauthorized long-distance or premium-rate calls (Toll Fraud).
  • Try to inject calls or terminate existing calls.

Phase 4: Denial of Service (DoS) Testing

• Test the resilience of the VoIP server by sending a high volume of malformed packets.
• Attempt to flood the server with a large number of INVITE or REGISTER requests.
• Test for call disruption by sending BYE or CANCEL requests to active call sessions.

Phase 5: Reporting & Remediation

• Document all discovered vulnerabilities with clear, reproducible steps.
• Provide evidence, such as screenshots, traffic captures, and logs.
• Prioritize vulnerabilities based on their risk and potential impact.
• Provide clear and actionable recommendations for remediation (e.g., patching, configuration changes, network segmentation).

Click to Expand: VoIP Protocols & Traffic Analysis

Core Protocols

VoIP communication is split into two main functions:

• Signaling (The Control Plane): Sets up, manages, and tears down calls.
  • SIP (Session Initiation Protocol) - Most common
  • H.323
  • SCCP (Skinny Client Control Protocol) - Cisco proprietary
• Media (The Data Plane): Carries the actual voice/video data.
  • RTP (Real-time Transport Protocol) - Unencrypted media
  • SRTP (Secure Real-time Transport Protocol) - Encrypted media
  • ZRTP (Zimmermann Real-time Transport Protocol) - Encrypted media

---

Key Concepts & Ports

SIP (Session Initiation Protocol) By default, SIP uses port 5060 (UDP/TCP) for unencrypted signaling traffic. This is used when a phone registers with a server. For encrypted signaling, it uses port 5061 (TLS).

RTP (Real-time Transport Protocol) This protocol delivers the actual audio and video over the network. It does not have a single default port; instead, it uses a high-numbered port range, typically from 16384 to 32767.

RTCP (Real-time Transport Control Protocol) This protocol works alongside RTP to monitor the quality of the media stream and provide feedback. It does not carry any voice or video itself.

AMI (Asterisk Manager Interface) This allows a client program to connect to an Asterisk server to issue commands and read events. By default, AMI uses TCP port 5038.

---

Traffic Analysis: Encrypted Calls

Scenario 1: SIP over TLS & Plain RTP

Detect

In your traffic capture (e.g., Wireshark), you will see traffic on:

• Port 5061 (TLS) for the signaling.
• A high-numbered UDP port for the media stream.

Decrypt

1. Search for UDP packets between the two endpoints. The protocol may be listed as UDP, but it is actually RTP.
2. Right-click on a UDP packet and select “Decode As…”
3. Choose RTP from the list.
4. Go to Telephony > RTP > RTP Streams to analyze the call and play the audio.

Scenario 2: SIP & SRTP (Secure RTP)

Detect

When you follow the steps above and play the RTP stream, the audio will be just static or noise. This indicates the media stream itself is encrypted with SRTP.

Decrypt in clear text within the SIP signaling messages.

The encryption keys for SRTP are often exchanged

1. In your traffic capture, find the SIP messages exchanged during the call setup (e.g., INVITE and 200 OK).
2. Look inside the Session Description Protocol (SDP) portion of these packets for the a=crypto line. This line contains the encryption key.
3. Tools like Wireshark can automatically extract these keys and decrypt the SRTP stream if the SIP traffic was captured unencrypted.

Nodes

• VOIP-C