CSbyGB - Pentips

VOIP and related protocols

This documentation has been made with notes from my practice and my research on the subject matter.

VOIP

VoIP (Voice over Internet Protocol) is a technology that allows voice communication and multimedia sessions over the Internet or other packet-switched networks. Instead of using traditional circuit-switched telephone networks, VoIP converts voice signals into digital data packets and transmits them over IP-based networks.

Key Features of VoIP:

  1. Cost-Effective: Calls made over the Internet can be significantly cheaper than traditional telephony, especially for long-distance and international calls.

  2. Flexibility: Users can make calls from various devices, including computers, smartphones, IP phones, or even traditional phones with VoIP adapters.

  3. Scalability: VoIP systems are easier to scale for businesses, accommodating growth without the need for additional physical infrastructure.

  4. Integration: It integrates with other digital services like video conferencing, instant messaging, and data sharing.

How VoIP Works:

  1. Signal Conversion:

    • Converts analog voice signals into digital data packets.

    • Compresses and encodes the data for efficient transmission.

  2. Transmission:

    • Transmits these packets over an IP network using protocols like RTP (Real-Time Transport Protocol) and SIP (Session Initiation Protocol).

  3. Reception:

    • The recipient's device decodes the packets back into audio signals.

Examples of VoIP Services:

  • Consumer-grade: Skype, WhatsApp, Google Meet, Zoom.

  • Enterprise-grade: Cisco Webex, Microsoft Teams, RingCentral.

Benefits of VoIP:

  • Reduced Costs: Lower call costs compared to traditional landlines.

  • Portability: Users can access VoIP services from anywhere with an Internet connection.

  • Advanced Features: Includes functionalities like call forwarding, voicemail, video conferencing, and integration with CRM systems.

Challenges:

  • Quality of Service (QoS): Call quality depends on the network's bandwidth and latency.

  • Reliability: Requires a stable Internet connection and can be affected by power outages.

  • Security: VoIP is susceptible to hacking, eavesdropping, and denial-of-service attacks without proper encryption and safeguards.

Protocols used by VoIP

VoIP typically relies on several protocols to ensure effective communication, with each playing a specific role in signaling, media transport, and session management. The most commonly used protocols in VoIP include:

1. SIP (Session Initiation Protocol)

  • Purpose: Handles call setup, management, and termination for VoIP sessions.

  • Features:

    • Establishes and maintains communication sessions.

    • Supports additional features like call forwarding, video, and messaging.

  • Ports: Typically uses port 5060 for unencrypted traffic and 5061 for encrypted traffic (SIP-TLS).

2. RTP (Real-Time Transport Protocol)

  • Purpose: Transports the actual media (voice or video) during a session.

  • Features:

    • Ensures low-latency delivery of media packets.

    • Often used with RTCP (RTP Control Protocol) for performance monitoring.

  • Ports: Dynamically allocated UDP ports, usually in the range of 1024–65535.

3. H.323

  • Purpose: An older protocol suite for multimedia communications.

  • Features:

    • Provides signaling, control, and media transport.

    • Used in legacy VoIP systems, less common today compared to SIP.

  • Ports: Uses various ports for different functions, including TCP 1720 for call signaling.

4. MGCP (Media Gateway Control Protocol)

  • Purpose: Controls media gateways in VoIP systems.

  • Features:

    • Simplifies call control by centralizing signaling logic.

  • Ports: Typically uses UDP ports 2427 and 2727.

5. WebRTC

  • Purpose: A modern framework for real-time communication directly in web browsers.

  • Features:

    • Uses SIP or custom signaling protocols for session initiation.

    • Transports media using RTP or SRTP (Secure RTP).

  • Ports: Uses ICE (Interactive Connectivity Establishment) and STUN/TURN for NAT traversal.

6. Proprietary Protocols

  • Some VoIP systems use proprietary protocols such as Skype's custom signaling and media protocols or Microsoft Teams' optimized solutions based on SIP and other technologies.

SIP

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating real-time communication sessions that involve voice, video, and messaging applications. It is widely used in Voice over IP (VoIP) systems and multimedia communications.

Key Features of SIP:

  1. Session Setup: It establishes sessions between endpoints, including call setup, management, and teardown.

  2. Flexibility: SIP can be used for two-party (unicast) or multi-party (multicast) sessions.

  3. Protocol Independence: It works over various transport protocols such as TCP, UDP, or SCTP.

  4. Extensibility: SIP can integrate with other protocols like RTP for media transport and SDP for describing multimedia sessions.

SIP Ports:

SIP is typically exposed on the following ports:

  1. UDP/TCP Port 5060

    • Used for unencrypted SIP signaling.

  2. TCP Port 5061

    • Used for encrypted SIP signaling (SIP-TLS).

In real-world scenarios, firewalls and NATs are often configured to handle these ports, especially for SIP traffic. Advanced protocols like STUN, TURN, or ICE are also used in conjunction with SIP to traverse NATs and firewalls.
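The following is an added example, not code from the original page: a small Python parser for a SIP request and its SDP body, followed by an audit of what a defender would flag in that dialog (signalling not carried over TLS, media offered as plain RTP rather than SRTP, and a Content-Length that does not match the body). The INVITE, its addresses, tag and Call-ID are constructed.

```python
from dataclasses import dataclass, field

# SIP compact header names (RFC 3261 section 7.3.3) mapped to the long form so lookups are uniform.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "c": "content-type", "l": "content-length"}
SAMPLE_INVITE = (  # constructed sample, not captured traffic
    "INVITE sip:2001@10.10.10.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@10.10.10.10>;tag=1928301774\r\n"
    "To: <sip:2001@10.10.10.10>\r\n"
    "Call-ID: a84b4c76e66710@10.10.10.20\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 118\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 10.10.10.20\r\n"
    "s=call\r\n"
    "c=IN IP4 10.10.10.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict                      # lower-cased long header name -> value
    transport: str                     # UDP / TCP / TLS taken from the top Via header
    length_ok: bool                    # declared Content-Length matches the body carried
    media: list = field(default_factory=list)  # (type, port, profile, payload types)

def parse_sip(raw: str) -> SipRequest:
    head, _, body = raw.partition("\r\n\r\n")  # SIP is CRLF-delimited; a blank line ends the headers
    start, *header_lines = head.split("\r\n")
    method, request_uri, _version = start.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    via = headers.get("via", "")  # "SIP/2.0/<transport> host:port;params": TLS means encrypted signalling
    transport = via.split("/", 2)[2].split()[0].upper() if via.count("/") >= 2 else "UNKNOWN"
    declared = int(headers.get("content-length", len(body.encode())))
    req = SipRequest(method, request_uri, headers, transport, declared == len(body.encode()))
    if headers.get("content-type", "").lower() == "application/sdp":
        for line in body.split("\r\n"):
            if line.startswith("m="):  # "m=<type> <port> <profile> <payloads>": the port is where RTP lands
                mtype, port, profile, *payloads = line[2:].split()
                req.media.append((mtype, int(port), profile, payloads))
    return req

def audit(req: SipRequest) -> list:
    findings = []  # what a defender flags: cleartext signalling, cleartext media, bad framing
    if req.transport != "TLS":
        findings.append(f"signalling over {req.transport}: headers and SDP are readable on the wire")
    for mtype, port, profile, _ in req.media:
        if not profile.startswith("RTP/SAVP"):  # SAVP(F) = SRTP; AVP(F) = plain RTP
            findings.append(f"{mtype} media on port {port} uses {profile}: RTP is not encrypted")
    if not req.length_ok:
        findings.append("Content-Length does not match the body length")
    return findings
```

Feeding a capture of real signalling (port 5060 traffic is readable as-is) through audit() is a quick way to confirm whether a deployment actually uses SIP-TLS and SRTP rather than just having port 5061 open.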

Pentest workflow

  • Enumerate with nmap with your usual command; mine is nmap -Pn -p- -sC -sV -iL ips.txt -oA output-all-ports-et-srv

    • This gives you all the details. The file ips.txt must contain your list of IPs.

  • Grep the gnmap results to get the list of IPs with port 5060 open: grep "5060/open" output-all-ports-et-srv.gnmap | cut -d' ' -f2
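An added example, not from the original page: the grep | cut step above done in Python, parsing the .gnmap host lines so that the protocol, port state and -sV version string are kept and port 5061 (SIP-TLS) is caught as well. The .gnmap lines are a constructed sample, not a real scan.

```python
import re
from dataclasses import dataclass

SIP_PORTS = {5060, 5061}  # 5060 = SIP, 5061 = SIP over TLS

# Constructed sample of nmap's greppable (.gnmap) output, not a real scan result.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 5060/open/tcp//sip//Asterisk PBX 18.10.0/, 5061/open/tcp//sip-tls///\tIgnored State: closed (65532)
Host: 10.10.10.11 ()\tPorts: 80/open/tcp//http//nginx/\tIgnored State: filtered (65534)
Host: 10.10.10.12 ()\tPorts: 5060/open|filtered/udp//sip///\tIgnored State: closed (1)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

@dataclass(frozen=True)
class SipEndpoint:
    ip: str
    port: int
    proto: str      # tcp or udp
    state: str      # "open", or "open|filtered" as UDP scans usually report
    service: str    # nmap service name
    version: str    # -sV banner, empty if nothing was identified

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORTS_RE = re.compile(r"\tPorts:\s+([^\t]+)")

def parse_gnmap(text: str, ports=SIP_PORTS) -> list:
    """Return every open (or open|filtered) port from `ports` found in .gnmap text."""
    found = []
    for line in text.splitlines():
        host, plist = HOST_RE.match(line), PORTS_RE.search(line)
        if not host or not plist:
            continue  # comment lines and "Status: Up" lines carry no port data
        for entry in plist.group(1).split(","):
            # Port entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state.startswith("open") and int(port) in ports:
                found.append(SipEndpoint(host.group(1), int(port), proto, state, service, version))
    return found

def sip_ips(text: str) -> list:
    """What the grep | cut pipeline above prints: unique hosts with a SIP port, sorted."""
    return sorted({ep.ip for ep in parse_gnmap(text)})
```

Note that the nmap command above is a TCP scan, while SIP is very commonly served on UDP 5060, so a separate -sU -p 5060,5061 run is worth parsing too; the parser accepts the open|filtered state those UDP scans usually report.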

Preinstalled tools on Parrot OS for VoIP

enumiax - username enumeration

"enumIAX is an Inter Asterisk Exchange protocol username brute-force enumerator."

iaxflood - VoIP flooder

inviteflood - INVITE message flooding

"A tool to perform SIP/SDP INVITE message flooding over UDP/IP."

msgsnarf

I did not find the official repo. It seems to be a network sniffer, so it could be useful for MITM.

ohrwurm

"ohrwurm is a small and simple RTP fuzzer that has been successfully tested on a small number of SIP phones."

protos-sip

"The purpose of this test-suite is to evaluate implementation level security and robustness of Session Initiation Protocol (SIP) implementations."

rtpbreak

"With rtpbreak you can detect, reconstruct and analyze any RTP session."

rtpflood

"A command line tool used to flood any device that is processing RTP."

rtpinsertsound

rtpmixsound

"A tool to mix pre-recorded audio in real-time with the audio (i.e. RTP) in the specified target audio stream."

sctpscan

"SCTP network scanner for discovery and security"

siparmyknife

"SIP VoIP Protocol Fuzzer. Fuzzer that searches for cross site scripting, SQL injection, log injection, format strings, buffer overflows, and more."

SIPp

"The SIPp testing tool. SIPp allows to generate one or many SIP calls to one remote system."

voiphopper

"A network infrastructure penetration testing security tool. A tool to test for the (in)security of VLANS. It can mimic the behavior of IP Phones to better understand business risks within an IP Telephony network infrastructure."

SIPVicious

svcrack, svcrash, svmap, svreport and svwar are all part of SIPVicious. See below for more details on this tool.

SIPVicious

You will have to pay if you want the pro version.

It is preinstalled on Parrot, but otherwise you can install it as follows:

git clone https://github.com/EnableSecurity/sipvicious.git
cd sipvicious
python setup.py install

Once installed you can scan with:

python sipvicious/svmap.py 10.10.10.10

Or, if you use the one preinstalled on Parrot:

svmap 10.10.10.10

I did not find an option to use a hostfile (a file with my list of IPs) with svmap, so I made this bash script. You can launch it as follows: script.sh hostfile.txt. If you want to save the results in a file, you just need to run script.sh hostfile.txt > result.txt

#!/bin/bash
# Run SIPVicious svmap against every IP listed in a hostfile, one IP per line.
# Usage: script.sh hostfile.txt [> result.txt]

FILE=$1

if [[ ! -f "$FILE" ]]; then
    echo "File $FILE can not be found."
    exit 1
fi

# IFS= and -r keep each line intact (no trimming, no backslash escapes);
# the || clause still processes a last line that has no trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
    if [[ -n "$ip" ]]; then
        echo "Scanning $ip..."
        python sipvicious/svmap.py "$ip"
    fi
done < "$FILE"

Other things to try out

  • Identify a valid extension with svwar from SIPVicious (⚠️ will actually call the phones ⚠️)

  • Try to bruteforce to guess the extension password

  • Try to MITM, especially if communications are unencrypted

Resources

Blogs and articles

  • Practical VoIP Penetration Testing - Vartai Security (Medium)

  • VoIP Penetration Testing Part -I - Varutra (Info Gathering & identify IP)

  • VoIP Penetration Testing Part-II - Varutra (Scanning Against VoIP Server)

  • SeeYouCM-Thief: Exploiting Common Misconfigurations in Cisco Phone Systems - Justin Bollinger - TrustedSec

  • Cisco IOS Penetration Testing with Metasploit - Rapid7

  • Complete take-over of Cisco Unified Communications Manager due consecutively misconfigurations - hackthebox - infosecwriteups: https://infosecwriteups.com/complete-take-over-of-cisco-unified-communications-manager-due-consecutively-misconfigurations-2a1b5ce8bd9a

  • Two Ways to Obtain a Phone's Configuration File from CUCM - Cisco

  • Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager Express and Cisco IOS Software H.323 and SIP DoS Vulnerabilities - Cisco

  • Skinny Client Control Protocol - Wikipedia

  • mod_skinny SCCP - signalwire (FreeSWITCH Documentation)

  • VOIP Cheatsheet - puckel (Cheatsheets/Cheatsheet_VOIP.txt on GitHub)

  • SIPVicious PRO documentation - enablesecurity

  • Multiple vulnerabilities in Cisco Unified Communications Manager version 11.5.1 - Julien Egloff - Synacktiv

  • VOIP Hacking - Okan YILDIZ (LinkedIn)

  • VOIP Hacking (What is VOIP and How to Hack VOIP Services) - Okan YILDIZ (LinkedIn, slightly different from the one above)

  • Enumerating and Breaking VoIP by startrinity.com

Tools & Exploits

  • enumiax - foreni-packages

  • iaxflood - foreni-packages

  • inviteflood - foreni-packages

  • ohrwurm

  • protos-sip

  • rtpbreak

  • rtpflood

  • rtpinsertsound - foreni-package

  • rtpmixsound

  • sctpscan

  • siparmyknife - foreni-packages

  • SIPp

  • SIPp - docs

  • voiphopper - iknowjason (no longer maintained)

  • voiphopper - the package for kali linux

  • VoIP tools on parrot

  • SIPVicious PRO

  • sipvicious - EnableSecurity (GitHub: "SIPVicious OSS has been around since 2007 and is actively updated to help security teams, QA and developers test SIP-based VoIP systems and applications.")

  • CiscoRV320Dump CVE-2019-1653/CVE-2019-1652 Exploits For Dumping Cisco RV320 Configurations and getting RCE - 0x27

  • bluebox - jesusprubio (GitHub: "Pentesting framework using Node.js powers, focused in VoIP.")

  • A SIP Security Testing Framework - startrinity.com

PDF

  • Hacking VoIP Exposed - David Endler, Mark Collier

Last updated 4 months ago