[basic-voip-protocols](basic-voip-protocols/)

{% endcontent-ref %}

* **`nmap`** is capable of scanning UDP services, but because of the number of UDP services being scanned, it's very slow and might not be very accurate with this kind of services.

* **`svmap`** from SIPVicious (`sudo apt install sipvicious`): Will locate SIP services in the indicated network.

* `svmap` is **easy to block** because it uses the User-Agent `friendly-scanner`, but you could modify the code from `/usr/share/sipvicious/sipvicious` and change it.

svmap 10.10.0.0/24 -p 5060-5070 [--fp]

[!] IP/Network: 10.10.0.0/24

[!] Port range: 5060-5080

[!] Protocol: UDP, TCP, TLS

[!] Method to scan: REGISTER

[!] Customized User-Agent: Cisco

[!] Used threads: 200

* **metasploit**:

svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER

* **metasploit**: You can also enumerate extensions/usernames with metasploit:

Having discovered the **PBX** and some **extensions/usernames**, a Red Team could try to **authenticate via the `REGISTER` method** to an extension using a dictionary of common passwords to brute force the authentication.

svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions

* **Metasploit**:

* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb)

The same will happen if **SRTP** and **ZRTP** is used, **RTP packets won't be in clear text**.

{% endhint %}

[Check this example to understand better a **SIP REGISTER communication**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example) to learn how are **credentials being sent**.

sipcrack sip-creds.txt -w dict.txt

Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number.

{% endhint %}

For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass.

{% code overflow="wrap" %}

{% endcode %}

Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**.

The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows **leakage of the Digest authentication response**, which is computed from the password. An **offline password attack is then possible** and can recover most passwords based on the challenge response.

**[Vulnerability scenario from here**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf):

2. The attacker sends an INVITE to the IP Phone

3. The victim phone starts ringing and someone picks up and hangs up (because no one answers the phone at the other end)

4. When the phone is hung up, the **victim phone sends a BYE to the attacker**

5. The **attacker issues a 407 response** that **asks for authentication** and issues an authentication challenge

6. The **victim phone provides a response to the authentication challenge** in a second BYE

7. The **attacker can then issue a brute-force attack** on the challenge response on his local machine (or distributed network etc) and guess the password

[!] Target: 10.10.0.10:5060/UDP

[!] Caller: 100

exten => h,1,System(/tmp/leak_conv.sh &)

**RTCPBleed** is a major security issue affecting Asterisk-based VoIP servers (published in 2017). The vulnerability allows **RTP (Real Time Protocol) traffic**, which carries VoIP conversations, to be **intercepted and redirected by anyone on the Internet**. This occurs because RTP traffic bypasses authentication when navigating through NAT (Network Address Translation) firewalls.

For more info check [https://www.rtpbleed.com/](https://www.rtpbleed.com/)

There are several ways to try to achieve DoS in VoIP servers.

* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk

* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP.

* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first).

* [**SIPp**](https://github.com/SIPp/sipp): Allows to analyze and generate SIP traffic. so it can be used to DoS also.

* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.

* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).

* [https://github.com/Pepelux/sippts/wiki](https://github.com/Pepelux/sippts/wiki)

* [http://blog.pepelux.org/](http://blog.pepelux.org/)

* [https://www.rtpbleed.com/](https://www.rtpbleed.com/)

* [https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4](https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4)