J1NNX26 / VoIP-Pentest-Cheatsheet

The VoIP Pentest cheat sheet was created to provide a concise collection of high-value information on specific VoIP penetration testing topics.

VoIP Penetration Testing Cheat Sheet

The VoIP Pentest cheat sheet was created to provide a concise collection of high-value information on specific VoIP penetration testing topics.

Reconnaissance and Enumeration

Enumerate the entire implementation: the devices connected to the VoIP network, their open ports and running services, and user information (extensions, device information, and logs).

In this phase, also concentrate on finding extensions and usernames/passwords for users across the VoIP network. The main focus of this phase is to find your way(s) in. Knowing who uses the VoIP system and how they use it is key when trying to get in. Questions to answer include:

  • What types of phones are in use?
  • Who makes them?
  • Model of devices?
  • Where is the SIP Server implemented?
  • What’s the software in use?
  • Are they using TCP or UDP for traffic?
  • Are they sending it through secure means?
  • What are their IPs and what other ports are open on these devices?

These and similar questions need to be answered during the initial phase of the VoIP assessment and pentest.
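The passive side of the questions above, as an added example that is not part of the original cheat sheet: it parses a SIP response taken from a packet capture and reports the software banner, the transport, whether signaling is encrypted, and the advertised methods. The sample message, its addresses and the `ExamplePBX` banner are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a SIP 200 OK answering an OPTIONS request, as it might
# appear in a capture from an authorized assessment. All values are made up.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed;rport=5060\r\n"
    "From: <sip:audit@192.0.2.10>;tag=1001\r\n"
    "To: <sip:100@192.0.2.20>;tag=as5f2c\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: ExamplePBX 1.2.3\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER\r\n"
    "Contact: <sip:100@192.0.2.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header names

def parse_sip_headers(raw):
    """Return (start_line, {lowercased header name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    start, *lines = head.split("\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return start, headers

def recon_summary(raw):
    """Answer the checklist questions that one SIP response can answer."""
    start, h = parse_sip_headers(raw)
    via = h.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)", via, re.I)  # transport token in Via
    transport = m.group(1).upper() if m else "unknown"
    contact = h.get("contact", [""])[0]
    software = (h.get("server") or h.get("user-agent") or [None])[0]
    return {
        "status": start,
        "software": software,
        "transport": transport,
        "encrypted": transport in ("TLS", "WSS") or "sips:" in contact.lower(),
        "methods": [x.strip() for v in h.get("allow", []) for x in v.split(",")],
        "discloses_version": bool(software and re.search(r"\d+\.\d+", software)),
    }
```

A `discloses_version` result of `True` is also a hardening finding: the banner can usually be shortened or removed in the PBX configuration.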

Attacks against VoIP

In this phase, focus on identifying security vulnerabilities in the VoIP implementation, measured against our organization's standards and known standards.

  • Extension Enumeration & Number Harvesting
  • Identification of insecure services
  • Testing for Default Credentials
  • SIP attacks
    • Rogue SIP B2BUA
    • SIP rogue as a proxy
    • SIP registration hijacking
    • Capturing SIP Authentication
  • Application level vulnerabilities
  • Denial of Service (DoS) attacks
    • Smurf flooding attack
    • TCP SYN flood attack
    • UDP flooding attack
  • Registration Manipulation and Hijacking
  • Authentication attacks
  • Caller ID spoofing
  • Man-in-the-middle attacks
  • VLAN Hopping
  • Passive and Active Eavesdropping
  • Spamming over Internet Telephony (SPIT)
  • VoIP phishing (Vishing)
  • RTP injection
  • Signaling Manipulation
  • Voice Mail Attacks
  • Phone Firmware Analysis

Exploitation

In this phase, exploit the flaws that were found, try to gain more information or impact using the vulnerability/issue, and also try to gain persistent access.

VoIP Security Papers

Strategic Mitigation

In this phase, we retest the vulnerabilities to check whether they have been fixed, and also try to bypass the current mitigation to verify that it is properly implemented.

VoIP Penetration Testing Lab

  • VULNVOIP - VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

Contribution

Your contributions and suggestions are welcome.

License

This work is licensed under a Creative Commons Attribution 4.0 International License
