VoIP Pen-Testing


Voice over Internet Protocol (VoIP), also known as IP telephony, is a technique for the delivery of voice communications & multimedia sessions over IP networks. In other words, It is a technology that converts your voice into a digital signal which allows you to make a call straight from a computer or any other data-driven devices. However, in most VoIP environments, It is possible to classify the IP phones by their SNMP signature.

VoIP Risks and Vulnerabilities:

a) Reconnaissance Attacks
    Gathers information about network vulnerabilities and the behavior of network devices and services.

b) Call Hijacking and Redirection
     Call intended for one user is redirected to a different user.

c) Protocol Fuzzing
     Test the software system for bugs and sees what it’s response will be.

d) Denial of Service (VoIP Spam)
     Spamming the network with large number of unsystematic messages.

e) Session Anomalies
     Improper arrangement of received messages.

f) Eavesdropping
     Unauthorized interception of RTP (Real-Time Protocol) media streams & voice packets.



Techniques applied in VoIP Penetration Testing:

1) Test for Eavesdropping

     Decode signaling messages in RTP (Real-Time Protocol) media streams or voice packets.

2) Test for Logic Attacks and Flooding

     2.1) Use the flooding techniques such as SIP (Session Initiation Protocol) Invite or Register packets to overload the devices with VoIP protocol packets.
     2.2) The TCP Synchronization Flood exploits the working of the TCP connection process.

3) Test for Call Hijacking and Redirection Attack

     3.1) Manipulate the registration related to the victim SIP URI.
     3.2) Check for the 3xx Response Code classes  to redirect the victim’s call.

4) Test for ICMP Ping Sweeps

     4.1) Indentify the active hosts by sending ICMP ECHO REQUEST packets or send REPLAY packets for the same if  in case ICMP is blocked by the firewall.

5) Test for SNMP Sweeps

     5.1) Take the advantage of  Public Community Strings to gather sensitive information.

6) TCP SYN Scan

     6.1) Send a TCP SYN packet to a specific port to establish TCP connection.
     6.2) SYN/ACK Flagged response packet indicates that the port is open.
     6.3) RTP packet indicates a closed packet.

7) Tests for SIP User/Enumeration

    7.1) It provides a valid user names and extensions of SIP phones.
    7.2) Easy way to gain the user’s registration.

8) Test for Enumerating and Sniffing TFTP Servers

    8.1) Locate the server within the network.
    8.2) It can be done by reading the TFTP Server IP address from the web-based configuration.

9) SNMP Enumeration

    9.1) Provides Config. Information such as Vendor Type, OS, MAC Address & Open Ports.

10) Test for Number Harvesting and Call Pattern Tracking

       10.1) An effortless to do this is to sniff all the SIP traffic on TCP/UDP port 5060 and analyse the ‘ From: ‘ & ‘ To: ‘ header fields.


VoIP Pen-Testing Tools:

1) Wireshark & VoIPong (Sniffing)
2) SNScan, Nessus & Nmap (VoIP scanning)
3) SipRogue & IAXAuthJack (VoIP Signaling Manipulation)
4) VoIPER & Ohrwurm (VoIP Fuzzing Tools)



1) Maintain current patch levels.
2) Run VoIP traffic on VPN’s.
3) Apply encryption selectively
4) Enforce SIP security.
5) Use IDP systems.
6) Install application-layer gateways between internal & external zones.
7) Use VLANs to protect voice traffic.
8) Maintain confidentiality for calls and voice.
9) Ensure proper security for voice gateway system and PSTN.
10) Design & develop appropriate network architecture.
11) Make sure that the VoIP security system can track back the communication ports.

Leave a Reply

Your email address will not be published. Required fields are marked *