SIP / VoIP
aka voip, sipvicious
Session Initiation Protocol on 5060/udp — the signalling for VoIP. Enumerate extensions, then brute-force their auth passwords with the SIPVicious suite to register rogue phones or eavesdrop.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5060 | udp | SIP |
| 5061 | tcp | SIP over TLS |
Fingerprint
- nmap sip-methods returns supported SIP verbs + server header
- svmap identifies SIP devices/PBXes
Exploitation primitives
- svmap to find SIP devices on the network
- svwar to enumerate valid extensions (users)
- svcrack to brute-force an extension's auth password → register and place/intercept calls
Overview
SIP on 5060/udp sets up VoIP calls. The flow: find the PBX, enumerate extensions, crack an extension password, then register as that phone. Often fronts Asterisk/FreePBX — see those notes for the management side.
Enumeration
Identify SIP devices:
svmap <TARGET>
Nmap: list supported methods and enumerate users:
nmap -sU -p5060 --script sip-methods,sip-enum-users <TARGET>
Enumerate valid extensions:
svwar -m INVITE -e 100-999 <TARGET>
Crack an extension
svcrack -u 101 -d /usr/share/wordlists/rockyou.txt <TARGET>
Hardening
Require strong SIP secrets, rate-limit/alert on REGISTER floods, restrict by IP, and put SIP behind a session border controller.
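For the "alert on REGISTER floods" item, a detection sketch that separates the two failure patterns the tools above produce: many extensions tried once each (enumeration) versus one extension tried many times (password guessing). This is an added example, not part of the original notes or of any PBX project; the log line shape is an assumption modelled on Asterisk chan_sip failed-registration notices, and the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape, modelled on Asterisk chan_sip failed-registration notices.
LINE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\].*Registration from '.*?<sip:(?P<ext>[^@>]+)@"
                  r"[^>]*>' failed for '(?P<ip>[\d.]+):\d+'")

def detect(lines, window=timedelta(seconds=60), max_fail=5, max_exts=3):
    """Map source IP -> alert labels for any sliding window over the thresholds.
    Threshold values are illustrative, not tuned recommendations."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["ip"]].append((ts, m["ext"]))
    alerts = defaultdict(set)
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # drop events older than the window
                start += 1
            per_ext = defaultdict(int)
            for _, ext in evs[start:end + 1]:
                per_ext[ext] += 1
            if len(per_ext) > max_exts:           # many extensions, few tries each
                alerts[ip].add("extension-enumeration")
            if max(per_ext.values()) > max_fail:  # one extension, many secrets tried
                alerts[ip].add("password-guessing")
    return dict(alerts)

def sample_lines():
    """Constructed log lines (documentation IP ranges), not captured traffic."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    fmt = ("[{}] NOTICE[1001] chan_sip.c: Registration from '<sip:{}@192.0.2.1>' "
           "failed for '{}:5060' - {}")
    out = [fmt.format(t0 + timedelta(seconds=i), 100 + i, "198.51.100.7",
                      "No matching peer found") for i in range(5)]
    out += [fmt.format(t0 + timedelta(seconds=2 * i), 101, "203.0.113.9",
                       "Wrong password") for i in range(8)]
    out.append(fmt.format(t0, 102, "192.0.2.50", "Wrong password"))  # single typo
    return out

if __name__ == "__main__":
    for ip, labels in sorted(detect(sample_lines()).items()):
        print(ip, sorted(labels))
```

The alerting sources are candidates for the IP restriction or rate limit mentioned above; a single failed registration, like the third source in the sample, stays below both thresholds.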