Awesome Real-time Communications hacking & pentesting resources
Covers VoIP, WebRTC and VoLTE security related topics.
Please create a PR if you think anything should be added to this list. Let us know if you think anything should be removed.
Table of Contents
- Newsletters
- Presentation Slides
- Videos
- Advisories
- Open-source tools
- Papers
- Blogs
- Notable blog posts and articles
- Books
- Commercial tools
- Vulnerabilities
- Related lists
Newsletters
Presentation Slides
- Hacking VoIP Exposed from Black Hat USA 2006.
- Mobile network hacking – All-over-IP edition from SRLabs at Blackhat EU 2019
- Monitoring SIP Traffic Using Support Vector Machines
Videos
- OpenSSL DoS (CVE-2022-0778) versus WebRTC infrastructure
- TAD Summit EMEA Americas 2020: Getting offensive: a different approach to RTC security - Sandro Gauci
- HITBHaxpo D1: VoLTE Phreaking - Ralph Moonen
- Kamailio World 2019: The Various Ways Your RTC May Be Crushed - Sandro Gauci
- Kamailio World 2018: A tale of two RTC fuzzing approaches - Sandro Gauci
- Kamailio World 2017: Listening By Speaking - Security Attacks On Media Servers And RTP Relays - Sandro Gauci
- Kamailio World 2016: 9 Years Of Friendly Scanning And Vicious SIP - Sandro Gauci
- Kamailio World 2015: VoIP Security – Bluebox ng Continuous Pentesting - Sergio GarcÃa Ramos
- Kamailio World 2013: VoIP Security Tools - Anton Roman
- Blackhat EU 2019: Mobile network hacking - All-over-IP edition - Karsten Nohl, Luca Melette & Sina Yazdanmehr
- Jailbreak Brewing Company Security Summit: Whatsup with WhatsApp: A Detailed Walk Through of Reverse Engineering CVE-2019-3568 - Maddie Stone
- RhurSec 2016: Eavesdropping on WebRTC Communication - Martin Johns
- Hak5 1813: SSL Hack Workarounds and WebRTC Flaws
- media.ccc.de: WebRTC Security - Stephan Thamm (language: german)
Advisories
- Cisco IOS and IOS XE SIP Protocol Denial of Service Vulnerability
- Polycom Phones SIP Registration Credential Abuse
- Cisco IOS XE Software NAT SIP Application Layer Gateway Denial of Service Vulnerability
- Cisco TelePresence Video Communication Server SIP DoS Vulnerability
- Voice over LTE implementations contain multiple vulnerabilities
- Asterisk RTP Bleed
- Asterisk pjSIP CSeq Overflow
- Juniper Junos Router OS DoS
- OpenScape Desk Phones HFA and SIP CSRF and Privilege Escalation
- Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA
- Interaction SIP Proxy Buffer Overflow in SIPParser() Leads to DoS
- Asterisk pjSIP Multi Parser Out-of-Bound Memory Access
- Asterisk Skinny Memory Exhaustion
- Asterisk Stack Corruption in
subscribe
Message - Asterisk Segfault with Invalid SDP
fmtp
Attribute - Asterisk Segfault with Invalid Media Format Descriptiom
- Asterisk Segfault with
INVITE
Replay Attack - Kamalio Off-By-One Heap Overflow
- New RCS technology exposes most mobile users to hacking
- Zoom Communications user enumeration
Open-source tools
- SIPVicious OSS - A set of tools to audit SIP based systems.
- SIPPTS - Another set of tools to audit VoIP servers and devices using SIP protocol.
- bluebox-ng - Pentesting framework using Node.js powers, focused in VoIP.
- SigPloit - Tool which covers all used SS7, GTP (3G), Diameter (4G) or even SIP protocols for IMS and VoLTE infrastructures.
- vsaudit - VoIP security assessment framework.
- rtpnatscan - Tool which tests for rtpbleed vulnerability.
- VIPROY - VoIP pentest framework which can be used with the metasploit-framework.
- SIP Proxy - A VoIP security testing tool.
- Metasploit auxiliary modules
- SIPp: SIP based test tool / traffic generator.
- Mr.SIP - SIP based audit and attack tool.
- VoIPShark - Open Source VoIP Analysis Platform
- Turner - PoC for tunnelling HTTP over a permissive/open TURN server.
- sipsak - SIP swiss army knife, has some features that can be used for security testing (e.g. flood more or random mode)
- turnproxy - Tool to abuse open TURN relays
- SeeYouCM Thief - download and parse configuration files from Cisco phone systems searching for SSH credentials
- stunner - a tool to test and exploit STUN, TURN and TURN over TCP servers.
- VoIP Hopper - a tool to exploit insecure VLANs that are often found in IP Telephony infrastructure.
Papers
- Performance Analysis of SIP Based VoIP Networks (local copy)
- Abusing SIP Authentication
- Multiple Design Patterns for Voice over IP (VoIP) Security
- Adaptive VoIP Steganography forInformation Hiding within Network Audio Streams
- Realtime Steganography with RTP (local copy)
- A Lossless Steganography Technique for G.711 Telephony Speech
- CallRank: Combating SPIT Using Call Duration, SocialNetworks and Global Reputation
- Steganography of VoIP streams
- Steganalysis of compressed speech to detect covert VoIP channels
- Securing Voice over Internet Protocol
- Protecting SIP Proxy Servers from Ringing-based Denial-of-Service Attacks
- An ontology description for SIP security flaws
- Analysis of DDoS Attacks in Heterogeneous VoIP Networks: A Survey
- Change Point Detection for Monitoring SIP Networks
- Network security systems to counter SIP-based denial-of-service attacks
- Multilayer Secured SIP Based VoIP Architecture
- Battling Against DDoS in SIP
- Billing Attacks on SIP-Based VoIP Systems
- Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems
- An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
- Fast Detection of Denial-of-ServiceAttacks on IP Telephony
- VoIP Security: Threat Analysis & Countermeasures (local copy)
- Voice Over IP - Security and SPIT
Blogs
- Communication Breakdown - A blog about VoIP, WebRTC and real-time communications security by Enable Security; (formerly SIPVicious blog)
- Pepelux blog (Spanish)
Notable blog posts and articles
- Understanding DTLS Usage in VoIP Communications
- How we abused Slack's TURN servers to gain access to internal services
- Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
- Adventures in Video Conferencing Part 1: The Wild World of WebRTC
- Adventures in Video Conferencing Part 2: Fun with FaceTime
- Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp
- Adventures in Video Conferencing Part 4: What Didn't Work Out with WhatsApp
- Adventures in Video Conferencing Part 5: Where Do We Go from Here?
- Exploiting CVE-2022-0778, a bug in OpenSSL vis-Ã -vis WebRTC platforms
- Analyzing two FreeSWITCH vulnerabilities – CVE-2021-41157 & CVE-2021-37624
- Abusing Microsoft Teams Direct Routing
- Kamailio’s exec module considered harmful
Books
- Hacking Exposed Unified Communications & VoIP Security Secrets & Solutions, Second Edition 2nd Edition (published December 20, 2013)
- Hacking VoIP: Protocols, Attacks, and Countermeasures (published March 21, 2008)
- SIP Security (published April 27, 2009)
Commercial tools
Vulnerabilities
The following are generic or common vulnerabilities that are related to either signalling, media or infrastructure.
CTFs and playgrounds
- SIPVicious PRO demo server - for testing RTC attacks
- CSAW CTF Qualification Round 2020 / Tasks / WebRTC - a CTF that featured a WebRTC related challenge