Awesome Real-time Communications hacking & pentesting resources

Covers VoIP, WebRTC and VoLTE security related topics.

Please create a PR if you think anything should be added to this list. Let us know if you think anything should be removed.

Table of Contents

• Newsletters
• Presentation Slides
• Videos
• Advisories
• Open-source tools
• Papers
• Blogs
• Notable blog posts and articles
• Books
• Commercial tools
• Vulnerabilities
• Related lists

Newsletters

• RTCSec Newsletter

Presentation Slides

• Hacking VoIP Exposed from Black Hat USA 2006.
• Mobile network hacking – All-over-IP edition from SRLabs at Blackhat EU 2019
• Monitoring SIP Traffic Using Support Vector Machines

Videos

• OpenSSL DoS (CVE-2022-0778) versus WebRTC infrastructure
• TAD Summit EMEA Americas 2020: Getting offensive: a different approach to RTC security - Sandro Gauci
• HITBHaxpo D1: VoLTE Phreaking - Ralph Moonen
• Kamailio World 2019: The Various Ways Your RTC May Be Crushed - Sandro Gauci
• Kamailio World 2018: A tale of two RTC fuzzing approaches - Sandro Gauci
• Kamailio World 2017: Listening By Speaking - Security Attacks On Media Servers And RTP Relays - Sandro Gauci
• Kamailio World 2016: 9 Years Of Friendly Scanning And Vicious SIP - Sandro Gauci
• Kamailio World 2015: VoIP Security – Bluebox ng Continuous Pentesting - Sergio García Ramos
• Kamailio World 2013: VoIP Security Tools - Anton Roman
• Blackhat EU 2019: Mobile network hacking - All-over-IP edition - Karsten Nohl, Luca Melette & Sina Yazdanmehr
• Jailbreak Brewing Company Security Summit: Whatsup with WhatsApp: A Detailed Walk Through of Reverse Engineering CVE-2019-3568 - Maddie Stone
• RhurSec 2016: Eavesdropping on WebRTC Communication - Martin Johns
• Hak5 1813: SSL Hack Workarounds and WebRTC Flaws
• media.ccc.de: WebRTC Security - Stephan Thamm (language: german)

Advisories

• Cisco IOS and IOS XE SIP Protocol Denial of Service Vulnerability
• Polycom Phones SIP Registration Credential Abuse
• Cisco IOS XE Software NAT SIP Application Layer Gateway Denial of Service Vulnerability
• Cisco TelePresence Video Communication Server SIP DoS Vulnerability
• Voice over LTE implementations contain multiple vulnerabilities
• Asterisk RTP Bleed
• Asterisk pjSIP CSeq Overflow
• Juniper Junos Router OS DoS
• OpenScape Desk Phones HFA and SIP CSRF and Privilege Escalation
• Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA
• Interaction SIP Proxy Buffer Overflow in SIPParser() Leads to DoS
• Asterisk pjSIP Multi Parser Out-of-Bound Memory Access
• Asterisk Skinny Memory Exhaustion
• Asterisk Stack Corruption in subscribe Message
• Asterisk Segfault with Invalid SDP fmtp Attribute
• Asterisk Segfault with Invalid Media Format Descriptiom
• Asterisk Segfault with INVITE Replay Attack
• Kamalio Off-By-One Heap Overflow
• New RCS technology exposes most mobile users to hacking
• Zoom Communications user enumeration

Open-source tools

• SIPVicious OSS - A set of tools to audit SIP based systems.
• SIPPTS - Another set of tools to audit VoIP servers and devices using SIP protocol.
• bluebox-ng - Pentesting framework using Node.js powers, focused in VoIP.
• SigPloit - Tool which covers all used SS7, GTP (3G), Diameter (4G) or even SIP protocols for IMS and VoLTE infrastructures.
• vsaudit - VoIP security assessment framework.
• rtpnatscan - Tool which tests for rtpbleed vulnerability.
• VIPROY - VoIP pentest framework which can be used with the metasploit-framework.
• SIP Proxy - A VoIP security testing tool.
• Metasploit auxiliary modules
• SIPp: SIP based test tool / traffic generator.
  • SIPp digest leak scenario
• Mr.SIP - SIP based audit and attack tool.
• VoIPShark - Open Source VoIP Analysis Platform
• Turner - PoC for tunnelling HTTP over a permissive/open TURN server.
• sipsak - SIP swiss army knife, has some features that can be used for security testing (e.g. flood more or random mode)
• turnproxy - Tool to abuse open TURN relays
• SeeYouCM Thief - download and parse configuration files from Cisco phone systems searching for SSH credentials
• stunner - a tool to test and exploit STUN, TURN and TURN over TCP servers.
• VoIP Hopper - a tool to exploit insecure VLANs that are often found in IP Telephony infrastructure.

Papers

• Performance Analysis of SIP Based VoIP Networks (local copy)
• Abusing SIP Authentication
• Multiple Design Patterns for Voice over IP (VoIP) Security
• Adaptive VoIP Steganography forInformation Hiding within Network Audio Streams
• Realtime Steganography with RTP (local copy)
• A Lossless Steganography Technique for G.711 Telephony Speech
• CallRank: Combating SPIT Using Call Duration, SocialNetworks and Global Reputation
• Steganography of VoIP streams
• Steganalysis of compressed speech to detect covert VoIP channels
• Securing Voice over Internet Protocol
• Protecting SIP Proxy Servers from Ringing-based Denial-of-Service Attacks
• An ontology description for SIP security flaws
• Analysis of DDoS Attacks in Heterogeneous VoIP Networks: A Survey
• Change Point Detection for Monitoring SIP Networks
• Network security systems to counter SIP-based denial-of-service attacks
• Multilayer Secured SIP Based VoIP Architecture
• Battling Against DDoS in SIP
• Billing Attacks on SIP-Based VoIP Systems
• Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems
• An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
• Fast Detection of Denial-of-ServiceAttacks on IP Telephony
• VoIP Security: Threat Analysis & Countermeasures (local copy)
• Voice Over IP - Security and SPIT

Blogs

• Communication Breakdown - A blog about VoIP, WebRTC and real-time communications security by Enable Security; (formerly SIPVicious blog)
• Pepelux blog (Spanish)

Notable blog posts and articles

• Understanding DTLS Usage in VoIP Communications
• How we abused Slack's TURN servers to gain access to internal services
• Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
• Adventures in Video Conferencing Part 1: The Wild World of WebRTC
• Adventures in Video Conferencing Part 2: Fun with FaceTime
• Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp
• Adventures in Video Conferencing Part 4: What Didn't Work Out with WhatsApp
• Adventures in Video Conferencing Part 5: Where Do We Go from Here?
• Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms
• Analyzing two FreeSWITCH vulnerabilities – CVE-2021-41157 & CVE-2021-37624
• Abusing Microsoft Teams Direct Routing
• Kamailio’s exec module considered harmful

Books

• Hacking Exposed Unified Communications & VoIP Security Secrets & Solutions, Second Edition 2nd Edition (published December 20, 2013)
• Hacking VoIP: Protocols, Attacks, and Countermeasures (published March 21, 2008)
• SIP Security (published April 27, 2009)

Commercial tools

• SIPVicious PRO

Vulnerabilities

The following are generic or common vulnerabilities that are related to either signalling, media or infrastructure.

• RTP bleed
• SIP Digest Leak

CTFs and playgrounds

• SIPVicious PRO demo server - for testing RTC attacks
• CSAW CTF Qualification Round 2020 / Tasks / WebRTC - a CTF that featured a WebRTC related challenge

Related lists

• Awesome Cellular Hacking
• Awesome RTC
• Awesome Telco
• VoIP Security Resources