
VoIP penetration testing targets the phone system most security programs forget they own. A modern PBX is just another set of network services (SIP signaling, RTP media, a web admin panel), and like any service it ships with default credentials, weak extension passwords, and unencrypted traffic. The payoffs for an attacker are real: free long-distance calls billed to you, recorded conversations, and a foothold on your voice VLAN.
This guide covers the VoIP recon and exploitation workflow: discovering the PBX, enumerating extensions, cracking SIP passwords, eavesdropping on RTP, and abusing the dial plan for toll fraud. It complements our network penetration testing overview and the broader internal network penetration testing guide.
VoIP penetration testing is the authorized assessment of an IP telephony deployment, covering the SIP signaling that sets up calls, the RTP streams that carry audio, and the servers (Asterisk, FreePBX, Cisco CUCM) that run it all. It looks for the same classes of flaws as any network test, applied to voice: enumeration, weak authentication, missing encryption, and dangerous configuration.
The attack surface is broader than it looks. A SIP server answers on UDP/TCP 5060 (and 5061 for TLS), RTP uses a wide dynamic port range, and the management interface is usually a web app with its own vulnerabilities. Voice traffic also frequently shares the network with data, so a compromise of the PBX can pivot into the rest of the enterprise.
Recon starts by finding the SIP infrastructure and mapping its services. nmap fingerprints the obvious ports (nmap -sU -sV -p 5060,5061 <range>) and its sip-enum-users and sip-methods scripts pull early detail. Then SIPVicious takes over: svmap 10.0.0.0/24 sweeps a network for live SIP devices and identifies the PBX software and version.
From there you enumerate valid extensions, which is the equivalent of username enumeration. svwar -m INVITE -e 100-999 <pbx> walks an extension range and reports which ones exist based on the server's differing responses. Knowing valid extensions sharply narrows the next phase. Also profile the management interface, the TFTP server phones provision from (often world-readable config files with credentials), and any SNMP exposure with default communities.
With valid extensions in hand, the next step is cracking their SIP passwords and abusing the dial plan. svcrack -u 101 -d wordlist.txt <pbx> brute-forces the registration password for an extension. Many deployments set the SIP secret equal to the extension number or a trivial default, so this often succeeds immediately.
A registered extension is an account on the phone system. The high-impact abuse is toll fraud: if the dial plan lets your extension reach external or premium-rate numbers, an attacker dials revenue-share numbers around the clock and runs up enormous bills, a well-documented attack pattern. You also test for SIP request fuzzing that can crash or hang the PBX, and for caller-ID spoofing by manipulating the SIP From header, which underpins vishing campaigns.
When media isn't encrypted, capturing and replaying calls is straightforward. RTP carries the audio, and by default it's unencrypted. On a flat or poorly segmented network, an attacker who can see the traffic (via ARP spoofing or a mirror port) captures the RTP stream and reassembles it into playable audio.
The tooling is simple: Wireshark has a built-in RTP player (Telephony > RTP > RTP Streams > Play), and tools like rtpbreak or ucsniff automate extraction. This is one of the more visceral findings to demonstrate in a report, since you hand the client a recording of an internal call. The defense is SRTP for media and SIPS over TLS for signaling, which together make passive eavesdropping impractical.
Securing VoIP comes down to encryption, segmentation, and credential hygiene. Encrypt signaling with SIPS (SIP over TLS on 5061) and media with SRTP so that enumeration, replay, and eavesdropping all fail. Put voice on its own VLAN, isolated from data and management, so a compromised phone can't reach the rest of the network, which ties into network device configuration security.
Then fix the basics: strong, unique SIP passwords (never equal to the extension), disable unused SIP methods, lock down the dial plan to block international and premium-rate routes by default, and change default admin credentials on the PBX web panel. Rate-limit registrations to slow svcrack. Because VoIP infrastructure changes quietly as extensions and trunks get added, the continuous validation in agentic pentesting helps catch a newly exposed PBX before an attacker does.
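The svwar extension sweep and svcrack password guessing described above leave a distinctive trail in the PBX's own logs, and the defensive side of that is worth showing. The following is an added example (not code from the original guide or from any PBX vendor) that flags both patterns in Asterisk security-event log lines; the line layout follows the res_security_log format as assumed here, the event names and thresholds are assumptions, and every sample line is constructed.

```python
"""Flag svwar-style extension sweeps and svcrack-style password guessing in
Asterisk security-event log lines (assumed layout; sample lines constructed)."""
import re
from collections import defaultdict
EVENT_RE = re.compile(
    r'SecurityEvent="(?P<event>\w+)".*?AccountID="(?P<account>[^"]*)"'
    r'.*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>[\d.]+)/\d+"')
ENUM_EVENTS = {"InvalidAccountID"}                             # unknown extension
BRUTE_EVENTS = {"InvalidPassword", "ChallengeResponseFailed"}  # wrong secret

def parse_events(lines):
    """Yield (event, account, source_ip) for every line that matches."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            yield m.group("event"), m.group("account"), m.group("ip")

def detect(lines, enum_threshold=5, brute_threshold=5):
    """Return {source_ip: [finding, ...]} for sources crossing a threshold."""
    unknown = defaultdict(set)     # ip -> distinct extensions that don't exist
    failures = defaultdict(int)    # (ip, extension) -> failed auth attempts
    for event, account, ip in parse_events(lines):
        if event in ENUM_EVENTS:
            unknown[ip].add(account)          # many distinct misses = svwar
        elif event in BRUTE_EVENTS:
            failures[(ip, account)] += 1      # many misses on one ext = svcrack
    findings = defaultdict(list)
    for ip, exts in unknown.items():
        if len(exts) >= enum_threshold:
            findings[ip].append(f"enumeration: {len(exts)} unknown extensions")
    for (ip, ext), n in failures.items():
        if n >= brute_threshold:
            findings[ip].append(f"password guessing: {n} failures on {ext}")
    return dict(findings)

def _line(event, account, ip):
    """Build one constructed log line in the assumed Asterisk format."""
    return (f'[2024-05-01 09:00:00] SECURITY[1234] res_security_log.c: '
            f'SecurityEvent="{event}",Severity="Error",Service="SIP",'
            f'AccountID="{account}",LocalAddress="IPV4/UDP/10.0.0.1/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')

# Constructed sample: 10.0.0.50 sweeps 100-105, 10.0.0.60 hammers extension
# 101 five times, and 10.0.0.7 is a single legitimate mistyped password.
SAMPLE_LOG = (
    [_line("InvalidAccountID", str(e), "10.0.0.50") for e in range(100, 106)]
    + [_line("ChallengeResponseFailed", "101", "10.0.0.60")] * 5
    + [_line("InvalidPassword", "102", "10.0.0.7")]
)
```

Feed the same source-grouped counts into a registration rate limit or a fail2ban-style block and the svcrack run described above slows to a crawl instead of succeeding immediately.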