SIPman : A penetration testing methodology for SIP and RTP

Sammanfattning: Background. SIP and RTP are two protocols that are widely used, and they play an important role in VoIP services. VoIP is an integral part of many communication services, e.g., Microsoft Teams, Skype, Discord, and communications over cellular networks (VoLTE and VoWiFi). Since these technologies are so widely used, a high level of security is paramount. Objectives. The aim of this study is threefold: (1) To investigate if it is possible to create a penetration testing methodology for SIP and RTP, where the target group is penetration testers with no previous knowledge of these protocols. (2) To identify previously discovered vulnerabilities and attacks. (3) Due to the lack of domain experts, a methodology of this kind will hopefully help penetration testers without prior knowledge, easing them into a new work area. Further, the aim is to increase awareness of potential vulnerabilities in such systems. Methods. Through a literature review, threat modeling, and exploratory penetration testing on three different testbeds, several vulnerabilities and attacks were identified and validated. From the results, a methodology was compiled. For evaluation purposes, it was evaluated by a third party, who tested it on a testbed and gave feedback. Results. The results from our research show that SIP and RTP are susceptible to a wide array of different attacks even to this day. From our literature study, it was determined that most of these attacks have been known for a long time. Using exploratory penetration testing, we managed to verify most of these attacks on three different systems. Additionally, we discovered a few novel attacks that we did not find in previous research. Conclusions. Our literature study suggests that SIP and RTP based systems are relatively susceptible to multiple attacks. Something we also validated during the exploratory testing phase. We successfully executed multiple existing attacks and some new attacks on three different testbeds. The methodology received mostly positive feedback. The results show that many of the participants appreciated the simplicity and concrete model of the methodology. Due to the low number of participants in the evaluation, an improvement to the study and results would be to increase the population and also have multiple novice penetration testers test several different systems. An increase in the number of testbeds would also further support the results and help generalize the methodology.