VoIP phones are implemented in every major organization and they are providing an attack surface for every malicious user that’s knows the basics of hacking. If there is no encryption in the communication media then an attacker could eavesdrop phone conversations which might impact the business in case that calls are classified as confidential.

A pentester should be able to identify if eavesdropping is possible on the voice network via the following technique.

ARP Poisoning

The first step before implementing a Man-in-the-Middle attack is to enable IP forwarding in order to be able to route traffic from your system to the gateway with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Now you can perform a Man-in-the-Middle attack in order to be able to intercept VoIP traffic. This can be achieved really easy with the command below:

MiTM attack
MiTM attack

Capturing and Decoding VoIP Traffic

Now that the traffic is being routed to your box you can use Wireshark in order to sniff any SIP traffic. We are particularly interested for the RTP packets as they contain the actual conversation of a VoIP call.

RTP Traffic
RTP Traffic


Wireshark contains a built-in utility called VoIP calls which can decode RTP data into a playable audio format.

Decoding RTP Traffic-Wireshark
Decoding RTP Traffic-Wireshark



As we saw it is very easy and fast to eavesdrop a phone call conversation just by performing a MiTM attack and having a tool like wireshark to sniff the traffic. In a VoIP assessments pentesters should try to implement this attack in order to identify if eavesdropping is possible. To prevent this attack companies should use the SRTP which is a secure protocol and provides encryption of the data being transferred so even if an attacker is able to capture the call it will be difficult to decrypt the data and to listen the message.


  1. the 2 ip’s in arpsnoop command can you explain what the ip’s represent is the 1st ip the sip server and the 2nd ip the sip client ip? please reply.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s