MITM unencrypted RTP → call eavesdropping

§ Context

Assumed environment: foothold on the office LAN. SIP/RTP runs unencrypted between desk phones and PBX. ARP / DHCP guard not configured on the switch.

§ Steps

1. 01
   Exfil sensitive audioExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   LAN footholdInitial Access

   T1078— Valid Accounts
3. 03
   ARP-spoof phone + PBXCredential Access

   N-ARP-SPOOF— ARP Spoofing / Cache Poisoning
4. 04
   Wireshark RTP → audioCollection

   T1056— Input Capture
5. 05
   Capture RTP streamsCollection

   VOIP-RTP-CAPTURE— RTP Stream Capture

§ References

• T1041Exfiltration Over C2 Channel
• T1078Valid Accounts
• T1056Input Capture

§ Frequently asked

What is the "MITM unencrypted RTP → call eavesdropping" attack path?

Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil sensitive audio (T1041) — a exfiltration primitive. Assumed environment: foothold on the office LAN.

What is the final impact of this kill-chain?

The final step lands on Capture RTP streams (VOIP-RTP-CAPTURE), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  Cloudflare account compromise → Worker rewrite → mass cred theft

  Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.

• Shared techniques2

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques2

  Apple Pay Express Transit relay → high-value contactless fraud

  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

• Shared techniques2

  Insider admin panel coercion → mass account takeover (Twitter 2020)

  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.

• Shared techniques2

  MITM HL7 v2 → tamper lab orders / results

  HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.