MITM unencrypted RTP → call eavesdropping
Most internal SIP deployments still carry RTP without SRTP. From the same VLAN, ARP-spoof both the IP phone and the PBX, capture the RTP streams, and decode them in Wireshark to .wav.
§ Context
Assumed environment: foothold on the office LAN. SIP/RTP runs unencrypted between desk phones and the PBX. ARP / DHCP guard (dynamic ARP inspection, DHCP snooping) is not configured on the switch.
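Two defender-side checks for the conditions this path depends on, added here as an example and not part of the original dossier: an SDP audit that flags media offered as plain RTP (RTP/AVP) rather than SRTP (RTP/SAVP), and an ARP-reply scan that flags an IP whose MAC mapping flips, the signature of cache poisoning. The SDP body, addresses and MACs are constructed samples.

```python
"""Defender-side checks for this dossier: (1) media offered without SRTP,
(2) IP-to-MAC conflicts in observed ARP replies. Inputs are constructed."""
import re
from collections import defaultdict

# Constructed SDP body from a SIP INVITE: audio offered as plain RTP (RTP/AVP),
# video offered as SRTP (RTP/SAVP). Key material is a placeholder.
SAMPLE_SDP = """v=0
o=phone 1 1 IN IP4 10.0.5.21
s=-
c=IN IP4 10.0.5.21
t=0 0
m=audio 16384 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
m=video 16386 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIAL
"""

def unencrypted_media(sdp: str) -> list:
    """Return (media type, port, profile) for every m= line whose transport
    profile is not an SRTP profile (RTP/SAVP or RTP/SAVPF)."""
    findings = []
    for line in sdp.splitlines():
        m = re.match(r"m=(\w+)\s+(\d+)\s+(\S+)", line)
        if m and not m.group(3).startswith("RTP/SAVP"):
            findings.append((m.group(1), int(m.group(2)), m.group(3)))
    return findings

# Constructed ARP reply log as (sender IP, sender MAC). The PBX at 10.0.5.1 is
# answered by its real MAC, then by a second MAC, then by the real one again.
SAMPLE_ARP = [
    ("10.0.5.1", "00:11:22:33:44:55"),
    ("10.0.5.21", "aa:bb:cc:dd:ee:01"),
    ("10.0.5.1", "de:ad:be:ef:00:01"),
    ("10.0.5.1", "00:11:22:33:44:55"),
]

def arp_conflicts(replies) -> dict:
    """Map each IP that was claimed by more than one sender MAC to those MACs."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    print(unencrypted_media(SAMPLE_SDP))  # [('audio', 16384, 'RTP/AVP')]
    print(arp_conflicts(SAMPLE_ARP))      # {'10.0.5.1': {...two MACs...}}
```

In practice the SDP check runs over INVITE/200 OK bodies from a SIP trace or the PBX config, and the ARP check over ARP replies mirrored from the voice VLAN; a switch with DAI enabled drops the conflicting replies before they reach the phone.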
§ Steps
- Step | Action | Tactic | Technique
- 01 | Exfil sensitive audio | Exfiltration | T1041 — Exfiltration Over C2 Channel
- 02 | LAN foothold | Initial Access | T1078 — Valid Accounts
- 03 | ARP-spoof phone + PBX | Credential Access | N-ARP-SPOOF — ARP Spoofing / Cache Poisoning
- 04 | Wireshark RTP → audio | Collection | T1056 — Input Capture
- 05 | Capture RTP streams | Collection | VOIP-RTP-CAPTURE — RTP Stream Capture
§ References
- T1041 — Exfiltration Over C2 Channel
- T1078 — Valid Accounts
- T1056 — Input Capture
§ Frequently asked
- What is the "MITM unencrypted RTP → call eavesdropping" attack path?
- Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Exfil sensitive audio (T1041), an exfiltration primitive. Assumed environment: foothold on the office LAN.
- What is the final impact of this kill-chain?
- The final step lands on Capture RTP streams (VOIP-RTP-CAPTURE), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Cloudflare account compromise → Worker rewrite → mass cred theft (2 shared techniques): Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response and captures form posts (logins, payments) for as long as the operator doesn't notice.
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (2 shared techniques): Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Vesting beneficiary replace → silently drain stream (2 shared techniques): Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace the beneficiary with an attacker address; the legitimate token stream now flows to the attacker until the released funds are noticed.
- Apple Pay Express Transit relay → high-value contactless fraud (2 shared techniques): A specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-transaction auth. Two devices relayed the wallet from the victim's pocket to a real terminal.
- Insider admin panel coercion → mass account takeover (Twitter 2020) (2 shared techniques): Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- MITM HL7 v2 → tamper lab orders / results (2 shared techniques): HL7 v2 over MLLP is plaintext and pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments, changing the patient's documented test result.