by VoIP phones are implemented in every major organization and they are providing an attack surface for every malicious user that’s knows the basics of hacking. If there is no encryption in the communication media then an attacker could eavesdrop phone conversations which might impact the business in case that calls are classified as confidential.
A pentester should be able to identify if eavesdropping is possible on the voice network via the following technique.
ARP Poisoning
The first step before implementing a Man-in-the-Middle attack is to enable IP forwarding in order to be able to route traffic from your system to the gateway with the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now you can perform a Man-in-the-Middle attack in order to be able to intercept VoIP traffic. This can be achieved really easy with the command below:
Capturing and Decoding VoIP Traffic
Now that the traffic is being routed to your box you can use Wireshark in order to sniff any SIP traffic. We are particularly interested for the RTP packets as they contain the actual conversation of a VoIP call.
Wireshark contains a built-in utility called VoIP calls which can decode RTP data into a playable audio format.
Conclusion
As we saw it is very easy and fast to eavesdrop a phone call conversation just by performing a MiTM attack and having a tool like wireshark to sniff the traffic. In a VoIP assessments pentesters should try to implement this attack in order to identify if eavesdropping is possible. To prevent this attack companies should use the SRTP which is a secure protocol and provides encryption of the data being transferred so even if an attacker is able to capture the call it will be difficult to decrypt the data and to listen the message.
Penetration Testing Lab 
the 2 ip’s in arpsnoop command can you explain what the ip’s represent is the 1st ip the sip server and the 2nd ip the sip client ip? please reply.
The first IP is the local IP and the second IP is the IP of the gateway in the network.