Tutorial: Hacking/Troubleshooting VoIP and ISDN

October 12, 2015 | Views: 6723


Phone hacking has been around since the creation of the phone line. Now, with VoIP technology, we face new issues.

Let’s take a closer look at Cisco connections and troubleshooting of basic problems. Much depends on the connection and hardware you’re working with. Cisco phones are connected to the switch and managed via CME or CUCM.

Below, you’ll find basic ways and commands to troubleshoot VoIP issues. I also added a few basics of ISDN troubleshooting.


How is Your IP Phone Connecting?

  1. The Cisco IP Phone connects to an Ethernet switchport. If the IP phone and switch support PoE, the IP phone receives power through either Cisco-proprietary PoE or 802.3af PoE.
  2. As the Cisco IP Phone powers on, the Cisco switch delivers voice VLAN information to the IP phone using CDP as a delivery mechanism. The Cisco IP Phone now knows what VLAN it should use.
  3. The Cisco IP Phone sends a DHCP request asking for an IP address on its voice VLAN.
  4. The DHCP server responds with an IP address offer. When the Cisco IP Phone accepts the offer, it receives all the DHCP options that go along with the DHCP request. DHCP options include items such as default gateway, DNS server information, domain name information and so on. In the case of Cisco IP Phones, a unique DHCP option is Option 150. This option directs the IP phone to a TFTP server.
  5. After the Cisco IP Phone has the IP address of the TFTP server, it contacts the TFTP server and downloads its configuration file. Included in the configuration file is a list of valid call processing agents (such as Cisco Unified Communications Manager or Cisco Unified Communications Manager Express CME agents).
  6. The Cisco IP Phone attempts to contact the first call processing server (the primary server) listed in its configuration file to register. If this fails, the IP phone moves to the next server in the configuration file. This process continues until the IP phone registers successfully or the list of call processing agents is exhausted.
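
Step 4 is where a phone learns which TFTP server to trust for its configuration, so it is worth checking what a DHCP offer on the voice VLAN actually carries. The following is an added example, not part of the original tutorial: it parses the options field of a DHCP offer, extracts Option 150 and compares the TFTP servers against an expected set. The sample bytes and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: options field of a DHCP OFFER (bytes after the magic cookie).
SAMPLE_OPTIONS = bytes([
    53, 1, 2,                               # message type = OFFER
    1, 4, 255, 255, 255, 0,                 # subnet mask
    3, 4, 10, 10, 20, 1,                    # router (default gateway)
    150, 8, 10, 10, 20, 1, 10, 10, 20, 2,   # Option 150: two TFTP servers
    255,                                    # end of options
])

def parse_dhcp_options(raw):
    """Walk the code/length/value list and return {option code: value bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # repeated options are concatenated
        i += 2 + length
    return opts

def tftp_servers(opts):
    """Option 150 is a list of 4-byte IPv4 addresses."""
    raw = opts.get(150, b"")
    if len(raw) % 4:
        raise ValueError("option 150 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def check_offer(raw, expected):
    """Return a list of problems found in the offer (an empty list means OK)."""
    servers = tftp_servers(parse_dhcp_options(raw))
    if not servers:
        return ["no option 150: phone cannot find its TFTP server"]
    return [f"unexpected TFTP server {s}" for s in servers if s not in expected]
```

An offer that lacks Option 150 explains a phone stuck before registration; an offer that names a TFTP server you do not run deserves a closer look at who is answering DHCP on the voice VLAN.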


Basic Commands:

sh ephone att
sh ephone phone
sh voice call sum
sh voice port sum
sh voice call
sh dial-peer voice sum
sh isdn stat
sh ephone
sh log


More Commands:

sh ver | i upt
! <check for uptime of router/switch>
sh power inline
! <is the phone getting power?>
sh int desc
! <every interface should have description – anything useful?>
sh cdp nei
! <can you see the phone in CDP?>
sh cdp nei det
sh cdp entry <cdp name>
! <ip address of phone can be found here>
sh env all
! <check environment – all ok?>
sh log


Router Commands:

sh arp
! <can you see phone’s MAC?>
sh ephone
sh run | s ephone
! <check config! CME case…>



  • FAX / PSTN line
    debug vpm signal
    This command is used to collect debug information for signaling events and can be useful in resolving problems with analog PSTN lines or devices connected to analog FXS ports, i.e. where there is no ISDN, only FXO/FXS trunks.
  • Ephones
    debug ip dhcp server events
    debug tftp events
    debug tftp packets
    show telephony-service tftp-bindings
    debug ephone register  (useful! – CME IP, DATE and TIME, SOFTKEYS, CODEC CAPABILITIES, EXTENSIONS)
    debug ephone state
  • How to verify ephone extension status
    debug vpm signal + debug ephone state
    – Call the main number (voice port number)
    – Watch voice port status – which one is going up?
    – Connection plar opx (redirection to the hunt group handling incoming calls)
    – Adjust connection plar on the exact voice port for the exact non-working extension
    – Call the main number again and only the exact extension will ring
  • ISDN
    debug isdn q931
    The Bearer Capability (or bearer cap) is the layer 3 service indication, which defines the characteristics of a given call. The Bearer Cap of a call is indicated by the telco in the Q.931 SETUP messages. The Bearer cap is often used to distinguish among 64k voice (analog), 56k data calls and 64k data calls.
    Bearer Cap Description:
    0x8890 ISDN 64K call – Used for ISDN BACKUP
    0x8890218F ISDN 56K call
    0x8090A2 Voice/Speech call (u-law)
    0x9090A2 Voice/Speech call (u-law) – 3.1 kHz Audio
    0x8090A3 Voice/Speech call (A-law)
    0x9090A3 Voice/Speech call (A-law) – 3.1 kHz Audio
    debug voice ccapi
    term mon
    – from your phone call the external number
    – debug ongoing…
    debug voice ccapi
    term mon
    csim start 1011    – e.g. call number 1011 internal extension <of course external calls possible>
    csim start 988XXXXXXX
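
The Bearer Cap values listed under ISDN above are not opaque codes: each octet is a bit field. The following is an added example, not part of the original tutorial, that decodes the hex strings from the table as they would appear in debug isdn q931 output. The field layout is taken from ITU-T Q.931 rather than from this page, and the lookup tables cover only the values the table above uses; function names are hypothetical.

```python
# Lower 5 bits of each octet, per ITU-T Q.931 bearer capability coding.
ITC = {0x00: "speech", 0x08: "unrestricted digital", 0x10: "3.1 kHz audio"}
RATE = {0x10: "64 kbit/s"}
LAYER1 = {0x01: "V.110 rate adaption", 0x02: "G.711 u-law", 0x03: "G.711 A-law"}
USER_RATE = {0x0F: "56 kbit/s"}

def decode_bearer_cap(hexstr):
    """Decode a Bearer Cap value such as '0x8090A2' into its fields."""
    h = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    data = bytes.fromhex(h)
    if len(data) < 2:
        raise ValueError("bearer capability needs at least octets 3 and 4")
    out = {
        # Octet 3: information transfer capability
        "capability": ITC.get(data[0] & 0x1F, "unknown"),
        # Octet 4: transfer mode (bits 7-6) and transfer rate (bits 5-1)
        "mode": "circuit" if (data[1] >> 5) & 0x3 == 0 else "packet/other",
        "rate": RATE.get(data[1] & 0x1F, "unknown"),
    }
    if len(data) > 2:
        # Octet 5: bits 7-6 must be 01 (layer 1 identifier)
        if (data[2] >> 5) & 0x3 != 0x1:
            raise ValueError("octet 5 does not carry the layer 1 identifier")
        out["layer1"] = LAYER1.get(data[2] & 0x1F, "unknown")
        # Extension bit (bit 8) clear means octet 5a follows with the user rate
        if not data[2] & 0x80 and len(data) > 3:
            out["user_rate"] = USER_RATE.get(data[3] & 0x1F, "unknown")
    return out

def classify(hexstr):
    """Short label: data call with its rate, or voice call with its codec."""
    bc = decode_bearer_cap(hexstr)
    if bc["capability"] == "unrestricted digital":
        return "data " + bc.get("user_rate", bc["rate"])
    return "voice " + bc.get("layer1", "unknown")

# The values from the table above
for value in ("0x8890", "0x8890218F", "0x8090A2", "0x9090A2", "0x8090A3", "0x9090A3"):
    print(value, "->", classify(value), decode_bearer_cap(value))
```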


Unregistered – TCP Socket:: [-1]

# sh ephone phone – verify the firmware version
# sh ephone sum | i mac
# dir flash:/phone/7940-7960
# restart    causes the phone to perform a warm reboot and redownload its configuration file from the TFTP server

– Verify the phone has PoE, a voice VLAN access port, a reachable TFTP server and the correct MAC address assigned
– Bounce the switchport on the switch, and check that CME has the correct MAC in the ephone config
– Verify the IP address is from the IP DHCP pool, because the phone can get stuck in a boot cycle due to a bad IP
– The CME router must have a DHCP pool with option 150 for TFTP
– Check for bugs on DN: sh voice call sum


DECEASED status is shown in the ephone output. The CME router has lost connectivity with the IP phone through a TCP keepalive failure.

UNREGISTERED status indicates the CME router closed the connection to the IP phone in a normal manner.

! When phones are unregistered from the router, it’s OK. But if they could not reach the CUCM primary server, they would stay registered to the router in SRST mode.


Troubleshooting ISDN More Deeply

# sh int desc
# sh isdn status
# sh run | i string

# isdn test call int BR0/1/0 02083852668
# sh isdn history
# sh isdn active
# sh controllers BRI 0

– Time to check with your Telco

ISDN check process
#sh isdn status                  >>> defined SWITCHTYPE?  or ISDN not used
#sh isdn history
#sh run | i string
dialer string 02XXXXXXXXX

#terminal monitor
#debug isdn q931
#isdn test call int BRI <?> string – After a test call, one BRI int has to go up/up. It may happen that the router will shut down.

#sh controller BRI <?>
# debug isdn q931
# debug isdn q921


FACTORY Reset of Cisco IP Phones

This can be very helpful 😉

1 – Unplug the cable, plug it back in and press the # key until the red light starts blinking
2 – Release # and type 123456789*0# in sequence
3 – The ephone should restart after this – approximately 2 times. Solved?

It will take time to factory reset itself.
!! During factory reset, do not power down the phone until it completes the factory reset process and the main screen appears. You will brick the phone!


Importance of Voice Peers

#sh dial-peer voice sum
Without well-configured dial peers, the CME will match inbound voice traffic to the default dial peer 0, which comes with all of the following drawbacks:

• Any voice codec: Dial peer 0 handles any incoming voice codec; it is not hardcoded to any specific codec
• No DTMF relay: DTMF relay sends dialed digits outside of the audio stream. This is useful because compressed codecs often distort dialed tones on the call
• IP Precedence 0: This is probably the most painful default of dial peer 0. Setting the traffic’s IP Precedence (IPP) to 0 strips all QoS markings. The router now treats the voice traffic the same as the data traffic
• Voice Activity Detection (VAD) enabled: VAD allows you to save bandwidth by eliminating voice traffic during periods of silence on the call
• No Resource Reservation Protocol (RSVP) support: The lack of RSVP goes right along with the lack of any QoS for the voice calls. The router does not reserve any bandwidth specifically for dial peer 0 calls
• Fax-rate voice: The router limits the bandwidth available to fax signals to the maximum allowed by the VoIP codec. This could devastate fax calls if you are using a low bandwidth compressed codec
• No application support: Dial peer 0 cannot refer calls to outside applications, such as an Interactive Voice Response (IVR) system
• No DID support: Dial peer 0 cannot use the DID feature to automatically forward calls from an outside PSTN carrier to internal devices


The Phone Doesn’t Ring – But All Looks Good?

The magical command is sh ephone 😉
Search for DnD (Do Not Disturb) and for CFA (Call Forward All)

If active – find the respective DNs and adjust the configuration…



…to be continued….let me know, lads, if you’re interested in this topic 🙂

Kouzelnik CybPavl

  1. This is very helpful at the workplace as it’ll save a lot of time trying to figure out a solution for issues. I would appreciate if you can make a tutorial explaining more in depth about the Cisco IP phones configuration files and all that stuff. Thanks for your effort.

  2. This is extremely useful, thanks for posting!

  3. Good read. Some of the basics of the workplace. Can save you time from Googling solutions. Nice one

  4. Nice one 🙂

  5. good information
