TL;DR
We built DVRTC (Damn Vulnerable Real-Time Communications), a hands-on vulnerable lab environment for learning VoIP and WebRTC security. It packages a complete, intentionally vulnerable RTC deployment with exercises, documentation, and a live instance at pbx1.dvrtc.net. If you’ve ever wanted to practice SIP enumeration, RTP eavesdropping, TURN abuse, or credential cracking in a safe environment, this is for you.

Why we built this
VoIP penetration testing is what we do, and have done for years. One thing that keeps coming up is that WebRTC and VoIP security can feel abstract until you actually get your hands dirty. Reading about RTP bleed is one thing. Watching packets leak media from a live call is something else entirely.
The truth is, there hasn’t been a good way to practice RTC security testing without setting up your own infrastructure from scratch. Web application security has DVWA, WebGoat, and friends. VoIP security? Not so much. We wanted to change that.
DVRTC is our answer: a complete, dockerized VoIP/WebRTC environment that is intentionally vulnerable and comes with guided exercises to walk you through real attack techniques.
Who is this for?
- Security researchers who want to explore RTC attack paths without needing to build a lab from scratch
- Pentesters looking to sharpen their VoIP/WebRTC testing skills
- WebRTC and VoIP developers who want to understand what attackers actually do, so they can build more secure systems
What’s inside
The first scenario, pbx1, deploys a full VoIP stack with Kamailio, Asterisk, rtpengine, coturn, Nginx, and MySQL. The whole thing runs on Docker Compose and covers 12 attack paths across 7 guided exercises:
- SIP extension enumeration - discover valid extensions through response analysis
- Traffic analysis and packet capture - capture and inspect SIP/RTP traffic
- RTP bleed - recover leaked media from the RTP port range
- Online SIP credential cracking - brute-force weak SIP passwords
- SIP digest leak - exploit digest authentication to capture crackable material
- TURN relay abuse - access restricted resources through a misconfigured TURN server
- Offline credential cracking - crack captured digest material offline
Each exercise includes step-by-step instructions and uses tools available in the included testing container. Of course, you’re free to use your own tools too.
Warning
DVRTC is intentionally vulnerable. Deploy it only on isolated, dedicated systems. Expect weak credentials, exposed services, and vulnerable behavior by design.
Try it out
Option 1: use the live instance
We have a public deployment running at pbx1.dvrtc.net that you can test against right away. The web interface includes a browser-based softphone, voicemail directory listing, and user-agent logs. Do keep in mind that this is a shared instance, so be considerate of other users.
Option 2: run your own
To deploy locally on a Linux host:
git clone https://github.com/EnableSecurity/DVRTC.git
cd DVRTC
# set up networking, passwords, and certificates
./scripts/setup_networking.sh
./scripts/generate_passwords.sh
./scripts/init-selfsigned.sh
# start the stack
docker compose up -d
The setup needs Docker 20.10+, host networking (Linux), and about 4 CPU cores with 8 GB RAM. macOS users can use Colima as a workaround. Full setup instructions are in the README.
What we hope to achieve
We’re hoping that DVRTC helps make RTC security more approachable. If people use it to understand attack paths, improve their testing methodology, or teach others about VoIP/WebRTC security, then we’ve done our job.
VoIP and WebRTC security has always been a niche topic and getting started can be hard. Perhaps DVRTC can help lower that barrier.
What’s next
The pbx1 scenario is just the beginning. We plan to add more scenarios covering different attack surfaces and more complex deployments. If you have ideas for scenarios you’d like to see, open an issue on GitHub or reach out to us directly.
Give it a try and let us know what you think!