What is the difference between the
rtp bleed and
rtp inject commands?
In the case of RTP Bleed, the objective of the tool is to receive the media by overwriting the IP and port that the RTP proxy is forwarding the stream to. On the other hand, the RTP injection command is meant to force an RTP stack to accept an attacker’s media. Both attacks rely on being able to send RTP packets to the vulnerable system. However, their behavior is different in that in the case of RTP Bleed, fake RTP may be used to efficiently scan an RTP proxy. In the case of RTP inject, some form of valid media (audio) is used to target a particular UDP port or multiple UDP ports. In terms of success, RTP Bleed is successful when RTP packets are received from the target. As for RTP inject, the tool is successful if the injected media is heard, or RTP packets that were sent seen during a call.
It is important to note that both tools are related and that
rtp bleed can be used in an RTP inject attack. However, unlike the RTP bleed tool, the RTP inject tool will, send RTP regardless of whether or not RTP is received back by the attacker. This allows the tool to focus only on injection and therefore can spoof the source IP and port to test if the target system is whitelisting allowed IP addresses, without expecting any responses.
Although both commands could be combined, we thought that from a usability point of view, it is easier to reproduce each individual vulnerability when each one belongs to a separate command.