Pentesting VoIP is no different from pentesting, say, an e-mail server. In a VoIP based PBX there are accounts similar to an email server: VOIP
Your best bet would be to run the typical scans (nmap, etc.) along with sipvicious to test for weak usernames and passwords. NMAP will tell you what is visible in similar fashion to any server: "This port is open", what is it doing, what is it running, are there any known vulnerabilities against that version. sipvicious is similar to, say, hydra and NMAP. Give it a target and a list of usernames or passwords and it will try to register an account on the machine.
The key to it all is ingenuity. In a VoIP environment, too many admins have the tendency to make extensions usernames. For example: VOIP Username
There is no reason, other than a lack of understanding of risk, to configure accounts like this. It's akin to an email admin creating the following: EMAIL
So your goal would be recon in similar fashion to figuring out what a username is for email, only in this instance, it is VoIP. I would start with extensions as a username, e.g., 1000-1999 and so on. Here is a live example of someone on one of my Asterisk honeypots with numbers adding to the beginning:
1: <--- Transmitting (NAT) to 220.127.116.11:5060 --->
2: SIP/2.0 180 Ringing
3: Via: SIP/2.0/UDP 18.104.22.168:5060;branch=z9hG4bK-d8754z-4c30389f4dd4dbfc-1---d8754z-;received=22.214.171.124
4: From: <sip:email@example.com;transport=UDP>;tag=3023bf3b
5: To: <sip:firstname.lastname@example.org;transport=UDP>;tag=as30fa28c1
6: Contact: <sip:email@example.com>
Line 1 shows their external IP address. When this phone registers, I can see their internal IP space in Asterisk. Verbose logging will show me the registered device's egress, in this case from a Romanian attacker.
Line 2 states back and forth from client to server (PBX) that the number called is going through the ringing stage.
Line 3 shows the detailed information about the call and who is connected to it.
Line 4 shows the extension (USERNAME) making the call.
Line 5 shows what number the user is trying to call.
In this example, an attacker from Romania (1) tried calling 00263912792068 (5) using the extension (username) 3097 on my honeypot xxx.xxx.xxx.195. The log entry shows how extensions / usernames are done in many PBXs. Therefore, recon may be able to tell you what extension ranges are visible. Google the company name + mailing lists. See if you can get a signature from someone:
Pentest My Company
212 555 2000 ext 3097
The 3097 is the range I would test first with sipvicious, e.g. ranges 3000-3200, and go longer if I see extensions hit, say, 3198. As for the setup, it depends on what type of PBX they're using. Cisco Call Manager, Avaya, PBXNSIP, SnomOne, etc. all differ; however, they WILL NOT differ in terms of registrations. Registrations meaning usernames, passwords, registrar.
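
The defender's side of the extension-range guessing described above, as an added example that is not part of the original post: it reads REGISTER requests as a honeypot or PBX log would supply them and flags sources that walk a numeric extension range. The sample events, host name, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (source IP, raw SIP request) pairs as a honeypot might record
# them. IPs are RFC 5737 documentation addresses; none come from the log above.
def _register(user, host="pbx.example.test"):
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f"From: <sip:{user}@{host};transport=UDP>;tag=abc\r\n"
            f"To: <sip:{user}@{host};transport=UDP>\r\n\r\n")

SAMPLE = ([("203.0.113.7", _register(ext)) for ext in range(3000, 3040)]
          + [("198.51.100.20", _register("3097"))] * 3   # one phone re-registering
          + [("198.51.100.21", _register("alice"))])     # non-numeric username

FROM_USER = re.compile(r"^(?:From|f)\s*:.*?<?sips?:([^@;>\s]+)@", re.I | re.M)

def from_user(message):
    """Return the user part of the From URI, or None if there is none."""
    m = FROM_USER.search(message)
    return m.group(1) if m else None

def longest_run(numbers):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for n in numbers:
        if n - 1 not in numbers:              # n is the start of a run
            length = 1
            while n + length in numbers:
                length += 1
            best = max(best, length)
    return best

def find_extension_sweeps(events, min_distinct=20, min_run=10):
    """Flag sources whose REGISTER attempts walk a numeric extension range."""
    tried = defaultdict(set)
    for src, msg in events:
        user = from_user(msg) if msg.startswith("REGISTER ") else None
        if user and user.isdigit():
            tried[src].add(int(user))
    report = {}
    for src, exts in tried.items():
        run = longest_run(exts)
        if len(exts) >= min_distinct and run >= min_run:
            report[src] = {"distinct": len(exts), "longest_run": run,
                           "low": min(exts), "high": max(exts)}
    return report

if __name__ == "__main__":
    print(find_extension_sweeps(SAMPLE))
```

A single phone re-registering its own extension stays below both thresholds, so only the source that walks the range is reported.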