Port reference

Port 5004 (UDP) – RTP (Real-time Transport Protocol)

Default RTP port carrying real-time audio/video media for VoIP and streaming, negotiated by signaling protocols like SIP.

udp · Registered · Commonly attacked

Default state

Used for RTP media streams on VoIP endpoints and media servers; the media path is opened during call setup by SIP/H.323.

Common attacks

  • Eavesdropping on unencrypted RTP audio/video streams
  • RTP injection of spoofed audio/video into a call
  • Stream disruption and denial of service via packet flooding
  • SSRC/sequence manipulation to hijack or corrupt media

Hardening

  • Use SRTP to encrypt and authenticate media streams
  • Negotiate and key media securely via SIP over TLS
  • Restrict RTP source addresses and validate SSRC/sequence
  • Place VoIP media on an isolated VLAN, not the open internet
  • Rate-limit and monitor RTP flows for injection/flooding

nmap snippet

nmap -sU -p5004 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5004?

Port 5004 is the default for RTP, the Real-time Transport Protocol, which carries real-time audio/video for VoIP and streaming. RTP is not standalone: a signaling protocol like SIP (5060) or H.323 opens the media path and negotiates codecs, then the media flows over RTP (with RTCP on 5005). It runs over UDP for low latency.

Why it matters for security

Cleartext RTP exposes the actual conversation: anyone on the media path can eavesdrop by capturing packets and reconstructing the audio/video. Because RTP has weak inherent authentication, attackers can also inject spoofed media into a call, manipulate SSRC/sequence numbers to hijack or corrupt the stream, or flood the stream with packets to disrupt it.

How it's attacked

On a shared or exposed media path, attackers capture RTP and replay it to eavesdrop. They inject crafted RTP with a matching SSRC to overlay or replace audio, manipulate sequence numbers to corrupt playback, and flood the endpoint to cause denial of service.

Hardening checklist

Use SRTP to encrypt and authenticate media, and negotiate keys securely via SIP over TLS. Restrict RTP source addresses and validate SSRC/sequence to reject injected packets. Keep VoIP media on an isolated VLAN rather than the open internet, and rate-limit and monitor RTP flows for injection or flooding. Use the nmap snippet above only against systems you are authorized to test.
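
The source-address and SSRC/sequence validation described above can be sketched as a per-stream guard. This is an added example, not code from this page or from any VoIP product; the names RtpFlowGuard, parse_rtp and make_rtp, the two tolerance constants, and the sample addresses and packets are assumptions constructed for illustration.

```python
import struct

MAX_FORWARD = 100   # assumed tolerance: largest forward jump accepted (packet loss)
MAX_REORDER = 16    # assumed tolerance: late packets this far behind still accepted

def parse_rtp(datagram):
    """Parse the 12-byte fixed RTP header (RFC 3550); return None if malformed."""
    if len(datagram) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:                            # version field must be 2
        return None
    if len(datagram) < 12 + 4 * (b0 & 0x0F):    # declared CSRC list must fit
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

class RtpFlowGuard:
    """Accepts only packets matching the source and SSRC pinned for one stream."""
    def __init__(self, expected_source, expected_ssrc=None):
        self.source = expected_source   # (ip, port) taken from signaling (SDP)
        self.ssrc = expected_ssrc       # None: pin to the first valid packet
        self.last_seq = None

    def check(self, source, datagram):
        hdr = parse_rtp(datagram)
        if hdr is None:
            return "reject: malformed"
        if source != self.source:
            return "reject: unexpected source"
        if self.ssrc is None:
            self.ssrc = hdr["ssrc"]
        elif hdr["ssrc"] != self.ssrc:
            return "reject: SSRC mismatch"
        if self.last_seq is not None:
            delta = (hdr["seq"] - self.last_seq) & 0xFFFF   # distance modulo 2^16
            if delta == 0:
                return "reject: duplicate sequence"
            if delta >= 0x10000 - MAX_REORDER:
                return "accept: reordered"      # slightly late; keep last_seq
            if delta > MAX_FORWARD:
                return "reject: sequence out of window"
        self.last_seq = hdr["seq"]
        return "accept"

def make_rtp(seq, ssrc, ts=0, pt=0, payload=b"\x00" * 160):
    """Build a constructed sample packet (version 2, no padding/extension/CSRC)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload
```

These checks filter packets whose source, SSRC or sequence number does not fit the pinned stream, but all three values are visible to anyone on the media path, so they complement SRTP authentication rather than replace it.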

Frequently asked questions

What is the relationship between RTP and SIP?
SIP (port 5060) is the signaling that sets up a call and negotiates the media; RTP (port 5004) carries the actual audio/video. SIP opens the RTP path, so securing both — ideally SIP/TLS plus SRTP — is necessary.

Can RTP streams be eavesdropped?
Yes. Unencrypted RTP can be captured and replayed to recover the audio/video. Attackers on the media path can also inject spoofed RTP. SRTP encrypts and authenticates the stream to prevent this.