
VoIP penetration testing tools for professionals

SIPVicious PRO helps us battle-test modern VoIP and WebRTC systems, applications and protocols for manual and automated testing.


VoIP security testing tools for professionals

Not just SIP or UDP

In addition to SIP over UDP, SIPVicious PRO supports SIP over different transport protocols including SIP over TCP, TLS and WebSocket. Tests for RTP and SRTP too.

Fast. Very fast

SIPVicious PRO’s concurrent design allows it to achieve extraordinary speeds, making it perfect for DDoS simulations and SIP flood tests.

Automate security with CI/CD

Do not push new code or configuration without automated security testing first. Continuously test for vulnerabilities on each commit, along with fuzzing and DoS testing.

Fuzzing for unknown vulnerabilities

Fuzzing modules help identify security flaws that lurk in the code, whether in the SIP stack, the SIP/RTP parser or the codecs.

What features are supported?

Wide variety of protocols

Support for a wide variety of protocols including SIP, SDP, SDES, RTP, DTLS, SIP TLS and WebSocket

WebRTC security testing tools

DTLS-SRTP, STUN and SIP over WebSocket are supported

Fuzzing

Mutation-based testing to find buffer overflows, memory corruption and other security violations

Encrypted traffic

SIP servers with TLS as well as client certificates supported, together with SDES-SRTP and DTLS-SRTP

DoS testing

Various modules to aid with Denial of Service testing, often used to simulate DDoS attacks

RFC compliant

Complies with the standards (unless the attack requires non-compliance)

SIP message modification

All SIP related tools in SIPVicious PRO allow customization of SIP messages before they are sent via a powerful templating system

Automation

To integrate with automated testing processes, including CI/CD pipelines, each tool supports exit codes and JSON output

Utilities for manual testing

A number of tools to aid with manual debugging and tests, useful during manual VoIP penetration tests

Attacks on the media

Various attacks affecting an often neglected vector - media servers supporting RTP, SRTP and various codecs

STIR/SHAKEN (Experimental)

Fuzzing and support for calls signed with STIR/SHAKEN, in addition to support for manual attacks using the protocol

TCP Flood Attack (Experimental)

Causes TCP servers to run out of sockets due to a SYN-ACK flood

SIPVicious PRO Bug-O-Rama

SIPVicious PRO has been used to find several previously unknown security vulnerabilities.

Support for advanced attacks out-of-the-box

SIP Flood DoS

Standard and advanced SIP Flood Denial of Service (DoS) testing

SIP digest leak

Test user-agent clients and servers for leakage of digest challenge response

SIP online password cracker

Online SIP digest authentication password cracking on both registrar servers and proxy servers

SIP extension enumeration

Identify SIP extensions or addresses on a given target server

SIP method enumeration

Find out which SIP methods are supported and if any allow authentication bypass

SIP method fuzzer

Fuzzes each SIP method, headers and body to find SIP parser and logic issues

RTP bleed

Check media servers and RTP proxies for this widespread vulnerability

RTP Flood DoS

Flood the target with RTP packets

RTP inject

Inject RTP packets in ongoing media streams targeting both media servers and clients

STIR/SHAKEN fuzzer (Experimental)

Fuzz the STIR/SHAKEN SIP headers to identify parser and logic issues

RTP fuzzer (Experimental)

Fuzz the RTP packets to identify vulnerabilities in the RTP parser and codec handling

SIP fuzzing server (Experimental)

Fuzz SIP clients (UAC) by pointing them to this server

Ask us about our Security Auditing and Penetration Testing services

We make use of SIPVicious PRO and have developed various other tools to perform our work.
Get in touch to find out more.
