SIPVicious OSS v0.3.4 released with exit codes and automation features
Published on Jun 2, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
We just made SIPVicious OSS v0.3.4 available, so go get it! Or install it via pip:
pip install sipvicious --upgrade
What’s new?
Two main things:
- Exit codes, just like SIPVicious PRO’s
- Integration with GitHub Actions
This release makes it much easier to use SIPVicious OSS within your CI/CD pipelines and other automation systems. One should, of course, read the documentation on automation for more information. But here’s an example script to get the idea of what can be done:
…
TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server
Published on May 18, 2021 in sip security, sipvicious pro, sip security testing, demo server, sipvicious oss, fuzzing, denial of service, training, devops
TADSummit is a great event where people from different backgrounds who are somehow involved in communications contribute in various ways. I, personally, always look forward to seeing what’s coming up in the next TADSummit event. At the moment, TADSummit Asia presentations are currently being released on a daily basis on the main site. And last week, the presentation that I prepared was published!
In the previous TADSummit, I had presented about why we need to bring an offensive approach to RTC security. In this one, I introduce our contributions to the space, i.e. SIPVicious OSS, SIPVicious PRO and the demo server.
…
SIPVicious OSS 0.3.3 released with new STDIN and target URL specification
Published on Mar 25, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
Without further ado, please say hello to SIPVicious OSS 0.3.3!
To install or upgrade run pip install -U sipvicious. For more installation methods, see the wiki.
What’s new?
SIP extensions and passwords from standard input
We have a new feature which seems so simple yet so powerful: STDIN for dictionary input! This works for both svwar and svcrack. It is similar to what we did with SIPVicious PRO, which (surprisingly) proved to be a very popular feature. So, we thought of backporting it to SVOSS (SIPVicious OSS). From now on, one can easily use external tools to generate passwords on the fly for cracking with svcrack, or to generate SIP extensions on the fly for SIP extension enumeration with svwar. To do so, instead of specifying a filename to the --dictionary flag, give it - as its value.
SIPVicious OSS 0.3.2 released with more IPv6 goodness!
Published on Mar 3, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
The free and open-source version of SIPVicious has been updated so that support for IPv6 is also available in svmap. If you can’t wait to try it out, you can get it at the official repository or by using pip3 install sipvicious --upgrade.
So now, with svmap’s IPv6 support, you can do stuff like:
sipvicious_svmap -6 -v 2a01:7e01::f03c:92ff:fecf:60a8
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:-:61500 -> 2a01:7e01::f03c:92ff:fecf:60a8:5060 -> kamailio (5.4.4 (x86_64/linux))
INFO:root:we have 1 devices
+-------------------------------------+---------------------------------+
| SIP Device | User Agent |
+=====================================+=================================+
| 2a01:7e01::f03c:92ff:fecf:60a8:5060 | kamailio (5.4.4 (x86_64/linux)) |
+-------------------------------------+---------------------------------+
INFO:root:Total time: 0:00:03.028053
Do note that CIDR scans on IPv6 are unsupported, but of course, one can scan multiple ports for SIP on a target.
…
Attacking a real VoIP System with SIPVicious OSS
Published on Jun 8, 2020 in sipvicious oss, security tools, sip security
Recently, we put out a target server on the Internet at demo.sipvicious.pro which hosts a Kamailio Server handling SIP over UDP, TCP, TLS as well as WebSockets. Behind that, the observant reader will soon discover that an Asterisk server handles the voicemail and echo services. This is actually a fully functioning (real) VoIP system that’s ready to be attacked. Therefore, in combination, these software packages allow us to reproduce a number of common security vulnerabilities affecting VoIP and WebRTC systems.
SIPVicious OSS 0.3.0 released
Published on Mar 10, 2020 in sipvicious oss, security tools, sipvicious releases
It’s been a few years since we released a new version of SIPVicious. Truth is, we were working on SIPVicious PRO which we started making available to some of our clients. Many people still use the open-source version of SIPVicious and it is included in various pentest Linux distributions, and definitely is useful to a number of people (especially after they change the user-agent string). And so, with the impending Python2 apocalypse, we decided to make a new release, porting SIPVicious OSS to Python 3 and including various updates that happened since 2015 in the master branch.
If SIPVicious gives you a ring…
Published on Dec 10, 2012 in asterisk, cyber crime, sip security, sipvicious oss, security tools
Note: SIPVicious version 0.28 is out, go get it.
I like to keep an eye on the social media and Google alerts for SIPVicious and in the last few months I noticed a rise in mentions of the tools. Specifically, a number of Korean Twitter users (who have their service with KT, a VoIP service provider) were complaining about receiving a call from a caller-id showing ‘SIPVicious’.
…