How doing QA testing for SIPVicious PRO led to an Asterisk DoS
Published on Nov 10, 2020 in fuzzing, sip security, sipvicious pro, sip security testing, denial of service
Executive summary (TL;DR)
While heavily testing SIPVicious PRO for bugs, we encountered an unexpected crash in Asterisk. We reported this to the Asterisk team, who issued a fix. (Update February 4, 2026: SIPVicious PRO is an internal tool and is not sold or licensed.)
How the Asterisk crash was found
We test our software as much as we can because, like any other software, ours contains bugs too! When it comes to SIPVicious PRO, one of our quality assurance tests is to run it against instances of Asterisk and Kamailio and check for expected results. Our test suite loads these servers in a Docker environment and automatically runs SIPVicious PRO against these targets. During these tests, we look for crashes, race conditions and other unchecked states that we might have failed to address in our own code. We do this through various methods, one of which is to observe exit codes in SIPVicious PRO that indicate the result of the test.
…
SIPVicious PRO v6.0.0 alpha.5 available to our clients
Published on Jun 3, 2020 in sipvicious pro, security tools, sipvicious releases
With great pleasure, we announce the availability of the v6.0.0-alpha.5 version of SIPVicious PRO. This is a major update since most of the promised feature-set of the existing modules is now available. While you are encouraged to read the release notes, the main highlights are the following:
- Target demo server (demo.sipvicious.pro) now implemented, used throughout the documentation for attack examples and training purposes
- An extensive getting started page is now available, with instructions on how to use most of the modules
- Exit codes! Yes, for automation, say, in your CI pipelines
- All flags that were previously marked as TODO are now fully functional (with the exception of DTLS SRTP)
- SDES SRTP supported throughout all modules
- DTMF tone generation, because in RTP inject attacks, this is particularly useful
- Lots of bug fixes and refactoring thanks to more consistent internal testing and the perseverance of our dear developers and internal testers
If you already had access to SVPRO at the time, you should have received an email from us with further details. Today, SIPVicious PRO is not commercially available.
…
What’s up with SIPVicious PRO?
Published on Mar 30, 2020 in sipvicious pro, security tools
In the past 3 years we have been working on developing SIPVicious PRO during our work as penetration testers and in between engagements. Since our chief demolition officer, Alfred, joined up with Enable Security, the development has had a much-needed push, so we started making it available to a limited number of companies that happen to be our clients.
Today, we’re making version 6.0.0-alpha.4 available to our clients, which includes Opus support, further support for SRTP and, of course, a number of bug fixes. Our release notes can be read at the support site.