Sandro Gauci, Enable Security
We’re hiring a pentester / security researcher
Published on May 4, 2022
Do you know anyone who would like to join the team at Enable Security as a pentester / security researcher? We have a remote open position for the right person. We are mainly looking for someone full-time but persons interested in joining us part-time should also apply. More details can be found at the actual hiring page.…
Read more »root@localhost
One presentation at ClueCon and five security advisories for FreeSWITCH
Published on Oct 25, 2021 in freeswitch, voip security, conferences, denial of service, sipvicious pro
The FreeSWITCH team has just published version v1.10.7 which fixes a number of security issues that we reported. If you use FreeSWITCH, please do upgrade to get these security updates. To learn about the background work that went into getting these security bugs squashed, follow Sandro’s talk called Killing bugs … one vulnerability report at a time. This will be presented at at ClueCon on Thursday, October 28th. Here are the titles of each advisory and a very short summary:…
Read more »
Sandro Gauci, Enable Security
Why volumetric DDoS cripples VoIP providers and what we see during pentesting
Published on Oct 13, 2021 in denial of service, voip security
An epiphany Until a few days ago, I was of the opinion that simulating volumetric DDoS attacks is not something we should be doing. If you had asked us for such a test, we would have given you a negative answer. Ironically, we had been unwittingly simulating volumetric DDoS attacks while quietly ignoring our own results. But, it’s time to stop neglecting bandwidth saturation and start giving it the attention that it deserves.…
Read more »
Sandro Gauci, Enable Security
Massive DDoS attacks on VoIP Providers and simulated DDoS testing
Published on Sep 24, 2021 in denial of service, voip security
VoIP.ms and other VoIP providers under DDoS attack At the time of writing, a major VoIP provider called VoIP.ms is under a distributed denial of service (DDoS) attack since over a week. As a result, they are unable to serve their customers with everyone and their dog complaining that they cannot connect to VoIP.ms’s SIP servers as well as other resources. At the same time, someone claiming to be part of the REvil ransomware group is blackmailing the provider.…
Read more »
Sandro Gauci, Enable Security
SIPVicious OSS v0.3.4 released with exit codes and automation features
Published on Jun 2, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
We just made SIPVicious OSS v0.3.4 available, so go get it! Or install it via pip: pip install sipvicious --upgrade What’s new? Two main things: Exit codes, just like SIPVicious PRO’s Integration with Github Actions This release makes it much easier to use SIPVicious OSS within your CI/CD pipelines and other automation systems. One should, of course, read the documentation on automation for more information. But here’s an example script to get the idea of what can be done:…
Read more »root@localhost
DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO
Published on May 25, 2021 in sip security, sipvicious pro, sip security testing, fuzzing, denial of service, training, devops
We pushed out a video that introduces the basics of SIPVicious PRO by demonstrating some of the attack tools and showing the building blocks for automating security testing of VoIP and WebRTC applications and infrastructure. What follows is a transcript of the video. Introduction Hello, I’m Sandro Gauci from Enable Security. In this video, I’d like to show you what we have been working on, SIPVicious PRO! Let’s start by introducing the tools.…
Read more »root@localhost
SIPVicious PRO 6.0.0-beta.4 getting close to take-off!
Published on May 20, 2021 in sip security, sipvicious pro, sip security testing, sipvicious releases
This one’s a bit of a boring update for SIPVicious PRO. That’s because we’re getting to a stable place where flag names and values do not change too often. Which means, we’re getting out of beta rather soon! However, it is still a major update because we made a significant number of internal changes. For example, we standardized a number of flags to be the same across all tools. We discovered that we can minimize each tool’s flagset by making use of config flags such as --auth-config that allows you to configure behaviours specific to how SIPVicious handles authentication (e.…
Read more »
Sandro Gauci, Enable Security
TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server
Published on May 18, 2021 in sip security, sipvicious pro, sip security testing, demo server, sipvicious oss, fuzzing, denial of service, training, devops
TADSummit is a great event where people from different backgrounds that are somehow involved in communications, contribute in various ways. I, personally, always look forward to see what’s coming up in the next TADSummit event. At the moment, TADSummit Asia presentations are currently being released on a daily basis on the main site. And last week, the presentation that I prepared was published! In the previous TADSummit, I had presented about why we need to bring an offensive approach to RTC security.…
Read more »root@localhost
OpenSIPIt'01: Lessons learned, STIR/SHAKEN security testing and RFC 8760
Published on Apr 16, 2021
Executive summary (TL;DR) It was a great event, highly recommended if you’re a SIP developer. We developed new STIR/SHAKEN capabilities in SIPVicious PRO. And we found some vulnerabilities during the event that got fixed in the process. What was OpenSIPIt#01 about? This week the humble security researchers from Enable Security participated in OpenSIPIt#01, an online event run by the community to test interoperability across various independent open-source SIP implementations especially when it comes to new RFCs.…
Read more »root@localhost
SIPVicious OSS 0.3.3 released with new STDIN and target URL specification
Published on Mar 25, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
Without further ado, please say hello to SIPVicious OSS 0.3.3! To install or upgrade run pip install -U sipvicious. For more installation methods, see the wiki. What’s new? SIP extensions and passwords from standard input We have a new feature which seems so simple yet so powerful: STDIN for dictionary input! This works for both svwar and svcrack. It is similar to what we did with SIPVicious PRO, which (surprisingly) proved to be a very popular feature.…
Read more »