What’s up with SIPVicious PRO?

Published on Mar 30, 2020

Over the past 3 years we have been developing SIPVicious PRO during our work as penetration testers and in between engagements. Since our chief demolition officer, Alfred, joined Enable Security, development has had a much-needed push, and we have started making it available to a limited number of companies that happen to be our clients.

Today, we’re making version 6.0.0-alpha.4 available to our clients. It includes Opus support, further support for SRTP and, of course, a number of bug fixes. Our release notes can be read at the support site.

What’s the current state?

A number of features have already been implemented in SIPVicious PRO. For example:

  • Various attacks, including SIP flood, RTP flood, SIP enumeration, Digest leak, RTP Bleed and RTP inject
  • Support for SIP over different transport protocols: TCP, UDP, TLS and WebSockets
  • SIP messages may be easily modified using a flexible templating system
  • Support for RTP attacks
  • Insane speed, especially useful for flood attacks, with rate-limiting capabilities
  • Compliance with RFCs [1]

If the dear reader is interested in reading more on this, our support documentation website may be of interest.

How & when can I get my hands on SIPVicious PRO?

At the moment, we are making the toolset available to our clients so that they can easily reproduce the security issues that we report to them following our penetration tests. Our aim is to help improve their internal quality assurance processes so that certain security tests can be automated to prevent reintroducing old vulnerabilities into their products.

We don’t have a timeline, but our aim is to make the beta available to a selected number of vetted organisations to be used for internal testing of their RTC systems. We also plan to support open source projects in the RTC space (the sort you meet at Kamailio World) as our contribution to VoIP and WebRTC infrastructure security.

If you want to put your organisation on our list, you can subscribe here.

What’s the difference between SIPVicious OSS and SIPVicious PRO?

The open-source version of SIPVicious, first published back in 2007, was written in Python and is available on GitHub for free. It includes three main tools: svmap, which is a scanner for SIP; svwar, which enumerates extensions on SIP devices; and svcrack, which tries to guess passwords for SIP extensions. The tools only support SIP over UDP and do not offer support for TCP or TLS due to design issues. It is still maintained and, in fact, earlier last month we issued a new release.

SIPVicious PRO is a complete rewrite in Go, with a larger feature-set and more ambitious goals. End users get an executable binary for their OS rather than Python scripts.

It is meant to be used internally by vendors and system integrators to identify common RTC vulnerabilities before they make it to production. Therefore, it supports the most commonly used transport protocols for SIP, that is, UDP, TCP, TLS and WebSockets. With WebSocket and DTLS-SRTP support, the tool can be used to test WebRTC infrastructure. Additionally, SIPVicious PRO can make and receive calls, handling SIP flows correctly. This allows a number of attacks to be reproduced on test systems. The template system allows testers to quickly modify the SIP messages sent to the target system to include custom headers and other peculiarities as need be. SIPVicious PRO is not limited to tests on SIP; it also covers related protocols such as RTP. And finally, SIPVicious PRO makes use of our internal network library, which gives the tool speed while keeping sessions and other logical complexities in check.

Note: At this time, DTLS-SRTP is not yet included in the builds we release to our clients.

  1. RFC compliance: especially concerning SIP and RTP. This applies unless the attack requires non-compliance!