DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO
Last updated: May 25, 2021
We pushed out a video that introduces the basics of SIPVicious PRO by demonstrating some of the attack tools and showing the building blocks for automating security testing of VoIP and WebRTC applications and infrastructure.
What follows is a transcript of the video.
Hello, I’m Sandro Gauci from Enable Security. In this video, I’d like to show you what we have been working on, SIPVicious PRO! Let’s start by introducing the tools. SIPVicious PRO is a command-line toolset, meant to test the security of realtime communications, which includes Voice over IP as well as WebRTC infrastructure.
To get a list of tools, we can make use of the
sipvicious list command. And each tool takes a number of flags that modify its default behaviour. For example, with the RTP Bleed test, you can set the number of connections, output the received RTP packets to a pcap or wave file and so on.
Now, let’s give the RTP bleed tool a try. Here, we’re targeting the demo server setup for these tests. And we know that there are calls going on on this server on the port range of 35000 and 40000. We’re going to run the command for 10 seconds.
Next tool we’re showing is the SIP digest leak test. We’ll be calling extension 2000, getting the digest challenge response, thanks to the attack, and saving that to a file to be used with the password cracking tool, John the Ripper. Let’s take a look at the file created. Now we can use John the Ripper and crack the password locally, making it a very quick attack. The password in this case, is 2000.
Let’s look at a more traditional attack. Here we show the SIP extension enumeration tool to find out which SIP extensions exist on the demo server. We can see a number of SIP extensions exist between 1000 and 2000.
Then, we do a bit of online password cracking, guessing the password for extension 1000. Now we know what that password is.
Sometimes, however, you just want to test the target system for robustness, to find any memory corruption issues or crashes that the system might be vulnerable to. For that, we have the SIP fuzzer tool which we’ll run for a few seconds.
A similar tool, but purely used for denial of service purposes, is the SIP DoS flood tool. We’re going to start a large number of calls by sending INVITE messages and hanging up as soon as the server starts ringing. If run for enough time, this tool would actually break our demo server.
Automating security tests
So till now I showed a number of the tools that are part of the SIPVicious PRO toolset. However, an important feature of SIPVicious PRO is that it can be easily used in an automated fashion. One of the most straightforward ways to do this is by checking the exit code upon each test.
Let’s take a look at a demo script where the SIP crack digest leak tool is used and then the exit code is checked. If the exit code is 40, then we know that the vulnerability has been detected. Let’s give that a run.
Apart from exit codes, one can also parse the output of the tools which is JSON. Here I’m going to show the SIP ping utility within SIPVicious PRO and its JSON output. This is useful for example if you want to chain a couple of SIPVicious PRO commands together. For that, we have a python script. Let’s take a quick look at that. First this script runs the extension enumeration tool and then it passes the results of the enumerated extensions to the password cracker.
Let’s give it a run and we can see that it found a number of extensions and then found the password for extension 1000. The other ones have passwords that are not so easy to guess.
The SIPVicious PRO introductory workshop
SIPVicious PRO members are required to participate in an online introductory workshop. We do this because we understand that the learning curve for such a toolset is a bit steep and so it is very useful to be able to have this session which is very practical and introduces the attendees to each tool of interest as well as the concepts and security vulnerabilities that are covered.
Professional offensive security toolset with professional support
Of course, SIPVicious PRO is professionally supported so we’re there to help you achieve your goals with this toolset! I’m personally very excited to hear about how you’d like to use SIPVicious PRO so do get in touch through the forms on our website!