We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update:
- Documentation now includes realistic Gitlab CI/CD examples
- The RTP fuzzer in the experimental version now supports SRTP
- Support for new SIP DoS flood request methods
- The RTP inject tool can now specify the RTP’s SSRC and payload ID
- The SIP password cracking tool now supports closing the connection upon each attempt
- The SIP ping utility supports INVITE
For the boring details, including a list of bug fixes, do read the release notes for v6.0.0-experimental.6 and v6.0.0-beta.6.
Get in touch for further details.
Gitlab CI/CD examples
SIPVicious PRO has supported CI/CD pipelines and been used in an automated fashion since v6.0.0-alpha.5, for almost 3 years. We have people using it in Jenkins, Gitlab and Github environments. Therefore we’re publishing practical examples of how SIPVicious PRO integrates with devops environments to detect vulnerabilities before they go into production - starting with our favourite, the Gitlab CI/CD.
The automation documentation now includes practical examples showing SIPVicious PRO usage within a .gitlab-ci.yml and explaining how to build custom SIPVicious PRO Docker images.
Additionally, we published a repository on the public Gitlab servers as a full example of a monitoring solution based on SIPVicious PRO. Check out the pipelines and jobs as they get executed regularly at 4am each morning to make sure that our Demo Server stays vulnerable. If you are a SIPVicious PRO subscriber, you will probably want the opposite - to make sure that your VoIP systems stay secure!
RTP inject tool can specify the SSRC and payload ID
The RTP inject tool is meant to test if attackers can insert RTP audio into ongoing RTP streams. This update allows testers to specify the SSRC to test for cases where only a specific SSRC is being allowed to inject. More interestingly, testers can also specify the payload ID. During our engagements we noticed that if a specific codec is in use, in some cases, RTP injection will only work if the attacker makes use of the correct payload ID associated with that codec. Therefore this update makes the tool more effective in performing manual tests for this particular vulnerability.
These configuration options can be passed through the --inject-config flag.
SRTP support for the RTP fuzzer
The RTP fuzzer included with the experimental build now supports SRTP like many other SIPVicious PRO tools. This is particularly useful for testing media servers that enforce the use of SRTP and therefore could not be fuzz tested before this update.
Closing the connection upon each password cracking attempt
During one of our penetration tests, we noticed that although password cracking attempts were being blocked after a few attempts, if we closed the connection, no blocking occurred. This update to the SIP password cracker allows security testers to automate this test and bypass certain naive security protection mechanisms.
This update adds the --close-conn flag to the sip crack online tool.
SIP DoS flood additional request methods
Session Border Controllers (SBCs) and SIP routers are very flexible tools that can be configured to handle SIP methods in various ways. Such customizations can sometimes introduce inefficiencies that may then be abused in a DoS attack. This update is meant to expand our coverage of such scenarios.
The SIP DoS flood tool now supports the following SIP request methods:
- REGISTER
- SUBSCRIBE
- NOTIFY
- PUBLISH
- MESSAGE
- INVITE
- OPTIONS
- ACK
- CANCEL
- BYE
- PRACK
- INFO
- REFER
- UPDATE
SIP ping utility with INVITE
Finally, the SIP ping utility can now send an INVITE. Originally, we avoided adding this feature simply because of the nature of SIP INVITE - it starts a call. We changed our mind because we often need this functionality ourselves to monitor servers with INVITE - we simply use it without valid credentials or a destination SIP address that starts a call.
Use this new feature by making use of the --method INVITE flag.
How to get this update
SIPVicious PRO is available to our subscribing members - get in touch to learn more.