Skip to main content

SIPVicious PRO incremental update - and Gitlab CI/CD examples

We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update:

  • Documentation now includes realistic Gitlab CI/CD examples
  • The RTP fuzzer in the experimental version now supports SRTP
  • Support for new SIP DoS flood request methods
  • The RTP inject tool can now specify the RTP’s SSRC and payload ID
  • The SIP password cracking tool now supports closing the connection upon each attempt
  • The SIP ping utility supports INVITE

For the boring details, including a list of bug fixes, do read the release notes for v6.0.0-experimental.6 and v6.0.0-beta.6.

Get in touch for further details.

Gitlab CI/CD examples

SIPVicious PRO has supported CI/CD pipelines and been used in an automated fashion since v6.0.0-alpha.5, for almost 3 years. We have people using it in Jenkins, Gitlab and Github environments. Therefore we’re publishing practical examples of how SIPVicious PRO integrates with devops environments to detect vulnerabilities before they go into production - starting with our favourite, the Gitlab CI/CD.

The automation documentation now includes practical examples showing SIPVicious PRO usage within a .gitlab-ci.yml and explaining how to build custom SIPVicious PRO Docker images.

Additionally, we published a repository on the public Gitlab servers as a full example of a monitoring solution based on SIPVicious PRO. Check out the pipelines and jobs as they get executed regularly at 4am each morning to make sure that our Demo Server stays vulnerable. If you are a SIPVicious PRO subscriber, you will probably want the opposite - to make sure that your VoIP systems stay secure!

RTP inject tool can specify the SSRC and payload ID

The RTP inject tool is meant to test if attackers can insert RTP audio into ongoing RTP streams. This update allows testers to specify the SSRC to test for cases where only a specific SSRC is being allowed to inject. More interestingly, testers can also specify the payload ID. During our engagements we noticed that if a specific codec is in use, in some cases, RTP injection will only work if the attacker makes use of the correct payload ID associated with that codec. Therefore this update makes the tool more effective in performing manual tests for this particular vulnerability.

These configuration options can be passed through the --inject-config flag.

SRTP support for the RTP fuzzer

The RTP fuzzer included with the experimental build now supports SRTP like many other SIPVicious PRO tools. This is particularly useful for testing media servers that enforce the use of SRTP and therefore could not be fuzz tested before this update.

Closing the connection upon each password cracking attempt

During one of our penetration tests, we noticed that although password cracking attempts were being blocked after a few attempts, if we closed the connection, no blocking occurred. This update to the SIP password cracker allows security testers to automate this test and bypass certain naive security protection mechanisms.

This update adds the --close-conn flag to the sip crack online tool.

SIP DoS flood additional request methods

Session Border Controllers (SBCs) and SIP routers are very flexible tools that can be configured to handle SIP methods in various ways. Such customizations can sometimes introduce inefficiencies that may then be abused in a DoS attack. This update is meant to expand our coverage of such scenarios.

The SIP DoS flood tool now supports the following SIP request methods:

  • ACK
  • BYE
  • INFO

SIP ping utility with INVITE

Finally, the SIP ping utility can now send an INVITE. Originally, we avoided adding this feature simply because of the nature of SIP INVITE - it starts a call. We changed our mind because we often need this functionality ourselves to monitor servers with INVITE - we simply use it without valid credentials or a destination SIP address that starts a call.

Use this new feature by making use of the --method INVITE flag.

How to get this update

SIPVicious PRO is available to our subscribing members - get in touch to learn more.