Skip to main content

Tags sipvicious oss

Asterisk forensics: the logs vs the attackers

Published on Jan 2, 2012 in , , ,

Recently I had the opportunity to present on VoIP insecurity around various conferences this year, on my own and also with Joffrey Czarny. At Secure 2011 we had one day a workshop and one of the things we showed was the effect of a typical SIPVicious attack on an Asterisk box. The following videos (best seen in full screen and high quality) illustrate what happens. When we run, nothing usually shows up on the asterisk logs.…

Read more »

Distributed SIP scanning during Halloween weekend

Published on Nov 4, 2010 in , ,

Over last weekend there were a number of reports of VoIP (especially Asterisk) servers that were “under heavy attack”. I have looked at some packet traces and noticed how the SIP messages look very similar to the ones generated by SIPVicious especially In fact, I think this is a modified version of SIPVicious that is being distributed on a botnet. Take a look at the following message generated by these new scans:…

Read more »

New beta of VIPER VAST released 2.76

Published on Jul 21, 2010 in ,

And that includes all the latest goodness, including SIPVicious. This is a great tool for those needing an up to date VoIP hackin.. er penetration testing distro :-) Download it from here.…

Read more »

How to crash SIPVicious - introducing

Published on Jun 22, 2010 in , ,

A new tool has been added to SIPVicious - As the name implies, it crashes something - and This tool is meant to be used by system administrators and organizations that are receiving unauthorized scans on their exposed IP PBX. Quick links: Download the latest version :: Watch a short demo of Since this is a little different from the usual, I’ll provide a bit of background first.…

Read more »

SIPVicious 0.2.5 out

Published on May 19, 2010 in , ,

Latest SIPVicious. It has been a while since I released an update to SIPVicious. It is mostly a bug-fix and “play nice” update. Download it from here. Changelog: v0.2.5 (20100519) Feature: has “scan for default / typical extensions” option. This option tries to guess numeric extensions which have certain patterns such as 1212 etc. Option is -D, –enabledefaults General: and now have a new option which allows you to see how long the tools will scan without receiving any response back.…

Read more »

VIPER VAST includes SIPVicious

Published on Oct 5, 2009 in ,

A quick post to refer to the live bootable CD from Viperlabs called VIPER VAST. It’s a Linux distribution that includes a good number of tools that can help in a VoIP security assessment. I think I’ll be giving this a try next time around. What makes this useful is if you want to quickly have a machine with all the right libraries, drivers and packages installed to be able to run tools such as UCsniff.…

Read more »

SEC-T in Sweden and SIPVicious update in svn

Published on Sep 7, 2009 in , ,

Its been a while since I updated SIPVicious, mostly because I have been working on SIPVicious 2.0 (being used in However I decided to add a few new options for svmap and svreport to help me with the research for this new presentation I’ll be giving on Friday at SEC-T in Stockholm, Sweden. The presentation is called “Searching for phones on the Internet” and subtitled “Adventures with SIPVicious”. Will be posting more details on the presentation later on, but lets describe the new features in svmap.…

Read more »

Late March updates

Published on Mar 17, 2009 in , ,

It’s about time that we look at SIPVicious again. If you’re making use of the SVN version, please update to the latest svn commit which includes some fixes for bugs that were creating unnecessary traffic. I’m currently planning on a major update of SIPVicious - email me with your suggestions and VoIP needs please ;-) Cleaner and extensible code guaranteed. VOIPPACK gets to target IP Phones this month, with 2 major new modules that highlight what can be done to both hardphones and softphones: Ghostcall and “SIP Digest Leak”.…

Read more »

VOIP Scanning on the increase

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while.…

Read more »

Upcoming changes in SIPVicious

Published on Sep 9, 2008 in ,

The following are two updates for the next version of SIPVicious’s PBX extension enumeration tool svwar: svwar now tries to guess common numbers by default. It scans for the following ranges: 1000,2000… 9000, 1001, 2001..9001, 1111,2222… 9999, 11111,22222…99999, 100-999, 1234,2345 ..7890 and so on. This feature has a tendency to identify extensions on many PBX configurations. If you would like to disable it simply pass the –disabledefaults option to svwar. svwar now sends ACK responses to SIP responses with code 200 because some PBXes keep sending packets until they receive an acknowledge.…

Read more »