SIPVicious Package Description
SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:. svmap – this is a sip scanner. Lists SIP devices found on an IP range svwar – identifies active extensions on a PBX svcrack – an online password cracker for SIP PBX svreport – manages sessions and exports reports to various formats svcrash – attempts to stop unauthorized svwar and svcrack scans.
Source: https://code.google.com/p/sipvicious/
SIPVicious Homepage | Kali SIPVicious Repo
- Author: Sandro Gauci
- License: GPLv2
Tools included in the sipvicious package
svcrack – Online password cracker for SIP PBX
[email protected]:~# svcrack -h
Usage: svcrack -u username [options] target
examples:
svcrack -u100 -d dictionary.txt 10.0.0.1
svcrack -u100 -r1-9999 -z4 10.0.0.1
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Increase verbosity
-q, --quiet Quiet mode
-p PORT, --port=PORT Destination port or port ranges of the SIP device - eg
-p5060,5061,8000-8100
-P PORT, --localport=PORT
Source port for our packets
-x IP, --externalip=IP
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
-b BINDINGIP, --bindingip=BINDINGIP
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
-t SELECTTIME, --timeout=SELECTTIME
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
-R, --reportback Send the author an exception traceback. Currently
sends the command line parameters and the traceback
-A, --autogetip Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
-s NAME, --save=NAME save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
--resume=NAME resume a previous scan
-c, --enablecompact enable compact mode. Makes packets smaller but
possibly less compatible
-u USERNAME, --username=USERNAME
username to try crack
-d DICTIONARY, --dictionary=DICTIONARY
specify a dictionary file with passwords
-r RANGE, --range=RANGE
specify a range of numbers. example:
100-200,300-310,400
-e EXTENSION, --extension=EXTENSION
Extension to crack. Only specify this when the
extension is different from the username.
-z PADDING, --zeropadding=PADDING
the number of zeros used to padd the password.
the options "-r 1-9999 -z 4" would give 0001 0002 0003
... 9999
-n, --reusenonce Reuse nonce. Some SIP devices don't mind you reusing
the nonce (making them vulnerable to replay attacks).
Speeds up the cracking.
-T TEMPLATE, --template=TEMPLATE
A format string which allows us to specify a template
for the extensions example
svwar.py -e 1-999 --template="123%#04i999" would scan
between 1230001999 to 1230999999"
--maximumtime=MAXIMUMTIME
Maximum time in seconds to keep sending requests
without receiving a response
back
-D, --enabledefaults Scan for default / typical passwords such as
1000,2000,3000 ... 1100, etc. This option is off by
default. Use --enabledefaults to
enable this functionality
--domain=DOMAIN force a specific domain name for the SIP message, eg.
-d example.org
svcrash – Attempts to stop unauthorized svwar and svcrack scans
[email protected]:~# svcrash -h
WARNING: No route found for IPv6 destination :: (no default route?)
Usage: svcrash [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--auto Automatically send responses to attacks
--astlog=ASTLOG Path for the asterisk full logfile
-d IPADDR specify attacker's ip address
-p PORT specify attacker's port
-b bruteforce the attacker's port
svreport – Manages sessions and exports reports to various formats
[email protected]:~# svreport -h
Usage: svreport [command] [options]
Supported commands:
- list: lists all scans
- export: exports the given scan to a given format
- delete: deletes the scan
- stats: print out some statistics of interest
- search: search for a specific string in the user agent (svmap)
examples:
svreport.py list
svreport.py export -f pdf -o scan1.pdf -s scan1
svreport.py delete -s scan1
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Increase verbosity
-q, --quiet Quiet mode
-t SESSIONTYPE, --type=SESSIONTYPE
Type of session. This is usually either svmap, svwar
or svcrack. If not set I will try to find the best
match
-s SESSION, --session=SESSION
Name of the session
-f FORMAT, --format=FORMAT
Format type. Can be stdout, pdf, xml, csv or txt
-o OUTPUTFILE, --output=OUTPUTFILE
Output filename
-n Do not resolve the ip address
-c, --count Used togather with 'list' command to count the number
of entries
svmap – Lists SIP devices found on an IP range
[email protected]:~# svmap -h
Usage: svmap [options] host1 host2 hostrange
Scans for SIP devices on a given network
examples:
svmap 10.0.0.1-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/241.1.1.1-20 1.1.2-20.* 4.1.*.*
svmap -s session1 --randomize 10.0.0.1/8
svmap --resume session1 -v
svmap -p5060-5062 10.0.0.3-20 -m INVITE
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Increase verbosity
-q, --quiet Quiet mode
-p PORT, --port=PORT Destination port or port ranges of the SIP device - eg
-p5060,5061,8000-8100
-P PORT, --localport=PORT
Source port for our packets
-x IP, --externalip=IP
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
-b BINDINGIP, --bindingip=BINDINGIP
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
-t SELECTTIME, --timeout=SELECTTIME
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
-R, --reportback Send the author an exception traceback. Currently
sends the command line parameters and the traceback
-A, --autogetip Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
-s NAME, --save=NAME save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
--resume=NAME resume a previous scan
-c, --enablecompact enable compact mode. Makes packets smaller but
possibly less compatible
--randomscan Scan random IP addresses
-i scan1, --input=scan1
Scan IPs which were found in a previous scan. Pass the
session name as the argument
-I scan1, --inputtext=scan1
Scan IPs from a text file - use the same syntax as
command line but with new lines instead of commas.
Pass the file name as the argument
-m METHOD, --method=METHOD
Specify the request method - by default this is
OPTIONS.
-d, --debug Print SIP messages received
--first=FIRST Only send the first given number of messages (i.e.
usually used to scan only X IPs)
-e EXTENSION, --extension=EXTENSION
Specify an extension - by default this is not set
--randomize Randomize scanning instead of scanning consecutive ip
addresses
--srv Scan the SRV records for SIP on the destination domain
name.The targets have to be domain names - example.org
domain1.com
--fromname=FROMNAME specify a name for the from header
svwar – Identifies active extensions on a PBX
[email protected]:~# svwar -h
Usage: svwar [options] target
examples:
svwar -e100-999 10.0.0.1
svwar -d dictionary.txt 10.0.0.2
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Increase verbosity
-q, --quiet Quiet mode
-p PORT, --port=PORT Destination port or port ranges of the SIP device - eg
-p5060,5061,8000-8100
-P PORT, --localport=PORT
Source port for our packets
-x IP, --externalip=IP
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
-b BINDINGIP, --bindingip=BINDINGIP
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
-t SELECTTIME, --timeout=SELECTTIME
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
-R, --reportback Send the author an exception traceback. Currently
sends the command line parameters and the traceback
-A, --autogetip Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
-s NAME, --save=NAME save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
--resume=NAME resume a previous scan
-c, --enablecompact enable compact mode. Makes packets smaller but
possibly less compatible
-d DICTIONARY, --dictionary=DICTIONARY
specify a dictionary file with possible extension
names
-m OPTIONS, --method=OPTIONS
specify a request method. The default is REGISTER.
Other possible methods are OPTIONS and INVITE
-e RANGE, --extensions=RANGE
specify an extension or extension range example: -e
100-999,1000-1500,9999
-z PADDING, --zeropadding=PADDING
the number of zeros used to padd the username.
the options "-e 1-9999 -z 4" would give 0001 0002 0003
... 9999
--force Force scan, ignoring initial sanity checks.
-T TEMPLATE, --template=TEMPLATE
A format string which allows us to specify a template
for the extensions example
svwar.py -e 1-999 --template="123%#04i999" would scan
between 1230001999 to 1230999999"
-D, --enabledefaults Scan for default / typical extensions such as
1000,2000,3000 ... 1100, etc. This option is off by
default. Use --enabledefaults to
enable this functionality
--maximumtime=MAXIMUMTIME
Maximum time in seconds to keep sending requests
without receiving a response
back
--domain=DOMAIN force a specific domain name for the SIP message, eg.
-d example.org
--debug Print SIP messages received
svmap Usage Example
Scan the given network range (192.168.1.0/24) and display verbose output (-v):
[email protected]:~# svmap 192.168.1.0/24 -v
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060