This documentation applies to SIPVicious version v6.0.0-alpha.5. Please note that only the latest version of SIPVicious PRO is supported.
SIPVicious PRO is a set of tools that allow security testers, quality assurance and developers to test Real-Time Communications systems, especially VoIP and WebRTC infrastructure, against known attacks. It’s objectives are to:
Our aim is to help vendors and implementers of VoIP and WebRTC infrastructures to build products that withstand attack. That’s why SIPVicious Pro is built on our experience in penetration testing RTC systems and is meant to be a professional-grade security testing suite that can integrated in your testing methodology.
It’s key features are:
The software will be licensed to approved vendors and implementers of VoIP and WebRTC infrastructure and included in our penetration testing services. At the moment, we are compiling a list of interested parties. If that includes you, please fill in the form here. Alternatively, get in touch with us by writing to firstname.lastname@example.org.
SIPVicious PRO is designed to test for security flaws and can damage target systems due to the nature of its functionality. The user must take due care when using the software. When used on production systems or any other system, the user has to accept the full warning in the license agreement.
To review the software license, please click here.
The open-source version of SIPVicious, first published back in 2007, was written in Python and is available on Github for free. This includes three main tools,
svmap which is a scanner for SIP,
svwar which enumerates extensions on SIP devices and
svcrack that tries to guess passwords for SIP extensions. The tools only support SIP over UDP and do not offer support for TCP or TLS due to design issues.
SIPVicious PRO is a complete rewrite in Go, with a larger feature-set and more ambitious goals. End users get an executable binary for their OS rather than Python scripts.
It is meant to be used by vendors and system integrators internally to identify common RTC vulnerabilities before making it to production. Therefore, it supports the most commonly used protocols for SIP, that is, UDP, TCP, TLS and WebSockets. With WebSocket and DTLS-SRTP support, the tool can be used to test WebRTC infrastructure. Additionally, SIPVicious PRO can make and receive calls, handling SIP flows correctly. This allows for a number of attacks to be reproduced on test systems. The template system allows testers to quickly modify the SIP messages sent to the target system to include custom headers and other peculiarities as need be. SIPVicious PRO is not limited to just tests on SIP, but also other related protocols such as RTP. And finally, SIPVicious PRO makes use of our internal network library which gives the tool speed while maintaining sessions and other logical complexities in check.
RFC compliance: especially concerning SIP and RTP. This applies unless the attack requires non-compliance! ↩︎