Identify which SIP methods are accepted by the target.
Enumerate the SIP methods that are allowed by the target. This tool is used as part of reconnaissance and may be used with custom templatable SIP messages.
The sip enumerate methods tool sends various SIP messages, each with a different SIP method, and displays the response code for each, if any. The purpose is to identify which SIP methods are supported by the target. If the target returns no response or an error (such as 501 or 405), the tool marks the SIP method as not supported.
The following is an example output of this tool:
INVITE - supported (404 User not found)
REGISTER - unsupported (no response)
UPDATE - unsupported (405 Method not supported)
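For a defender running this against their own SIP server, the result is most useful when compared with the methods the server is meant to accept. The following is an added example, not part of the tool or its documentation; it assumes output lines in exactly the format shown above, and the names `parse_results`, `drift` and the last two sample lines are made up here. It keeps "no response" apart from an explicit error, because silence can also mean the request was dropped or the target was unreachable.

```python
import re

# Constructed sample: the first three lines are the example output above,
# the last two are made up in the same format.
SAMPLE = """\
INVITE - supported (404 User not found)
REGISTER - unsupported (no response)
UPDATE - unsupported (405 Method not supported)
OPTIONS - supported (200 OK)
MESSAGE - supported (202 Accepted)
"""

# METHOD - supported|unsupported (optional 3-digit status, then free text)
LINE_RE = re.compile(r"^([A-Z]+) - (supported|unsupported) \((?:(\d{3}) )?(.*)\)$")


def parse_results(text):
    """Map each method to (state, status); state is supported, rejected or silent."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the documented format
        method, verdict, code, _reason = m.groups()
        if verdict == "supported":
            state = "supported"
        elif code is None:
            state = "silent"    # no status code: dropped, filtered or unreachable
        else:
            state = "rejected"  # explicit error such as 405 or 501
        results[method] = (state, int(code) if code else None)
    return results


def drift(text, allowed):
    """Compare scan output with the set of methods the server should accept."""
    results = parse_results(text)
    return {
        # accepted by the server although not on the allow-list
        "unexpected": sorted(m for m, (s, _) in results.items()
                             if s == "supported" and m not in allowed),
        # silence proves nothing either way; re-test before trusting it
        "inconclusive": sorted(m for m, (s, _) in results.items() if s == "silent"),
        # on the allow-list but explicitly refused
        "missing": sorted(m for m in allowed
                          if results.get(m, (None, None))[0] == "rejected"),
    }
```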
sipvicious sip enumerate methods <target1 [target2 [target3 ...]]> [flags]
  -u, --credentials string   set the username and password in the following format: username:password (e.g. 1000:test123)
  -D, --domain string        override domain name for the SIP address
  -e, --extension string     specify a target extension or SIP URI to target; if not specified, a random numeric extension is used when and where required
  -f, --from string          specify a from extension or SIP URI to set the from address; if not specified, a random numeric extension is used
  -m, --methods strings      set the SIP message methods to try (default [REGISTER,SUBSCRIBE,NOTIFY,PUBLISH,MESSAGE,INVITE,OPTIONS,BYE,CANCEL,ACK,PRACK,INFO,REFER,UPDATE])
      --rate string          specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --register             register before starting the enumeration; requires -u
      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
      --logfile string       specify a log filename
      --srtp string          specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log, - for stdout
sipvicious sip enumerate methods udp://target:5060
sipvicious sip enumerate methods tcp://target:5060 -e user1 -f user2
sipvicious sip enumerate methods tls://target:5060 -u user:password
# setting the socket count, extension and overriding the domain during the enumeration
sipvicious sip enumerate methods udp://demo.sipvicious.pro:5060 -c 10 -e 2000 --domain siteonsip.tld

# register with the target before starting the enumeration
sipvicious sip enumerate methods udp://demo.sipvicious.pro:5060 -u 1000:1500 --register

# specifying a from string as well as the methods to be tried specifically
sipvicious sip enumerate methods udp://demo.sipvicious.pro:5060 --from 0000 --methods invite,register,prack,publish

# slow down and spread out the enumeration attack across different targets
sipvicious sip enumerate methods udp://demo.sipvicious.pro:5060 tls://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 --rate 1/30ms
This tool returns exit code 3 (a security issue was detected) when a SIP method is found to be allowed without any authentication. This refers to most initiating SIP methods except for OPTIONS. The tool returns exit code 4 (network connectivity problems) when the connection fails or when no response is received.
The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.
The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.
The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.
Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and figure out which settings are available, one may run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as need be.
These settings may be overwritten when the corresponding flag is explicitly set, if one is present.
Specify valid credentials so that SIP method requests can be sent authenticated. The following format is used
Tells the logger to print out debug messages.
A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.
This flag allows users to set a particular extension in the SIP URI, overriding the default behaviour of targeting random extensions. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g.
Note that in the case of OPTIONS messages, if the extension parameter is not specified, then the To URI and topmost address do not contain the user part of the SIP URI (e.g. sip:example.org). This has the effect of sending an OPTIONS to the SIP user-agent in the case of a SIP proxy, rather than to a particular user.
This flag allows users to set the From address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g.
When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is JSON; otherwise it defaults to text format.
Choose which SIP methods to enumerate. The default includes the following methods:
Rate allows one to limit the attack below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.
Register requires credentials to be passed so that a REGISTER message is sent to authenticate with a registrar server before starting the test. The registration is maintained as per SIP standards, so that authentication does not time out.
The srtp flag, when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE message.
The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as need be.
Options for both dtls and sdes mode may be passed after a colon. For example:
--srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
--srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.
Note that in the case of an sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite
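The length requirement can be checked before a value is passed to --srtp. This is an added example, not the tool's own code: it decodes the base64 argument, confirms the 30 octets stated above, and refuses the sample key printed in this documentation, since a published key should not protect real media. The function names are made up here, and the 16-octet key plus 14-octet salt split is an assumption taken from the AES_CM_128_HMAC_SHA1_80 suite in RFC 4568.

```python
import base64
import binascii
import secrets

# Assumed split (AES_CM_128_HMAC_SHA1_80): 16 + 14 = the 30 octets required above.
KEY_LEN, SALT_LEN = 16, 14
DOC_SAMPLE = "d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj"  # value printed on this page


def split_sdes_key(b64):
    """Decode an sdes argument and return (master_key, master_salt)."""
    try:
        raw = base64.b64decode(b64, validate=True)  # reject non-alphabet characters
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != KEY_LEN + SALT_LEN:
        raise ValueError(f"decoded to {len(raw)} octets, expected {KEY_LEN + SALT_LEN}")
    return raw[:KEY_LEN], raw[KEY_LEN:]


def new_srtp_flag():
    """Build an sdes value for --srtp from fresh random key material."""
    material = secrets.token_bytes(KEY_LEN + SALT_LEN)
    return "sdes:" + base64.b64encode(material).decode("ascii")


def check_srtp_flag(value):
    """Return 'ok', or the reason an sdes value should not be used."""
    mode, _, params = value.partition(":")
    if mode != "sdes":
        return "not an sdes value"
    if not params:
        return "ok"  # parameters are optional and generated randomly when omitted
    if params == DOC_SAMPLE:
        return "documentation sample key"
    try:
        split_sdes_key(params)
    except ValueError as exc:
        return str(exc)
    return "ok"
```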
Allows one to set the template directory which is used to load (or save) the SIP templates.
To get the default SIP templates, make use of the sipvicious sip utils dump templates command.
The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.