sipvicious sip utils repeater

Summary

Send a SIP message and display the response.

What it does

A useful utility to send various SIP messages either from the default built-in template or from a custom template for each SIP message. This functionality is extremely useful during manual testing where the tester makes small changes to the SIP message iteratively when trying to reproduce a potential security issue. This tool is often used with the sip utils dump templates tool.

Tool functionality

The repeater tool sends a specific SIP message, which is especially useful for replaying messages loaded from a template. The tool displays the message that it sent, followed by the response if one is received.

The following is an example of the logging from the tool:

INFO[2020-05-28 16:32:07] SUBSCRIBE sip:1000@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:57420;rport;branch=z9hG4bK-pldfBMPRXSZRXNZz
Max-Forwards: 70
Contact: <sip:m89kb5AE@127.0.0.1:57420;transport=udp>
To: <sip:1000@127.0.0.1>
From: <sip:m89kb5AE@127.0.0.1>;tag=H1W8PiUqGb2mBN3u
Call-ID: d4NZeUqKLewbJx8g
CSeq: 1 SUBSCRIBE
Expires: 60
Accept: application/simple-message-summary
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Event: message-summary
Allow-Events: presence, kpml, talk
Content-Length: 0

INFO[2020-05-28 16:32:07] SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 127.0.0.1:57420;rport=57420;branch=z9hG4bK-pldfBMPRXSZRXNZz;received=127.0.0.1
To: <sip:1000@127.0.0.1>;tag=d15adabfc7714a7ef09b417dd44b65c4.7b676193
From: <sip:m89kb5AE@127.0.0.1>;tag=H1W8PiUqGb2mBN3u
Call-ID: d4NZeUqKLewbJx8g
CSeq: 1 SUBSCRIBE
Proxy-Authenticate: Digest realm="127.0.0.1",nonce="Xs/Mk17Py2ebLjsrW/XvQmNh++gvd1gG",qop="auth"
Server: kamailio (5.3.3 (x86_64/linux))
Content-Length: 0
 
INFO[2020-05-28 16:32:07] successfully returned
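
When many replayed messages need to be compared, the text log can be post-processed. The following Python code is an added example, not part of SIPVicious: it splits the log on the INFO[timestamp] prefix, pairs each response with its request by Call-ID and CSeq, and extracts the status code, Server banner and digest challenge parameters. The function names and the abridged sample are assumptions made for illustration.

```python
import re
from itertools import takewhile

ENTRY = re.compile(r"^[A-Z]+\[([^\]]+)\] ", re.M)  # e.g. "INFO[2020-05-28 16:32:07] "
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
REQUEST = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
PARAM = re.compile(r'(\w+)="([^"]*)"')  # quoted challenge parameters only
# Abridged copy of the log shown above (only the headers used here are kept).
SAMPLE = """\
INFO[2020-05-28 16:32:07] SUBSCRIBE sip:1000@127.0.0.1 SIP/2.0
Call-ID: d4NZeUqKLewbJx8g
CSeq: 1 SUBSCRIBE

INFO[2020-05-28 16:32:07] SIP/2.0 407 Proxy Authentication Required
Call-ID: d4NZeUqKLewbJx8g
CSeq: 1 SUBSCRIBE
Proxy-Authenticate: Digest realm="127.0.0.1",nonce="Xs/Mk17Py2ebLjsrW/XvQmNh++gvd1gG",qop="auth"
Server: kamailio (5.3.3 (x86_64/linux))
INFO[2020-05-28 16:32:07] successfully returned
"""

def parse_log(text):
    """Split the log into entries; parse the SIP start line and headers of each."""
    parts = ENTRY.split(text)[1:]  # [timestamp, body, timestamp, body, ...]
    entries = []
    for ts, body in zip(parts[0::2], parts[1::2]):
        lines = [l.rstrip() for l in body.splitlines()] or [""]
        e = {"time": ts, "kind": "note", "headers": {}}
        if m := STATUS.match(lines[0]):
            e.update(kind="response", status=int(m[1]), reason=m[2])
        elif m := REQUEST.match(lines[0]):
            e.update(kind="request", method=m[1], uri=m[2])
        for line in takewhile(bool, lines[1:]):  # a blank line ends the headers
            name, _, value = line.partition(":")
            e["headers"][name.strip().lower()] = value.strip()  # last value wins
        entries.append(e)
    return entries

def summarize(entries):
    """Pair each response with its request by Call-ID and CSeq and report it."""
    key = lambda e: (e["headers"].get("call-id"), e["headers"].get("cseq"))
    requests = {key(e): e for e in entries if e["kind"] == "request"}
    report = []
    for e in (x for x in entries if x["kind"] == "response"):
        h, req = e["headers"], requests.get(key(e))
        auth = h.get("proxy-authenticate") or h.get("www-authenticate") or ""
        report.append({"method": req and req["method"], "status": e["status"],
                       "server": h.get("server"), "challenge": dict(PARAM.findall(auth))})
    return report
```

Calling summarize(parse_log(SAMPLE)) returns one record per response; repeated headers such as multiple Via lines keep only the last value.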

Command format

sipvicious sip utils repeater <target1 [target2 [target3 ...]]> [flags]

Flags

  -u, --credentials string   set the username and password in the following format: username:password (e.g. 1000:test123)
  -D, --domain string        override domain name for the SIP address
  -e, --extension string     specify a target extension or SIP URI to target; if not specified, a random numeric extension is used when and where required
  -f, --from string          specify a from extension or SIP URI to set the from address; if not specified, a random numeric extension is used
  -m, --method string        set the SIP message method to use (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS|ACK|CANCEL|BYE|PRACK|INFO|REFER|UPDATE) (default "options")
      --register             register before starting the enumeration; requires -u
  -W, --timeout duration     Time to wait for a response (default 1s)

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
      --logfile string       specify a log filename
      --srtp string          specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log, - for stdout

Examples

sipvicious sip utils repeater udp://target:5060 -e 1234 -m invite
sipvicious sip utils repeater tcp://target:5060 -u user:password -m cancel
sipvicious sip utils repeater tls://target:5060 -m register

Advanced examples

# register with the credentials before sending a message with a custom From address
sipvicious sip utils repeater udp://demo.sipvicious.pro:5060 -u 1000:1500 --register -f 0000@siteonsip.tld

# send an INVITE to an extension with a 10-second timeout and an overriding domain name
sipvicious sip utils repeater udp://demo.sipvicious.pro:5060 -e 2000 --timeout 10s -m invite -D urlonsip.tld

Exit codes

Since this tool has no security context, it will never return exit code 3, i.e. security issue. The tool will return exit code 4, i.e. network connectivity issue, when the connection fails or a response is not received.

Flag: ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: config

Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and see which settings are available, run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as needed.

A setting from the configuration file is overridden when the corresponding flag, if one exists, is set explicitly.

Flag: credentials

Specify valid credentials so that the request can be authenticated. The following format is used: username:password (e.g. 1000:test123).

Flag: debug

Tells the logger to print out debug messages.

Flag: domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: extension

This flag allows users to set a particular extension in the SIP URI, overriding the default behaviour of targeting random extensions. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

Note that in the case of OPTIONS messages, if the extension parameter is not specified, then the To URI and topmost address do not contain the user part of the SIP URI (e.g. sip:example.org). This has the effect of sending an OPTIONS to the SIP user-agent in the case of a SIP proxy, rather than to a particular user.

Flag: from

This flag allows users to set the From address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

Flag: logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: method

Choose a SIP method to send, which may be one of the following:

  • REGISTER
  • SUBSCRIBE
  • NOTIFY
  • PUBLISH
  • MESSAGE
  • INVITE
  • OPTIONS
  • ACK
  • CANCEL
  • BYE
  • PRACK
  • INFO
  • REFER
  • UPDATE

Flag: register

Register requires credentials to be passed so that a REGISTER message is sent to authenticate with a registrar server before starting the test. The registration is maintained as per SIP standards, so that authentication does not time out.

Flag: srtp

The srtp flag, when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as needed.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • TODO: --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of an sdes key, the master key needs to be a valid length, which is 30 octets for the default crypto-suite AES_CM_128_HMAC_SHA1_80.
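
To check an sdes value before passing it to the flag, the following added Python example (not part of SIPVicious; the function names are illustrative) decodes the base64 argument and enforces the 30-octet length, which for AES_CM_128_HMAC_SHA1_80 is a 16-octet master key followed by a 14-octet master salt. It also generates a fresh random value for cases where both endpoints need a fixed key.

```python
import base64
import binascii
import secrets

KEY_LEN, SALT_LEN = 16, 14  # AES_CM_128_HMAC_SHA1_80: 128-bit key, 112-bit salt

def split_sdes_value(flag_value):
    """Validate a --srtp value of the form sdes:<base64> and return (key, salt)."""
    mode, _, param = flag_value.partition(":")
    if mode != "sdes" or not param:
        raise ValueError("expected sdes:<base64 of master key + master salt>")
    try:
        raw = base64.b64decode(param, validate=True)  # rejects stray characters
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != KEY_LEN + SALT_LEN:
        raise ValueError(f"decoded to {len(raw)} octets, need {KEY_LEN + SALT_LEN}")
    return raw[:KEY_LEN], raw[KEY_LEN:]

def new_sdes_value():
    """Generate a random master key and salt in the format the flag expects."""
    raw = secrets.token_bytes(KEY_LEN + SALT_LEN)
    return "sdes:" + base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    # The value from the documentation above decodes to exactly 30 octets.
    key, salt = split_sdes_value("sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj")
    print(len(key), len(salt))
    print(new_sdes_value())
```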

Flag: templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: timeout

Specify a timeout after which the tool gives up waiting for a response and considers the response as not received. Increase this value when the target system is experiencing slow response times.

Flag: tls-key-log

The TLS key log flag creates a file with the TLS key, which can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.