
SIPVicious

SIPVicious is a suite of command-line tools for auditing SIP (Session Initiation Protocol) servers and VoIP infrastructure. It includes tools for network scanning (svmap), extension enumeration (svwar), and authentication testing (svcrack). It is designed for authorized security assessments and penetration testing of VoIP systems.

# Debian/Ubuntu
sudo apt-get install sipvicious

# Fedora/RHEL
sudo dnf install sipvicious

# From source
git clone https://github.com/EnableSecurity/sipvicious.git
cd sipvicious
pip install -e .

docker pull sipvicious/sipvicious
docker run -it sipvicious/sipvicious /bin/bash

| Tool | Purpose | Use Case |
|------|---------|----------|
| svmap | SIP server scanner and mapper | Discover active SIP servers on network |
| svwar | SIP extension/user enumerator | Find valid SIP usernames and extensions |
| svcrack | SIP authentication cracker | Test weak credentials on SIP servers |
| svreport | Result analysis and reporting | Generate audit reports from findings |
| svplayback | SIP message replay tool | Test SIP message handling and responses |

SVMap scans IP ranges and identifies active SIP servers and services.

# Scan single host
svmap 192.168.1.100

# Scan network range
svmap 192.168.1.0/24

# Scan with custom port
svmap -p 5060 192.168.1.0/24

# Scan multiple ports
svmap -p 5060,5061,5065,15060 192.168.1.100

# Verbose output
svmap -v 192.168.1.0/24

# Timeout per host (seconds)
svmap -t 5 192.168.1.100

# Max parallel processes
svmap -j 4 192.168.1.0/24

# Save results to file
svmap -o output.txt 192.168.1.100

# Use proxy
svmap -P sip:proxy.example.com:5060 192.168.1.100

# Custom domain
svmap -d voip.example.com 192.168.1.100

# IPv6 support
svmap ::1/64

# Full verbose scan with custom timeout
svmap -v -t 3 -j 8 192.168.1.0/24

# Scan with output logging
svmap -o sip_servers.txt -v 192.168.1.100

# UDP and TCP scanning
svmap -u -t 2 192.168.1.0/24

# Range scanning with max threads
svmap -j 16 192.168.1.0-192.168.1.50

SVWar enumerates valid SIP user extensions by probing the target SIP server.

# Enumerate against discovered server
svwar -m REGISTER 192.168.1.100

# Enumerate with custom port
svwar -m REGISTER -p 5061 192.168.1.100

# Enumerate specific domain
svwar -m REGISTER -d voip.example.com 192.168.1.100

# Use extension list wordlist
svwar -m REGISTER -e usernames.txt 192.168.1.100

# REGISTER method (default)
svwar -m REGISTER 192.168.1.100

# OPTIONS method
svwar -m OPTIONS 192.168.1.100

# INVITE method
svwar -m INVITE 192.168.1.100

# SUBSCRIBE method
svwar -m SUBSCRIBE 192.168.1.100

# Enumerate with custom range
svwar -m REGISTER -e 100-999 192.168.1.100

# Threading for faster enumeration
svwar -m REGISTER -j 16 192.168.1.100

# Verbose logging
svwar -m REGISTER -v 192.168.1.100

# Save results
svwar -m REGISTER -o valid_users.txt 192.168.1.100

# Custom From domain
svwar -m REGISTER -d internal.corp.com 192.168.1.100

# Custom User-Agent
svwar -m REGISTER -A "Cisco SIP Gateway" 192.168.1.100

# Response code filtering
svwar -m REGISTER -x "401,407" 192.168.1.100

# Common extensions
svwar -m REGISTER -e extensions.txt 192.168.1.100

# Custom wordlist
svwar -m REGISTER -e /path/to/wordlist.txt 192.168.1.100

# Generate numeric range (100-999)
seq 100 999 > numeric_list.txt
svwar -m REGISTER -e numeric_list.txt 192.168.1.100

# Common names list
svwar -m REGISTER -e common_names.txt 192.168.1.100

SVCrack performs credential testing against SIP authentication mechanisms.

# Test credentials against server
svcrack -u admin 192.168.1.100

# Wordlist attack
svcrack -u admin -w passwords.txt 192.168.1.100

# Dictionary password file
svcrack -u admin -w /usr/share/dict/wordlist 192.168.1.100

# With proxy
svcrack -u admin -P sip:proxy.example.com:5060 192.168.1.100

# Custom port
svcrack -u admin -p 5061 192.168.1.100

# Domain specification
svcrack -u admin -d voip.example.com 192.168.1.100

# Multiple usernames
svcrack -U users.txt -w passwords.txt 192.168.1.100

# Threading optimization
svcrack -u admin -w passwords.txt -j 8 192.168.1.100

# Timeout per request
svcrack -u admin -w passwords.txt -t 5 192.168.1.100

# Verbose output
svcrack -u admin -w passwords.txt -v 192.168.1.100

# Save results
svcrack -u admin -w passwords.txt -o cracked.txt 192.168.1.100

# Step 1: Discover SIP servers
svmap -v -j 8 192.168.1.0/24 | tee sip_discovery.txt

# Step 2: Enumerate extensions from discovered servers
for server in $(grep "SIP" sip_discovery.txt | cut -d: -f1); do
  echo "Enumerating $server"
  svwar -m REGISTER -v -j 8 "$server" | tee "enum_$server.txt"
done

# Step 3: Test credentials for valid extensions
# (valid_extensions.txt is assumed to hold the extensions confirmed in Step 2, one per line)
for user in $(cat valid_extensions.txt); do
  svcrack -u "$user" -w passwords.txt -v 192.168.1.100
done

# Known SIP server assessment
TARGET="192.168.1.100"

# Scan for service confirmation
svmap -v "$TARGET"

# Enumerate extensions with REGISTER
svwar -m REGISTER -d corp.internal "$TARGET" -o valid_users.txt

# Attempt credential brute-force
svcrack -U valid_users.txt -w common_passwords.txt "$TARGET"

# Generate structured results
svmap -o scan_results.txt 192.168.1.0/24
svwar -m REGISTER -o enum_results.txt -d corp.com 192.168.1.100
svcrack -u admin -w passwords.txt -o crack_results.txt 192.168.1.100

# Combine and analyze
cat scan_results.txt enum_results.txt crack_results.txt > assessment_report.txt

  • Authorization: Only test VoIP systems you own or have explicit written permission to assess
  • Network: Run SIPVicious from a machine with network access to target infrastructure
  • Rate Limiting: Use threading (-j) judiciously to avoid causing DoS conditions
  • Documentation: Log all scan parameters and findings for compliance reporting
  • Port Discovery: Start with port 5060 (UDP) and 5061 (TCP), but verify service on alternative ports
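  • Domain Enumeration: Use REGISTER method for most reliable extension discovery

# Verify connectivity (nc tests TCP here; SIP commonly runs over UDP)
nc -zv 192.168.1.100 5060

# Check firewall rules (-n prints numeric ports so that 5060 can match)
sudo iptables -L -n | grep 5060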

# Test with custom timeout
svmap -t 10 192.168.1.100

# Use specific method matching behavior
svwar -m REGISTER -x "401,407" 192.168.1.100

# Filter by response codes
svwar -m REGISTER -v 192.168.1.100 | grep -E "401|407"

# Increase threading
svwar -m REGISTER -j 32 192.168.1.100

# Reduce timeout
svwar -m REGISTER -t 2 192.168.1.100

  • Asterisk: Open-source VoIP PBX for testing VoIP deployments
  • SIPp: SIP protocol tester and traffic generator
  • VoIPmonitor: VoIP traffic analysis and monitoring
  • Wireshark: Packet capture and SIP protocol analysis
  • Kamailio: SIP server for test environments

  • SIPVicious generates network traffic; ensure network monitoring systems won’t trigger alerts
  • Credential testing can lock accounts; test with dedicated accounts in lab environments
  • Some VoIP systems have rate limiting; respect throttling and avoid account lockouts
  • Document all testing with proper change control and client approval
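
Seen from the SIP server's side, the svwar enumeration and svcrack credential testing described above each leave a recognizable pattern: one source sending REGISTER for many distinct extensions, or many failed authentications against a single extension. The following detection sketch is an added example, not part of SIPVicious or of the original page; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (constructed for this example): "epoch src method extension status".
LINE = re.compile(r"(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<ext>\S+) (?P<status>\d{3})$")
AUTH_FAIL = {401, 403, 407}  # 401/407 are also the normal first challenge, so only bursts count

# Constructed sample traffic, not captured from a real system.
SAMPLE = (
    [f"{t} 10.0.0.5 REGISTER {100 + t} 404" for t in range(30)]    # sweep over extensions
    + [f"{40 + t} 10.0.0.9 REGISTER 200 401" for t in range(25)]   # repeated failures, one extension
    + ["5 10.0.0.20 REGISTER 201 401", "6 10.0.0.20 REGISTER 201 200"]  # ordinary phone
)


def detect(lines, window=60, ext_threshold=20, fail_threshold=15):
    """Return {source_ip: set of finding labels} using a sliding time window per source."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["method"] == "REGISTER":
            events[m["src"]].append((int(m["ts"]), m["ext"], int(m["status"])))

    findings = defaultdict(set)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            # Many distinct extensions from one source: enumeration, whatever the status code.
            if len({ext for _, ext, _ in win}) >= ext_threshold:
                findings[src].add("extension-enumeration")
            # Many auth failures against a single extension: credential guessing.
            fails = Counter(ext for _, ext, status in win if status in AUTH_FAIL)
            if fails and max(fails.values()) >= fail_threshold:
                findings[src].add("credential-guessing")
    return dict(findings)


if __name__ == "__main__":
    for src, labels in sorted(detect(SAMPLE).items()):
        print(src, sorted(labels))
```

The thresholds need tuning against normal registration traffic on the system being monitored; the regex must be adapted to the PBX or SBC log format actually in use.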