SIPVicious

Overview

SIPVicious is a suite of command-line tools for auditing SIP (Session Initiation Protocol) servers and VoIP infrastructure. It includes tools for network scanning (svmap), extension enumeration (svwar), and authentication testing (svcrack). It is designed for authorized security assessments and penetration testing of VoIP systems.

Installation

Linux Package Managers

# Debian/Ubuntu
sudo apt-get install sipvicious

# Fedora/RHEL
sudo dnf install sipvicious

# From source
git clone https://github.com/EnableSecurity/sipvicious.git
cd sipvicious
pip install -e .

Docker

docker pull sipvicious/sipvicious
docker run -it sipvicious/sipvicious /bin/bash

SIPVicious Tools

| Tool | Purpose | Use Case |
|------|---------|----------|
| svmap | SIP server scanner and mapper | Discover active SIP servers on network |
| svwar | SIP extension/user enumerator | Find valid SIP usernames and extensions |
| svcrack | SIP authentication cracker | Test weak credentials on SIP servers |
| svreport | Result analysis and reporting | Generate audit reports from findings |
| svplayback | SIP message replay tool | Test SIP message handling and responses |

SVMap - SIP Server Discovery

SVMap scans IP ranges and identifies active SIP servers and services.

Basic Scanning

# Scan single host
svmap 192.168.1.100

# Scan network range
svmap 192.168.1.0/24

# Scan with custom port
svmap -p 5060 192.168.1.0/24

# Scan multiple ports
svmap -p 5060,5061,5065,15060 192.168.1.100

Advanced SVMap Options

# Verbose output
svmap -v 192.168.1.0/24

# Timeout per host (seconds)
svmap -t 5 192.168.1.100

# Max parallel processes
svmap -j 4 192.168.1.0/24

# Save results to file
svmap -o output.txt 192.168.1.100

# Use proxy
svmap -P sip:proxy.example.com:5060 192.168.1.100

# Custom domain
svmap -d voip.example.com 192.168.1.100

# IPv6 support
svmap ::1/64

Common SVMap Commands

# Full verbose scan with custom timeout
svmap -v -t 3 -j 8 192.168.1.0/24

# Scan with output logging
svmap -o sip_servers.txt -v 192.168.1.100

# UDP and TCP scanning
svmap -u -t 2 192.168.1.0/24

# Range scanning with max threads
svmap -j 16 192.168.1.0-192.168.1.50

SVWar - SIP Extension Enumeration

SVWar enumerates valid SIP user extensions by probing the target SIP server.

Basic Extension Discovery

# Enumerate against discovered server
svwar -m REGISTER 192.168.1.100

# Enumerate with custom port
svwar -m REGISTER -p 5061 192.168.1.100

# Enumerate specific domain
svwar -m REGISTER -d voip.example.com 192.168.1.100

# Use extension list wordlist
svwar -m REGISTER -e usernames.txt 192.168.1.100

SVWar Enumeration Methods

# REGISTER method (default)
svwar -m REGISTER 192.168.1.100

# OPTIONS method
svwar -m OPTIONS 192.168.1.100

# INVITE method
svwar -m INVITE 192.168.1.100

# SUBSCRIBE method
svwar -m SUBSCRIBE 192.168.1.100

Advanced SVWar Techniques

# Enumerate with custom range
svwar -m REGISTER -e 100-999 192.168.1.100

# Threading for faster enumeration
svwar -m REGISTER -j 16 192.168.1.100

# Verbose logging
svwar -m REGISTER -v 192.168.1.100

# Save results
svwar -m REGISTER -o valid_users.txt 192.168.1.100

# Custom From domain
svwar -m REGISTER -d internal.corp.com 192.168.1.100

# Custom User-Agent
svwar -m REGISTER -A "Cisco SIP Gateway" 192.168.1.100

# Response code filtering
svwar -m REGISTER -x "401,407" 192.168.1.100

SVWar with Wordlists

# Common extensions
svwar -m REGISTER -e extensions.txt 192.168.1.100

# Custom wordlist
svwar -m REGISTER -e /path/to/wordlist.txt 192.168.1.100

# Generate numeric range (100-999)
seq 100 999 > numeric_list.txt
svwar -m REGISTER -e numeric_list.txt 192.168.1.100

# Common names list
svwar -m REGISTER -e common_names.txt 192.168.1.100

SVCrack - SIP Authentication Testing

SVCrack performs credential testing against SIP authentication mechanisms.

Basic Credential Testing

# Test credentials against server
svcrack -u admin 192.168.1.100

# Wordlist attack
svcrack -u admin -w passwords.txt 192.168.1.100

# Dictionary password file
svcrack -u admin -w /usr/share/dict/wordlist 192.168.1.100

# With proxy
svcrack -u admin -P sip:proxy.example.com:5060 192.168.1.100

Advanced Cracking Options

# Custom port
svcrack -u admin -p 5061 192.168.1.100

# Domain specification
svcrack -u admin -d voip.example.com 192.168.1.100

# Multiple usernames
svcrack -U users.txt -w passwords.txt 192.168.1.100

# Threading optimization
svcrack -u admin -w passwords.txt -j 8 192.168.1.100

# Timeout per request
svcrack -u admin -w passwords.txt -t 5 192.168.1.100

# Verbose output
svcrack -u admin -w passwords.txt -v 192.168.1.100

# Save results
svcrack -u admin -w passwords.txt -o cracked.txt 192.168.1.100

Workflow Examples

Complete VoIP Assessment

# Step 1: Discover SIP servers
svmap -v -j 8 192.168.1.0/24 | tee sip_discovery.txt

# Step 2: Enumerate extensions from discovered servers
for server in $(grep "SIP" sip_discovery.txt | cut -d: -f1); do
  echo "Enumerating $server"
  svwar -m REGISTER -v -j 8 "$server" | tee "enum_$server.txt"
done

# Step 3: Test credentials for valid extensions
for user in $(cat valid_extensions.txt); do
  svcrack -u "$user" -w passwords.txt -v 192.168.1.100
done

Targeted Assessment

# Known SIP server assessment
TARGET="192.168.1.100"

# Scan for service confirmation
svmap -v "$TARGET"

# Enumerate extensions with REGISTER
svwar -m REGISTER -d corp.internal "$TARGET" -o valid_users.txt

# Attempt credential brute-force
svcrack -U valid_users.txt -w common_passwords.txt "$TARGET"

Report Generation

# Generate structured results
svmap -o scan_results.txt 192.168.1.0/24
svwar -m REGISTER -o enum_results.txt -d corp.com 192.168.1.100
svcrack -u admin -w passwords.txt -o crack_results.txt 192.168.1.100

# Combine and analyze
cat scan_results.txt enum_results.txt crack_results.txt > assessment_report.txt

Best Practices

  • Authorization: Only test VoIP systems you own or have explicit written permission to assess
  • Network: Run SIPVicious from a machine with network access to target infrastructure
  • Rate Limiting: Use threading (-j) judiciously to avoid causing DoS conditions
  • Documentation: Log all scan parameters and findings for compliance reporting
  • Port Discovery: Start with port 5060 (UDP) and 5061 (TCP), but verify service on alternative ports
  • Domain Enumeration: Use REGISTER method for most reliable extension discovery

Troubleshooting

No Responses from SIP Server

# Verify connectivity
nc -zv 192.168.1.100 5060

# Check firewall rules (-n keeps ports numeric; without it 5060 is listed as "sip")
sudo iptables -L -n | grep 5060

# Test with custom timeout
svmap -t 10 192.168.1.100

High False Positive Rates

# Use specific method matching behavior
svwar -m REGISTER -x "401,407" 192.168.1.100

# Filter by response codes
svwar -m REGISTER -v 192.168.1.100 | grep -E "401|407"

Slow Enumeration

# Increase threading
svwar -m REGISTER -j 32 192.168.1.100

# Reduce timeout
svwar -m REGISTER -t 2 192.168.1.100

Related Tools

  • Asterisk: Open-source VoIP PBX for testing VoIP deployments
  • SIPp: SIP protocol tester and traffic generator
  • VoIPmonitor: VoIP traffic analysis and monitoring
  • Wireshark: Packet capture and SIP protocol analysis
  • Kamailio: SIP server for test environments

Security Considerations

  • SIPVicious generates network traffic; ensure network monitoring systems won’t trigger alerts
  • Credential testing can lock accounts; test with dedicated accounts in lab environments
  • Some VoIP systems have rate limiting; respect throttling and avoid account lockouts
  • Document all testing with proper change control and client approval
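
The enumeration and credential-testing runs described on this page leave a recognisable pattern in SIP server logs, which is what the monitoring, rate-limiting and lockout points above come down to. The following is an added example, not part of SIPVicious or the original page: it flags a source that probes many extensions, or that fails authentication repeatedly against one extension, inside a sliding time window. The log format, the thresholds and the names `parse` and `detect` are assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample events, not real traffic. Assumed (hypothetical) log format:
# <epoch seconds> <source IP> <SIP method> <target extension> <response code>
SAMPLE_LOG = """\
1000 198.51.100.20 REGISTER 2001 401
1001 198.51.100.20 REGISTER 2001 200
1100 203.0.113.7 REGISTER 100 404
1100 203.0.113.7 REGISTER 101 404
1101 203.0.113.7 REGISTER 102 401
1101 203.0.113.7 REGISTER 103 404
1102 203.0.113.7 REGISTER 104 404
1200 203.0.113.9 REGISTER 102 401
1201 203.0.113.9 REGISTER 102 401
1202 203.0.113.9 REGISTER 102 403
1203 203.0.113.9 REGISTER 102 401
1204 203.0.113.9 REGISTER 102 401
"""
PROBE_METHODS = {"REGISTER", "OPTIONS", "INVITE", "SUBSCRIBE"}  # methods named on this page
AUTH_FAILURES = {401, 403, 407}

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[4].isdigit():  # skip malformed lines
            yield int(parts[0]), parts[1], parts[2].upper(), parts[3], int(parts[4])

def detect(log, window=60, max_extensions=4, max_auth_failures=4):
    """Return {source IP: [alert kinds]} using per-source sliding windows."""
    targets = defaultdict(deque)   # src -> (ts, ext) seen inside the window
    failures = defaultdict(deque)  # (src, ext) -> ts of failed authentications
    alerts = defaultdict(set)
    events = sorted(e for e in parse(log) if e[2] in PROBE_METHODS)
    for ts, src, _method, ext, code in events:
        seen = targets[src]
        seen.append((ts, ext))
        while seen[0][0] <= ts - window:  # drop events older than the window
            seen.popleft()
        if len({e for _, e in seen}) > max_extensions:  # many extensions, one source
            alerts[src].add("extension-enumeration")
        if code in AUTH_FAILURES:
            failed = failures[(src, ext)]
            failed.append(ts)
            while failed[0] <= ts - window:
                failed.popleft()
            if len(failed) > max_auth_failures:  # repeated failures, one extension
                alerts[src].add("credential-guessing")
    return {src: sorted(kinds) for src, kinds in alerts.items()}

print(detect(SAMPLE_LOG))
```

The rules key on source address and request rate rather than the User-Agent header, since that header is set by the client. The legitimate client in the sample (one 401 challenge followed by a 200) stays below both thresholds.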
