svmap Usage Example

Scan the given network range (192.168.1.0/24) and display verbose output (-v):

[email protected]:~# svmap 192.168.1.0/24 -v
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060

Packages and Binaries:

sipvicious

SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. This suite has five tools: svmap, svwar, svcrack, svreport, svcrash.

svmap is a sip scanner. When launched against ranges of ip address space, it will identify any SIP servers which it finds on the way.

svwar identifies working extension lines on a PBX. Also tells you if extension line requires authentication or not.

svcrack is a password cracker making use of digest authentication. It is able to crack passwords on both registrar servers and proxy servers.

svreport is able to manage sessions created by the rest of the tools and export to pdf, xml, csv and plain text.

svcrash responds to svwar and svcrack SIP messages with a message that causes old versions to crash.

Installed size: 197 KB
How to install: sudo apt install sipvicious

  • python3
  • python3-pkg-resources
  • python3-scapy
svcrack

Online password guessing tool for SIP devices

[email protected]:~# svcrack -h
Usage: svcrack -u username [options] target
examples:
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080
svcrack -u100 -r1-9999 -z4 10.0.0.1


Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  Destination port of the SIP device - eg -p 5060
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to trottle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  -u USERNAME, --username=USERNAME
                        username to try crack
  -d DICTIONARY, --dictionary=DICTIONARY
                        specify a dictionary file with passwords or - for
                        stdin
  -r RANGE, --range=RANGE
                        specify a range of numbers. example:
                        100-200,300-310,400
  -e EXTENSION, --extension=EXTENSION
                        Extension to crack. Only specify this when the
                        extension is different from the username.
  -z PADDING, --zeropadding=PADDING
                        the number of zeros used to padd the password. the
                        options "-r 1-9999 -z 4"would give 0001 0002 0003 ...
                        9999
  -n, --reusenonce      Reuse nonce. Some SIP devices don't mind you reusing
                        the nonce (making them vulnerable to replay attacks).
                        Speeds up the cracking.
  -T TEMPLATE, --template=TEMPLATE
                        A format string which allows us to specify a template
                        for the extensionsexample svwar.py -e 1-999
                        --template="123%#04i999" would scan between 1230001999
                        to 1230999999"
  --maximumtime=MAXIMUMTIME
                        Maximum time in seconds to keep sending requests
                        without receiving a response back
  -D, --enabledefaults  Scan for default / typical passwords such
                        as1000,2000,3000 ... 1100, etc. This option is off by
                        default.Use --enabledefaults to enable this
                        functionality
  --domain=DOMAIN       force a specific domain name for the SIP message, eg.
                        example.org
  --requesturi=REQUESTURI
                        force the first line URI to a specific value; e.g.
                        sip:[email protected]
  -6                    Scan an IPv6 address
  -m METHOD, --method=METHOD
                        Specify a SIP method to use

svcrash

Stop unauthorized scans from svcrack/svwar tool

[email protected]:~# svcrash -h
Usage: svcrash [options]

Options:
  --version        show program's version number and exit
  -h, --help       show this help message and exit
  --auto           Automatically send responses to attacks
  --astlog=ASTLOG  Path for the asterisk full logfile
  -d IPADDR        specify attacker's ip address
  -p PORT          specify attacker's port
  -b               bruteforce the attacker's port

svmap

Scanner that searches for SIP devices on a given network

[email protected]:~# svmap -h
Usage: svmap [options] host1 host2 hostrange
Scans for SIP devices on a given network

examples:

svmap 10.0.0.1-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/241.1.1.1-20 1.1.2-20.* 4.1.*.*

svmap -s session1 --randomize 10.0.0.1/8

svmap --resume session1 -v

svmap -p5060-5062 10.0.0.3-20 -m INVITE



Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                        -p5060,5061,8000-8100
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to trottle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  --randomscan          Scan random IP addresses
  -i scan1, --input=scan1
                        Scan IPs which were found in a previous scan. Pass the
                        session name as the argument
  -I scan1, --inputtext=scan1
                        Scan IPs from a text file - use the same syntax as
                        command line but with new lines instead of commas.
                        Pass the file name as the argument
  -m METHOD, --method=METHOD
                        Specify the request method - by default this is
                        OPTIONS.
  -d, --debug           Print SIP messages received
  --first=FIRST         Only send the first given number of messages (i.e.
                        usually used to scan only X IPs)
  -e EXTENSION, --extension=EXTENSION
                        Specify an extension - by default this is not set
  --randomize           Randomize scanning instead of scanning consecutive ip
                        addresses
  --srv                 Scan the SRV records for SIP on the destination domain
                        name.The targets have to be domain names - example.org
                        domain1.com
  --fromname=FROMNAME   specify a name for the from header
  -6, --ipv6            scan an IPv6 address

svreport

Report engine manage sessions from previous scans with SIPVicious

[email protected]:~# svreport -h
Usage: svreport [command] [options]

Supported commands:

                - list:	lists all scans

                - export:	exports the given scan to a given format

                - delete:	deletes the scan

                - stats:	print out some statistics of interest

                - search:	search for a specific string in the user agent (svmap)

examples:

      svreport.py list

      svreport.py export -f pdf -o scan1.pdf -s scan1

      svreport.py delete -s scan1



Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -t SESSIONTYPE, --type=SESSIONTYPE
                        Type of session. This is usually either svmap, svwar
                        or svcrack. If not set I will try to find the best
                        match
  -s SESSION, --session=SESSION
                        Name of the session
  -f FORMAT, --format=FORMAT
                        Format type. Can be stdout, pdf, xml, csv or txt
  -o OUTPUTFILE, --output=OUTPUTFILE
                        Output filename
  -n                    Do not resolve the ip address
  -c, --count           Used togather with 'list' command to count the number
                        of entries

svwar

Extension line scanner

[email protected]:~# svwar -h
Usage: svwar [options] target
examples:
svwar -e100-999 udp://10.0.0.1:5080
svwar -d dictionary.txt 10.0.0.2


Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  Destination port of the SIP device - eg -p 5060
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to trottle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  -d DICTIONARY, --dictionary=DICTIONARY
                        specify a dictionary file with possible extension
                        names or - for stdin
  -m OPTIONS, --method=OPTIONS
                        specify a request method. The default is REGISTER.
                        Other possible methods are OPTIONS and INVITE
  -e RANGE, --extensions=RANGE
                        specify an extension or extension range  example: -e
                        100-999,1000-1500,9999
  -z PADDING, --zeropadding=PADDING
                        the number of zeros used to padd the username.the
                        options "-e 1-9999 -z 4" would give 0001 0002 0003 ...
                        9999
  --force               Force scan, ignoring initial sanity checks.
  -T TEMPLATE, --template=TEMPLATE
                        A format string which allows us to specify a template
                        for the extensionsexample svwar.py -e 1-999
                        --template="123%#04i999" would scan between 1230001999
                        to 1230999999"
  -D, --enabledefaults  Scan for default / typical extensions such
                        as1000,2000,3000 ... 1100, etc. This option is off by
                        default.Use --enabledefaults to enable this
                        functionality
  --maximumtime=MAXIMUMTIME
                        Maximum time in seconds to keep sending requests
                        without receiving a response back
  --domain=DOMAIN       force a specific domain name for the SIP message, eg.
                        -d example.org
  --debug               Print SIP messages received
  -6                    scan an IPv6 address

Updated on: 2022-Feb-10