svmap Usage Example

Scan the given network range (192.168.1.0/24) and display verbose output (-v):

root@kali:~# svmap 192.168.1.0/24 -v
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060
INFO:DrinkOrSip:Looks like we received a SIP request from 192.168.1.202:5060

Packages and Binaries:

sipvicious

The SIPVicious suite is a set of tools for auditing SIP-based VoIP systems. It consists of five tools: svmap, svwar, svcrack, svreport and svcrash.

svmap is a SIP scanner. When launched against ranges of IP address space, it identifies any SIP servers it finds along the way.

svwar identifies working extension lines on a PBX. It also tells you whether an extension line requires authentication.

svcrack is a password cracker that makes use of digest authentication. It can crack passwords on both registrar servers and proxy servers.

svreport manages sessions created by the rest of the tools and exports them to PDF, XML, CSV and plain text.

svcrash responds to svwar and svcrack SIP messages with a message that causes old versions to crash.
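
Seen from the PBX side, the svwar and svcrack behaviour described above shows up as one source addressing many extensions, or sending many credentialed requests for a single extension. The following Python is an added example (not part of the original page or of SIPVicious) that flags both patterns in constructed SIP requests; the function names, thresholds, host name and addresses are assumptions.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
# "t" is the compact form of the To header (compact mode, -c on this page).
TO_USER = re.compile(r"^(?:To|t)[ \t]*:.*?sips?:([^@>;\s]+)@", re.I | re.M)
AUTH_HEADERS = ("authorization:", "proxy-authorization:")
METHODS = ("REGISTER", "OPTIONS", "INVITE")  # methods svwar's help text lists

def parse_request(raw):
    """Return (method, to_user, has_credentials), or None for non-requests."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    to = TO_USER.search("\n".join(lines[1:]))
    has_auth = any(h.lower().startswith(AUTH_HEADERS) for h in lines[1:])
    return m.group(1), (to.group(1) if to else None), has_auth

def classify(events, enum_threshold=5, guess_threshold=5):
    """Map source IP -> set of findings; thresholds are assumed, tune per site."""
    users = defaultdict(set)     # src -> distinct extensions addressed
    attempts = defaultdict(int)  # (src, user) -> requests carrying credentials
    for src, raw in events:
        parsed = parse_request(raw)
        if not parsed or parsed[0] not in METHODS or parsed[1] is None:
            continue
        _, user, has_auth = parsed
        users[src].add(user)
        attempts[(src, user)] += int(has_auth)
    findings = defaultdict(set)
    for src, seen in users.items():
        if len(seen) >= enum_threshold:
            findings[src].add("extension-enumeration")
    for (src, user), n in attempts.items():
        if n >= guess_threshold:
            findings[src].add("password-guessing:" + user)
    return dict(findings)

def sample(method, user, auth=False, compact=False):
    """Build one constructed SIP request (hypothetical host pbx.example.org)."""
    msg = f"{method} sip:pbx.example.org SIP/2.0\r\n{'t' if compact else 'To'}: <sip:{user}@pbx.example.org>\r\n"
    if auth:
        msg += f'Authorization: Digest username="{user}", realm="pbx", nonce="n", response="0"\r\n'
    return msg + "\r\n"

# Constructed traffic: an enumerating source, a guessing source, a normal phone.
EVENTS = [("203.0.113.10", sample("REGISTER", str(x), compact=x % 2 == 0)) for x in range(100, 108)]
EVENTS += [("203.0.113.20", sample("REGISTER", "100", auth=True)) for _ in range(6)]
EVENTS += [("198.51.100.5", sample("REGISTER", "201", auth=a)) for a in (False, True)]
```

classify(EVENTS) reports the first two sources and leaves the normal phone alone. In production the counts should be taken per time window, since legitimate phones also re-register with credentials periodically.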

Installed size: 197 KB
How to install: sudo apt install sipvicious

Dependencies:

  • python3
  • python3-pkg-resources

svcrack

Online password guessing tool for SIP devices

root@kali:~# svcrack -h
Usage: svcrack -u username [options] target
examples:
svcrack -u100 -d dictionary.txt 10.0.0.1
svcrack -u100 -r1-9999 -z4 10.0.0.1


Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                        -p5060,5061,8000-8100
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to trottle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  -u USERNAME, --username=USERNAME
                        username to try crack
  -d DICTIONARY, --dictionary=DICTIONARY
                        specify a dictionary file with passwords
  -r RANGE, --range=RANGE
                        specify a range of numbers. example:
                        100-200,300-310,400
  -e EXTENSION, --extension=EXTENSION
                        Extension to crack. Only specify this when the
                        extension is different from the username.
  -z PADDING, --zeropadding=PADDING
                        the number of zeros used to padd the password.
                        the options "-r 1-9999 -z 4" would give 0001 0002 0003
                        ... 9999
  -n, --reusenonce      Reuse nonce. Some SIP devices don't mind you reusing
                        the nonce (making them vulnerable to replay attacks).
                        Speeds up the cracking.
  -T TEMPLATE, --template=TEMPLATE
                        A format string which allows us to specify a template
                        for the extensions                       example
                        svwar.py -e 1-999 --template="123%#04i999" would scan
                        between 1230001999 to 1230999999"
  --maximumtime=MAXIMUMTIME
                        Maximum time in seconds to keep sending requests
                        without                       receiving a response
                        back
  -D, --enabledefaults  Scan for default / typical passwords such as
                        1000,2000,3000 ... 1100, etc. This option is off by
                        default.                       Use --enabledefaults to
                        enable this functionality
  --domain=DOMAIN       force a specific domain name for the SIP message, eg.
                        -d example.org
  --requesturi=REQUESTURI
                        force the first line URI to a specific value; e.g.
                        sip:999@example.org
  -6                    scan an IPv6 address
  -m METHOD, --method=METHOD

svcrash

Stop unauthorized scans from svcrack/svwar tool

root@kali:~# man svcrash
SVCRASH(1)                       User Commands                      SVCRASH(1)

NAME
       svcrash - stop unauthorized scans from svcrack/svwar tool

SYNOPSIS
       svcrash [options]

OPTIONS
       --version
              show program's version number and exit

       -h, --help
              show this help message and exit

       --auto Automatically send responses to attacks

       --astlog=ASTLOG
              Path for the asterisk full logfile

       -d IPADDR
              specify attacker's ip address

       -p PORT
              specify attacker's port

       -b     bruteforce the attacker's port

              Sipvicious  crash  exploits  a  bug  in svwar/svcrack.py to stop
              unauthorized scans from flooding  the  network.   Copyright  (C)
              2012  Sandro Gauci <sandro@enablesecurity.com>

              This  program  is  free software: you can redistribute it and/or
              modify it under the terms of the GNU General Public  License  as
              published  by  the Free Software Foundation, either version 3 of
              the License, or (at your option) any later version.

              This program is distributed in the hope that it will be  useful,
              but  WITHOUT  ANY WARRANTY; without even the implied warranty of
              MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE.   See  the
              GNU General Public License for more details.

              You  should  have  received a copy of the GNU General Public Li-
              cense    along    with    this    program.     If    not,    see
              <http://www.gnu.org/licenses/>.

SEE ALSO
       The  full  documentation for svcrash is maintained as a Texinfo manual.
       If the info and svcrash programs are properly installed at  your  site,
       the command

              info svcrash

       should give you access to the complete manual.

svcrash v0.2.8                   November 2012                      SVCRASH(1)

svmap

Scanner that searches for SIP devices on a given network

root@kali:~# svmap -h
Usage: svmap [options] host1 host2 hostrange
Scans for SIP devices on a given network

examples:

svmap 10.0.0.1-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/241.1.1.1-20 1.1.2-20.* 4.1.*.*

svmap -s session1 --randomize 10.0.0.1/8

svmap --resume session1 -v

svmap -p5060-5062 10.0.0.3-20 -m INVITE



Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                        -p5060,5061,8000-8100
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to trottle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  --randomscan          Scan random IP addresses
  -i scan1, --input=scan1
                        Scan IPs which were found in a previous scan. Pass the
                        session name as the argument
  -I scan1, --inputtext=scan1
                        Scan IPs from a text file - use the same syntax as
                        command line but with new lines instead of commas.
                        Pass the file name as the argument
  -m METHOD, --method=METHOD
                        Specify the request method - by default this is
                        OPTIONS.
  -d, --debug           Print SIP messages received
  --first=FIRST         Only send the first given number of messages (i.e.
                        usually used to scan only X IPs)
  -e EXTENSION, --extension=EXTENSION
                        Specify an extension - by default this is not set
  --randomize           Randomize scanning instead of scanning consecutive ip
                        addresses
  --srv                 Scan the SRV records for SIP on the destination domain
                        name.The targets have to be domain names - example.org
                        domain1.com
  --fromname=FROMNAME   specify a name for the from header
  --crashandburn        

svreport

Report engine to manage sessions from previous scans with SIPVicious

root@kali:~# svreport -h
Usage: svreport [command] [options]

Supported commands:

                - list:	lists all scans

                - export:	exports the given scan to a given format

                - delete:	deletes the scan

                - stats:	print out some statistics of interest

                - search:	search for a specific string in the user agent (svmap)

examples:

      svreport.py list

      svreport.py export -f pdf -o scan1.pdf -s scan1

      svreport.py delete -s scan1



Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -t SESSIONTYPE, --type=SESSIONTYPE
                        Type of session. This is usually either svmap, svwar
                        or svcrack. If not set I will try to find the best
                        match
  -s SESSION, --session=SESSION
                        Name of the session
  -f FORMAT, --format=FORMAT
                        Format type. Can be stdout, pdf, xml, csv or txt
  -o OUTPUTFILE, --output=OUTPUTFILE
                        Output filename
  -n                    Do not resolve the ip address
  -c, --count           Used togather with 'list' command to count the number
                        of entries

svwar

Extension line scanner

root@kali:~# svwar -h
Usage: svwar [options] target
examples:
svwar -e100-999 10.0.0.1
svwar -d dictionary.txt 10.0.0.2


Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                        -p5060,5061,8000-8100
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to trottle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  -d DICTIONARY, --dictionary=DICTIONARY
                        specify a dictionary file with possible extension
                        names
  -m OPTIONS, --method=OPTIONS
                        specify a request method. The default is REGISTER.
                        Other possible methods are OPTIONS and INVITE
  -e RANGE, --extensions=RANGE
                        specify an extension or extension range  example: -e
                        100-999,1000-1500,9999
  -z PADDING, --zeropadding=PADDING
                        the number of zeros used to padd the username.
                        the options "-e 1-9999 -z 4" would give 0001 0002 0003
                        ... 9999
  --force               Force scan, ignoring initial sanity checks.
  -T TEMPLATE, --template=TEMPLATE
                        A format string which allows us to specify a template
                        for the extensions                       example
                        svwar.py -e 1-999 --template="123%#04i999" would scan
                        between 1230001999 to 1230999999"
  -D, --enabledefaults  Scan for default / typical extensions such as
                        1000,2000,3000 ... 1100, etc. This option is off by
                        default.                       Use --enabledefaults to
                        enable this functionality
  --maximumtime=MAXIMUMTIME
                        Maximum time in seconds to keep sending requests
                        without                       receiving a response
                        back
  --domain=DOMAIN       force a specific domain name for the SIP message, eg.
                        -d example.org
  --debug               Print SIP messages received
  -6                    scan an IPv6 address

Updated on: 2021-Nov-26