Viproy VoIP Penetration Testing and Exploitation Kit

Project Page: http://www.github.com/fozavci/viproy-voipkit
Download: https://github.com/fozavci/viproy-voipkit/archive/master.zip
Author: Fatih Ozavci

Viproy VoIP Pen-Test Kit is developed to improve the quality of SIP penetration tests. It provides an authentication feature that helps to create simple tests. It includes 10 different modules with authentication support: options tester, brute forcer, enumerator, invite tester, trust analyzer, proxy and registration tester. All attacks can be performed before and after authentication to fuzz SIP services and value-added services.

The SIP pen-test guide will be published soon. Basic usage of the modules is presented below; it can be used before the guide is available. All modules support DEBUG and VERBOSE.


Preparing The Test Network

VulnVOIP is a vulnerable SIP server that you can use for tests.
VulnVOIP: http://www.rebootuser.com/?cat=371

Installation - Metasploit Github Edition

Copy the contents of the "lib", "modules" and "data" folders to the Metasploit root ("/") directory.
The mixins.rb file (lib/msf/core/auxiliary/mixins.rb) should contain this line:
require 'msf/core/auxiliary/sip'

Installation - Metasploit Pro Edition

Copy the contents of the "lib", "modules" and "data" folders to the /opt/metasploit/apps/pro/msf3 directory.
The mixins.rb file (/opt/metasploit/apps/pro/msf3/lib/msf/core/auxiliary/mixins.rb) should contain this line:
require 'msf/core/auxiliary/sip'

For the SIP Trust Analyzer module, install "pcaprub" via "/opt/metasploit/ruby/bin/gem install pcaprub"
or see
Metasploit - How To install Pcaprub For Windows


Events


  • VoIP Wars: Return of the SIP - Defcon 21 (USA)

  • Viproy VoIP Penetration Testing Kit - Blackhat Arsenal USA 2013


Videos & Papers


    Attacking SIP/VoIP Servers Using VIPROY VoIP Pen-Test Kit for Fun & Profit - Video (50 mins)

    This is a training video for penetration testing of SIP servers.

    Chapters of Training Video
    1-Footprinting of SIP Services
    2-Enumerating SIP Services
    3-Registering SIP Service with/without Credentials
    4-Brute Force Attack for SIP Service
    5-Call Initiation with/without Spoof & Credentials
    6-Hacking Trust Relationships
    7-Intercepting SIP Client with SIP Proxy


    Sample Usage Video

    http://www.youtube.com/watch?v=1vDTujNVKGM

    Hacking Trust Relationships of SIP/NGN Gateways - Video

    http://www.youtube.com/watch?v=BVJq2yrHYhI

    Hacking Trust Relationships Between SIP Gateways (PDF)

    http://viproy.com/files/siptrust.pdf

    VoIP Wars: Return of the SIP (Defcon 21 Presentation)


Usage


Global Settings

    setg CHOST 192.168.1.99 #Local Host
    setg CPORT 5099 #Local Port
    setg RHOSTS 192.168.1.1-254 #Target Network
    setg RHOST 192.168.1.201 #Target Host

Basic Usage of OPTIONS Module

    use auxiliary/scanner/sip/vsipoptions
    show options
    set THREADS 255
    run

Basic Usage of REGISTER Module

    use auxiliary/scanner/sip/vsipregister
    show options
    run

    set LOGIN true
    set USERNAME 101
    set PASSWORD s3cur3
    run

Basic Usage of INVITE Module

    use auxiliary/scanner/sip/vsipinvite
    set FROM 2000
    set TO 1000
    run

    set LOGIN true
    set FROM 102
    set USERNAME 102
    set PASSWORD letmein123
    run

    set DOS_MODE true
    set NUMERIC_USERS true
    set NUMERIC_MIN 200
    set NUMERIC_MAX 205
    run

Basic Usage of ENUMERATOR Module

    use auxiliary/scanner/sip/vsipenumerator
    show options
    unset USERNAME
    set USER_FILE /tmp/files/users2
    set VERBOSE false
    set METHOD SUBSCRIBE
    run

    unset USER_FILE
    set METHOD SUBSCRIBE
    set NUMERIC_USERS true
    set NUMERIC_MAX 2300
    run

    set METHOD REGISTER
    run

Basic Usage of BRUTE FORCE Module

    use auxiliary/scanner/sip/vsipbruteforce
    show options
    set RHOST 192.168.1.201
    set USERNAME 2000
    set PASS_FILE /tmp/files/passwords
    set VERBOSE false
    run

    unset USERNAME
    set USER_FILE /tmp/files/users2
    run

    unset USER_FILE
    set NUMERIC_USERS true
    set NUMERIC_MAX 500
    run

Basic Usage of Trust Analyzer Module

    use auxiliary/scanner/sip/vsiptrust
    show options
    set SRC_RHOSTS 192.168.1.200-210
    set SRC_RPORTS 5060
    set SIP_SERVER 192.168.1.201
    set INTERFACE eth0
    set TO 101
    run

    show options
    set ACTION CALL
    set SRC_RHOSTS 192.168.1.202
    set FROM James Bond
    run

Basic Usage of SIP Proxy Module

    use auxiliary/scanner/sip/vsipproxy
    show options
    set PRXCLT_PORT 5060
    set PRXCLT_IP 192.168.1.99
    set PRXSRV_PORT 5089
    set PRXSRV_IP 192.168.1.99
    set CLIENT_IP 192.168.1.120
    set CLIENT_PORT 5060
    set SERVER_IP 192.168.1.201
    set SERVER_PORT 5060
    set CONF_FILE /tmp/sipproxy_replace.txt
    set LOG true
    set VERBOSE false
    run
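
Detection Example for the Test Network

When running the ENUMERATOR and BRUTE FORCE modules against a lab server such as VulnVOIP, it is useful to check that the traffic they generate would be noticed. The Ruby sketch below is an added example, not part of Viproy or Metasploit: it flags a source that targets many distinct users with REGISTER/SUBSCRIBE and a source that repeatedly fails authentication for one user. The five-field record format, the names Event, parse_events and detect, and the window and threshold values are all assumptions made for illustration.

```ruby
require 'set'

# Constructed sample records, not any real SIP server's log format:
# epoch_seconds source_ip method target_user final_response_code
SAMPLE_LOG = <<~LOG
  1000 192.168.1.99 SUBSCRIBE 200 404
  1001 192.168.1.99 SUBSCRIBE 201 404
  1002 192.168.1.99 SUBSCRIBE 202 401
  1003 192.168.1.99 SUBSCRIBE 203 404
  1004 192.168.1.99 SUBSCRIBE 204 404
  1005 192.168.1.120 REGISTER 101 401
  1006 192.168.1.120 REGISTER 101 200
  1010 192.168.1.50 REGISTER 2000 401
  1011 192.168.1.50 REGISTER 2000 401
  1012 192.168.1.50 REGISTER 2000 401
  1013 192.168.1.50 REGISTER 2000 401
  1300 192.168.1.120 REGISTER 101 401
LOG

Event = Struct.new(:time, :src, :verb, :user, :status)

# Parse the constructed five-field records, skipping malformed lines.
def parse_events(text)
  rows = text.each_line.map(&:split).select { |f| f.size == 5 }
  rows.map { |t, src, verb, user, status| Event.new(t.to_i, src, verb, user, status.to_i) }
end

# Thresholds are assumptions to tune per site. A normal digest registration
# produces one 401 challenge before its 200, so a single failure is not flagged.
def detect(events, window: 60, max_users: 4, max_failures: 3)
  targets = Hash.new { |h, k| h[k] = [] }   # src => [[time, user], ...]
  failures = Hash.new { |h, k| h[k] = [] }  # [src, user] => [time, ...]
  alerts = Set.new
  events.sort_by(&:time).each do |e|
    next unless %w[REGISTER SUBSCRIBE].include?(e.verb)
    cutoff = e.time - window
    recent = targets[e.src] << [e.time, e.user]
    recent.reject! { |t, _| t <= cutoff }          # keep only the sliding window
    alerts << [:enumeration, e.src] if recent.map(&:last).uniq.size > max_users
    next unless [401, 403].include?(e.status)
    tries = failures[[e.src, e.user]] << e.time
    tries.reject! { |t| t <= cutoff }
    alerts << [:bruteforce, e.src, e.user] if tries.size > max_failures
  end
  alerts.to_a
end

p detect(parse_events(SAMPLE_LOG)) if $PROGRAM_NAME == __FILE__
```

The legitimate client at 192.168.1.120 in the sample is not flagged, because each of its registrations shows only the single challenge that digest authentication normally produces.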