
SIPVicious PRO

The offensive RTC security toolset

What is SIPVicious PRO?

SIPVicious PRO is a toolset for security testers, quality assurance and developers of Real-Time Communications systems. The security test tools cover VoIP and WebRTC infrastructure and applications, aiding in the discovery and demonstration of known and unknown vulnerabilities. Built off the experience gained through penetration tests done by the security researchers at Enable Security, SIPVicious PRO's tools are packaged in a professional-grade security testing suite.

Who benefits from SIPVicious PRO?

Our aim is to help vendors and implementers of VoIP and WebRTC infrastructure to build products that withstand attack. The toolset is mainly aimed at two types of users: the vendors developing RTC solutions and the service providers implementing RTC solutions. Users of SIPVicious PRO include security professionals within such organisations, quality assurance, developers and operations. If this describes you, then visit the beta subscription page to gain access to SIPVicious PRO.

Subscribe for the SIPVicious PRO Beta

How is it used?

SIPVicious PRO is a command-line toolset, used during manual security testing and also in automated procedures. The tools are extremely versatile and effective in the hands of an experienced manual tester, but they shine when put to use within an automated system. In fact, SIPVicious PRO is designed to be integrated with quality assurance processes. This ranges from being wrapped in simple bash scripts to integration within CI/CD pipelines and fully fledged applications where SIPVicious PRO is the engine behind the platform. For further details see the automation pages.

Key features

SIPVicious PRO comes with various features that are critical when doing offensive security testing on RTC systems, including:

  • Various attacks, including SIP flood, RTP flood, SIP enumeration, Digest leak, RTP Bleed and RTP inject
  • Fuzzing to discover unknown vulnerabilities
  • Support for SIP over different transport protocols: TCP, UDP, TLS and WebSockets
  • Integration within QA automation systems, including CI/CD pipelines
  • A flexible templating system so that SIP messages may be easily modified
  • Support for RTP attacks
  • Insane speed, especially useful for flood attacks with rate limiting capabilities
  • Compliance with RFCs¹

Go read the features page for a full list of features that are available.

Contents

    Overview

    Understand what the SIPVicious PRO toolset is and when it is useful.

    Learn

    How to install and start using SIPVicious PRO to test for RTC security issues.

    Automation

    How to integrate SIPVicious PRO in your continuous integration system and perform regression testing.

    Technical Documentation

    Technical documentation is to be found around here.

    Support

    Get help with SIPVicious PRO.


  1. RFC compliance: especially concerning SIP and RTP. This applies unless the attack requires non-compliance!