Tool result output

Results from each SIPVicious PRO tool

Each test tool in the SIPVicious toolset generates output in a standard format upon completing the test, right before before exiting. The output is meant to determine which targets were tested, if a security issue was detected, how the security issue was detected and the actual results from the test. For example, the SIP extension enumeration test might tell you that the target server was vulnerable because enumeration was possible using the REGISTER method due to a change in the status code and SIP extensions 1000, 1001 and 1002 were detected.

Apart from writing results to standard output, each tool also supports the use of the --results flag. When this flag is used, the results are also stored in a local file on disk. If the extension of the file ends with .json, then the output format is JSON; otherwise the text format is used.

How to use the results in human readable form

The tools generate the results either in human-readable text format or JSON. When the sipvicious command is run from terminal, the text format is used and sent to standard output (i.e. stdout). These results can be redirected to a text file to be viewed at a later time. However, the more interesting use of the results output is when it is integrated within an automation system. For that, one should parse the results programatically as described in the next section.

How to use the results programatically

If the sipvicious command is piped to another process or is run outside the terminal, for example when it is wrapped in a script, the output format is automatically set to JSON. This allows the results to be easily parsed programatically by reading the standard output. In the following example, sipvicious is piped to the tool jq to extract the list of SIP extensions found:

sipvicious sip enumerate extension udp://demo.sipvicious.pro:5060 | jq '.targets[0].issues[][].extension'

The output should be something similar to the following:

"1000"
"1001"
"1007"
"1002"
"1003"
"1004"
"1005"
"1006"
"1008"
"1009"
"1100"
"1200"
"1300"
"1400"
"2000"

Therefore, if you intend to wrap the sipvicious command within a script, we recommend reading the standard output and parsing the JSON if the results are needed. The JSON version of the output for each tool is well defined in a JSON schema. Please refer to each tool's CUI reference for the schema that can be applied to the JSON output. For example, the RTP bleed schema can be found here.

Example: svpro-autohack.py

The following python script embeds SIPVicious PRO to first enumerate the SIP extensions on the target demo server and then run a password cracking attack on each SIP extension found, trying to guess password in the range of 1000 to 2000.

#!/usr/bin/env python3
from subprocess import Popen, PIPE
import json

targets = ["udp://demo.sipvicious.pro:5060"]

enumeratecmd = ["sipvicious", "sip",
                "enumerate", "extensions", "-e", "1000-2000"]
enumeratecmd.extend(targets)

extensionsfound = dict()

with Popen(enumeratecmd, stdout=PIPE) as sipvicious:
    results = json.load(sipvicious.stdout)
for targetdata in results["targets"]:
    target = targetdata['target']
    extensionsfound[target] = []
    for extensiondata in targetdata["issues"]["extensions"]:
        extensionsfound[target].append(extensiondata["extension"])

crackcmd = ["sipvicious", "sip", "crack", "online", "--range", "1000-2000"]

for target in extensionsfound:
    extensions = ','.join(extensionsfound[target])
    newcrackcmd = crackcmd[:]
    newcrackcmd.append(target)
    newcrackcmd.append('--extensions')
    newcrackcmd.append(extensions)
    with Popen(newcrackcmd, stdout=PIPE) as sipvicious:
        results = json.load(sipvicious.stdout)
    print(results)