Skip to main content

rtp fuzz

Summary

Fuzzes the target with mutated RTP packets

What it does

Perform an RTP fuzzing test. This tool allows testers to check the robustness of the RTP parser, codec and transcoder code by sending mutated RTP messages to the target system.

Tool functionality

The rtp fuzz module helps identify unknown security issues using fuzzing techniques. It mutates RTP packets before they are sent to the target server by making use of the mutation engine that is specified. By default it uses radamsa, but the zzuf mutator can also be used as a mutation engine. For details about getting these third-party mutators setup on your system, please follow the installation page.

The fuzzer has two operating modes that can be specified by making use of the fuzz-mode flag:

  • rtp-payload mode, where the whole RTP packet is mutated, including headers and the payload itself; this mode is ideal when testing the RTP parser
  • audio-payload mode, where only the audio is mutated making it ideal when testing codecs, transcoders and so on

Additionally, the fuzzer has different call modes that can be specified through the call-mode flag. By default, it will initiate calls by sending an INVITE message and then starting an RTP stream if the call is accepted. When the call mode is set to callee, it can accept calls. This is especially useful if testing user-agent clients. Finally, the rtp-stream mode is there for times when one does not want to start a call using SIP but instead simply fuzz RTP directly.

Video demonstration

sipvicious rtp fuzz

Command format

sipvicious rtp fuzz <target1 [target2 [target3 ...]]> [flags]

Flags

      --auth-config strings   Specify SIP authentication configuration. See documentation for details e.g. algorithm:sha-256
      --ca-cert string        TLS CA Certificate
  -m, --call-mode string      Set mode (valid modes are callee, caller and rtp-stream) (default "caller")
      --client-cert string    TLS client certificate
      --client-key string     TLS client private key
      --codec strings         Specify the codec that should be used for the RTP stream (default [opus,alaw,ulaw,opus,gsm,g723,lpc,g722,g728,g729,h261,h263])
  -c, --conn-count int        Number of RTP streams to use (per target) (default 1)
  -u, --credentials string    Set the username and password in the following format: username:password[:realm] (e.g. 1000:test123:snowflake). Realm is optional
  -D, --domain string         Override domain name for the SIP address
  -e, --extension string      Specify a target extension or SIP URI to call; if not specified, a random numeric extension is used
  -f, --from string           Specify the from header address; if not specified, the from address is constructed from the credentials, otherwise a random numeric extension is used
      --fuzz-mode string      Set which part of the RTP packet to fuzz (valid modes are rtp-payload, audio-payload) (default "rtp-payload")
      --mutator string        Specify the mutator to use (radamsa|zzuf|none) (default "radamsa")
      --rate string           Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --register              Register with the specified target
      --rtp-payload string    Specify the RTP payload for the audio (e.g. music.wav or 2600hz.raw) (default "music.wav")
      --templates string      Directory to search for sip template overrides (default ".")
      --tls-key-log string    TLS key log

Flags inherited from parent commands

  -C, --config string       configuration file to use (may be JSON, TOML or YAML)
      --debug               set log level to debug
  -T, --duration duration   
      --logfile string      specify a log filename
      --results string      specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings
      --srtp string         Specify either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")

Examples

sipvicious rtp fuzz udp://target:5060 -e 1234 -f 2345
sipvicious rtp fuzz tcp://target:5060 --call-mode callee --register -u user:pass
sipvicious rtp fuzz udp://0.0.0.0:5060 --call-mode callee
sipvicious rtp fuzz udp://target:8000 --call-mode rtp-stream --rate 1/5ms --rtp-payload 2600hz.raw
sipvicious rtp fuzz udp://target:5060 -e 1100 -u 1000:1500 -T 5s

Advanced examples

# register with given credentials with target and fuzz as the sip callee, upon an incoming call
sipvicious rtp fuzz udp://demo.sipvicious.pro:5060 --call-mode callee -u 1000:1500 --register -T 5s

# use a specific codec as well as a specific rtp payload, while using rtp-stream mode to fuzz the target
sipvicious rtp fuzz udp://demo.sipvicious.pro:8000 --codec alaw --rtp-payload music.wav --call-mode rtp-stream

# specify the opus codec using a specific rate and channels and enable debug mode
sipvicious rtp fuzz udp://demo.sipvicious.pro:5060 --codec opus/48000/2 --call-mode caller --debug

# target extension 2000 from extension 1100 and rate limiting the attack
sipvicious rtp fuzz udp://demo.sipvicious.pro:5060 -e 2000 --from 1100 --rate 1/4ms

# specify a duration for the attack with 10 rtp streams while over-riding domain
sipvicious rtp fuzz udp://demo.sipvicious.pro:5060 --duration 100s -D siteonsip.tld --conn-count 10 -e 1100

# Specify multiple targets with extensions with 50 rtp streams per target
sipvicious rtp fuzz udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 -e 2000 -c 50

Exit codes

Code Description
40 A security issue is raised when the prober detects SIP-level, RTP-level or network-level errors
30 A network connectivity issue is raised when the connection fails before the attack is started

Full flag documentation

Flag: --auth-config

Specify SIP authentication configuration. This flag accepts the following values:

  • algorithm:value where value may be md5, md5-sess, sha-256, sha-256-sess, sha-512-256 or sha-512-256-sess. This value will force the tool to calculate the authorization response based on the first WWW-Authenticate or Proxy-Authenticate header field that matches this algorithm. If no match is found then the first WWW-Authenticate or Proxy-Authenticate header is selected.

Flag: --ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: -m, --call-mode

The tool currently supports three call modes. The default mode is to start a call with the target using the SIP protocol. If the call is picked up by the callee, the RTP fuzz attack is started on the RTP address advertised in the SDP body. Incoming RTP packets are received but discarded.

When the mode is set to callee, the tool behaves much like the sip utils callee tool. If no register flag is passed, the tool will listen on the specified target address and wait for incoming calls. Whenever an incoming call is received, the call is accepted and the RTP fuzz attack is started on the RTP address advertised in the SDP body.

When the mode is set to rtp-stream, the tool simply sends RTP packets to the target address.

Flag: --client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --codec

Specify the codec to be supported for the SDP and also in the RTP stream. Currently supported are alaw, ulaw, opus, gsm, g723, lpc, g722, g728, g729, h261 and h263. You may pass multiple codecs by delimiting using a comma, as follows: ulaw,alaw,opus.

When rates and channels need to be passed, they can be provided after the codec name, separated by a slash. For example: opus/48000/2.

Flag: -C, --config

Specify a configuration file which may be a JSON, TOML and YAML config format. To get the default settings and figure out which settings are available, one may run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as need be.

These settings may be overwritten when the corresponding flag is explicitly set, if one is present.

Flag: -c, --conn-count

Specify the number of RTP streams to be started for the attack. By default, this is set to 1 but setting more than that may increase the load on the target system.

Flag: -u, --credentials

Specify valid credentials so that the registration can be done authenticated. The following format is used username:password (e.g. 1000:test123).

Additionally, a realm may be specified as a third parameter (e.g. 1000:test123:snowflake).

Flag: --debug

Tells the logger to print out debug messages.

Flag: -D, --domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: -T, --duration

Specify the maximum duration of the attack so that it stops after a certain time. For example, 30s, 10m or 24h.

Flag: -e, --extension

This flag allows users to call a particular extension, overriding the default behaviour of calling a random extension. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

When the mode is set to callee, this flag has no meaning.

Flag: -f, --from

This flag allows users to set the From address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

Flag: --fuzz-mode

The fuzz-mode value can be either:

  • rtp-payload, where the whole RTP packet is mutated
  • audio-payload, where only the RTP data is mutated, thus having valid RTP headers

Flag: --logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: --mutator

Choose the mutation engine to use. Currently supported are the following:

The none mutator can be specified for debugging reasons, for example, to ensure that the SIP messages are generated correctly. When using this value, no fuzzing is actually done.

Flag: --rate

Rate allows one to limit the probing phase below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.

Flag: --register

Register may use credentials to be passed so that a REGISTER message is sent to authenticate with a registrar server before starting the call or waiting for a call to be received. The registration is maintained as per SIP standards, so that authentication does not time out.

Flag: --results

When the results flag is specified, upon completing the test, it outputs the results to the specified filename. The format for this output file is text unless the filename ends with a .json file extension. In that case, the result output is that of JSON.

The schema for the JSON output for this submodule can be found here.

Flag: --rtp-payload

The rtp-payload parameter allows the setting of a file that is used for the RTP stream. The following file types are supported:

  • .raw, for raw audio to be passed to the RTP stream without any transcoding
  • .wav, for wave files to be transcoded for the RTP stream
  • .rtp, for payload files containing the whole RTP packet to be sent as is

If the value of rtp-payload starts with dtmf:, then the RTP stream will consist of a sequence of DTMF tones instead of audio stream.

The supported alphabet in the DTMF string is 0-9, A-D, *, #, F (flash), and , (comma) for a pause equivalent to one digit in length. The other side may not support all of these.

Flag: --srtp

The srtp flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as need be.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: --templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: --tls-key-log

The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.

JSON schema

The following is the JSON schema for the JSON output of this tool:

{
  "type": "object",
  "properties": {
    "status": {
      "type": "object",
      "properties": {
        "returncode": { "type": "integer" },
        "description": { "type": "string" }
      }
    },
    "targets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "target": { "type": "string" },
          "status": {
            "type": "object",
            "properties": {
              "returncode": { "type": "integer" },
              "description": { "type": "string" }
            }
          },
          "results": {
            "type": "object",
            "properties": {
            }
          },
          "issues": {
            "type": "object",
            "properties": {
            }
          }
        }
      }
    }
  }
}