sip utils call
Note
This documentation applies to SIPVicious version v6.0.0-experimental.6. Please note that only the latest version of SIPVicious PRO is supported.Summary
Start a new call
What it does
Generate and handle a new call by sending an INVITE and handling the call traffic.
Tool functionality
The sip call tool is used to test making calls. It does this by making use of the INVITE
SIP method and handling the normal traffic, including SIP Re-INVITE and other in-dialog traffic. By default, if the call is picked up by the other party, the tool will play an internal audio file music.raw
, if the file does not exist in the current directory and hangup if the tool is terminated.
This behaviour is changed by making use of the caller-mode
flag as described in the documentation.
Video demonstration
Command format
sipvicious sip utils call <target1 [target2 [target3 ...]]> [flags]
Flags
--auth-config strings Specify SIP authentication configuration. See documentation for details e.g. algorithm:sha-256
--caller-mode strings Specify how to behave during the call attempt; format: action or action:duration; (ignore|hangup-trying|hangup-ringing|hangup-call|never-hangup) (default [hangup-call:30s])
--codec strings Specify the codec that should be used for the RTP stream (ulaw|alaw|opus) (default [ulaw,alaw,opus])
-u, --credentials string Set the username and password in the following format: username:password[:realm] (e.g. 1000:test123:snowflake). Realm is optional
-D, --domain string Override domain name for the SIP address
-e, --extension string Specify a target extension or SIP URI to call; if not specified, a random numeric extension is used
-f, --from string Specify a from extension or SIP URI to call from; if not specified, a random numeric extension is used
--register Register before making a call; requires -u
--rtp-payload string Specify the RTP payload for the audio (e.g. music.wav or 2600hz.raw) or DTMF tones when value starts with dtmf: see the rtp-payload documentation for further details on specifying DTMF tones. (default "music.wav")
--stir-shaken-config strings Specify values to build the Identity header used for STIR/SHAKEN; see the tool documentation for full definition
Flags inherited from parent commands
--ca-cert string TLS CA Certificate
--client-cert string TLS client certificate
--client-key string TLS client private key
-C, --config string configuration file to use (may be JSON, TOML or YAML)
--debug set log level to debug
-T, --duration duration Stop the tool after a certain amount of time; e.g. 30s
--logfile string specify a log filename
--results string specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings
--srtp string Specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
--templates string Directory to search for template overrides (default ".")
--tls-key-log string TLS key log
Examples
sipvicious sip utils call udp://target:5060 -e 1234
sipvicious sip utils call tls://target:5061 -e 1234@example.com -f 2345@example.org \
-u 2345:topsecret --rtp-payload ""
sipvicious sip utils call tcp://target:5060 -e hello -f test@example.org --register \
--caller-mode hangup-ringing:30s --caller-mode hangup-call
sipvicious sip utils call tcp://target:5060 -e 1100 -u1000:1500 -T5s
Advanced examples
# simple call placing to an extension
sipvicious sip utils call udp://demo.sipvicious.pro:5060 -e 2000
# register with the given credentials and using a custom from tag
sipvicious sip utils call udp://demo.sipvicious.pro:5060 -u 1000:1500 --register --from sip:0000@siteonsip.tld -e 2000
# send a dtmf payload via the call
sipvicious sip utils call udp://demo.sipvicious.pro:5060 -e 2000 --rtp-payload dtmf:6
# use a specific invite mode for the call
sipvicious sip utils call udp://demo.sipvicious.pro:5060 --caller-mode hangup-trying -e 2000
# send a null rtp payload via the call
sipvicious sip utils call tls://demo.sipvicious.pro:5060 --rtp-payload "" --caller-mode never-hangup
# specify a codec for the call and an alternate rtp payload
sipvicious sip utils call udp://demo.sipvicious.pro:5060 -e 2000 --codec ulaw --rtp-payload 2600hz.raw
Exit codes
Code | Description |
---|---|
40 | Security issues cannot be detected with this tool since it is a SIP utility and not an attack tool |
30 | A network connectivity issue is raised when the connection fails or when no response is received |
Full flag documentation
Flag: --auth-config
Specify SIP authentication configuration. This flag accepts the following values:
algorithm:value
where value may bemd5
,md5-sess
,sha-256
,sha-256-sess
,sha-512-256
orsha-512-256-sess
. This value will force the tool to calculate the authorization response based on the firstWWW-Authenticate
orProxy-Authenticate
header field that matches this algorithm. If no match is found then the firstWWW-Authenticate
orProxy-Authenticate
header is selected.
Flag: --ca-cert
The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.
Flag: --caller-mode
The flag caller-mode
allows one to specify how to behave during a call. The value of this flag could be one of the following actions:
ignore
which does not wait for SIP INVITE responseshangup-trying
which sends aCANCEL
as soon as a100 Trying
message is receivedhangup-ringing
which sends aCANCEL
as soon as a180 Ringing
is receivedhangup-call
which hangs up (by sending aBYE
) when a call is picked up (i.e. when a200 OK
is received)never-hangup
which handles the call flow normally without hanging up
Additionally, the action value may be preceded by a colon and a duration value. This duration should be specified when the action should be taken after a specific time (e.g. 2s or 300ms). For example, hangup-ringing:300ms
. To hangup a call after 30 seconds, the value of caller-mode
should be hangup-call:30s
.
Note
The following caller-mode
values cannot be combined with other caller-mode
values, nor do they take in duration values:
ignore
never-hangup
Flag: --client-cert
The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.
Flag: --client-key
The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.
Flag: --codec
Specify the codec to be supported for the SDP and also in the RTP stream. Currently supported are ulaw, alaw and opus. You may pass multiple codecs by delimiting using a comma, as follows: ulaw,alaw,opus
.
When rates and channels need to be passed, they can be provided after the codec name, separated by a slash. For example: opus/48000/2
.
Flag: -C
, --config
Specify a configuration file which may be a JSON, TOML and YAML config
format. To get the default settings and figure out which settings are available, one may
run the sipvicious utils dump config
command. This is typically used to create a template
configuration that can then be edited as need be.
These settings may be overwritten when the corresponding flag is explicitly set, if one is present.
Flag: -u
, --credentials
Specify valid credentials so that the call can be done authenticated. The following format is used username:password
(e.g. 1000:test123
).
Additionally, a realm may be specified as a third parameter (e.g. 1000:test123:snowflake
).
Flag: --debug
Tells the logger to print out debug messages.
Flag: -D
, --domain
A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.
Flag: -T
, --duration
Specify the maximum duration of the attack so that it stops after a certain time. Examples include:
30s
10m
24h
Flag: -e
, --extension
This flag allows users to call a particular extension, overriding the default behaviour of calling a random extension. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org
).
Flag: -f
, --from
This flag allows users to set the From
address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org
).
Flag: --logfile
When the logfile
flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json
file extension, then the output format is in JSON, otherwise it defaults to text format.
Flag: --register
Register requires credentials to be passed so that a REGISTER
message is sent to authenticate with a registrar server before starting the call. The registration is maintained as per SIP standards, so that authentication does not time out.
Flag: --results
When the results
flag is specified, upon completing the test, it outputs the results to the specified filename. The format for this output file is text unless the filename ends with a .json
file extension. In that case, the result output is that of JSON.
The schema for the JSON output for this submodule can be found here.
Flag: --rtp-payload
The rtp-payload
parameter allows the setting of a file or DTMF tones that are used for the RTP stream. The following file types are supported:
.raw
, for raw audio to be passed to the RTP stream without any transcoding.wav
, for wave files to be transcoded for the RTP stream.rtp
, for payload files containing the whole RTP packet to be sent as is
The audio is looped unless a noloop
parameter is passed after a comma, e.g. audio.wav,noloop
.
If a blank filename, i.e. ""
, is passed, then no RTP is sent during the call and no SDP is set.
If the value of rtp-payload
starts with dtmf:
, then the RTP stream will consist of a sequence of DTMF tones instead of audio stream.
The supported alphabet in the DTMF string is 0-9
, A-D
, *
, #
, F
(flash), and ,
(comma) for a pause equivalent to one digit in length. The other side may not support all of these.
Example: When Asterisk is configured to allow call forwarding with feature code #1
, the following value to rtp-payload
will forward the call to 123456: dtmf:#1,,,123456
.
Flag: --srtp
The srtp
flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE
message. When the srtp
flag is set to none
, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE
. The srtp
mode can also be either dtls
or sdes
. In both dtls
and sdes
modes, the parameters are not required and will be generated randomly as need be.
Options for both dtls
and sdes
mode may be passed after a colon. For example:
--srtp dtls:cert.crt:cert.key[:ca.crt]
where the first argument after the mode (dtls
) is the public certificatecert.crt
, then the private keycert.key
and finally, the optional certificate authority fileca.crt
--srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj
where the argument is the base64 encoded cryptographic master key appended with the master salt.
Note that in the case of sdes
key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80
.
Flag: --stir-shaken-config
Set the Identity
header and specify the STIR/SHAKEN configuration. This flag accepts the following values:
alg:algorithm
where the algorithm may beES256
,HS256
orNone
privatekey:filename
where the filename points to a PEM encoded private key in the case of ES256, or a file containing the HMAC secret in the case of HS256x5u:url
sets the URL in thex5u
part of the JWT headerinfo:url
sets the URL in the info parameter within the Identity headerorigid:string
- sets the value of the origination identifier value in the JWT bodydest:string
- sets thedest
tn
value in the JWT bodyorig:xxx
- sets theorig
tn
value in the JWT bodyattest:string
sets the attest value in the JWT body
Flag: --templates
Allows one to set the template directory which is used to load (or save) the SIP templates.
To get the default SIP templates, make use of the sipvicious sip utils dump templates
command.
Flag: --tls-key-log
The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.
Future enhancements
- DTLS SRTP support, especially useful in WebRTC environments
- STUN and TURN support, also especially useful in WebRTC environments
JSON schema
The following is the JSON schema for the JSON output of this tool:
{
"type": "object",
"properties": {
"status": {
"type": "object",
"properties": {
"returncode": { "type": "integer" },
"description": { "type": "string" }
}
},
"targets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"target": { "type": "string" },
"status": {
"type": "object",
"properties": {
"returncode": { "type": "integer" },
"description": { "type": "string" }
}
},
"results": {
"type": "object",
"properties": {
}
},
"issues": {
"type": "object",
"properties": {
}
}
}
}
}
}
}