SIPVicious PRO - the offensive RTC security toolset
What is SIPVicious PRO?
SIPVicious PRO is a toolset for security testers, quality assurance and developers of Real-Time Communications systems. The security test tools cover VoIP and WebRTC infrastructure and applications, aiding in the discovery and demonstration of known and unknown vulnerabilities. Built off the experience gained through penetration tests done by the security researchers at Enable Security, SIPVicious PRO’s tools are packaged in a professional-grade security testing suite.
Who benefits from SIPVicious PRO?
Our aim is to help vendors and implementers of VoIP and WebRTC infrastructure to build products that withstand attack. The toolset is mainly aimed at two types of users: the vendors developing RTC solutions and the service providers implementing RTC solutions. Users of SIPVicious PRO include security professionals within such organisations, quality assurance, developers and operations. If this describes you, then visit the membership page to gain access to SIPVicious PRO.
How is it used?
SIPVicious PRO is a command-line toolset, used during manual security testing and also in automated procedures. The tools are extremely versatile and effective in the hands of an experience manual tester. But they shine when put in use within an automated system. In fact, SIPVicious PRO is designed to be integrated with quality assurance processes. This ranges from being wrapped in simple bash scripts to integration within CI/CD pipelines and fully fledged applications where SIPVicious PRO is the engine behind the platform. For further details see the automation pages.
SIPVicious PRO comes with various features that are critical when doing offensive security testing on RTC systems, including:
- Various attacks, including SIP flood, RTP flood, SIP enumeration, Digest leak, RTP Bleed and RTP inject
- Fuzzing to discover unknown vulnerabilities
- Support for SIP over different transport protocols: TCP, UDP, TLS and WebSockets
- Integration within QA automation systems, including CI/CD pipelines
- A flexible templating system so that SIP messages may be easily modified
- Support for RTP attacks
- Insane speed, especially useful for flood attacks with rate limiting capabilities
- Compliance to RFCs1
Go read the features page for a full list of features that are available.
RFC compliance: especially concerning SIP and RTP. This applies unless the attack requires non-compliance! ↩︎