Over the past 5 years, we have developed a number of VoIP and SIP vulnerability assessment/testing tools. However, we didn’t release any of these tools until late 2006, when we co-authored the “Hacking Exposed: VoIP” book. To support release of the book, we developed and released several additional tools. Some of the tools that we released with the book include:
- add_registrations – adds a bogus registration for a contact
- check_sync_reboot – reboots/resets a SIP phone
- dirscan – actively scans for SIP phones
- erase_registrations – erases all registrations for a contact
- invite_flood – generates a flood of SIP INVITE requests
- redirectpoison – redirects requests
- reghijacker – hijacks a registration (combines erase and add registrations)
- rtpflood – generates a flood of RTP packets
- rtpinsertsound – inserts/replaces sound in a call
- rtpmixsound – mixes in sound in a call
- sip_rogue
- spitter
- teardown
- udpflood
These tools have been available on the Hacking Exposed: VoIP companion web site, www.hackingvoip.com. The book describes their use.
Since release of the book, we have been building new tools and enhancing several of the tools above. Some of the enhancements we made include:
- Added TCP/IP support to applicable tools
- Added digest authentication support to applicable tools
- Implemented quite a few fixes to sip_rogue to make it more reliable
We also built several new tools:
- Several new flood-based DoS tools, which generate floods using different SIP requests, including byeflood, optionsflood, regflood, and subflood. The regflood tool is certainly the most potent of the group.
- dirsniff and dirsortmerge – dirsniff is a passive scanner that builds a directory of valid SIP phone addresses. The dirsortmerge tool lets you manage the results from dirsniff, as well as output from the dirscan active scanner.
- Call Monitor and sipsniffer – this tool provides a GUI that shows active SIP calls. It allows you to select a call and terminate it (via teardown) or insert/mix in audio (via rtpinsertsound or rtpmixsound). You can define up to 10 sound files that can be inserted/mixed in on command. The tool also streams the call audio to the XMMS player, so you can listen in and “time” when you affect the call.
The Call Monitor tool is particularly interesting. It makes using the rtpinsertsound/rtpmixsound tools a lot easier and more effective. It makes real audio manipulation possible.
We will be posting the complete set of tools to the www.securelogix.com website sometime this week. I will provide a direct link when the download page is completed. I will also post additional information on how to use the new tools.