
SIPVicious

SIPVicious is a suite of tools to audit SIP-based VoIP systems. It includes svmap for scanning SIP servers, svwar for identifying extensions, svcrack for password cracking, svreport for managing sessions, and svcrash for defense.

Description

The SIPVicious suite is designed to audit SIP-based VoIP systems, helping security professionals identify vulnerabilities in VoIP infrastructure. The tools are particularly useful for penetration testing PBX systems, discovering active SIP devices, enumerating extensions, and cracking authentication credentials.

Use cases include network reconnaissance to find SIP servers on IP ranges, extension line discovery on PBX systems to determine which require authentication, and brute-forcing or dictionary-based password attacks on registrar and proxy servers. svreport facilitates analysis by exporting scan data in various formats, while svcrash provides a defensive measure against unauthorized scans.

These tools operate over the SIP protocol (typically UDP port 5060) and support features like session management, randomized scanning, and multiple request methods.

How It Works

The suite uses SIP protocol interactions to probe VoIP systems. svmap sends SIP requests to IP ranges to detect responsive servers. svwar probes extensions with REGISTER, OPTIONS, or INVITE methods to identify valid lines and authentication needs. svcrack performs online password guessing via digest authentication on targets. svreport processes session data from scans. svcrash sends crafted responses to crash outdated scanner versions or block attacks.
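
Seen from the monitored side, the extension probing and online password guessing described above leave a recognisable pattern in SIP logs. The following is an added example, not part of SIPVicious or the original page: it flags sources that touch many distinct extensions or accumulate digest challenges against one extension. The record layout, thresholds and function names are assumptions.

```python
from collections import defaultdict

PROBE_METHODS = {"REGISTER", "OPTIONS", "INVITE"}  # methods the page lists for svwar

def make_sample():
    """Constructed records: (source IP, SIP method, target extension, response code).
    The tuple layout is an assumption; adapt parsing to your PBX or SBC log format."""
    events = [("198.51.100.7", "REGISTER", str(ext), 404) for ext in range(100, 130)]
    events += [("198.51.100.7", "REGISTER", "105", 401)]
    events += [("203.0.113.9", "REGISTER", "200", 401) for _ in range(40)]
    # A normal phone: one digest challenge, then a successful registration.
    events += [("192.0.2.20", "REGISTER", "300", 401), ("192.0.2.20", "REGISTER", "300", 200)]
    events += [("192.0.2.21", "OPTIONS", "301", 200)]
    return events

def classify_sources(events, ext_threshold=20, fail_threshold=25):
    """Return {source_ip: set(labels)} for sources that look like scanning or guessing."""
    extensions = defaultdict(set)   # src -> distinct extensions probed
    failures = defaultdict(int)     # (src, ext) -> count of 401/407 responses
    succeeded = set()               # (src, ext) pairs that got a 200 on REGISTER
    for src, method, ext, code in events:
        if method not in PROBE_METHODS:
            continue
        extensions[src].add(ext)
        if code in (401, 407):
            failures[(src, ext)] += 1
        elif code == 200 and method == "REGISTER":
            succeeded.add((src, ext))
    findings = defaultdict(set)
    for src, exts in extensions.items():
        if len(exts) >= ext_threshold:
            findings[src].add("extension-enumeration")
    for (src, ext), count in failures.items():
        if count >= fail_threshold:
            # A success after many failures means a credential was likely guessed.
            hit = (src, ext) in succeeded
            findings[src].add("password-guessing-then-success" if hit else "password-guessing")
    return dict(findings)

if __name__ == "__main__":
    for src, labels in sorted(classify_sources(make_sample()).items()):
        print(src, sorted(labels))
```

Every legitimate digest registration produces one 401 before its 200, so the failure threshold has to sit well above the re-registration rate of real phones.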

Installation

sudo apt install sipvicious

Flags

-v, --verbose                   Increase verbosity (svmap)
-p PORT, --port=PORT            Destination port of the SIP device, e.g. -p 5060 (svmap, svcrack)
--randomscan                    Scan random IP addresses (svmap)
-e RANGE, --extensions=RANGE    Specify an extension or extension range, example: -e 100-999,1000-1500,9999 (svwar)
-u username                     Username for cracking (svcrack)
-d dictionary.txt               Specify a dictionary file with possible extension names (svwar)
--auto                          Automatically send responses to attacks (svcrash)
-f FORMAT, --format=FORMAT      Format type. Can be stdout, pdf, xml, csv or txt (svreport)

Examples

Scan the given network range (192.168.1.0/24) and display verbose output:
svmap 192.168.1.0/24 -v

Scan for SIP devices on a given network using various host formats:
svmap 10.0.0.1-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/24 1.1.1.1-20 1.1.2-20.* 4.1.*.*

Start a randomized scan session named session1:
svmap -s session1 --randomize 10.0.0.1/8

Resume a previous scan session with verbose output:
svmap --resume session1 -v

Crack the password for username 100 using a dictionary over UDP:
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080

Brute-force the password for username 100 over the range 1-9999, zero-padded to 4 digits:
svcrack -u100 -r1-9999 -z4 10.0.0.1

Scan extensions 100-999 on the target:
svwar -e100-999 udp://10.0.0.1:5080

Scan extensions from a dictionary file on the target:
svwar -d dictionary.txt 10.0.0.2

Updated 2026-04-16. Source: kali.org