VoIP Security Tool List

http://www.hackingvoip.com/sec_tools.html

VoIP Security Tool List

This VoIP Security Tool List provides categories, descriptions and links to current free and commercial VoIP security tools. Each commercial tool is indicated by the following icon next to it:

The key objectives of this list are as follows:

1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA's Best Practices Project.
2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and deployments.
3. Provide vendors the information needed to proactively test their VoIP devices' ability to function and withstand real-world attacks.

DISCLAIMER: Many of these tools can cause harm to the normal operation of your VoIP network if used improperly. Before using any tools, we recommend that you read the instructions and other d0cumentation available on each of the individual tool's websites. By selecting almost any of these links, you will be leaving VOIPSA's web space. These links and pointers are provided for our visitors' convenience. Please be aware that we do not control or guarantee the accuracy, relevance, timeliness, or completeness of this outside information. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other tools that are more appropriate for your purpose. In no event shall VOIPSA be liable for any direct, indirect, incidental, punitive, or consequential damages of any kind whatsoever with respect to this list. Further, VOIPSA does not endorse any commercial products that may be mentioned in this list. These tools are only meant to be used on networks with the permission of the network owner and in compliance with the law.


Contents Quick Navigation

• VoIP Sniffing Tools
• VoIP Scanning and Enumeration Tools
• VoIP Packet Creation and Flooding Tools
• VoIP Fuzzing Tools
• VoIP Signaling Manipulation Tools
• VoIP Media Manipulation Tools
• Miscellaneous Tools
• Tool Tutorials and Presentations

VoIP Sniffing Tools

• AuthTool - Tool that attempts to determine the password of a user by analyzing SIP traffic.
• Cain & Abel - Multi-purpose tool with the capability to reconstruct RTP media calls.
• CommView VoIP Analyzer - VoIP analysis module for CommView that is suited for real-time capturing and analyzing Internet telephony (VoIP) events, such as call flow, signaling sessions, registrations, media streams, errors, etc.
• Etherpeek - general purpose VoIP and general ethernet sniffer.
• ILTY ("I'm Listening To You") - Open-source, multi-channel SKINNY sniffer.
• NetDude - A framework for inspection, analysis and manipulation of tcpdump trace files.
• Oreka - Oreka is a modular and cross-platform system for recording and retrieval of audio streams.
• PSIPDump - psipdump is a tool for dumping SIP sessions (+RTP traffic, if available) from pcap to disk in a fashion similar to "tcpdump -w".
• rtpBreak - rtpBreak detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn't require the presence of RTCP packets.
• SIPomatic - SIP listener that's part of LinPhone
• SIPv6 Analyzer - An Analyzer for SIP and IPv6.
• UCSniff - UCSniff is an assessment tool that allows users to rapidly test for the threat of unauthorized VoIP eavesdropping. UCSniff supports SIP and Skinny signaling, G.711-ulaw and G.722 codecs, and a MITM ARP Poisoning mode.
• VoiPong - VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP.
• VoIPong ISO Bootable - Bootable "Live-CD" disc version of VoIPong.
• VOMIT - The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players.
• Wireshark - Formerly Ethereal, the premier multi-platform network traffic analyzer.
• WIST - Web Interface for SIP Trace - a PHP Web Interface that permits you to connect on a remote host/port and capture/filter a SIP dialog.

VoIP Scanning and Enumeration Tools

• EnableSecurity VoIPPack for CANVAS - VoIPPack is a set of tools that are designed to work with Immunity CANVAS. The tools perform scans, enumeration, and password attacks.
• enumIAX - An IAX2 (Asterisk) login enumerator using REGREQ messages.
• iaxscan - iaxscan is a Python based scanner for detecting live IAX/2 hosts and then enumerating (by bruteforce) users on those hosts.
• iWar - IAX2 protocol Wardialer
• Nessus - The premier free network vulnerability scanner.
• nmap - the premier open source network port scanner.
• Passive Vulnerability Scanner - The Tenable Passive Vulnerability Scanner (PVS) can find out what is happening on your network without actively scanning it. PVS detects the actual protocol, various administrative interfaces, and VoIP scanner(s). Currently includes over 40 VoIP checks.
• SCTPScan - This tool enumerates open SCTP ports without establishing a full SCTP association with the remote host. You can also scan whole networks to find SCTP-speaking machines.
• SIP Forum Test Framework (SFTF) - The SIP Forum Test Framework (SFTF) was created to allow SIP device vendors to test their devices for common errors.
• SIP-Scan - A fast SIP network scanner
• SIPcrack - SIPcrack is a SIP protocol login cracker. It contains 2 programs, SIPdump to sniff SIP logins over the network and SIPcrack to bruteforce the passwords of the sniffed login.
• Sipflanker - Sipflanker will help you find SIP devices with potentially vulnerable Web GUIs in your network.
• SIPSCAN - SIPSCAN is a SIP username enumerator that uses INVITE, REGISTER, and OPTIONS methods.
• SIPVicious Tool Suite - svmap, svwar, svcrack - svmap is a sip scanner. It lists SIP devices found on an IP range. svwar identifies active extensions on a PBX. svcrack is an online password cracker for SIP PBX
• SiVuS - A SIP Vulnerability Scanner.
• SMAP - SIP Stack Fingerprinting Scanner
• VLANping - VLANPing is a network pinging utility that can work with a VLAN tag.
• VoIPAudit - VoIP specific scanning and vulnerability scanner.

VoIP Packet Creation and Flooding Tools

• IAXFlooder - A packet flooder that creates IAX packets.
• INVITE Flooder - Send a flurry of SIP INVITE messages to a phone or proxy.
• iThinkTest FlowCoder: SiPBlast - SIP Flood/Capacity testing of infrastructure by emulating mass CPE call traffic
• kphone-ddos - Using KPhone for flooding attacks with spoofed SIP packets
• NSAUDITOR - SIP UDP Traffic Generator - Flooder - SIP UDP traffic generator / flooder generates SIP traffic to stress test voice over IP systems, SIP programs and implementations under heavy network load. It is a very simple and fast program which can simulate SIP client and call activity.
• RTP Flooder - Creates "well formed" RTP Packets that can flood a phone or proxy.
• Scapy - Scapy is a powerful interactive packet manipulation program. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery.
• Seagull - a multi-protocol traffic generator especially targeted towards IMS.
• SIPBomber - SIPBomber is sip-protocol testing tool for Linux.
• SIPNess - SIPness Messenger is a SIP testing tool which is used for testing SIP applications.
• SIPp - SIPp is a free Open Source test tool / traffic generator for the SIP protocol.
• SIPsak - SIP swiss army knife.

VoIP Fuzzing Tools

• Asteroid - this is a set of malformed SIP methods (INVITE, CANCEL, BYE, etc.) that can be crafted to send to any phone or proxy.
• Codenomicon VoIP Fuzzers - Commercial versions of the free PROTOS toolset
• Fuzzy Packet - Fuzzy packet is a tool to manipulate messages through the injection, capturing, receiving or sending of packets generated over a network. Can fuzz RTP and includes built-in ARP poisoner.
• Interstate Fuzzer - VoIP Fuzzer
• Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform - Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols.
• ohrwurm - ohrwurm is a small and simple RTP fuzzer.
• PROTOS H.323 Fuzzer - a java tool that sends a set of malformed H.323 messages designed by the University of OULU in Finland.
• PROTOS SIP Fuzzer - a java tool that sends a set of malformed SIP messages designed by the University of OULU in Finland.
• SIP Forum Test Framework (SFTF) - SFTF was created to allow SIP device vendors to test their devices for common errors. And as a result of these tests improve the interoperability of the devices on the market in general.
• Sip-Proxy - Acts as a proxy between a VoIP UserAgent and a VoIP PBX. Exchanged SIP messages pass through the application and can be recorded, manipulated, or fuzzed.
• Spirent ThreatEx - a commercial protocol fuzzer and ribustness tester.
• VoIPER - VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilties.

VoIP Signaling Manipulation Tools

• BYE Teardown - This tool attempts to disconnect an active VoIP conversation by spoofing the SIP BYE message from the receiving party.
• Check Sync Phone Rebooter - Transmits a special NOTIFY SIP message which will reboot certain phones.
• H225regregject - H225regreject is a tool is used to disconnect H.323 calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified, it then injects a Registration Reject packet into the call.
• IAXAuthJack - IAXAuthJack is a tool used to actively perform an authentication downgrade attack and force an endpoint to reveal its password in plaintext over the network.
• IAXHangup - The IAXHangup is a tool is used to disconnect IAX calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified, it then injects a HANGUP control frame into the call.
• iThinkTest FlowCoder: SiPCPE - Evaluate SIP infrastructure protocol compliance using inserted SIP messages.
• RedirectPoison - this tool works in a SIP signaling environment, to monitor for an INVITE request and respond with a SIP redirect response, causing the issuing system to direct a new INVITE to another location.
• Registration Adder - this tool attempts to bind another SIP address to the target, effectively making a phone call ring in two places (the legitimate user's desk and the attacker's)
• Registration Eraser - this tool will effectively cause a denial of service by sending a spoofed SIP REGISTER message to convince the proxy that a phone/user is unavailable.
• Registration Hijacker - this tool tries to spoof SIP REGISTER messages in order to cause all incoming calls to be rerouted to the attacker.
• SIP-Kill - Sniff for SIP-INVITEs and tear down the call.
• SIP-Proxy-Kill - Tears down a SIP-Session at the last proxy before the opposite endpoint in the signaling path.
• SIP-RedirectRTP - Manipulate SDP headers so that RTP packets are redirected to an RTP-proxy.
• SipRogue - a multifunctional SIP proxy that can be inserted between two talking parties
• vnak - VoIP Network Attack Toolkit - vnak combines a number of attacks against multiple protocols in to one easy to use tool. Its aim is to be the one tool a user needs to attack multiple VoIP protocols.
• VoIPHopper - VoIP Hopper is a security validation tool that tests to see if a PC can mimic the behavior of an IP Phone. It rapidly automates a VLAN Hop into the Voice VLAN.

VoIP Media Manipulation Tools

• RTP InsertSound - this tool takes the contents of a .wav or tcpdump format file and inserts the sound into an active conversation.
• RTP MixSound - this tool takes the contents of a .wav or tcpdump format file and mixes the sound into an active conversation.
• RTPInject - RTPInject is a minimal-setup prerequisites attack tool that injects arbitrary audio into established RTP connections. The tool identifies active conversations, enumerates the media codec in use, and allows for the injection of an arbitrary audio file.
• RTPProxy - Wait for incoming RTP packets and send them to wanted (signaled by a tiny protocol) destination.
• SteganRTP - SteganRTP is a steganography tool which establishes a full-duplex steganographic data transfer protocol utilizing Real-time Transfer Protocol (RTP) packet payloads as the cover medium. The tool provides interactive chat, file transfer, and remote shell.
• Vo²IP - With Vo2IP, you can establish a hidden conversation by embedding further compressed voice data into regular PCM-based voice traffic (i.e. G.711 codec).

Miscellaneous Tools

• IAX.Brute - IAX.Brute is a passive dictionary attack tool on IAX's challenge/response authentication method. This attack allows malicious users to steal passwords and hijack endpoint identities.
• SIP-Send-Fun - Sip Send Fun is a tiny command-line based Script, which exploits specific vulnerabilites.
• SIP.Tastic - SIP.Tastic is a passive dictionary attack tool on SIP's digest authentication method. This attack allows malicious users to steal passwords and hijack endpoint identities.
• Spitter - A set of tools for Asterisk to perform VoIP spam testing.
• VoIP Security Audit Program (VSAP) - VSAP is an automated question/answer tool to audit the security of VoIP networks (SIP/H.323/RTP). It provides security topics and audit questions for the end user to complete. Once all the questions are answered, VSAP will provide a final score.
• XTest - A simple, practical, and free, wired 802.1x supplicant security tool implementing the RFC 3847 EAP-MD5 Authentication method.

Tool Tutorials and Presentations

• An Analysis of Security Threats and Tools in SIP-Based VoIP Systems - Shawn McGann and Douglas C. Sicker (University of Colorado at Boulder)
• An Analysis of VoIP Security Threats and Tools - Shawn McGann at 2nd VoIP Security Workshop June 2005
• Hacking VoIP Exposed - David Endler and Mark Collier for BlackHat 2006
• Hacking VoIP Wired and Wireless Phones - Shawn Merdinger for NoConName 2006
• Real-time Steganography with RTP - DEFCON 15 presentation by I)ruid on using steganography with RTP and the SteganRTP tool.
• Security testing of SIP implementations - Christian Wieser, Mark Laakso, and Henning Schulzrinne (Columbia University)
• SIP Stack Fingerprinting and Stack Difference Attacks - Hendrik Scholz, BlackHat USA 2006
• Two attacks against VoIP - by Peter Thermos - The purpose of this article is to discuss two of the most well known attacks that can be carried out in current VoIP deployments using SiVuS.
• VoIP Attacks! - Dustin Trammell for ToorCon 2006