SIPVicious Package Description

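The SIPVicious suite is a set of tools that can be used to audit SIP-based VoIP systems. It currently consists of four tools:

  • svmap - a SIP scanner; lists the SIP devices found on an IP range
  • svwar - identifies active extensions on a PBX
  • svcrack - an online password cracker for SIP PBX
  • svreport - manages sessions and exports reports to various formats
  • svcrash - attempts to stop unauthorized svwar and svcrack scans

Source: https://code.google.com/p/sipvicious/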

SIPVicious Homepage | Kali SIPVicious Repo

  • Author: Sandro Gauci
  • License: GPLv2

    0x01 Tools included in the sipvicious package

    svcrack - Online password cracker for SIP PBX

    
    :~# svcrack -h
    Usage: svcrack -u username [options] target
    examples:
    svcrack -u100 -d dictionary.txt 10.0.0.1
    svcrack -u100 -r1-9999 -z4 10.0.0.1
    Options:
    --version             show program's version number and exit
    -h, --help            show this help message and exit
    -v, --verbose         Increase verbosity
    -q, --quiet           Quiet mode
    -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                          -p5060,5061,8000-8100
    -P PORT, --localport=PORT
                          Source port for our packets
    -x IP, --externalip=IP
                          IP Address to use as the external ip. Specify this if
                          you have multiple interfaces or if you are behind NAT
    -b BINDINGIP, --bindingip=BINDINGIP
                          By default we bind to all interfaces. This option
                          overrides that and binds to the specified ip address
    -t SELECTTIME, --timeout=SELECTTIME
                          This option allows you to trottle the speed at which
                          packets are sent. Change this if you're losing
                          packets. For example try 0.5.
    -R, --reportback      Send the author an exception traceback. Currently
                          sends the command line parameters and the traceback
    -A, --autogetip       Automatically get the current IP address. This is
                          useful when you are not getting any responses back due
                          to SIPVicious not resolving your local IP.
    -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                          resume a previous scan and allows you to export scans
    --resume=NAME         resume a previous scan
    -c, --enablecompact   enable compact mode. Makes packets smaller but
                          possibly less compatible
    -u USERNAME, --username=USERNAME
                          username to try crack
    -d DICTIONARY, --dictionary=DICTIONARY
                          specify a dictionary file with passwords
    -r RANGE, --range=RANGE
                          specify a range of numbers. example:
                          100-200,300-310,400
    -e EXTENSION, --extension=EXTENSION
                          Extension to crack. Only specify this when the
                          extension is different from the username.
    -z PADDING, --zeropadding=PADDING
                          the number of zeros used to padd the password.
                          the options "-r 1-9999 -z 4" would give 0001 0002 0003
                          ... 9999
    -n, --reusenonce      Reuse nonce. Some SIP devices don't mind you reusing
                          the nonce (making them vulnerable to replay attacks).
                          Speeds up the cracking.
    -T TEMPLATE, --template=TEMPLATE
                          A format string which allows us to specify a template
                          for the extensions                       example
                          svwar.py -e 1-999 --template="123%#04i999" would scan
                          between 1230001999 to 1230999999"
    --maximumtime=MAXIMUMTIME
                          Maximum time in seconds to keep sending requests
                          without                       receiving a response
                          back
    -D, --enabledefaults  Scan for default / typical passwords such as
                          1000,2000,3000 ... 1100, etc. This option is off by
                          default.                       Use --enabledefaults to
                          enable this functionality
    --domain=DOMAIN       force a specific domain name for the SIP message, eg.
                          -d example.org
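
The `-n, --reusenonce` option in the svcrack help above only speeds things up against SIP devices that accept the same digest nonce more than once. The following is an added example, not code from SIPVicious or the original page, of a server-side check that issues single-use, expiring nonces and rejects replays. The `NonceGuard` class, the realm and the credentials used with it are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class NonceGuard:
    """Hypothetical server-side store: each nonce is valid once, for ttl seconds."""

    def __init__(self, realm, ttl=30.0, clock=time.monotonic):
        self.realm, self.ttl, self.clock = realm, ttl, clock
        self.outstanding = {}  # nonce -> expiry time

    def challenge(self):
        """Return a fresh nonce for the 401 WWW-Authenticate header."""
        now = self.clock()
        # Purge expired nonces so unanswered challenges do not pile up.
        self.outstanding = {n: e for n, e in self.outstanding.items() if e > now}
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = now + self.ttl
        return nonce

    def verify(self, user, password, method, uri, nonce, response):
        """Return 'ok', 'denied', or 'stale' for an unknown, used or expired nonce.

        password is the secret the server has stored for user.
        """
        # pop() consumes the nonce even when the password is wrong, so every
        # guess costs the client a new challenge round trip.
        expiry = self.outstanding.pop(nonce, None)
        if expiry is None or expiry <= self.clock():
            return "stale"
        expected = digest_response(user, self.realm, password, method, uri, nonce)
        ok = hmac.compare_digest(expected.encode(), response.encode())
        return "ok" if ok else "denied"
```

A "stale" result corresponds to answering with a new 401 challenge instead of evaluating the credentials.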
    

    0x02 svcrash - Attempts to stop unauthorized svwar and svcrack scans

    
    :~# svcrash -h
    WARNING: No route found for IPv6 destination :: (no default route?)
    Usage: svcrash [options]
    Options:
    --version        show program's version number and exit
    -h, --help       show this help message and exit
    --auto           Automatically send responses to attacks
    --astlog=ASTLOG  Path for the asterisk full logfile
    -d IPADDR        specify attacker's ip address
    -p PORT          specify attacker's port
    -b               bruteforce the attacker's port
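
svcrash's `--astlog` option takes the path of the Asterisk full logfile, and the same log can be mined to spot svwar- and svcrack-style activity. The following is an added example, not svcrash's code and not from the original page, that groups failed registrations by source address and separates extension enumeration from password guessing. The chan_sip log line layout, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed chan_sip NOTICE layout (IPv4 only); adjust for your Asterisk version.
FAILED = re.compile(
    r"Registration from '(?P<sender>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)
EXTENSION = re.compile(r"sip:([^@>;]+)@")


def classify(lines, threshold=5):
    """Map each noisy source IP to 'enumeration' or 'password-guessing'."""
    failures = defaultdict(int)    # ip -> failed REGISTER count
    extensions = defaultdict(set)  # ip -> distinct extensions tried
    for line in lines:
        match = FAILED.search(line)
        if not match:
            continue
        ip = match.group("ip")
        failures[ip] += 1
        ext = EXTENSION.search(match.group("sender"))
        if ext:
            extensions[ip].add(ext.group(1))
    verdicts = {}
    for ip, count in failures.items():
        if count < threshold:
            continue  # occasional typos by real users stay below the threshold
        # Many extensions tried about once each looks like svwar; a few
        # extensions tried many times each looks like svcrack.
        wide = len(extensions[ip]) * 2 >= count
        verdicts[ip] = "enumeration" if wide else "password-guessing"
    return verdicts


def sample_line(second, ext, src, reason):
    """Build one constructed log line (documentation addresses only)."""
    return (f"[2024-01-01 10:00:{second:02d}] NOTICE[1234] chan_sip.c: "
            f"Registration from '\"{ext}\" <sip:{ext}@192.0.2.1>' "
            f"failed for '{src}' - {reason}")


SAMPLE = (
    [sample_line(i, 100 + i, "198.51.100.7:5060", "No matching peer found") for i in range(6)]
    + [sample_line(10 + i, 100, "203.0.113.5:5071", "Wrong password") for i in range(6)]
    + [sample_line(30, 204, "192.0.2.50:5060", "Wrong password")]
)
```

Calling `classify(SAMPLE)` flags the two noisy sources and ignores the single failed login from 192.0.2.50.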
    

    0x03 svreport - Manages sessions and exports reports to various formats

    
    :~# svreport -h
    Usage: svreport [command] [options]
    Supported commands:
                  - list: lists all scans
                  - export:   exports the given scan to a given format
                  - delete:   deletes the scan
                  - stats:    print out some statistics of interest
                  - search:   search for a specific string in the user agent (svmap)
    examples:
        svreport.py list
        svreport.py export -f pdf -o scan1.pdf -s scan1
        svreport.py delete -s scan1
    Options:
    --version             show program's version number and exit
    -h, --help            show this help message and exit
    -v, --verbose         Increase verbosity
    -q, --quiet           Quiet mode
    -t SESSIONTYPE, --type=SESSIONTYPE
                          Type of session. This is usually either svmap, svwar
                          or svcrack. If not set I will try to find the best
                          match
    -s SESSION, --session=SESSION
                          Name of the session
    -f FORMAT, --format=FORMAT
                          Format type. Can be stdout, pdf, xml, csv or txt
    -o OUTPUTFILE, --output=OUTPUTFILE
                          Output filename
    -n                    Do not resolve the ip address
    -c, --count           Used togather with 'list' command to count the number
                          of entries
    

    0x04 svmap - Lists SIP devices found on an IP range

    
    :~# svmap -h
    Usage: svmap [options] host1 host2 hostrange
    Scans for SIP devices on a given network
    examples:
    svmap 10.0.0.1-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/241.1.1.1-20 1.1.2-20.* 4.1.*.*
    svmap -s session1 --randomize 10.0.0.1/8
    svmap --resume session1 -v
    svmap -p5060-5062 10.0.0.3-20 -m INVITE
    Options:
    --version             show program's version number and exit
    -h, --help            show this help message and exit
    -v, --verbose         Increase verbosity
    -q, --quiet           Quiet mode
    -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                          -p5060,5061,8000-8100
    -P PORT, --localport=PORT
                          Source port for our packets
    -x IP, --externalip=IP
                          IP Address to use as the external ip. Specify this if
                          you have multiple interfaces or if you are behind NAT
    -b BINDINGIP, --bindingip=BINDINGIP
                          By default we bind to all interfaces. This option
                          overrides that and binds to the specified ip address
    -t SELECTTIME, --timeout=SELECTTIME
                          This option allows you to trottle the speed at which
                          packets are sent. Change this if you're losing
                          packets. For example try 0.5.
    -R, --reportback      Send the author an exception traceback. Currently
                          sends the command line parameters and the traceback
    -A, --autogetip       Automatically get the current IP address. This is
                          useful when you are not getting any responses back due
                          to SIPVicious not resolving your local IP.
    -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                          resume a previous scan and allows you to export scans
    --resume=NAME         resume a previous scan
    -c, --enablecompact   enable compact mode. Makes packets smaller but
                          possibly less compatible
    --randomscan          Scan random IP addresses
    -i scan1, --input=scan1
                          Scan IPs which were found in a previous scan. Pass the
                          session name as the argument
    -I scan1, --inputtext=scan1
                          Scan IPs from a text file - use the same syntax as
                          command line but with new lines instead of commas.
                          Pass the file name as the argument
    -m METHOD, --method=METHOD
                          Specify the request method - by default this is
                          OPTIONS.
    -d, --debug           Print SIP messages received
    --first=FIRST         Only send the first given number of messages (i.e.
                          usually used to scan only X IPs)
    -e EXTENSION, --extension=EXTENSION
                          Specify an extension - by default this is not set
    --randomize           Randomize scanning instead of scanning consecutive ip
                          addresses
    --srv                 Scan the SRV records for SIP on the destination domain
                          name.The targets have to be domain names - example.org
                          domain1.com
    --fromname=FROMNAME   specify a name for the from header
    

    0x05 svwar - Identifies active extensions on a PBX

    
    :~# svwar -h
    Usage: svwar [options] target
    examples:
    svwar -e100-999 10.0.0.1
    svwar -d dictionary.txt 10.0.0.2
    Options:
    --version             show program's version number and exit
    -h, --help            show this help message and exit
    -v, --verbose         Increase verbosity
    -q, --quiet           Quiet mode
    -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                          -p5060,5061,8000-8100
    -P PORT, --localport=PORT
                          Source port for our packets
    -x IP, --externalip=IP
                          IP Address to use as the external ip. Specify this if
                          you have multiple interfaces or if you are behind NAT
    -b BINDINGIP, --bindingip=BINDINGIP
                          By default we bind to all interfaces. This option
                          overrides that and binds to the specified ip address
    -t SELECTTIME, --timeout=SELECTTIME
                          This option allows you to trottle the speed at which
                          packets are sent. Change this if you're losing
                          packets. For example try 0.5.
    -R, --reportback      Send the author an exception traceback. Currently
                          sends the command line parameters and the traceback
    -A, --autogetip       Automatically get the current IP address. This is
                          useful when you are not getting any responses back due
                          to SIPVicious not resolving your local IP.
    -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                          resume a previous scan and allows you to export scans
    --resume=NAME         resume a previous scan
    -c, --enablecompact   enable compact mode. Makes packets smaller but
                          possibly less compatible
    -d DICTIONARY, --dictionary=DICTIONARY
                          specify a dictionary file with possible extension
                          names
    -m OPTIONS, --method=OPTIONS
                          specify a request method. The default is REGISTER.
                          Other possible methods are OPTIONS and INVITE
    -e RANGE, --extensions=RANGE
                          specify an extension or extension range  example: -e
                          100-999,1000-1500,9999
    -z PADDING, --zeropadding=PADDING
                          the number of zeros used to padd the username.
                          the options "-e 1-9999 -z 4" would give 0001 0002 0003
                          ... 9999
    --force               Force scan, ignoring initial sanity checks.
    -T TEMPLATE, --template=TEMPLATE
                          A format string which allows us to specify a template
                          for the extensions                       example
                          svwar.py -e 1-999 --template="123%#04i999" would scan
                          between 1230001999 to 1230999999"
    -D, --enabledefaults  Scan for default / typical extensions such as
                          1000,2000,3000 ... 1100, etc. This option is off by
                          default.                       Use --enabledefaults to
                          enable this functionality
    --maximumtime=MAXIMUMTIME
                          Maximum time in seconds to keep sending requests
                          without                       receiving a response
                          back
    --domain=DOMAIN       force a specific domain name for the SIP message, eg.
                          -d example.org
    --debug               Print SIP messages received
    

    0x06 svmap usage example

    Scan the specified network range (192.168.1.0/24) and display verbose output (-v):

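Original article: https://www.hackfun.org/kali-tools/sipvicious_zh.html. Please credit the original source when reposting; for commercial use, contact the original author for permission.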
