VoIPER VoIP Exploit Research toolkit 0.04 released
VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilities. It incorporates a fuzzing suite built on the Sulley fuzzing framework, a SIP torturer tool based on RFC 4475 and a variety of auxiliary modules to assist in crash detection and debugging.
It is cross-platform and usable via a command line interface on Linux, Windows and OS X or a GUI on Windows. The primary goal of VoIPER is to create a toolkit with all required testing functionality built in and to minimise the amount of effort an auditor has to put into testing the security of a VoIP code base.
For the moment the fuzzer incorporates tests for:
- SIP INVITE (3 different test suites)
- SIP ACK
- SIP CANCEL
- SIP request structure
- SDP over SIP
This translates to well over 200,000 generated tests covering all SIP attributes specified in RFC 3261 for the given messages.
It includes other features such as:
- Protocol and process based crash detection and recording
- Fuzzer pause/restart functionality (SFF)
- Supports clients that require registration prior to fuzzing
- Simple to expand to new protocols
- As far as possible, protocol compliance, e.g. ACK and CANCEL responses, to prevent some clients hanging
- Target process control (SFF)
SFF: Provided as part of the Sulley Fuzzing Framework, in some cases with my modifications and fixes.
VoIPER has been added to Security-Database Tools Watch Process