VoIPER VoIP Exploit Research toolkit 0.04 released
Wednesday 23 April 2008
VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilities. It incorporates a fuzzing suite built on the Sulley fuzzing framework, a SIP torturer tool based on RFC 4475 and a variety of auxiliary modules to assist in crash detection and debugging. It is cross-platform and usable via a command line interface on Linux, Windows and OS X or a GUI on Windows. The primary goal of VoIPER is to create a toolkit with all required testing functionality built in and to minimise the amount of effort an auditor has to put into testing the security of a VoIP code base.
For the moment the fuzzer incorporates tests for
SIP INVITE (3 different test suites)
SIP ACK
SIP CANCEL
SIP request structure
SDP over SIP
This translates to well over 200,000 generated tests covering all SIP attributes specified in RFC 3261 for the given messages.
It includes other features such as
Protocol and process based crash detection and recording
Fuzzer pause/restart functionality (SFF)
Supports clients that require registration prior to fuzzing
Simple to expand to new protocols
As far as possible, protocol compliance, e.g. ACK and CANCEL responses, to prevent some clients hanging
Target process control (SFF)
SFF : Provided as part of the Sulley Fuzzing Framework, in some cases with my modifications and fixes
VoIPER has been added to Security-Database Tools Watch Process





