Skip to main content


SIP extension enumeration in Bluebox-ng

There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, specially in Asterisk. This brute-force vector is based on the study of the authentication responses of the target server. Sometimes its replies are different in the case that the client uses a valid extension, so it's easy to discover them. This vector is normally classified as a low security risk. Moreover we're moving towards a federated SIP environment , in which the extension is the public email address of the user. But it's still important in some cases: To guide next steps during a penetration test. In example, you can use the discovered extension to reduce the number of attempts in the phase of SIP extensión brute-force. Some RCE (Remote Code Execution) exploits need a valid extension to work. After a little research, these are the known vulns: CVE-2009-3727 : It's quite old and it's practically not present in real environments. It's still not imple
Recent posts

More brute-force modules in Bluebox-ng

The last day I said that now we're going to automate all VoIP tasks trying to build a VoIP/UC vulnerability scanner. But I realized that there are some other tasks which I need in each penetration test that we could add too. This way we could avoid to use another tools for an important part of the work. Normally, we're hired to deploy a VoIP specific penetration test, but we also like to check (in a minimal way) the rest of implied services. So I've added next modules brute-force modules: Asterisk AMI : It was a must because this is a very common scenario. MySQL : The most common DB engine among VoIP servers. MongoDB : It's not used in VoIP, but I've been playing lately with this system and I really like it. So I decided also to add a module. SSH / (S)FTP : More common protocols. HTTP(S) : Useful when we find a web management panel for a VoIP server. TFTP : Widely used in VoIP to auto-provisioning the softphones of an organization. LDAP : Sometimes the V

Bluebox-ng beta released

I've just pushed the last changes to Bluebox-ng repo to get what we consider a beta version. It's not yet finished but it's much more stable than the previous release. Here there is a resume of the changelog: IPv6 support. I would like to thank Olle E. Johansson ( @oej ) because of his research in SIP and IPv6 , it did my work really easy.  API support. DNS module finished. Nicer outputs. Simpler setup process. A network host/port scanner ( Evilscan ). Dirscan-node  upgraded to version 0.5. Added some numerical lists (with different paddings) to use with brute-force modules. Host list files and port ranges support included in SipScan module. Solved SipBrutePass module problem with too much asyncronous requests. A lot of refinements in the whole code. I want to say that we've decided to re-define the project like a "VoIP/UC vulnerability scanner", this way we can work more focused. Our idea is to write a tool to test in an

Bluebox-ng Alpha release

Finally I've pushed the first Alpha version of Bluebox-ng to my GitHub repo: Features RFC compliant TLS and IPv6 support SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08) SHODAN and Google Dorks SIP common security tools (scan, extension/password bruteforce, etc.) REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE and Ringing requests support Authentication through different types of requests. SIP denial of service (DoS) testing SRV and NAPTR discovery Dumb fuzzing Common VoIP servers web management panels discovery Automatic exploit searching (Exploit DB, PacketStorm, Metasploit) Automatic vulnerability searching (CVE, OSVDB) Geolocation Colored output Command completion GNU/Linux, Mac OS X and Windows I'm sorry but we still do not have documentation about the tool. For now, we have the README file included in the source code (which shows the steps to start

My new toy: Bluebox-ng

Hi again guys, here there is my new personal project. I think that README file is complete enough so I paste it on this post. Next month I'll be with my colleague Antón  at Kamalio World Conference showing a bit more about it. If you are there and want to talk a bit about VoIP security (or WebRTC) get in contact with us please. :) Finally, we would like to publish the first version in one ore two months, sorry but we're developing it mostly in our free time :(. I've promised Yago to do it on Security by Default blog so stay tuned.  Moreover this tool was included in Quobis personal project plan so you can always follow Quobis planet in which we publish all our experiments. Nothing else, I hope you like it and all kind of suggestions (and coders) are welcomed :). Bluebox-ng Bluebox-ng is a next generation UC/VoIP security tool. It has been written in CoffeeScript using Node.js powers. This project is "our 2 cents" to help to improve

How to protect your WebRTC app code?

I have spent some time analyzing which could be the best way to protect a privative version of a webphone based on QoffeeSIP that we are developing now at Quobis . I have seen this same question on different sites with quite confusing responses. So I'm going to share what I learned just in case it could help to anybody. Well, I'm not going to define what is WebRTC because Internet is full of it this year ( only overtaken by cats ;). For our purposes we have to consider that our app is a Javascript library. Really there is also HTML/CSS code but what I think that is important is Javascript, but HTML/CSS can also be protected in the same way but with other tools. First of all I want to remark that protect your code in the sense of anybody could copy/modify and redistribute it is impossible since Javascript is only text. If anybody had enough time (or money) this code could be reversed. But, as always, we can do things trying to avoid it as far as possible. In general, I

SIP INVITE attack with Metasploit

Some days ago my friend  @pepeluxx  wrote  another post  about INVITE attacks. He spoke about a  @sinologic   project  which allows to everybody passing some security tests to SIP servers. Furthermore he also published a perl script to do the same task. So I implemented it on Metasploit because I think It could be really useful during a pentesting. It’s interesting because these attacks are really dangerous, normally, attackers try to call to expensive locations. This target numbers often have special charges and they make money with this. Here there are two well known examples: I’m not going to deep in this vector because of being a well known (and old!!) one. Basically the attacker tries to make a call using a misconfigured PBX. This is allowed because  SIP RFC  says that an extension has not to be registered to be abl