The current version of the VoIP toolkit is not very spectacular and contains only two small utilities. The first tool being SIPUserGuess that exploits a vulnerability that I found in the Asterisk SIP implementation (AST-2009-008) and allows for enumeration of valid usernames. The vulnerability has been addressed by the Asterisk team and patches exists for all supported versions.
The second tool, VoIPPwGuess, can be used to perform an online audit of password quality for SIP or IAX2 accounts. The tool takes a list of passwords that it verifies against a list of usernames.
When developing the tools some stability issues were encountered on the server-side, mostly for older implementations of the IAX2 protocols. In order to prevent systems from becoming unresponsive the application enforces a limit on the number of tries performed each second when using the IAX2 protocol. However, experienced users (that know what they’re doing) have the possibility to override this limit by setting the -maxtps to a higher value.
The toolkit is available for download below and, as always, please report any bugs that you encounter.
Changes in version 0.2
- Bugfixed incorrect SIP line-feeds
- Added support for proxy authentication
- Added another way to guess valid user names
- Added possibility to specify remote port
VoIPTK version 0.2 binary: voiptk-0.2-bin.tar.gz
VoIPTK version 0.1 binary: voiptk-0.1-bin.tar.gz