Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server, Sandro Gauci

Video and Slides

Outline: Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server.

Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security GmbH

In Sandro’s previous talk for TADSummit EMEA Americas 2020, he spoke about why it is critical to take an offensive approach when dealing with RTC security.

In this presentation, he shows how tools can help in testing RTC security as well as in learning more about offensive security for RTC.

After a general overview of the landscape, he will focus on the work that his team has done on SIPVicious PRO and the target demo server that helps learn and show vulnerabilities in a lab environment.

Presentation Review

You can ask Sandro any questions about this presentation in the comments section of this weblog, or contact him directly with the info at the end of his presentation.

As mentioned above, in Sandro’s previous talk for TADSummit EMEA Americas 2020, he spoke about why it is critical to take an offensive approach when dealing with RTC security.

With this presentation he focused on their commercial offer SIPVicious PRO and the demo server to test out all the potential vulnerabilities SIPVicious can expose. They plan to open source the demo server once the code is tidied up. Please keep reminding Sandro 😉

SIPVicious PRO is an entirely new code base, it enables testing across SIP, RTP, and TURN, with full WebRTC, and custom protocols coming soon. Some of the features include:

  • Various attacks, including SIP flood, RTP flood, SIP enumeration, digest leak, RTP Bleed and RTP inject
  • Fuzzing to discover unknown vulnerabilities
  • Support for SIP over different transport protocols: TCP, UDP, TLS and WebSockets
  • Integration within QA automation systems, including CI/CD pipelines
  • A flexible templating system so that SIP messages may be easily modified
  • Support for RTP attacks
  • Insane speed, especially useful for flood attacks with rate limiting capabilities

As always with Sandro, there are lots of live demos throughout the presentation to see the code in action.

Open source projects need to find a way to put food on their table, giving away software does not do that. In the awesome RTC hacking list there are some great projects that do not get maintained because of this issue. At TADSummit we try to promote projects to a broader audience, outside the open source community.

Some projects have a big sponsor (sugar-daddy) like Asterisk with Sangoma. SIPVicious PRO provides one of a number of revenue streams (in addition to training, consulting, and offensive security testing) to help Sandro continue to support the open source SIPVicious and demo server. It’s simply up to the community to keep him balanced between the OSS and commercial sides of SIPVicious; as we see with many other open source projects that lack a sugar-daddy 😉

Thank you Sandro for a clear and demo-rich presentation of SIPVicious Pro and the demo server.

4 thoughts on “Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server, Sandro Gauci”

  1. Thank you Sandro for another insightful and slickly demoed presentation. I have a few questions:

    1) Do you plan to extend the OSS SIPVicious to include RTP/WebRTC offensive testing?
    2) I know you didn’t have time in your presentation to share some of your findings from OpenSIPIt on the vulnerabilities of STIR/SHAKEN. But it would be great if you could share.
    3) Will you add support for STIR/SHAKEN to SIPVicious PRO, asking for a friend here in the US 😉
    4) In your fuzzing implementation, are you taking a black, white, or grey box approach? How will fuzzing work with custom protocols?

    1. Hi Alan, thank you for hosting the summit! Here are my answers to your questions

      1) Do you plan to extend the OSS SIPVicious to include RTP/WebRTC offensive testing?

      Unfortunately no. The main reason is that this would require rewriting SIPVicious OSS; We did that and the result is SIPVicious PRO 🙂 And of course, we don’t want to cannibalize the PRO version.

      2) I know you didn’t have time in your presentation to share some of your findings from OpenSIPIt on the vulnerabilities of STIR/SHAKEN. But it would be great if you could share.

      Sure! During our session we found two main issues. One of them affected various solutions which was a vulnerability in how certificates are retrieved which resulted in denial of service but might have other security implications. Basically, the x5u could point to a local file, e.g. /dev/random and break the system. The other one consisted of some crashes in the OpenSIPS implementation that were found by making use of SIPVicious PRO’s upcoming STIR/SHAKEN fuzzer. We’ll be writing a post about these findings and our methodology on rtcsec.com of course 🙂

      3) Will you add support for STIR/SHAKEN to SIPVicious PRO, asking for a friend here in the US 😉

      Yes! For OpenSIPIt we started developing support for STIR/SHAKEN and it was already quite successful for just a proof of concept. So we’ll be making an official release later this year which supports STIR/SHAKEN once we have polished the code and documentation.

      4) In your fuzzing implementation, are you taking a black, white, or grey box approach? How will fuzzing work with custom protocols?

      SIPVicious PRO’s fuzzer takes a blackbox approach and presently, can be launched against any target server that speaks SIP. We’re adding RTP fuzzing soon too. In our security testing work, we often incorporate the blackbox approach with a whitebox approach by compiling the source code of the target application to include instrumentation, address sanitizers and similar techniques to get the best of both worlds. You could say that this is then a greybox approach 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *