SIPVicious OSS vs SIPVicious PRO

How does SIPVicious OSS compare to SIPVicious PRO?

The open-source version of SIPVicious, first published back in 2007, was written in Python and is available on GitHub for free. It includes three main tools: svmap, a scanner for SIP; svwar, which enumerates extensions on SIP devices; and svcrack, which tries to guess passwords for SIP extensions. The tools only support SIP over UDP and do not offer support for TCP or TLS due to design issues.

SIPVicious PRO is a complete rewrite in Go, with a larger feature set and more ambitious goals. End users get an executable binary for their OS rather than Python scripts.

It is meant to be used internally by vendors and system integrators to identify common RTC vulnerabilities before they make it to production. Therefore, it supports the most commonly used protocols for SIP, that is, UDP, TCP, TLS and WebSockets. With WebSocket and DTLS-SRTP support, the tool can be used to test WebRTC infrastructure. Additionally, SIPVicious PRO can make and receive calls, handling SIP flows correctly. This allows a number of attacks to be reproduced on test systems. The template system allows testers to quickly modify the SIP messages sent to the target system to include custom headers and other peculiarities as needed. SIPVicious PRO is not limited to tests on SIP; it also covers other related protocols such as RTP. Finally, SIPVicious PRO makes use of our internal network library, which gives the tool speed while keeping sessions and other logical complexities in check.

Feature comparison

SIPVicious OSS SIPVicious PRO
SIP UDP support
SIP TCP support
SIP TLS support
SIP over Websockets support
SIP Enumeration
SIP online password cracking
SIP Fuzzing
SIP Digest Leak
SIP INVITE enumeration
RTP Bleed attack
SIP method enumeration