Figured I should, at some point, announce to the general community that VoIPER exists. The current version on Sourceforge is 0.07, which I uploaded about a month ago. While it has been downloaded quite a bit I have yet to receive any bug reports. I would imagine this is because people are lazy rather than it being bug free, so if you encounter any issues let me know and I'll do my best to help you out. I'm quite busy atm (which is why it hasn't been tested as extensively as I'd like) but I'll fix any show stopping bugs if they crop up.

nnp@xxxxxxxxxxx$ cat ReleaseNotes.txt

VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilities. It incorporates a fuzzing suite built on the Sulley fuzzing framework, a SIP torturer tool based on RFC 4475 and a variety of auxiliary modules to assist in crash detection and debugging. It is cross platform and usable via a command line interface on Linux, Windows and OS X or a GUI on Windows. The primary goal of VoIPER is to create a toolkit with all required testing functionality built in and to minimise the amount of effort an auditor has to put into testing the security of a VoIP code base.

This is a beta release and has not been tested as extensively as I would like. That said, it includes a number of new and useful fuzzers as well as a new SIP backend that greatly increases protocol compliance and the ability to traverse the state tree of different request types. It also means that protocol based crash detection is much more reliable than before. Certain clients are quite odd in how they respond to fuzzing though (Ekiga for example) and as a result process based crash detection is still recommended where possible to avoid false positives. Also in this release it is possible to register with a server before beginning fuzzing; view 'voiper.config' to see how to enable this.

In this release fuzzers were added for REGISTER, NOTIFY and SUBSCRIBE as well as new fuzzers for CANCEL and ACK that aim to get the device into a state where it is expecting a CANCEL or ACK before fuzzing it. For the moment the fuzzer incorporates tests for

- SIP INVITE (3 different test suites)
- SIP ACK (Dumb and 'smart' versions)
- SIP CANCEL (Dumb and 'smart' versions)
- SIP NOTIFY
- SIP SUBSCRIBE
- SIP REGISTER
- SIP request structure
- SDP over SIP

</snip>

See http://voiper.sourceforge.net for more project info and http://www.unprotectedhex.com for updates etc.

-nnp

--
http://www.unprotectedhex.com
http://www.smashthestack.org