-
Notifications
You must be signed in to change notification settings - Fork 157
SVCrack Usage
SVCrack is another tool of the sipvicious toolset which allows you to crack the password for a specific username/extension on a PBX.
examples:
sipvicious_svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080
sipvicious_svcrack -u100 -r1-9999 -z4 10.0.0.1
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Increase verbosity
-q, --quiet Quiet mode
-p PORT, --port=PORT Destination port or port ranges of the SIP device - eg
-p5060,5061,8000-8100
-P PORT, --localport=PORT
Source port for our packets
-x IP, --externalip=IP
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
-b BINDINGIP, --bindingip=BINDINGIP
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
-t SELECTTIME, --timeout=SELECTTIME
This option allows you to throttle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
-R, --reportback Send the author an exception traceback. Currently
sends the command line parameters and the traceback
-A, --autogetip Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
-s NAME, --save=NAME save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
--resume=NAME resume a previous scan
-c, --enablecompact enable compact mode. Makes packets smaller but
possibly less compatible
-u USERNAME, --username=USERNAME
username to try crack
-d DICTIONARY, --dictionary=DICTIONARY
specify a dictionary file with passwords or - for stdin
-r RANGE, --range=RANGE
specify a range of numbers. example:
100-200,300-310,400
-e EXTENSION, --extension=EXTENSION
Extension to crack. Only specify this when the
extension is different from the username.
-z PADDING, --zeropadding=PADDING
the number of zeros used to padd the password.
the options "-r 1-9999 -z 4" would give 0001 0002 0003
... 9999
-n, --reusenonce Reuse nonce. Some SIP devices don't mind you reusing
the nonce (making them vulnerable to replay attacks).
Speeds up the cracking.
-T TEMPLATE, --template=TEMPLATE
A format string which allows us to specify a template
for the extensions example
svwar.py -e 1-999 --template="123%#04i999" would scan
between 1230001999 to 1230999999"
--maximumtime=MAXIMUMTIME
Maximum time in seconds to keep sending requests
without receiving a response back
-D, --enabledefaults Scan for default / typical passwords such as
1000,2000,3000 ... 1100, etc. This option is off by
default. Use --enabledefaults to
enable this functionality
--domain=DOMAIN force a specific domain name for the SIP message, eg.
-d example.org
--requesturi=REQUESTURI
force the first line URI to a specific value; e.g.
sip:999@example.org
-6 scan an IPv6 address
-m METHOD, --method=METHOD
svcrack
requires the user to pass a target as well as an username to crack. The target can be specified in form of a full URL format, i.e. udp://<host>:<port>
. By default it will use guess passwords as numbers but additional options are available which can further help you.
Example:
./svcrack 10.0.0.1 -u 100
./svcrack udp://10.0.0.1:5080 -u 100
To specify a hostname instead of the IP:
./svcrack siphost.com -u 100
To use a IPv6 address as a target, specify the -6
switch:
./svcrack -6 fe80::6ca6:57ff:fecf:a43f -u 100
-s
allows one to save a session with all the details of the scan. You must specify a session name which has not been used previously to save a session.
Example
./svcrack -s session1 10.0.0.1 -u 100
This also serves the purpose of being compatible with the input and resume options.
Resumes a previously incomplete session. To list sessions make use of "svreport.py list". When a session is saved, svcrack will periodically save the current state and also save the state upon exit.
Example
./svcrack --resume session1 -u 100
By default, most SIP devices listen on the udp port 5060. However some SIP phones might listen on a high port. Make use of svmap to scan for ports which speak SIP on a target address. You can then pass the non-standard port to svcrack by specifying "-p" option.
Example
./svcrack -p5061 10.0.0.1 -u 100
This option allows you to specify the timeout for the select() function. If the network is slow, then it is recommended that you set this to something higher than the default. The default is 0.005. Try with 0.01 first, and start increasing.
Example
./svcrack -t 0.1 10.0.0.1 -u 100
SIP supports compact mode, where some headers can be written in short form. By default this is disabled because some devices might not support it.
Example
./svcrack -c 10.0.0.1 -u 100
By default, war uses the REGISTER method. However some devices might not reveal existing extensions through this method. You may specify a different method to scan with, such as OPTIONS and INVITE. Note that INVITE can be noisy and generate a "ring" at the other end. For a list of method consult with the relevant RFCs or the wikipedia page.
Example
./svcrack -m INVITE 10.0.0.1 -u 100
The verbose gives you more info. If you need to view all debug information, then specify -vvv instead of -v.
Example
./svcrack -vv 10.0.0.1 -u 100
Quiet mode does not print anything except for critical errors. Be sure to save to a session if you want to still view the results later on. Example
./svcrack -q 10.0.0.1 -u 100
This option allows the end user to send a bug report to the author.
Example
./svcrack -R 10.0.0.1 -s test -u 100
svcrack does a sanity check before it starts scanning, to make sure that a PBX server is really listening at the target. This option overrides the sanity check.
Example
./svcrack --force 10.0.0.1 -u 100
By default svcrack will try to guess numeric ranges between 100 and 999. You can specify the ranges by making use of the following format: start-end,start2-end2,start3-end3,...
Example
./svcrack -e 1-99,1000-9999,150-200 1.0.0.1 -u 100
When making use of the extension range mode, possible extension numbers can be padded with a given number of zeros. For example, with options -z4, when trying extension number 1 the extension would be 0001.
Example
./svcrack -z4 -e1-9999 10.0.0.1 -u 100
Dictionary refers to a text file with a list of possible passwords. You can specify - to direct svwar to take input via stdin. This allows for alphanumeric PBX extensions.
Example
./svcrack -d dictionary.txt 10.0.0.1 -u 100
The following is an example of the contents of a dictionary file:
123456
12345
123456789
password
iloveyou<3
princess
1234567
12345678
abc123
For input via STDIN:
echo '1001' | ./svcrack -d - 10.0.0.1 -u 100
Please refer to the SecLists repository for freely available dictionary files, or maskprocessor for generating combinations for possible extension names for STDIN.
Nonce reuse refers to the replay attack technique which could be used to speed up the cracking process:
./svcrack -u 100 -n 10.0.0.1
This option allows scanning for default passwords/weak passwords. Can be activated using the -D
or the --enabledefaults
switch.
./svcrack -u 100 -D 10.0.0.1
This option decides on what is the max. time to keep sending requests before a response is received.
./svcrack --maximumtime 2 -u 100 10.0.0.1
Scan from 00000 to 99999 using padding, and save the session to 'session1':
./svcrack -s session1 -e0-99999 -z5 10.0.0.1 -u 100
Last edited by @0xInfection - 2021/06/01
- Home - Welcome to the wiki!
- Introduction:
- Basics - Setting up dependencies & sipvicious.
- Toolset - Know the tools within the toolset.
- Getting Started - Running the tools you just installed.
- Manual usage:
-
svmap
Usage - Usingsvmap
. -
svwar
Usage - Usingsvwar
. -
svcrack
Usage - Usingsvcrack
. -
svreport
Usage - Usingsvreport
. -
svcrash
FAQs - Solving queries aboutsvcrash
. - Other FAQs - Answers to your common questions.
-
- Automation - Automated testing and integration with CI/CD pipelines.
- Development:
- Changelog - Tracking changes through the development.
- Others:
- Media Mentions - Media mentions about sipvicious.