
SVMap Usage

Pinaki Mondal edited this page May 8, 2020 · 5 revisions

How to use svmap

Svmap is a free and open source scanner that identifies SIP devices and PBX servers on a target network. It can also be helpful for systems administrators when used as a network inventory tool. Svmap was designed to be faster than the competition by specifically targeting SIP over UDP.

Svmap can:

  • identify SIP devices and PBX servers on default and non-default ports
  • scan large ranges of networks
  • scan a single host on several ports to look for a SIP service on that host, or scan multiple hosts on multiple ports
  • take previous scan results as input, allowing you to only scan known hosts running SIP
  • use different scanning methods (make use of REGISTER instead of OPTIONS request)
  • get all the phones on a network to ring at the same time (using INVITE as method)
  • randomly scan internet ranges
  • resume previous scans

svmap usage

Usage: sipvicious_svmap [options] host1 host2 hostrange
Scans for SIP devices on a given network

examples:

sipvicious_svmap 10.0.0.1-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/24 1.1.1.1-20 1.1.2-20.* 4.1.*.*
sipvicious_svmap -s session1 --randomize 10.0.0.1/8
sipvicious_svmap --resume session1 -v
sipvicious_svmap -p5060-5062 10.0.0.3-20 -m INVITE



Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                        -p5060,5061,8000-8100
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        This option allows you to throttle the speed at which
                        packets are sent. Change this if you're losing
                        packets. For example try 0.5.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  -A, --autogetip       Automatically get the current IP address. This is
                        useful when you are not getting any responses back due
                        to SIPVicious not resolving your local IP.
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatible
  --randomscan          Scan random IP addresses
  -i scan1, --input=scan1
                        Scan IPs which were found in a previous scan. Pass the
                        session name as the argument
  -I scan1, --inputtext=scan1
                        Scan IPs from a text file - use the same syntax as
                        command line but with new lines instead of commas.
                        Pass the file name as the argument
  -m METHOD, --method=METHOD
                        Specify the request method - by default this is
                        OPTIONS.
  -d, --debug           Print SIP messages received
  --first=FIRST         Only send the first given number of messages (i.e.
                        usually used to scan only X IPs)
  -e EXTENSION, --extension=EXTENSION
                        Specify an extension - by default this is not set
  --randomize           Randomize scanning instead of scanning consecutive ip
                        addresses
  --srv                 Scan the SRV records for SIP on the destination domain
                        name. The targets have to be domain names - example.org
                        domain1.com
  --fromname=FROMNAME   specify a name for the from header
  -6, --ipv6            scan an IPv6 address

Target IP addresses

To specify a range of IP addresses, one can make use of CIDR notation. For example, to scan the 1.1.1.0/24 subnet one would run the following command:

./svmap 1.1.1.1/24

You can also specify a name instead of an IP address:

./svmap sipvicious.org

... and also use CIDR notation with the name:

./svmap sipvicious.org/24

Scanning only the first 20 IPs:

./svmap --first 20 sipvicious.org/24

Another way of specifying a custom range is to make use of "-", for example:

./svmap 1.1.1.50-1.1.1.60

Or you could use a shorter method:

./svmap 1.1.1.1-20

You could also use a wildcard:

./svmap 1.1.*.*

And finally, one can combine any of these methods:

./svmap 1.1.1.1-20 1.1.2.* sipvicious.org/24

If you would like to randomly scan internet ranges, the syntax is:

./svmap --randomscan

If, however, you would like to scan a given range in random order:

./svmap --randomize sipvicious.org/24

Scanning an IPv6 address requires the -6 flag:

./svmap -6 fe80::6ca6:57ff:fecf:a43f
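The notations above differ widely in how many addresses they cover (a /8 is over 16 million), so it helps to size a target and compare it with the authorized ranges before running a scan. The following is an added example, not SIPVicious code: the names target_bounds and in_scope are hypothetical, the notation is interpreted from the examples on this page, names must be resolved to addresses first, and the count is the size of the range as written.

```python
import ipaddress
import re
from math import prod

IPv4 = ipaddress.IPv4Address
FULL_RANGE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
OCTET = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")


def _octet(part):
    """Return (low, high) for one octet written as N, N-M or *."""
    if part == "*":
        return 0, 255
    m = OCTET.fullmatch(part)
    if not m:
        raise ValueError(f"unsupported octet {part!r}")
    low = int(m.group(1))
    high = int(m.group(2) or m.group(1))
    if not low <= high <= 255:
        raise ValueError(f"octet out of range: {part!r}")
    return low, high


def target_bounds(spec):
    """Return (first, last, count) for one IPv4 target written as on this page."""
    if "/" in spec:  # CIDR; host bits may be set, as in 1.1.1.1/24
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address, net.num_addresses
    m = FULL_RANGE.fullmatch(spec)
    if m:  # full dash range: 1.1.1.50-1.1.1.60
        first, last = IPv4(m.group(1)), IPv4(m.group(2))
        if first > last:
            raise ValueError(f"range runs backwards: {spec!r}")
        return first, last, int(last) - int(first) + 1
    parts = spec.split(".")  # per-octet forms: 1.1.1.1-20, 1.1.2-20.*, 1.1.*.*
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 target (resolve names first): {spec!r}")
    spans = [_octet(p) for p in parts]
    first = IPv4(".".join(str(low) for low, _ in spans))
    last = IPv4(".".join(str(high) for _, high in spans))
    return first, last, prod(high - low + 1 for low, high in spans)


def in_scope(spec, allowed):
    """True when the whole target lies inside one of the allowed networks."""
    first, last, _ = target_bounds(spec)
    nets = [ipaddress.IPv4Network(n) for n in allowed]
    return any(first in net and last in net for net in nets)
```

Because every address in a target lies between its first and last address, checking those two bounds against a single allowed network is sufficient; a target that spans two adjacent allowed networks is reported as out of scope and has to be split.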

Options

Save

The save option allows users to store the current session properties to a database. You can then make use of svreport to manage the sessions and export to other formats. Refer to the SVReport Usage page for this.

Example:

./svmap -s session1 1.0.0.1/8

This also serves the purpose of being compatible with the input and resume options.

Resume

Resumes a previously incomplete session. To list sessions make use of ./svreport.py list. When a session is saved, svmap will periodically save the current state and also save the state upon exit.

./svmap --resume session1

Input

The input option accepts previous sessions as input. Make use of svreport to list previous scans. It serves the purpose of being able to scan specific devices on specific ports. This allows security testers to scan the same devices at different times using different methods.

One particular usage example is to scan for SIP devices using default options. Then at a given time scan for the SIP devices found in the previous scan using the INVITE method, which can get all the scanned devices to ring at the same time.

./svmap -i session1 -v

Random Scan

The --randomscan option scans internet ranges for SIP devices. It avoids non-routable (internal and reserved) IP addresses.

./svmap --randomscan

Randomize Scan

The --randomize option randomizes the given ranges of IPs instead of scanning sequentially.

./svmap 1.0.0.1/24 --randomize

Destination port

By default, most SIP devices listen on UDP port 5060. However, some SIP phones might listen on a high port. For example, X-lite is known to listen on "random" high ports. In that case, you can use ranges of ports to find the port on which the SIP device is listening.

./svmap -p5061,5080-5090 10.0.0.1-2

Source port

By default, svmap listens on UDP port 5060. However, there are times when that port is already taken and svmap cannot bind to the default port. When this is the case, SIPVicious tools will listen on the next available port. If you wish to choose the port yourself, use the -P option to specify another UDP port to bind to.

./svmap -P5666 10.0.0.1

Timeout or Select time

This option allows you to specify the timeout for the select() function. If the network is slow, then it is recommended that you set this to something higher than the default. The default is 0.005. Try with 0.01 first, and start increasing.

./svmap -t 0.1 1.1.1.1

Compact mode

SIP supports compact mode, where some headers can be written in short form. By default this is disabled because some devices might not support it.

./svmap -c 101.10.1.1
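Compact mode matters on the receiving side as well: a log parser or detection rule that matches only long header names such as "From:" or "Call-ID:" will not see those fields in a compact request. The following is an added example, not SIPVicious code, that expands the compact forms defined in RFC 3261 before inspection; the names parse_sip and header are hypothetical and the sample message is constructed.

```python
# Compact header forms from RFC 3261, keyed by their one-letter short form.
COMPACT = {
    "i": "Call-ID", "m": "Contact", "e": "Content-Encoding",
    "l": "Content-Length", "c": "Content-Type", "f": "From",
    "s": "Subject", "k": "Supported", "t": "To", "v": "Via",
}

# Constructed sample: an OPTIONS request written with compact headers.
SAMPLE = b"\r\n".join([
    b"OPTIONS sip:100@192.0.2.10 SIP/2.0",
    b"v: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-0001;rport",
    b'f: "probe" <sip:100@198.51.100.7>;tag=abc',
    b't: "probe" <sip:100@198.51.100.7>',
    b"i: 0123456789",
    b"CSeq: 1 OPTIONS",
    b"m: <sip:100@198.51.100.7:5060>",
    b"Max-Forwards: 70",
    b"l: 0",
]) + b"\r\n\r\n"


def parse_sip(raw):
    """Return (start_line, [(name, value)], body) with compact names expanded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip it
        name = name.strip()
        headers.append((COMPACT.get(name.lower(), name), value.strip()))
    return lines[0], headers, body


def header(headers, name):
    """First value of a header, matched case-insensitively; None if absent."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None
```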

Method

By default, svmap uses the OPTIONS method. However, some devices might not support this method (even though they should). You may specify a different method to scan with, such as REGISTER or INVITE. Note that INVITE can be noisy and generate a "ring" at the other end. For a list of methods, consult the relevant RFCs or the Wikipedia page.

./svmap -m INVITE 1.1.1.1

External IP

This option allows you to specify the external IP address which is used in the SIP request itself.

./svmap -x 88.11.1.1 1.1.1.1

Binding IP

This option allows you to specify the IP to bind to.

./svmap -b 127.0.0.1 127.0.0.1

Verbose

The verbose option gives you more information. If you need to view all debug information, specify -vv instead of -v.

./svmap -vv 1.1.1.1

Quiet

Quiet mode does not print anything except critical errors. Be sure to save to a session if you still want to view the results later on.

./svmap -q 10.1.1.1

Report Back

This option allows the end user to send a bug report to the author.

./svmap -R 1.1.1.1

SRV Records

This option allows you to identify and scan using SRV records. Use the --srv switch to activate this mode.

./svmap --srv sipvicious.org

From Name

This option allows you to use a specific name/address in the From header when crafting a SIP message.

./svmap --fromname s1p-h4x0r 10.0.0.1

Further examples

Scan a subnet with verbose mode:

./svmap 10.0.0.1/24 -v

Scan a subnet running compact mode on port range 1024-2080:

./svmap 10.0.0.1/24 -p1024-2080 -c

Scan a subnet and save the results to a session named "scan1":

./svmap -s scan1 10.0.0.1/24

Scan a list of previously scanned hosts and make use of the INVITE method:

./svmap -i scan1 -m INVITE
