lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 28 Oct 2008 23:33:13 +0000
From: nnp <version5@...il.com>
To: full-disclosure@...ts.grok.org.uk, voipsec@...psa.org, 
	pen-test@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Tool update: VoIPER v0.07

Figured I should, at some point, annouce to the general community that
VoIPER exists. The current version on Sourceforge is 0.07 which I
uploaded about a month ago. While it has been downloaded quite a bit I
have yet to receive any bug reports. I would imagine this is because
people are lazy rather than it being bug free so if you encounter any
issues let me know and I'll do my best to help you out. I'm quite busy
atm (which is why it hasn't been tested as extensively as I'd like)
but I'll fix any show stopping bugs if they crop up.

nnp@...per-0.07$ cat ReleaseNotes.txt
VoIPER is a security toolkit that aims to allow developers and
security researchers
to easily, extensively and automatically test VoIP devices for
security vulnerabilties.
It incorporates a fuzzing suite built on the Sulley fuzzing framework,
a SIP torturer
tool based on RFC 4475 and a variety of auxilliary modules to assist
in crash detection and
debugging. It is cross platform and usable via a command line
interface on Linux, Windows
and OS X or a GUI on Windows. The primary goal of VoIPER is to create
a toolkit with all
required testing functionality built in and to minimise the amount of
effort an auditor
has to put into testing the security of a VoIP code base.

This is a beta release and has not been tested as extensively as I
would like. That said,
it includes a number of new and useful fuzzers as well as a new SIP
backend that greatly
increases protocol compliance and the ability to traverse the state
tree of different
request types. It also means that protocol based crash detection is
much more reliable
than before. Certain clients are quite odd in how they respond to
fuzzing though (Ekiga
for example) and as a result process based crash detection is still
recommended where
possible to avoid false positives.

Also in this release it is possible to register with a server before
beginning fuzzing,
view 'voiper.config' to see how to enable this.

In this release fuzzers were added for REGISTER, NOTIFY and SUBSCRIBE
as well as new
fuzzers for CANCEL and ACK that aim to get the device into a state
where it is expecting
a CANCEL or ACK before fuzzing it.

For the moment the fuzzer incorporates tests for
 - SIP INVITE (3 different test suites)
 - SIP ACK (Dumb and 'smart' versions)
 - SIP CANCEL (Dumb and 'smart' versions)
 - SIP NOTIFY
 - SIP SUBSCRIBE
 - SIP REGISTER
 - SIP request structure
 - SDP over SIP

</snip>

See http://voiper.sourceforge.net for more project info and
http://www.unprotectedhex.com for updates etc.

-nnp

-- 
http://www.unprotectedhex.com
http://www.smashthestack.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ