Automation

Since release 0.3.4, SIPVicious OSS provides a new functionality that eases the process of integration of the tool with automated testing systems and CI/CD pipelines.

All of three tools provided in the SIPVicious OSS toolset, namely svmap, svcrack and svwar standardize the following exit codes:

Code	Description
0	hakuna matata
10	command syntax or flag related errors
20	catch-all of errors
30	network connectivity problems
40	security issue detected

Each tool gives out a specific exit code from the above table after execution. 0 indicates perfect execution cycle. An exit code of 40 indicates that a security issue (username enumeration / cracked password) has been detected. Similarly, 30 indicates that the end target is probably not responding / there were network connectivity problems in between.

NOTE: As an exception svmap does not return code 40 since detecting the presence of an element that talks SIP is not deemed as a security issue.

An exemplary way in which the toolset could be integrated is as below (from examples within autotest):

do_test() {
    $2
    if [ $? -ne $1 ]; then exit 1; fi
}

# see if the demo server is responding at all
do_test 0 "sipvicious_map demo.sipvicious.pro"
# try guessing some extensions
do_test 40 "sipvicious_svwar udp://demo.sipvicious.pro:5060 -e 1000-1200"
# cracking password for user 1000
do_test 40 "sipvicious_svcrack demo.sipvicious.pro -u 1000 -r 1400-1600"

In this case, the script checks that particular vulnerabilities are detected by looking for exit code 40, to ensure that the demo server is functional. In the case of an automated system for testing an RTC product or service, it is likely that the script would be rewritten so that all tools should return exit code 0.