-
Notifications
You must be signed in to change notification settings - Fork 159
SVWar Usage
svwar is a free SIP PBX extension line scanner. In concept it works similar to traditional wardialers by guessing a range of extensions or a given list of extensions.
svwar can:
- identify extensions on PBXs and through SIP proxies
- Scan for large ranges of numeric extensions
- Scan for extensions using a file containing a list of possible extension names
- Use different SIP request methods for scanning since not all PBX servers behave the same
- resume previous scans
Usage: ./svwar [options] target
examples:
./svwar -e100-999 10.0.0.1
./svwar -d dictionary.txt 10.0.0.2
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Increase verbosity
-q, --quiet Quiet mode
-p PORT, --port=PORT Destination port or port ranges of the SIP device - eg
-p5060,5061,8000-8100
-P PORT, --localport=PORT
Source port for our packets
-x IP, --externalip=IP
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
-b BINDINGIP, --bindingip=BINDINGIP
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
-t SELECTTIME, --timeout=SELECTTIME
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
-R, --reportback Send the author an exception traceback. Currently
sends the command line parameters and the traceback
-A, --autogetip Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
-s NAME, --save=NAME save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
--resume=NAME resume a previous scan
-c, --enablecompact enable compact mode. Makes packets smaller but
possibly less compatible
-d DICTIONARY, --dictionary=DICTIONARY
specify a dictionary file with possible extension
names
-m OPTIONS, --method=OPTIONS
specify a request method. The default is REGISTER.
Other possible methods are OPTIONS and INVITE
-e RANGE, --extensions=RANGE
specify an extension or extension range example: -e
100-999,1000-1500,9999
-z PADDING, --zeropadding=PADDING
the number of zeros used to padd the username.
the options "-e 1-9999 -z 4" would give 0001 0002 0003
... 9999
--force Force scan, ignoring initial sanity checks.
-T TEMPLATE, --template=TEMPLATE
A format string which allows us to specify a template
for the extensions example
svwar.py -e 1-999 --template="123%#04i999" would scan
between 1230001999 to 1230999999"
-D, --enabledefaults Scan for default / typical extensions such as
1000,2000,3000 ... 1100, etc. This option is off by
default. Use --enabledefaults to
enable this functionality
--maximumtime=MAXIMUMTIME
Maximum time in seconds to keep sending requests
without receiving a response
back
--domain=DOMAIN force a specific domain name for the SIP message, eg.
-d example.org
--debug Print SIP messages received
-6 scan an IPv6 address
svwar requires the user to pass a target, which can either be an ip address or a destination hostname.
./svwar 10.0.0.1
To specify a hostname instead of the IP:
./svwar siphost.com
To specify an IPv6 address instead, use the -6 option:
./svwar -6 fe80::6ca6:57ff:fecf:a43f
The save option allows users to store the current session properties to a database. You can then make use of svreport to manage the sessions and export to other formats. Refer to SvreportUsage page for this.
Example
./svwar -s session1 10.0.0.1
This also serves the purpose of being compatible with the input and resume options.
Resumes a previously incomplete session. To list sessions make use of "svreport.py list". When a session is saved, svwar will periodically save the current state and also save the state upon exit.
Example
./svwar --resume session1
By default, most SIP devices listen on the udp port 5060. However some SIP phones might listen on a high port. Make use of svmap to scan for ports which speak SIP on a target address. You can then pass the non-standard port to svwar by specifying "-p" option.
Example
./svwar -p5061 10.0.0.1
This option allows you to specify the timeout for the select() function. If the network is slow, then it is recommended that you set this to something higher than the default. The default is 0.005. Try with 0.01 first, and start increasing.
Example
./svwar -t 0.1 10.0.0.1
SIP supports compact mode, where some headers can be written in short form. By default this is disabled because some devices might not support it.
Example
./svwar -c 10.0.0.1
By default, war uses the REGISTER method. However some devices might not reveal existing extensions through this method. You may specify a different method to scan with, such as OPTIONS and INVITE. Note that INVITE can be noisy and generate a "ring" at the other end. For a list of method consult with the relevant RFCs or the wikipedia page.
Example
./svwar -m INVITE 10.0.0.1
The verbose gives you more info. If you need to view all debug information, then specify -vv instead of -v.
Example
./svwar -vv 10.0.0.1
Quiet mode does not print anything except for critical errors. Be sure to save to a session if you want to still view the results later on.
Example
./svwar -q 10.0.0.1
This option allows the end user to send a bug report to the author
Example
./svwar -R 10.0.0.1 -s test
Svwar does a sanity check before it starts scanning, to make sure that a PBX server is really listening at the target. This option overrides the sanity check.
Example
./svwar --force 10.0.0.1
By default svwar will try to guess numeric ranges between 100 and 999. You can specify the ranges by making use of the following format: start-end,start2-end2,start3-end3,...
Example
./svwar -e 1-99,1000-9999,150-200 1.0.0.1
When making use of the extension range mode, possible extension numbers can be padded with a given number of zeros. For example, with options -z4, when trying extension number 1 the extension would be 0001.
Example
./svwar -z4 -e1-9999 10.0.0.1
Dictionary refers to a text file with a list of possible extension names. This allows for alphanumeric PBX extensions.
Example
./svwar -d dictionary.txt 10.0.0.1
The following is an example of the contents of a dictionary file:
user1
user2
user3
Please refer to the SecLists repository for freely available dictionary files.
This mode helps in enabling the scanning of default extensions like 100, 1000, etc. To activate simply pass the -D or the --enabledefaults switch.
Example
./svwar -D 10.0.0.1
This argument specifies the maximum time to keep sending requests until a response is received. The value supplied to it must be in seconds.
Example
./svwar --maximumtime 2 10.0.0.1
This switch helps in the assigning of a domain name forcefully for the SIP message.
./svwar --domain siphost.com 10.0.0.1
Scan from 00000 to 99999 using padding, and save the session to 'session1':
./svwar -s session1 -e0-99999 -z5 10.0.0.1
Scanning for extensions using a dictionary file with verbose enabled:
./svwar -d dictionary.txt 10.0.0.1 -v
Last edited by @0xInfection - 2021/06/01
- Home - Welcome to the wiki!
- Introduction:
- Basics - Setting up dependencies & sipvicious.
- Toolset - Know the tools within the toolset.
- Getting Started - Running the tools you just installed.
- Manual usage:
-
svmapUsage - Usingsvmap. -
svwarUsage - Usingsvwar. -
svcrackUsage - Usingsvcrack. -
svreportUsage - Usingsvreport. -
svcrashFAQs - Solving queries aboutsvcrash. - Other FAQs - Answers to your common questions.
-
- Automation - Automated testing and integration with CI/CD pipelines.
- Development:
- Changelog - Tracking changes through the development.
- Others:
- Media Mentions - Media mentions about sipvicious.