jesusprubio / Bluebox Ng
Licence: mit
Pentesting framework using Node.js powers, focused in VoIP.
Stars: ✭ 255
Programming Languages
javascript
184084 projects - #8 most used programming language
Projects that are alternatives of or similar to Bluebox Ng
kamailioexamples
configurations for voip solution architectures and usecases involving SIP servers
Stars: ✭ 59 (-76.86%)
Mutual labels: voip
WireBug
WireBug is a toolset for Voice-over-IP penetration testing
Stars: ✭ 142 (-44.31%)
Mutual labels: voip
Deep-Inside
Command line tool that allows you to explore IoT devices by using Shodan API.
Stars: ✭ 22 (-91.37%)
Mutual labels: shodan
univoice
Voice chat/VoIP solution for unity. P2P implementation included.
Stars: ✭ 192 (-24.71%)
Mutual labels: voip
ShonyDanza
A customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.
Stars: ✭ 86 (-66.27%)
Mutual labels: shodan
thelordseye
thelordseye searches and returns detailed information about devices that are directly connected to the internet [IoT] (Smart TV's, Fridges, Webcams, Traffic Lights etc).
Stars: ✭ 30 (-88.24%)
Mutual labels: shodan
mongodb-scraper
Scraps for publicly accessible MongoDB instances and dumps user passwords
Stars: ✭ 33 (-87.06%)
Mutual labels: shodan
netsploit
📡 A security research tool with shodan integration
Stars: ✭ 25 (-90.2%)
Mutual labels: shodan
AmiClient
Modern .NET Standard client for accessing the Asterisk AMI protocol using async/await and Reactive Extensions (Rx)
Stars: ✭ 30 (-88.24%)
Mutual labels: voip
linphone-xamarin
Linphone.org mirror for linphone-xamarin (git://git.linphone.org/linphone-xamarin.git)
Stars: ✭ 23 (-90.98%)
Mutual labels: voip
Shodan-RPi
A simple SSH bruteforce script targeting (not necessarily) Raspbian devices.
Stars: ✭ 13 (-94.9%)
Mutual labels: shodan
Bluebox-ng
Pentesting framework using Node.js powers. Focused in VoIP.
DISCLAIMER: Pointing this tool at other people's servers is NOT legal in most countries.
- Auto VoIP/UC penetration test
- Report generation
- Performance
- RFC compliant
- SIP TLS and IPv6 support
- SIP over websockets (and WSS) support (RFC 7118)
- SHODAN, exploitsearch.net and Google Dorks
- SIP common security tools (scan, extension/password bruteforce, etc.)
- Authentication and extension brute-forcing through different types of SIP requests
- SIP Torture (RFC 4475) partial support
- SIP SQLi check
- SIP denial of service (DoS) testing
- Web management panels discovery
- DNS brute-force, zone transfer, etc.
- Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
- Some common network tools: whois, ping (also TCP), traceroute, etc.
- Asterisk AMI post-explotation
- Dumb fuzzing
- Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
- Automatic vulnerability searching (CVE, OSVDB, NVD)
- Geolocation
- Command completion
- Cross-platform support
Install
- Install Node.js: https://nodejs.org/download
npm i -g bluebox-ng
Kali GNU/Linux
curl -sL https://raw.githubusercontent.com/jesusprubio/bluebox-ng/master/artifacts/installScripts/kali2.sh | sudo bash -
Use
Console
To start the console client.
bluebox-ng
Programatically
To run it from other Node code.
const Bluebox = require('bluebox-ng');
const box = new Bluebox();
box.run('gather/network/geo', { rhost: '8.8.8.8' })
.then(res => {
console.log('Result:');
console.log(res);
})
.catch(err => {
console.log('Error:');
console.log(err);
});
Developer guide
- Use GitHub pull requests.
Environment
- Get a copy of the code and install the dependencies.
git clone https://github.com/jesusprubio/bluebox-ng
cd bluebox-ng
npm i # or use yarn
Debug
We use the visionmedia module, so you have to use this environment variable:
DEBUG=bluebox-ng* npm start
New modules
You can add your own features to this environment following this tips:
- Add a new file inside
/modules
and it should appear in the pentesting environment. - Use the most similar among the actual ones as boilerplate.
Tests
We still don't have a proper Docker setup. So, for now, the test have to be run locally. Please check its code before it, they often need a valid target service.
./node_modules/.bin/tap test/wifi
node test/wifi/*
./node_modules/.bin/tap test/wifi/scanAps.js
node test/wifi/scanAps.js
Conventions
- We use ESLint and Airbnb style guide.
- Please run to be sure your code fits with it and the tests keep passing:
npm run posttest
Commit messages rules
- It should be formed by a one-line subject, followed by one line of white space. Followed by one or more descriptive paragraphs, each separated by one line of white space. All of them finished by a dot.
- If it fixes an issue, it should include a reference to the issue ID in the first line of the commit.
- It should provide enough information for a reviewer to understand the changes and their relation to the rest of the code.
Contributors
Thanks to
- Our mentors: @antonroman, @sandrogauci (SIPVicious was our inspiration), @pepeluxx, @markcollier46 ("Hacking VoIP Exposed").
- Quobis, some hours of work through personal projects program.
- Kamailio community (@kamailioproject), our favourite SIP Server.
- Tom Steele (@_tomsteele) and the rest of exploitsearch.net team.
- All developers who have written the Node.js modules used in the project.
- All VoIP, free software and security hackers that we read everyday.
- Our friend Carlos Pérez, the logo designer.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].