Skip to content

sfewer-r7/sip-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
run.rb
run.rb
 
 
test.rb
test.rb
 
 

Repository files navigation

SIP Proxy

A SIP/RTP proxy for testing and auditing SIP infrastructure. It proxies SIP signaling and media traffic, extracts SRTP key material from SDP, verifies SRTP key exposure by attempting to decrypt SRTP payloads, and writes everything to PCAP files for offline analysis in Wireshark.

This tool is intended for authorized security testing only, where the consent of all participating parties has been obtained.

What It Does

  • Proxies SIP signaling (INVITE, REGISTER, BYE, etc.) over UDP
  • Proxies RTP/SRTP media streams between endpoints
  • Extracts SRTP keys from SDP a=crypto lines and decrypts SRTP to RTP. This demonstrates the need to use a more secure key exchange mechanism such as DTLS-SRTP or ZRTP.
  • Generates per-call PCAP files with both SIP traffic and RTP traffic
  • Writes a debug.pcap of all proxied SIP traffic
  • Logs all SIP messages to a configurable log file

Usage

Requirements: Ruby (no external gems required).

ruby run.rb --local-ip <IP> [--local-port <PORT>] [--external-ip <IP>] [--stun-server <HOST[:PORT]>] [--log-file <PATH>]
Option Required Default Description
--local-ip Yes -- IP address to bind the proxy to
--local-port No 5060 UDP port to listen on
--external-ip No auto-detected Public IP for NAT traversal (auto-discovered via STUN if local IP is private)
--stun-server No stun.l.google.com STUN server for external IP discovery (host or host:port)
--log-file No -- Path to the SIP message log file

When the proxy is behind NAT (i.e. --local-ip is a private RFC 1918 address), it needs to know its public IP so that remote SIP peers can route signaling back through it. The proxy handles this automatically:

  • If --local-ip is private and no --external-ip is given, the proxy sends a STUN Binding Request (RFC 5389) to discover its public IP at startup.
  • If --external-ip is provided, that value is used directly and STUN is skipped.
  • If --local-ip is already a public address, no NAT traversal is needed.
  • If STUN discovery fails, the proxy warns and continues without NAT traversal.

You can specify a custom STUN server with --stun-server, e.g. --stun-server stun.sipgate.net:3478.

Point a SIP device at this proxy's IP and port as its outbound proxy. SIP messages will appear in the log and in debug.pcap. Calls that negotiate media will produce individual PCAP files named call_<hash>.pcap containing the SIP traffic and RTP traffic. Open these in Wireshark to analyze the stream and verify plaintext recovery.

Limitations

  • UDP only -- TCP and TLS transports are not supported.
  • SIP signaling is processed sequentially -- not designed for high-volume use.
  • SRTP decryption supports AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32 only.

License

BSD 3-Clause. See LICENSE.md.

About

A SIP/RTP proxy for testing and auditing SIP infrastructure

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages