Bluebox-ng is a GPL VoIP/UC vulnerability scanner written using Node.js powers. "Our 2 cents" to improve security practices in these environments and to make the Node world still more awesome. ;)

• GitHub repo: https://github.com/jesusprubio/bluebox-ng
• IRC(Freenode): #breakingVoIP

• Auto VoIP/UC penetration test
• Report generation
• Performance
• RFC compliant
• SIP TLS and IPv6 support
• SIP over websockets (and WSS) support (RFC 7118)
• SHODAN, exploitsearch.net and Google Dorks
• SIP common security tools (scan, extension/password bruteforce, etc.)
• Authentication and extension brute-forcing through different types of SIP requests
• SIP Torture (RFC 4475) partial support
• SIP SQLi check
• SIP denial of service (DoS) testing
• Web management panels discovery
• Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
• Some common network tools: whois, ping (also TCP), traceroute, etc.
• Dumb fuzzing
• Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
• Automatic vulnerability searching (CVE, OSVDB, NVD)
• VirusTotal IP, URL and domain
• Geolocation
• Colored output
• Command completion
• Cross-platform support

Dependencies. It should work in all systems which support Node:

• Node.js: http://nodejs.org/.
• A comfortable way to keep your Node version updated is to use the official binary distributions: https://github.com/nodesource/distributions
• These scripts don't work in Kali GNU/Linux (nodesource/distributions#28 (comment)), so we've implemented one which also installs Bluebox-ng. Yoy can use it using the next command: curl -sL https://raw.githubusercontent.com/jesusprubio/bluebox-ng/master/artifacts/installScripts/kali.sh | sudo bash -
• Nmap (only for "nmapScan" module): http://nmap.org/

npm i -g bluebox-ng

NOTE: It takes a while because we're using a lot of official modules (Mongo, LDAP, etc.) which need to compile some stuff.

npm update -g bluebox-ng

• Console client: bluebox-ng
• As a library:

var Bluebox = require('bluebox-ng'),

    options       = {},
    bluebox       = new Bluebox(options),
    moduleOptions = {
        target : '188.87.148.41'
    };

bluebox.runModule('geoLocate', moduleOptions, function (err, result) {
    if (err) {
        console.log('ERROR:');
        console.log(err);
    } else {
        console.log('RESULT:');
        console.log(result);
    }
});

• Please use GitHub web (https://github.com/jesusprubio/bluebox-ng/issues). If you have doubts playing with the software label the issue as "question".

• To add a module you only have to add one file with the code which implements the new features. I suggest to copy the most similar one and start to write code from there. If you needed a new parser/printer feel free to also change the code in the "utils" folder.
• To contribute we use GitHub pull requests.
• Only include external tools written in Node.js. I know we're using Nmap, it's an exception because we still not have a serious replacement for it.
• Never call a module from another, use a Grunt task to automate things (ie: "auto" module).
• Styleguide:
• Always use camelCase, never underscores
• Use soft-tabs with a four space indent
• Follow the style of the actual modules

• Jesús Pérez

• @jesusprubio

• jesusprubio gmail com

• http://jesusprubio.name/

• Sergio García

• @s3rgiogr

• s3rgio.gr gmail com

https://github.com/jesusprubio/bluebox-ng/graphs/contributors

• Jose Luis Verdeguer (@pepeluxx), my mate playing with VoIP security related stuff.
• Damián Franco (@pamojarpan), help during first steps.
• Quobis, some hours of work through personal projects program.
• Antón Román (@antonroman), my SIP mentor.
• Sandro Gauci (@sandrogauci), SIPVicious was my inspiration.
• Kamailio community (@kamailioproject), my favourite SIP Server.
• David Endler and Mark Collier (@markcollier46), the authors of "Hacking VoIP Exposed" book.
• John Matherly (@achillean) for the SHODAN API and GHDB.
• Tom Steele (@_tomsteele) and the rest of exploitsearch.net team.
• VirusTotal friends.
• sha0coder, we use the word lists included in "node-dirscan" project.
• All developers who have written the Node.js modules used in the project.
• All VoIP, free software and security hackers that I read everyday.
• My friend Carlos Pérez, the logo designer.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.