Information Gathering

Bluebox-ng – Node.js VoIP Penetration Testing Framework


  • Auto VoIP/UC penetration test
  • Report generation
  • Performance
  • RFC compliant
  • SIP TLS and IPv6 support
  • SIP over websockets (and WSS) support (RFC 7118)
  • SHODAN, and Google Dorks
  • SIP common security tools (scan, extension/password bruteforce, etc.)
  • Authentication and extension brute-forcing through different types of SIP requests
  • SIP Torture (RFC 4475) partial support
  • SIP SQLi check
  • SIP denial of service (DoS) testing
  • Web management panels discovery
  • DNS brute-force, zone transfer, etc.
  • Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
  • Some common network tools: whois, ping (also TCP), traceroute, etc.
  • Asterisk AMI post-explotation
  • Dumb fuzzing
  • Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
  • Automatic vulnerability searching (CVE, OSVDB, NVD)
  • Geolocation
  • Command completion
  • Cross-platform support



npm i -g bluebox-ng


Kali GNU/Linux

  • curl -sL | sudo bash -




To start the console client.




To run it from other Node code.

const Bluebox = require('bluebox-ng');

const box = new Bluebox();'gather/network/geo', { rhost: '' })
.then(res => {
.catch(err => {



  • shodan-search: Find potential targets in SHODAN computer search engine.
  • shodan-pop: Quick access to popular SHODAN VoIP related queries.
  • *google-dorks: Find potential targets using a Google dork.
  • sip-dns: DNS SRV and NAPTR discovery.
  • sip-scan: A SIP host/port scanning tool.
  • sip-brute-ext: Try to brute-force valid extensions of the SIP server using REGISTER (CVE-2011-2536) or INVITE (no CVE, requests.
  • sip-brute-ext-nat: Try to brute-force valid extensions in Asterisk using different NAT settings (CVE-2011-4597).
  • sip-brute-pass: Try to brute-force the password for an extension.
  • sip-unauth: Try know if a SIP server allows unauthenticated calls.
  • sip-unreg: Try to unregister another endpoint.
  • sip-bye: Use BYE teardown to end an active call.
  • sip-flood: Denial of service (DoS) protection mechanism stress test.
  • dumb-fuzz: Really stupid fuzzer.
  • ami-brute: Try to brute-force valid credentials for Asterisk AMI service.
  • db-brute: Try to brute-force valid credentials for a DB (MySQL/MongoDB).
  • ssh-brute: Try to brute-force valid credentials for a SSH server.
  • sftp-brute: Try to brute-force valid credentials for a FTP/SFTP server.
  • tftp-brute: Try to brute-force a valid file for a TFTP server.
  • ldap-brute: Try to brute-force valid credentials for a LDAP/Active Directory server.
  • http-brute: Try to brute-force valid credentials for an HTTP server.
  • http-discover: Discover common web panel of a VoIP servers in a host (Dirscan-node).
  • network-scan: Host/port scanning (Evilscan).
  • shodan-host: Get indexed info of an IP address in SHODAN.
  • shodan-vulns‘: Find vulnerabilities and exploit for an specifig service version (using SHODAN API).
  • shodan-query: Use a customized SHODAN VoIP query.
  • shodan-download: Download an exploit.
  • search-vulns: Find vulnerabilities and exploit for an specifig service version (using API).
  • default-pass: Show common VoIP system default passwords.
  • geo-locate: Geolozalization (Maxmind DB).
  • get-ext-ip: Get you external IP address (

Download Bluebox-ng