BlueBox-ng: Penetration Testing Framework For VoIP

Written by Mubassir patel

BlueBox-ng is a Pentesting framework using Node.js powers. Focused in VoIP.


DISCLAIMER: Pointing this tool at other people’s servers is NOT legal in most countries.

  • Auto VoIP/UC penetration test
  • Report generation
  • Performance
  • RFC compliant
  • SIP TLS and IPv6 support
  • SIP over websockets (and WSS) support (RFC 7118)
  • SHODAN, and Google Dorks
  • SIP common security tools (scan, extension/password bruteforce, etc.)
  • Authentication and extension brute-forcing through different types of SIP requests
  • SIP Torture (RFC 4475) partial support
  • SIP SQLi check
  • SIP denial of service (DoS) testing
  • Web management panels discovery
  • DNS brute-force, zone transfer, etc.
  • Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
  • Some common network tools: whois, ping (also TCP), traceroute, etc.
  • Asterisk AMI post-explotation
  • Dumb fuzzing
  • Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
  • Automatic vulnerability searching (CVE, OSVDB, NVD)
  • Geolocation
  • Command completion
  • Cross-platform support
  • Businees Voip

Install Of Bluebox-ng

npm i -g bluebox-ng

Kali GNU/Linux

  • curl -sL | sudo bash -



To start the console client.



To run it from other Node code.

const Bluebox = require('bluebox-ng');

const box = new Bluebox();'gather/network/geo', { rhost: '' })
.then(res => {
.catch(err => {

Developer guide


  • Get a copy of the code and install the dependencies.
git clone
cd bluebox-ng
npm i # or use yarn


We use the visionmedia module, so you have to use this environment variable:

DEBUG=bluebox-ng* npm start

New modules

You can add your own features to this environment following this tips:

  • Add a new file inside /modules and it should appear in the pentesting environment.
  • Use the most similar among the actual ones as boilerplate.


We still don’t have a proper Docker setup. So, for now, the test have to be run locally. Please check its code before it, they often need a valid target service.

./node_modules/.bin/tap test/wifi
node test/wifi/*
./node_modules/.bin/tap test/wifi/scanAps.js
node test/wifi/scanAps.js


  • We use ESLint and Airbnb style guide.
  • Please run to be sure your code fits with it and the tests keep passing:
npm run posttest

Commit messages rules

  • It should be formed by a one-line subject, followed by one line of white space. Followed by one or more descriptive paragraphs, each separated by one line of white space. All of them finished by a dot.
  • If it fixes an issue, it should include a reference to the issue ID in the first line of the commit.
  • It should provide enough information for a reviewer to understand the changes and their relation to the rest of the code.

About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and including all technology topic.

Leave a Comment