This repository has been archived by the owner. It is now read-only.
Pentesting framework using Node.js powers, focused in VoIP.
JavaScript HTML Shell
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Black Hat Arsenal Continuos integration NSP Status

npm info

Pentesting framework using Node.js powers. Focused in VoIP.

DISCLAIMER: Pointing this tool at other people's servers is NOT legal in most countries.

  • Auto VoIP/UC penetration test
  • Report generation
  • Performance
  • RFC compliant
  • SIP TLS and IPv6 support
  • SIP over websockets (and WSS) support (RFC 7118)
  • SHODAN, and Google Dorks
  • SIP common security tools (scan, extension/password bruteforce, etc.)
  • Authentication and extension brute-forcing through different types of SIP requests
  • SIP Torture (RFC 4475) partial support
  • SIP SQLi check
  • SIP denial of service (DoS) testing
  • Web management panels discovery
  • DNS brute-force, zone transfer, etc.
  • Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
  • Some common network tools: whois, ping (also TCP), traceroute, etc.
  • Asterisk AMI post-explotation
  • Dumb fuzzing
  • Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
  • Automatic vulnerability searching (CVE, OSVDB, NVD)
  • Geolocation
  • Command completion
  • Cross-platform support


npm i -g bluebox-ng

Kali GNU/Linux

  • curl -sL | sudo bash -



To start the console client.



To run it from other Node code.

const Bluebox = require('bluebox-ng');

const box = new Bluebox();'gather/network/geo', { rhost: '' })
.then(res => {
.catch(err => {

Developer guide


  • Get a copy of the code and install the dependencies.
git clone
cd bluebox-ng
npm i # or use yarn


We use the visionmedia module, so you have to use this environment variable:

DEBUG=bluebox-ng* npm start

New modules

You can add your own features to this environment following this tips:

  • Add a new file inside /modules and it should appear in the pentesting environment.
  • Use the most similar among the actual ones as boilerplate.


We still don't have a proper Docker setup. So, for now, the test have to be run locally. Please check its code before it, they often need a valid target service.

./node_modules/.bin/tap test/wifi
node test/wifi/*
./node_modules/.bin/tap test/wifi/scanAps.js
node test/wifi/scanAps.js


  • We use ESLint and Airbnb style guide.
  • Please run to be sure your code fits with it and the tests keep passing:
npm run posttest

Commit messages rules

  • It should be formed by a one-line subject, followed by one line of white space. Followed by one or more descriptive paragraphs, each separated by one line of white space. All of them finished by a dot.
  • If it fixes an issue, it should include a reference to the issue ID in the first line of the commit.
  • It should provide enough information for a reviewer to understand the changes and their relation to the rest of the code.


Thanks to