Pentesting framework using Node.js powers. Specially focused in VoIP/UC.
JavaScript HTML Shell


Black Hat Arsenal Continuos integration NSP Status

npm info

Pentesting framework using Node.js powers, no external dependencies. Specially focused in VoIP/UC.


  • Auto VoIP/UC penetration test
  • Report generation
  • Performance
  • RFC compliant
  • SIP TLS and IPv6 support
  • SIP over websockets (and WSS) support (RFC 7118)
  • SHODAN, and Google Dorks
  • SIP common security tools (scan, extension/password bruteforce, etc.)
  • Authentication and extension brute-forcing through different types of SIP requests
  • SIP Torture (RFC 4475) partial support
  • SIP SQLi check
  • SIP denial of service (DoS) testing
  • Web management panels discovery
  • DNS brute-force, zone transfer, etc.
  • Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
  • Some common network tools: whois, ping (also TCP), traceroute, etc.
  • Asterisk AMI post-explotation
  • Dumb fuzzing
  • Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
  • Automatic vulnerability searching (CVE, OSVDB, NVD)
  • Geolocation
  • Command completion
  • Cross-platform support


  • Install the last Node.js stable version.

  • Get a copy of the code and install Node dependencies.

npm i -g bluebox-ng

 Kali GNU/Linux

  • curl -sL | sudo bash -



A pentesting environment.


To start the console client.



To run it from other Node code.

const BlueboxCli = require('bluebox-ng').Cli;

const cli = new BlueboxCli();

console.log('Modules info:');
console.log(JSON.stringify(, null, 2));'geolocation', { rhost: '' })
.then(res => {
.catch(err => {

New modules

You can add your own features to this environment following this tips:

  • Add a new module inside bin/lib/modules.
  • Use the most similar one as boilerplate.
  • The methods included in the next section will help you.
  • New ones can call another modules (the run method is always a promise).
  • Now it should appear in the pentesting environment.


You can also use externally the methods used in the modules as any other Node library:

const bluebox = require('bluebox-ng');

.then(res => {
.catch(err => {
  • Full API documentation here.

Developer guide


We still don't have a proper Docker setup. So, for now, the test have to be run locally. Please check its code before it, they often need a valid target service.

./node_modules/.bin/tap test/wifi
node test/wifi/*
./node_modules/.bin/tap test/wifi/scanAps.js
node test/wifi/scanAps.js


  • We use ESLint and Airbnb style guide.
  • Please run to be sure your code fits with it and the tests keep passing:
npm test

Commit messages rules

  • It should be formed by a one-line subject, followed by one line of white space. Followed by one or more descriptive paragraphs, each separated by one line of white space. All of them finished by a dot.
  • If it fixes an issue, it should include a reference to the issue ID in the first line of the commit.
  • It should provide enough information for a reviewer to understand the changes and their relation to the rest of the code.


We use the visionmedia module, so you have to use this environment variable:

DEBUG=bluebox* npm start
DEBUG=bluebox-ng:Cli* npm start


 Thanks to


This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see