SIP Enumeration
> netcat (http://netcat.sourceforge.net/)
nc IP_Address Port
> sipflanker (http://code.google.com/p/sipflanker/)
python sipflanker.py 192.168.1-254
> Sipscan (http://www.hackingvoip.com/tools/sipscan.msi)
> smap
smap IP_Address/Subnet_Mask
smap -o IP_Address/Subnet_Mask
smap -l IP_Address

SIP Packet Crafting etc.
> sipsak (http://sipsak.org/)
Tracing paths: - sipsak -T -s sip:usernaem@domain
Options request:- sipsak -vv -s sip:username@domain
Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
> siprogue (http://www.hackingvoip.com/tools/sip_rogue.tar.gz)

SIP Vulnerability Scanning/ Brute Force
> tftp bruteforcer (http://www.hackingexposedcisco.com/tools/TFTP-bruteforce.tar.gz)
Default dictionary file
./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
> VoIPaudit (http://www.voipshield.com/)
> SiVuS (http://www.vopsecurity.org/)

Examine Configuration Files
> SIPDefault.cnf
> asterisk.conf
> sip.conf
> phone.conf
> sip_notify.conf
> <Ethernet address>.cfg
> 000000000000.cfg
> phone1.cfg
> sip.cfg etc. etc.