Nmap Development mailing list archives
Re: SIP version detection script
From: Matt Selsky <selsky () columbia edu>
Date: Tue, 24 Nov 2009 08:58:31 -0500
On Nov 23, 2009, at 6:49 AM, Patrik Karlsson wrote:
> On 23 nov 2009, at 06.17, Matt Selsky wrote:
>> On Nov 22, 2009, at 1:09 PM, Patrik Karlsson wrote:
>>> I just finished my first nmap script with some great help from Ron Bowes.
>>> Like the e-mail subject states it does version detection for the SIP protocol.
>>> I've done some basic testing and it looks as if it does what it's intended to.
>>> Here's some sample output:
>>>
>>> Interesting ports on 192.168.56.3:
>>> PORT     STATE         SERVICE VERSION
>>> 5060/udp open|filtered sip     Asterisk PBX
>>>
>>> Interesting ports on 192.168.56.4:
>>> PORT     STATE         SERVICE VERSION
>>> 5060/udp open|filtered sip     3CXPhoneSystem 8.0.9844.0
>>>
>>> Bug reports or comments and suggestions on things that could be done
>>> better/differently are most welcome.
>>
>> Any reason not to run this script on 5060/tcp as well?
>>
>> -- Matt
>
> It probably should, and maybe even 5061/tcp (SIP over TLS)?!
> However, as I started fixing the script I noticed I got some strange answers back, like the version being written twice.
> I then ran tcpdump and found that Nmap is already probing 5060/tcp.
> Grepping for a pattern in this packet revealed:
>
> [root@localhost ~]# grep -r "nm@nm" /usr/share/nmap/
> /usr/share/nmap/nmap-service-probes:Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n|
>
> So, you tell me, should I be running the script against these TCP ports as well?
> Why doesn't the nmap-service-probes contain the same SIP probes for UDP?

Because when I originally wrote the SIP OPTIONS probe, I only had access to a tcp SIP server (5060/udp was firewalled)? :-)

Since you have access to a 5060/udp SIP server, can you try adding a udp version of the same/similar probe to nmap-service-probes?

-- Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
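The following is an added example, not code from this thread or from Nmap: it decodes the SIPOptions probe payload quoted above into wire bytes, derives a UDP variant, and extracts a product string from a reply, all offline. It assumes the only change needed for UDP is the transport token in the Via header; the function names and the sample reply are constructed for illustration.

```python
import re

# Probe payload copied from the nmap-service-probes line quoted in the thread
# (the text between "q|" and the closing "|"), escapes still literal.
TCP_PROBE_Q = (r"OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP nm;branch=foo\r\n"
               r"From: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\n"
               r"Call-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\n"
               r"Content-Length: 0\r\nContact: <sip:nm@nm>\r\n"
               r"Accept: application/sdp\r\n\r\n")

# Constructed sample reply (not captured traffic). The product string reuses
# the "Asterisk PBX" value from the sample output quoted in the thread.
SAMPLE_REPLY = (b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP nm;branch=foo\r\n"
                b"From: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>;tag=x1\r\n"
                b"Call-ID: 50000\r\nCSeq: 42 OPTIONS\r\n"
                b"Server: Asterisk PBX\r\nContent-Length: 0\r\n\r\n")

def probe_bytes(q, transport="TCP"):
    """Decode the probe's escapes and set the transport in the Via header."""
    raw = q.replace(r"\r", "\r").replace(r"\n", "\n")
    # Assumption: only the Via transport token differs between TCP and UDP.
    raw = re.sub(r"(?m)^(Via: SIP/2\.0/)\w+", r"\g<1>" + transport, raw)
    return raw.encode("ascii")

def parse_sip_response(data):
    """Return (status_code, headers) for a SIP/2.0 response, else None."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # keep the first occurrence of each header
            headers.setdefault(name.strip().lower(), value.strip())
    return int(m.group(1)), headers

def sip_version(data):
    """Product string for a version column: Server first, then User-Agent."""
    parsed = parse_sip_response(data)
    if parsed is None:
        return None
    return parsed[1].get("server") or parsed[1].get("user-agent")

if __name__ == "__main__":
    print(probe_bytes(TCP_PROBE_Q, "UDP").decode("ascii"))
    print(sip_version(SAMPLE_REPLY))
```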