Nmap Development mailing list archives

Re: SIP version detection script


From: Matt Selsky <selsky () columbia edu>
Date: Tue, 24 Nov 2009 08:58:31 -0500


On Nov 23, 2009, at 6:49 AM, Patrik Karlsson wrote:


On 23 nov 2009, at 06.17, Matt Selsky wrote:

On Nov 22, 2009, at 1:09 PM, Patrik Karlsson wrote:

I just finished my first nmap script with some great help from Ron Bowes. 
Like the e-mail subject states it does version detection for the SIP protocol.
I've done some basic testing and it looks as if it does what it's intended to.

Here's some sample output:

Interesting ports on 192.168.56.3:
PORT     STATE         SERVICE VERSION
5060/udp open|filtered sip     Asterisk PBX

Interesting ports on 192.168.56.4:
PORT     STATE         SERVICE VERSION
5060/udp open|filtered sip     3CXPhoneSystem 8.0.9844.0

Bug reports or comments and suggestions on things that could be done better/differently are most welcome.

Any reason not to run this script on 5060/tcp as well?


-- 
Matt

It probably should, and maybe even 5061/tcp (SIP over TLS)?! However, as I started fixing the script I noticed I got 
some strange answers back, like the version being written twice. I then ran tcpdump and found that Nmap is already 
probing 5060/tcp. Grepping for a pattern in this packet revealed:

[root@localhost ~]# grep -r "nm@nm" /usr/share/nmap/
/usr/share/nmap/nmap-service-probes:Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP 
nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 
OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n|

So, you tell me, should I be running the script against these TCP ports as well? Why doesn't the nmap-service-probes 
contain the same SIP probes for UDP?

Because when I originally wrote the SIP OPTIONS probe, I only had access to a tcp SIP server (5060/udp was firewalled)? 
 :-)

Since you have access to a 5060/udp SIP server, can you try adding a udp version of the same/similar probe to 
nmap-service-probes?


-- 
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
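The SIP OPTIONS exchange the thread is about, as an added example that is not part of the thread, the script or Nmap: it builds the same request as the quoted SIPOptions probe for either transport, renders it as a Probe line in nmap-service-probes syntax (the UDP variant Matt asks for), and pulls the product string out of a reply's Server or User-Agent header, which is where the "Asterisk PBX" and "3CXPhoneSystem 8.0.9844.0" values in the sample output come from. The function names, the sample replies and the send helper are assumptions of this example; the nm/nm2 placeholder addresses are kept from the quoted probe.

```python
import socket

# Headers copied from the SIPOptions probe quoted above; only the Via transport token differs.
def sip_options_request(transport: str) -> bytes:
    transport = transport.upper()
    lines = [
        "OPTIONS sip:nm SIP/2.0",
        f"Via: SIP/2.0/{transport} nm;branch=foo",
        "From: <sip:nm@nm>;tag=root",
        "To: <sip:nm2@nm2>",
        "Call-ID: 50000",
        "CSeq: 42 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "Contact: <sip:nm@nm>",
        "Accept: application/sdp",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def probe_line(transport: str) -> str:
    """Render the request as an nmap-service-probes 'Probe' line, CRLF escaped as in the file."""
    body = sip_options_request(transport).decode().replace("\r\n", "\\r\\n")
    return f"Probe {transport.upper()} SIPOptions q|{body}|"

def parse_version(response: bytes):
    """Product string from the first Server or User-Agent header of a SIP reply, else None."""
    head = response.decode("latin-1").split("\r\n\r\n", 1)[0]
    if not head.startswith("SIP/2.0 "):
        return None
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "user-agent"):
            return value.strip()
    return None

def send_probe(host: str, port: int = 5060, transport: str = "UDP", timeout: float = 3.0):
    """Send one OPTIONS request to a PBX you administer; None on timeout or no version header."""
    kind = socket.SOCK_DGRAM if transport.upper() == "UDP" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.sendall(sip_options_request(transport))
        try:
            return parse_version(s.recv(4096))
        except socket.timeout:
            return None

# Constructed sample replies modelled on the two hosts in the quoted scan output (assumed, not captured).
ASTERISK_REPLY = b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP nm;branch=foo\r\nServer: Asterisk PBX\r\nContent-Length: 0\r\n\r\n"
THREECX_REPLY = b"SIP/2.0 200 OK\r\nUser-Agent: 3CXPhoneSystem 8.0.9844.0\r\nContent-Length: 0\r\n\r\n"
```

probe_line("TCP") reproduces the grep hit above byte for byte, so the same call with "UDP" gives the line to add to nmap-service-probes; the doubled version Patrik saw is what you get when both the built-in probe and the script report the same header.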

