Nmap Development mailing list archives
Re: SIP version detection script
From: David Fifield <david () bamsoftware com>
Date: Wed, 25 Nov 2009 18:54:09 -0700
On Wed, Nov 25, 2009 at 05:48:41PM +0100, Patrik Karlsson wrote:
> On 25 nov 2009, at 17.41, Matt Selsky wrote:
>> On Nov 25, 2009, at 4:51 AM, Patrik Karlsson wrote:
>>> I applied your patch and it worked correctly against my Asterisk boxes. I added a match for them in the submitted patch. They didn't match any of the softmatch rules as Asterisk returns its server information in the User-Agent header, rather than the Server header.
>>>
>>> However, the patch did not work against my OpenSer SIP proxy. I'm running: OpenSER SIP Server 1.3.2-tls (x86_64/linux)
>>>
>>> When looking at the tcpdump I noticed something that I previously missed. The server is actually answering with a response that should match. However, it's sending its response back to the client using 5060/udp as destination. I didn't have this problem with my SIP version script and was able to narrow it down to the rport attribute of the Via header. I have modified your probe so it sends this as well and it works as expected against my boxes now.
>>>
>>> Here's how the Asterisk info looks, in case you need to improve my match:
>>>
>>> SF-Port5060-UDP:V=5.00%I=7%D=11/25%Time=4B0CF293%P=i686-redhat-linux-gnu%r
>>> SF:(SIPOptions,16A,"SIP/2\.0\x20200\x20OK\r\nVia:\x20SIP/2\.0/UDP\x20nm;br
>>> SF:anch=foo;received=192\.168\.56\.4\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nT
>>> SF:o:\x20<sip:nm2@nm2>;tag=as3f61201f\r\nCall-ID:\x2050000\r\nCSeq:\x2042\
>>> SF:x20OPTIONS\r\nUser-Agent:\x20Asterisk\x20PBX\r\nAllow:\x20INVITE,\x20AC
>>> SF:K,\x20CANCEL,\x20OPTIONS,\x20BYE,\x20REFER,\x20SUBSCRIBE,\x20NOTIFY,\x2
>>> SF:0INFO\r\nSupported:\x20replaces\r\nContact:\x20<sip:192\.168\.56\.4>\r\
>>> SF:nAccept:\x20application/sdp\r\nContent-Length:\x200\r\n\r\n");
>>
>> Good work on the "rport" option. I updated the Asterisk match line to look for \r\n since I still want to catch the case where Asterisk returns a version number too. I added some of the TCP match lines that I could test like OpenSER, SER, OpenSIPS, and SIP Router.
>>
>> Can you try this updated version of my patch?
>
> Looking good!
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-25 17:47 CET
> Interesting ports on sip.testpbx.lo (192.168.56.4):
> PORT STATE SERVICE VERSION
> 5060/udp open sip-proxy Asterisk PBX
>
> Interesting ports on 192.168.56.3:
> PORT STATE SERVICE VERSION
> 5060/udp open sip-proxy OpenSER SIP Server 1.3.2-tls (x86_64/linux)
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 2 IP addresses (2 hosts up) scanned in 7.92 seconds

This patch is looking great and I have committed it in r16209. I have one question--is it worth adding "sslports 5061" to the TCP SIPOptions probe? Does someone have that set up so they can test it?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
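The two observations in the quoted messages, as an added Python example that is not part of the original thread or of Nmap's code: where a UDP SIP server addresses its reply with and without `rport` in the Via header (RFC 3261 section 18.2.2 and RFC 3581), and why the Asterisk reply has to be identified through User-Agent rather than Server. The response is an abridged decoding of the fingerprint quoted above; the function names and the client address 192.168.56.1:40000 are constructed for illustration.

```python
import re

# Abridged decoding of the Asterisk fingerprint quoted in the thread.
ASTERISK_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP nm;branch=foo;received=192.168.56.4\r\n"
    "CSeq: 42 OPTIONS\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "Content-Length: 0\r\n\r\n"
)

def headers(message):
    """Map lower-cased header names to values (first occurrence wins)."""
    out = {}
    for line in message.split("\r\n")[1:]:   # skip the status line
        if not line:                         # blank line ends the headers
            break
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), value.strip())
    return out

def product(message):
    """Prefer the Server header; fall back to User-Agent, which Asterisk uses."""
    h = headers(message)
    return h.get("server") or h.get("user-agent")

def reply_target(via, src_ip, src_port):
    """Return (ip, port) a UDP server replies to for a request from src_ip:src_port."""
    sent_by, *params = [p.strip() for p in via.split(None, 1)[1].split(";")]
    names = {p.split("=")[0].lower() for p in params}
    if "rport" in names:
        # RFC 3581: reply to the address and port the request came from.
        return (src_ip, src_port)
    # RFC 3261 18.2.2: reply to the received address, using the port in
    # sent-by, or 5060 when sent-by carries no port.
    m = re.match(r"^(\[[^\]]+\]|[^:]+)(?::(\d+))?$", sent_by)
    port = int(m.group(2)) if m and m.group(2) else 5060
    return (src_ip, port)

if __name__ == "__main__":
    print(product(ASTERISK_RESPONSE))
    print(reply_target("SIP/2.0/UDP nm;branch=foo", "192.168.56.1", 40000))
    print(reply_target("SIP/2.0/UDP nm;branch=foo;rport", "192.168.56.1", 40000))
```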