Nmap Development mailing list archives

Service Detection: SIP end point


From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 20 Mar 2008 18:10:42 -0500

I have attached a patch below that detects a generic SIP end point.
There are several match lines in the service-probes file for SIP end
points, but each seems to be for a specific device.  None of these
detected the SIP service on the Cisco devices in the environment
I was testing in.

None of the SIP responses provided by the devices returned information
that would seem to allow the fingerprinting of a specific SIP
implementation on Cisco gear as opposed to any other device.

The attached patch adds a match line that detects a standard SIP
response to the nmap SIPOptions probe.  In its current state, the
match line should capture a standard SIP response and return the service
identity as well as placing the status in the info field.

I hope this isn't too much information.  On standard ports the
information field will say "Status: 200 OK" which might not
be that helpful.  When the port is not in an OK state the output
would be more useful, such as "Status: 503 Service Unavailable"
or "Status: 600 Busy Everywhere".

According to the following link, the match line should work on
all standard implementations:

http://en.wikipedia.org/wiki/SIP_Responses


Tom Sellers

Attachment: patch_generic_SIP_endpoint


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
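
The matching behaviour described in the message above, sketched as an added example that is not part of the original post or the attached patch: it recognises a SIP/2.0 status line and puts the status in an info field. The regular expression, the function name `match_sip` and the sample banners are assumptions constructed for illustration.

```python
import re

# Assumed pattern (not the regex from the attached patch): the Status-Line of
# a SIP/2.0 response, i.e. version, three-digit code 1xx-6xx, reason phrase.
STATUS_LINE = re.compile(rb"^SIP/2\.0 ([1-6]\d\d) ([^\r\n]*)\r\n")


def match_sip(response: bytes):
    """Return service/info fields, or None when the banner is not a SIP response."""
    m = STATUS_LINE.match(response)
    if m is None:
        return None
    code = m.group(1).decode("ascii")
    # The reason phrase is free text chosen by the remote end point: decode it
    # defensively and drop non-printable characters before it reaches output.
    reason = m.group(2).decode("utf-8", "replace")
    reason = "".join(ch for ch in reason if ch.isprintable()).strip()
    return {"service": "sip", "info": f"Status: {code} {reason}".strip()}


# Constructed sample banners, not captures from real devices.
SAMPLES = {
    "ok": b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP scanner.example;branch=z9hG4bK1\r\n"
          b"Content-Length: 0\r\n\r\n",
    "unavailable": b"SIP/2.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
    "busy": b"SIP/2.0 600 Busy Everywhere\r\n\r\n",
    "empty_reason": b"SIP/2.0 180 \r\n\r\n",
    "control_bytes": b"SIP/2.0 486 Busy\x1b[2J Here\r\n\r\n",
    # A SIP request and an HTTP reply must not be reported as a SIP response.
    "sip_request": b"OPTIONS sip:nm SIP/2.0\r\nCSeq: 42 OPTIONS\r\n\r\n",
    "http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:14} -> {match_sip(banner)}")
```
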
