Nmap Development mailing list archives
Re: Service Detection: SIP end point
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 20 Mar 2008 23:21:14 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 20 Mar 2008 18:10:42 -0500 Tom Sellers <nmap () fadedcode net> wrote:
> I have attached a patch below that detects a generic SIP end point. There are several match lines in the service-probes file for SIP end points, but each seems to be for a specific device. None of these detected the SIP service on the Cisco devices in the environment I was testing in. None of the SIP responses provided by the devices returned information that would seem to allow the fingerprinting of a specific SIP implementation on Cisco gear as opposed to any other device.
>
> The attached patch adds a match line that detects a standard SIP response to the nmap SIPOptions probe. In its current state, the match line should capture a standard SIP response and return the service identity as well as placing the status in the info field. I hope this isn't too much information. On standard ports the information field will say "Status: 200 OK" which might not be that helpful. When the port is not in an OK state the output would be more useful, such as "Status: 503 Service Unavailable" or "Status: 600 Busy Everywhere".
>
> According to the following link, the match line should work on all standard implementations: http://en.wikipedia.org/wiki/SIP_Responses
>
> Tom Sellers
Hey Tom,

This is good work. The issue though with match lines that are too generic is that they will prevent more accurate service fingerprints from ever being printed or submitted. The line could probably be better suited as a softmatch like so:

softmatch sip m|^SIP/2\.0 ([-\w\s.]+)\r\n| i/SIP end point; Status: $1/

Can you give that a whirl and report back if you see any issue with it?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD4DBQFH4vFrqaGPzAsl94IRApWLAJdQgYBnM0Q+jWpRa8Nyh8UjDSo6AKDIRAkn
Fr2Z9qAN6u54BNTWB2wN6w==
=nzQA
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
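The match versus softmatch trade-off discussed in this message, as an added example that is not part of the original thread or of Nmap's code. It is a simplified model of how service detection walks the directives; the hard-match form of the generic line (the attached patch is not shown here), the ExamplePBX line and the sample responses are assumptions constructed for illustration.

```python
import re

# Subset of nmap-service-probes syntax used in this thread:
#   (match|softmatch) <service> m|<regex>| [i/<info>/]
DIRECTIVE = re.compile(r"^(match|softmatch) (\S+) m\|(.*)\|(?: i/(.*)/)?$")

SOFT = r"softmatch sip m|^SIP/2\.0 ([-\w\s.]+)\r\n| i/SIP end point; Status: $1/"
# Assumption: the same pattern written as a hard match.
GENERIC = SOFT.replace("softmatch", "match", 1)
# Hypothetical device-specific line for a made-up product.
SPECIFIC = r"match sip m|^SIP/2\.0 [^\r]+\r\nServer: ExamplePBX/([\d.]+)\r\n| i/ExamplePBX $1/"

# Constructed sample responses to the SIPOptions probe.
PBX = "SIP/2.0 200 OK\r\nServer: ExamplePBX/1.2\r\nContent-Length: 0\r\n\r\n"
BUSY = "SIP/2.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"

def parse(line):
    kind, service, pattern, info = DIRECTIVE.match(line).groups()
    return kind, service, re.compile(pattern), info

def substitute(template, m):
    # Expand $1..$9 in the i/.../ field from the regex capture groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)

def detect(lines, response):
    """Return (service, info, is_hard).

    A hard match ends detection immediately. A softmatch only records the
    service and keeps looking for a hard match on that same service.
    is_hard == False means the service is still open to a better fingerprint.
    """
    soft = None
    for kind, service, rx, info in map(parse, lines):
        if soft and service != soft[0]:
            continue  # after a softmatch, only lines for that service apply
        m = rx.search(response)
        if not m:
            continue
        hit = (service, substitute(info, m) if info else None)
        if kind == "match":
            return hit + (True,)
        soft = soft or hit
    return (soft or (None, None)) + (False,)

if __name__ == "__main__":
    print(detect([GENERIC, SPECIFIC], PBX))   # generic hard match shadows the specific line
    print(detect([SOFT, SPECIFIC], PBX))      # softmatch lets the specific line win
    print(detect([SOFT, SPECIFIC], BUSY))     # no specific line fits: soft result only
```
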
Current thread:
- Service Detection: SIP end point Tom Sellers (Mar 20)
- Re: Service Detection: SIP end point Brandon Enright (Mar 20)
- Re: Service Detection: SIP end point Tom Sellers (Mar 20)
- Re: Service Detection: SIP end point (1 match, 2 softmatch) Tom Sellers (Mar 21)
- Re: Service Detection: SIP end point Brandon Enright (Mar 20)