Re: SIP version detection script

[Patrik Karlsson <patrik () cqure net>]

On 23 nov 2009, at 06.17, Matt Selsky wrote:

> On Nov 22, 2009, at 1:09 PM, Patrik Karlsson wrote:
>
> > I just finished my first nmap script with some great help from Ron Bowes. 
> > Like the e-mail subject states it does version detection for the SIP protocol.
> > I've done some basic testing and it looks as if it does what it't intended to.
> >
> > Here's some sample output:
> >
> > Interesting ports on 192.168.56.3:
> > PORT     STATE         SERVICE VERSION
> > 5060/udp open|filtered sip     Asterisk PBX
> >
> > Interesting ports on 192.168.56.4:
> > PORT     STATE         SERVICE VERSION
> > 5060/udp open|filtered sip     3CXPhoneSystem 8.0.9844.0
> >
> > Bug reports or comments and suggestions on things that could be done better/differently are most welcome.
>
> Any reason not to run this script on 5060/tcp as well?
>
>
> -- 
> Matt

It probably should, and maybe even 5061/tcp (SIP over TLS)?! However, as I started fixing the script I noticed I got 
some strange answers back, like the version being written twice. I then ran tcpdump and found that Nmap is already 
probing 5060/tcp. Greping for a pattern in this packet revealed:

[root@localhost ~]# grep -r "nm@nm" /usr/share/nmap/
/usr/share/nmap/nmap-service-probes:Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP 
nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 
70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n|

So, you tell me, should I be running the script against these TCP ports as well? Why doesn't the nmap-service-probes 
contain the same SIP probes for UDP?

// Patrik

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/