Nmap Development mailing list archives

Re: SIP version detection script


From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 24 Nov 2009 16:09:12 +0100


On 24 nov 2009, at 14.58, Matt Selsky wrote:


On Nov 23, 2009, at 6:49 AM, Patrik Karlsson wrote:


On 23 nov 2009, at 06.17, Matt Selsky wrote:

On Nov 22, 2009, at 1:09 PM, Patrik Karlsson wrote:

I just finished my first nmap script with some great help from Ron Bowes. 
Like the e-mail subject states it does version detection for the SIP protocol.
I've done some basic testing and it looks as if it does what it's intended to.

Here's some sample output:

Interesting ports on 192.168.56.3:
PORT     STATE         SERVICE VERSION
5060/udp open|filtered sip     Asterisk PBX

Interesting ports on 192.168.56.4:
PORT     STATE         SERVICE VERSION
5060/udp open|filtered sip     3CXPhoneSystem 8.0.9844.0

Bug reports or comments and suggestions on things that could be done better/differently are most welcome.

Any reason not to run this script on 5060/tcp as well?


-- 
Matt

It probably should, and maybe even 5061/tcp (SIP over TLS)?! However, as I started fixing the script I noticed I got some strange answers back, like the version being written twice. I then ran tcpdump and found that Nmap is already probing 5060/tcp. Grepping for a pattern in this packet revealed:

[root@localhost ~]# grep -r "nm@nm" /usr/share/nmap/
/usr/share/nmap/nmap-service-probes:Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n|

So, you tell me, should I be running the script against these TCP ports as well? Why doesn't the nmap-service-probes 
contain the same SIP probes for UDP?

Because when I originally wrote the SIP OPTIONS probe, I only had access to a tcp SIP server (5060/udp was 
firewalled)?  :-)

Since you have access to a 5060/udp SIP server, can you try adding a udp version of the same/similar probe to 
nmap-service-probes?


-- 
Matt

I ran the exact same probe by simply changing the TCP to UDP in nmap-service-probes. I have attached the responses I 
received. Both contain version information but were not matched. I guess there's more to it than just switching the 
protocol in the probe?

SIP/2.0 476 Unresolvable destination (476/TM)
Via: SIP/2.0/TCP nm;branch=foo;received=192.168.56.4
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>;tag=fa997f81440371de71ab448ebdb9af56-fe3b
Call-ID: 50000
CSeq: 42 OPTIONS
Server: OpenSER (1.3.2-tls (x86_64/linux))
Content-Length: 0

SIP/2.0 200 OK
Via: SIP/2.0/TCP nm;branch=foo;received=127.0.0.1
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>;tag=as70b83097
Call-ID: 50000
CSeq: 42 OPTIONS
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact: <sip:127.0.0.1>
Accept: application/sdp
Content-Length: 0

//Patrik
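The two responses Patrik pasted both carry the product string a version match would key on, but in different headers (OpenSER in Server:, Asterisk in User-Agent:), and both echo the probe's Via: SIP/2.0/TCP even though the probe went out over UDP. The following is an added example, not part of the thread and not Nmap's or the NSE script's own code: it rebuilds the quoted SIPOptions probe with the Via transport as a parameter, parses the two captured responses, and pulls out the status and product fields. The response texts are copied from the thread with CRLF line endings restored; the function names are this example's own.

```python
"""Parse SIP OPTIONS responses and extract the fields a version-detection
match would rely on (status line, Server / User-Agent, Via transport).
Added example: not part of the nmap-dev thread, not Nmap's own code."""
import re

# Responses as pasted in the thread (constructed here with CRLF restored).
OPENSER_RESPONSE = (
    "SIP/2.0 476 Unresolvable destination (476/TM)\r\n"
    "Via: SIP/2.0/TCP nm;branch=foo;received=192.168.56.4\r\n"
    "From: <sip:nm@nm>;tag=root\r\n"
    "To: <sip:nm2@nm2>;tag=fa997f81440371de71ab448ebdb9af56-fe3b\r\n"
    "Call-ID: 50000\r\n"
    "CSeq: 42 OPTIONS\r\n"
    "Server: OpenSER (1.3.2-tls (x86_64/linux))\r\n"
    "Content-Length: 0\r\n\r\n"
)

ASTERISK_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP nm;branch=foo;received=127.0.0.1\r\n"
    "From: <sip:nm@nm>;tag=root\r\n"
    "To: <sip:nm2@nm2>;tag=as70b83097\r\n"
    "Call-ID: 50000\r\n"
    "CSeq: 42 OPTIONS\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    "Supported: replaces\r\n"
    "Contact: <sip:127.0.0.1>\r\n"
    "Accept: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)


def build_options_probe(transport="TCP"):
    """The SIPOptions probe text quoted from nmap-service-probes, with the
    Via transport token made a parameter (the quoted probe hard-codes TCP)."""
    return (
        "OPTIONS sip:nm SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} nm;branch=foo\r\n"
        "From: <sip:nm@nm>;tag=root\r\n"
        "To: <sip:nm2@nm2>\r\n"
        "Call-ID: 50000\r\n"
        "CSeq: 42 OPTIONS\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n"
        "Contact: <sip:nm@nm>\r\n"
        "Accept: application/sdp\r\n\r\n"
    )


STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def parse_sip_response(raw):
    """Split a SIP response into status code, reason phrase and a header map
    (header names lower-cased; repeated headers kept in order). Accepts CRLF
    or bare LF so text pasted into a mail still parses."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not a SIP response status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; any body is ignored here
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": int(m.group(1)), "reason": m.group(2), "headers": headers}


def sip_product(parsed):
    """Product string a version match would report: Server: first, then
    User-Agent: (OpenSER answers with Server, Asterisk with User-Agent)."""
    for name in ("server", "user-agent"):
        if name in parsed["headers"]:
            return parsed["headers"][name][0]
    return None


def via_transport(parsed):
    """Transport token echoed in the top Via header, e.g. 'TCP' or 'UDP'."""
    via = parsed["headers"].get("via")
    if not via:
        return None
    return via[0].split()[0].rsplit("/", 1)[-1]


if __name__ == "__main__":
    for raw in (OPENSER_RESPONSE, ASTERISK_RESPONSE):
        p = parse_sip_response(raw)
        print(p["status"], p["reason"], "|", sip_product(p), "| via", via_transport(p))
```

Running the block prints the status, product and echoed Via transport for both responses; note that both report TCP in Via, which is the transport the quoted probe names regardless of the socket it is sent on.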


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/