Re: SIP version detection script

[Patrik Karlsson <patrik () cqure net>]

On 24 nov 2009, at 23.58, Fyodor wrote:

> On Tue, Nov 24, 2009 at 09:01:36AM +0100, Patrik Karlsson wrote:
> > I have an updated script that does that and works against 5060/tcp
> > and 5061/tcp (SIP TLS).  However, as I posted earlier I realized
> > that there is a static probe in nmap-service-probes that already
> > works against 5060/tcp. So I'm guessing that same probe could be
> > sent to 5060/udp as well and make my script redundant?
>
> Hi Patrik.  Thanks for sending your SIP script, and you make a good
> point here about the existing static probe.
>
> In general, it is best to handle version detection using that
> subsystem (e.g. nmap-service-probes) rather than NSE.
> Nmap-service-probes is less powerful and flexible, but more efficient
> to execute and maintain.  But it can only handle 1 static probe and a
> regex-parseable response.  I see that your script uses a more dynamic
> probe containing the source IP address, etc.
>
> Maybe you can experiment with 5060/udp and see if you can get the same
> version information with just a version detection probe and match
> line(s) in nmap-service-probes?  Like we do for TCP.  That would be
> the ideal case.  If that cannot be done, your new SIP script is a
> great fallback option.
>
> Cheers,
> -F

Hi Fyodor,

Thanks for the explanation. It turned out that there's no need for that dynamic stuff to be in there in order to 
trigger a response, at least not for the equipment I tested it against using the static probe already in nmap. I did a 
quick test against UDP using the static probe and got answers back that seemed equivalent to those recieved over TCP. 
For some reason they failed to match any of the existing lines though?

//Patrik
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/