Re: SIP version detection script

[Patrik Karlsson <patrik () cqure net>]

On 25 nov 2009, at 09.01, Matt Selsky wrote:

> On Nov 24, 2009, at 6:13 PM, Patrik Karlsson wrote:
>
> > Thanks for the explanation. It turned out that there's no need for that dynamic stuff to be in there in order to 
> > trigger a response, at least not for the equipment I tested it against using the static probe already in nmap. I did 
> > a quick test against UDP using the static probe and got answers back that seemed equivalent to those recieved over 
> > TCP. For some reason they failed to match any of the existing lines though?
>
> Patrik,
>
> Do you have any examples of the output you did get?
>
> I added a UDP probe was able to detect the SIP Express Router and SIP Router software running on sip.iptel.org:
>
> # nmap -sT -sV -sU -p 5060 sip.iptel.org
>
> Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-25 02:50 EST
> Interesting ports on sip.iptel.org (213.192.59.75):
> PORT     STATE SERVICE   VERSION
> 5060/tcp open  sip-proxy SIP Router 2.99.99-pre3 (i386/linux)
> 5060/udp open  sip-proxy SIP Router 2.99.99-pre3 (i386/linux)
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds
>
> # nmap -sT -sV -sU -p 5060 sip.iptel.org
>
> Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-25 02:51 EST
> Interesting ports on sip.iptel.org (213.192.59.75):
> PORT     STATE SERVICE   VERSION
> 5060/tcp open  sip-proxy SIP Express Router 2.1.0-dev23-make (i386/linux)
> 5060/udp open  sip-proxy SIP Router 2.99.99-pre3 (i386/linux)
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 8.39 seconds
>
> Let me know what you get against your server.
>
>
> -- 
> Matt
>
> <sip.patch>
Hi Matt,

I applied your patch and it worked correctly against my Asterisk boxes. I added a match for them in the submitted 
patch. They didn't match any of the softmatch rules as Asterisk returns it's server information in the User-Agent 
header, rather than the Server header. However, the patch did not work against my OpenSer SIP proxy. I'm running: 
OpenSER SIP Server 1.3.2-tls (x86_64/linux)

When looking at the tcpdump I noticed something that I previously missed. The server is actually answering with a 
response that should match. However, it's sending it's response back to the client using 5060/udp as destination. I 
didn't have this problem with my SIP version script and was able to narrow it down to the rport attribute of the Via 
header. I have modified your probe so it sends this as well and it works as expected against my boxes now.

Here's how the Asterisk info looks, incase you need to improve my match:

SF-Port5060-UDP:V=5.00%I=7%D=11/25%Time=4B0CF293%P=i686-redhat-linux-gnu%r
SF:(SIPOptions,16A,"SIP/2\.0\x20200\x20OK\r\nVia:\x20SIP/2\.0/UDP\x20nm;br
SF:anch=foo;received=192\.168\.56\.4\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nT
SF:o:\x20<sip:nm2@nm2>;tag=as3f61201f\r\nCall-ID:\x2050000\r\nCSeq:\x2042\
SF:x20OPTIONS\r\nUser-Agent:\x20Asterisk\x20PBX\r\nAllow:\x20INVITE,\x20AC
SF:K,\x20CANCEL,\x20OPTIONS,\x20BYE,\x20REFER,\x20SUBSCRIBE,\x20NOTIFY,\x2
SF:0INFO\r\nSupported:\x20replaces\r\nContact:\x20<sip:192\.168\.56\.4>\r\
SF:nAccept:\x20application/sdp\r\nContent-Length:\x200\r\n\r\n");

--
Patrik

Attachment: sip.rport.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/