Re: SIP version detection script

[Matt Selsky <selsky () columbia edu>]

On Nov 23, 2009, at 6:49 AM, Patrik Karlsson wrote:

> It probably should, and maybe even 5061/tcp (SIP over TLS)?! However, as I started fixing the script I noticed I got 
> some strange answers back, like the version being written twice. I then ran tcpdump and found that Nmap is already 
> probing 5060/tcp. Greping for a pattern in this packet revealed:
>
> [root@localhost ~]# grep -r "nm@nm" /usr/share/nmap/
> /usr/share/nmap/nmap-service-probes:Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP 
> nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 
> OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n|
>
> So, you tell me, should I be running the script against these TCP ports as well? Why doesn't the nmap-service-probes 
> contain the same SIP probes for UDP?

Is there any way to say that all "match" lines for "Probe TCP SIPOptions" are also valid for "Probe UDP SIPOptions" 
without having to copy and paste?


-- 
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/