Re: SIP version detection script

[David Fifield <david () bamsoftware com>]

On Wed, Nov 25, 2009 at 11:51:47AM -0500, Matt Selsky wrote:
> On Nov 23, 2009, at 6:49 AM, Patrik Karlsson wrote:
>
> > It probably should, and maybe even 5061/tcp (SIP over TLS)?! However, as I started fixing the script I noticed I 
> > got some strange answers back, like the version being written twice. I then ran tcpdump and found that Nmap is 
> > already probing 5060/tcp. Greping for a pattern in this packet revealed:
> >
> > [root@localhost ~]# grep -r "nm@nm" /usr/share/nmap/
> > /usr/share/nmap/nmap-service-probes:Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP 
> > nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 
> > OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n|
> >
> > So, you tell me, should I be running the script against these TCP ports as well? Why doesn't the 
> > nmap-service-probes contain the same SIP probes for UDP?
>
> Is there any way to say that all "match" lines for "Probe TCP SIPOptions" are also valid for "Probe UDP SIPOptions" 
> without having to copy and paste?

I tried doing it with a fallback, but fallbacks are protocol-specific so
a UDP probe can't refer to a TCP probe. Copying the tested match lines
sounds okay.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/