Re: SIP version detection script

[Patrik Karlsson <patrik () cqure net>]

On 26 nov 2009, at 02.54, David Fifield wrote:

> On Wed, Nov 25, 2009 at 05:48:41PM +0100, Patrik Karlsson wrote:
> > On 25 nov 2009, at 17.41, Matt Selsky wrote:
> > > On Nov 25, 2009, at 4:51 AM, Patrik Karlsson wrote:
> > >
> > > > I applied your patch and it worked correctly against my Asterisk boxes. I added a match for them in the submitted 
> > > > patch. They didn't match any of the softmatch rules as Asterisk returns it's server information in the User-Agent 
> > > > header, rather than the Server header. However, the patch did not work against my OpenSer SIP proxy. I'm running: 
> > > > OpenSER SIP Server 1.3.2-tls (x86_64/linux)
> > > >
> > > > When looking at the tcpdump I noticed something that I previously missed. The server is actually answering with a 
> > > > response that should match. However, it's sending it's response back to the client using 5060/udp as destination. 
> > > > I didn't have this problem with my SIP version script and was able to narrow it down to the rport attribute of the 
> > > > Via header. I have modified your probe so it sends this as well and it works as expected against my boxes now.
> > > >
> > > > Here's how the Asterisk info looks, incase you need to improve my match:
> > > >
> > > > SF-Port5060-UDP:V=5.00%I=7%D=11/25%Time=4B0CF293%P=i686-redhat-linux-gnu%r
> > > > SF:(SIPOptions,16A,"SIP/2\.0\x20200\x20OK\r\nVia:\x20SIP/2\.0/UDP\x20nm;br
> > > > SF:anch=foo;received=192\.168\.56\.4\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nT
> > > > SF:o:\x20<sip:nm2@nm2>;tag=as3f61201f\r\nCall-ID:\x2050000\r\nCSeq:\x2042\
> > > > SF:x20OPTIONS\r\nUser-Agent:\x20Asterisk\x20PBX\r\nAllow:\x20INVITE,\x20AC
> > > > SF:K,\x20CANCEL,\x20OPTIONS,\x20BYE,\x20REFER,\x20SUBSCRIBE,\x20NOTIFY,\x2
> > > > SF:0INFO\r\nSupported:\x20replaces\r\nContact:\x20<sip:192\.168\.56\.4>\r\
> > > > SF:nAccept:\x20application/sdp\r\nContent-Length:\x200\r\n\r\n");
> > >
> > > Good work on the "rport" option.
> > >
> > > I updated the Asterisk match line to look for \r\n since I still
> > > want to catch the case where Asterisk returns a version number too.
> > > I added some of the TCP match lines that I could test like OpenSER,
> > > SER, OpenSIPS, and SIP Router.  Can you try this updated version of
> > > my patch?
> >
> >
> > Looking good!
> >
> > Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-25 17:47 CET
> >
> > Interesting ports on sip.testpbx.lo (192.168.56.4):
> > PORT     STATE SERVICE   VERSION
> > 5060/udp open  sip-proxy Asterisk PBX
> >
> > Interesting ports on 192.168.56.3:
> > PORT     STATE SERVICE   VERSION
> > 5060/udp open  sip-proxy OpenSER SIP Server 1.3.2-tls (x86_64/linux)
> >
> > Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> > Nmap done: 2 IP addresses (2 hosts up) scanned in 7.92 seconds
>
> This patch is looking great and I have committed it in r16209. I have
> one question--is it worth adding "sslports 5061" to the TCP SIPOptions
> probe? Does someone have that set up so they can test it?
>
> David Fifield

I tested adding the sslports 5061 to the probe. It got me the same results but in a third of the time it took without 
it.

//
Patrik

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/