Re: [NSE] sip-extensions.nse

[David Fifield <david () bamsoftware com>]

On Sun, Jul 15, 2012 at 12:07:23AM +0100, Hani Benhabiles wrote:
> On 07/14/2012 10:38 PM, Aleksandar Nikolic wrote:
> > On Sat, Jul 14, 2012 at 11:26 PM, Hani Benhabiles <kroosec () gmail com> wrote:
> > > On 07/04/2012 12:45 PM, David Fifield wrote:
> > > > On Sat, Jun 30, 2012 at 11:14:41AM +0100, Hani Benhabiles wrote:
> > > > > On 06/29/2012 09:07 PM, Patrik Karlsson wrote:
> > > > > > There seems to be some overlap here with sip-enum-users?
> > > > > > Or am I missing something?
> > > > > Hi Patrik,
> > > > >
> > > > > SIP servers in the wild use usually either usernames or numbers as
> > > > > extensions. The later seems to be more common as I came across it
> > > > > more often and given how many testing tools and suites (i.e
> > > > > sipvicious, metasploit aux etc...) focus on scanning ranges of
> > > > > numbers (with things such as padding 0's) rather than on usernames
> > > > > from a dictionnary list. I believe having two separates scripts that
> > > > > do simple and effective work depending on the situation is better
> > > > > than one bloated script with many options and requiring the user to
> > > > > supply many script-arguments.
> > > > I disagree with this thought. There should not be two scripts with two
> > > > implementations of what is basically the same function.
> > > >
> > > > Both scripts should be the same script and should probably use the brute
> > > > library. A custom user name iterator can handle creating all the numeric
> > > > extensions. There are not many name in usernames.lst, so checking them
> > > > in addition to extensions will not be much more cost.
> > > >
> > > > David Fifield
> > > Hi,
> > >
> > > I am attaching an overhauled version (renamed to sip-enum-extensions). The
> > > script now is ported to brute.lua and also allows iterating over users list
> > > (from usernames.lst or one provided by the user).
>
> Thanks for the quick input!
>
> No, it doesn't iterate over passwords from default list, just
> repeating the same password value as username.
> As an example, if I provide as script arguments, minext=1, maxext=3
> and users=1 (later means, use usernames.lst), the script will try
> these combinations:
>
> username    password
>     1                    1
>     2                    2
>     3                    3
>    root               root
>    admin           admin
>     ...                    ...
>
> Obviously, the script is using the usernames values only. This is
> due to brute.useraspass's default value being true. But you have a
> good point, though. In case default values for brute.lua are changed
> (either in the library, or as user set arguments for other brute
> scripts), this may end up adding iterating over default passwords.
> So, for precaution, I am changing the script to using the password
> values, setPasswordIterator and brute.options.passonly to true.

This looks pretty good to me. But what about combining this with the
sip-enum-users script? If I understand correctly, they are making the
same probes, except that one is using numeric-looking things and the
other is using user name–looking things. Why not just concat_iterators
and handle both in one script? Adding 1000 extensions (by default) to
the beginning of the user name list is no big deal.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/