Playing with SIP, NMAP and NSE
In the last Honeynet Project's Forensic Challenge (FC4), one question (Section 1, question 2) caught my attention.
It was about the possibility that the given log file could have been generated using a "simple" Nmap UDP scan.
In the challenge, the answer was no, because a "simple" Nmap UDP scan uses UDP packets without any payload and thus could not generate valid SIP requests.
But Nmap offers a powerful scripting engine: the Nmap Scripting Engine, or NSE.
This script, named sip-map.nse, tries to find valid SIP servers by sending a SIP OPTIONS request over UDP.
# Without version (User-Agent) information
sudo nmap -sU -p U:5060 --script sip-map.nse X.X.X.X
# With version information
sudo nmap -sU -p U:5060 -sV --script sip-map.nse X.X.X.X
Output:
Interesting ports on X.X.X.X:
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 126.96.36.199-FONCORE-r78
|_ sip-map: SIP 2.0 compliant device detected
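The distinction behind the challenge answer can be checked directly on captured UDP payloads. The following is an added example, not part of sip-map.nse or the challenge material: it separates an empty-payload probe from a well-formed SIP request and extracts the User-Agent. The function names and the sample datagram are constructed for illustration.

```python
import re

# Request line: Method SP Request-URI SP SIP-Version (RFC 3261)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
# Headers every request must carry, mapped to their compact form if any
MANDATORY = {"via": "v", "from": "f", "to": "t", "call-id": "i",
             "cseq": None, "max-forwards": None}

def parse_headers(lines):
    """Collect 'Name: value' pairs up to the blank line (folding ignored)."""
    headers = {}
    for line in lines:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(payload: bytes) -> dict:
    """Classify one UDP payload seen on port 5060."""
    if not payload:
        return {"kind": "empty-udp-probe"}  # payload-less probe, as in a "simple" UDP scan
    lines = payload.decode("utf-8", errors="replace").split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return {"kind": "non-sip"}
    method = match.group(1)
    headers = parse_headers(lines[1:])
    missing = sorted(h for h, short in MANDATORY.items()
                     if h not in headers and short not in headers)
    # CSeq must repeat the method from the request line, e.g. "1 OPTIONS"
    if missing or headers["cseq"].split()[-1:] != [method]:
        return {"kind": "malformed-sip", "method": method, "missing": missing}
    return {"kind": "sip-request", "method": method,
            "user_agent": headers.get("user-agent")}

# Constructed sample datagram (documentation addresses, made-up identifiers)
SAMPLE_OPTIONS = (
    b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed\r\n"
    b"Max-Forwards: 70\r\n"
    b'From: "probe" <sip:100@198.51.100.7>;tag=constructed1\r\n'
    b'To: "probe" <sip:100@198.51.100.7>\r\n'
    b"Call-ID: constructed-call-id-1\r\n"
    b"CSeq: 1 OPTIONS\r\nUser-Agent: example-scanner\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (b"", SAMPLE_OPTIONS, b"\x00\x01help"):
        print(classify(sample))
```

A log made up only of `sip-request` entries, as in the challenge, cannot come from payload-less probes. The User-Agent value is sender-controlled, so treat it as a hint rather than an identification.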
sip-map.nse is the first script from a series of scripts I wish to write.
These scripts will be about SIP scanning with a behaviour close to the SIPvicious tools but using Nmap.
You can download it here: sip-map.nse
Feel free to leave a comment!