In the last Honeynet Project's Forensic Challenge (FC4), one question (Section 1, question 2) caught my attention.
It was about the possibility that the given log file could have been generated using a "simple" Nmap UDP scan.
In the challenge, the answer was : No.
Because a "simple" Nmap's UDP scan uses UDP packets without any payload and thus could not generate valid SIP requests.
But, Nmap offers a powerful scripting engine: Nmap Scripting Engine or NSE.

With NSE it is possible to interact with the targetted host using simple to complex communication exchanges.

After having read the NSE part of the Nmap book, I decided to give a try at NSE.
My first NSE script (modestly) behaves like the SIPvicious tool: svmap.py.

This script, named sip-map.nse tries to find valid SIP server by sending a SIP OPTIONS request using the UDP protocol.


# Without version (User-Agent) information
sudo nmap -sU -p U:5060 --script sip-map.nse
# With version information
sudo nmap -sU -p U:5060 -sV --script sip-map.nse
Interesting ports on X.X.X.X:
5060/udp open sip Asterisk PBX
|_ sip-map: SIP 2.0 compliant device detected

sip-map.nse is the first script from a series of scripts I wish to write.
These scripts will be about SIP scanning with a behaviour close to the SIPvicious tools but using Nmap.

You can download it here: sip-map.nse

Feel free to leave a comment !