Playing with SIP, NMAP and NSE

Par malphx le mardi, août 17 2010, 19:04 - Scripting - Lien permanent

In the last Honeynet Project's Forensic Challenge (FC4), one question (Section 1, question 2) caught my attention.
It was about the possibility that the given log file could have been generated using a "simple" Nmap UDP scan.
In the challenge, the answer was : No.
Because a "simple" Nmap's UDP scan uses UDP packets without any payload and thus could not generate valid SIP requests.
But, Nmap offers a powerful scripting engine: Nmap Scripting Engine or NSE.

With NSE it is possible to interact with the targetted host using simple to complex communication exchanges.

After having read the NSE part of the Nmap book, I decided to give a try at NSE.
My first NSE script (modestly) behaves like the SIPvicious tool: svmap.py.

This script, named sip-map.nse tries to find valid SIP server by sending a SIP OPTIONS request using the UDP protocol.

Usage:

# Without version (User-Agent) information
sudo nmap -sU -p U:5060 --script sip-map.nse 
# With version information
sudo nmap -sU -p U:5060 -sV --script sip-map.nse

Output:

Interesting ports on X.X.X.X:
PORT     STATE SERVICE VERSION
5060/udp open  sip     Asterisk PBX 1.6.0.26-FONCORE-r78
|_ sip-map: SIP 2.0 compliant device detected

sip-map.nse is the first script from a series of scripts I wish to write.
These scripts will be about SIP scanning with a behaviour close to the SIPvicious tools but using Nmap.

You can download it here: sip-map.nse

Feel free to leave a comment !

malphx://blog

Playing with SIP, NMAP and NSE

Commentaires

Ajouter un commentaire

La discussion continue ailleurs

Recherche

Catégories

Tags

Export en PDF

S'abonner