Playing with SIP, NMAP and NSE
Par malphx le mardi, août 17 2010, 19:04 - Scripting - Lien permanent
In the last Honeynet Project's Forensic Challenge (FC4), one question (Section 1, question 2) caught my attention.
It was about the possibility that the given log file could have been generated using a "simple" Nmap UDP scan.
In the challenge, the answer was : No.
Because a "simple" Nmap's UDP scan uses UDP packets without any payload and thus could not generate valid SIP requests.
But, Nmap offers a powerful scripting engine: Nmap Scripting Engine or NSE.
After having read the NSE part of the Nmap book, I decided to give a try at NSE.
My first NSE script (modestly) behaves like the SIPvicious tool: svmap.py.
This script, named sip-map.nse tries to find valid SIP server by sending a SIP OPTIONS request using the UDP protocol.
Usage:
# Without version (User-Agent) informationOutput:
sudo nmap -sU -p U:5060 --script sip-map.nse
# With version information
sudo nmap -sU -p U:5060 -sV --script sip-map.nse
Interesting ports on X.X.X.X:
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 1.6.0.26-FONCORE-r78
|_ sip-map: SIP 2.0 compliant device detected
sip-map.nse is the first script from a series of scripts I wish to write.
These scripts will be about SIP scanning with a behaviour close to the SIPvicious tools but using Nmap.
You can download it here: sip-map.nse
Feel free to leave a comment !
Commentaires