Since my last post, I finally decided to start writing a SIP library for Nmap.
This library will be minimalist and largely based on the http.lua library shipped with Nmap 5.0.

It will be used by two NSE scripts:

  • sip-extscan.nse: a script that tries to list (find) valid SIP extensions on a SIP registrar
  • sip-brute.nse: a script that tries to brute-force SIP extension passwords on a registrar
Here are the first results:
The target used for the test is a Trixbox-based host (Asterisk PBX) with four extensions:
  • 5000: protected with a good password
  • 5001: protected with a weak password
  • 5002: protected with the same weak password
  • 5003: not protected
Currently, sip-brute only tries a dictionary attack against the password, using the unpwdb library.

sudo nmap -sU -p U:5060 -T5 --script sip-map2,sip-extscan3,sip-brute2 --script-args exten_range="5000-5010"
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-23 23:20 CEST
Interesting ports on
5060/udp open sip
|_ sip-map2: SIP 2.0 device detected
| sip-extscan3:
| Unprotected Extensions
| 5003
| Protected Extensions
| 5000
| 5001
|_ 5002
| sip-brute2:
| exten: 5001 Password: 1234
|_ exten: 5002 Password: 1234

Nmap done: 1 IP address (1 host up) scanned in 107.24 seconds
It seems that the work is on the right track; however, a lot of testing must still be done.
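Seen from the registrar's side, an extension scan and a dictionary attack like the runs above leave a recognisable trace in the Asterisk log: a burst of failed REGISTER attempts from one source, either spread across many extensions (scan) or repeated against one extension (brute force). The following is an added example, not part of the original post or of the NSE scripts: it parses constructed log lines modelled on Asterisk's chan_sip "Registration from ... failed" messages and flags both patterns per source address. The thresholds and the sample addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not captured from the author's host), modelled on the
# chan_sip NOTICE messages Asterisk writes for failed REGISTER attempts.
SAMPLE_LOG = """\
[2010-08-23 23:20:01] NOTICE[1234] chan_sip.c: Registration from '"5000" <sip:5000@pbx>' failed for '10.0.0.5' - Wrong password
[2010-08-23 23:20:01] NOTICE[1234] chan_sip.c: Registration from '"5001" <sip:5001@pbx>' failed for '10.0.0.5' - Wrong password
[2010-08-23 23:20:02] NOTICE[1234] chan_sip.c: Registration from '"5002" <sip:5002@pbx>' failed for '10.0.0.5' - Wrong password
[2010-08-23 23:20:02] NOTICE[1234] chan_sip.c: Registration from '"5004" <sip:5004@pbx>' failed for '10.0.0.5' - No matching peer found
[2010-08-23 23:20:03] NOTICE[1234] chan_sip.c: Registration from '"5001" <sip:5001@pbx>' failed for '10.0.0.5' - Wrong password
[2010-08-23 23:20:03] NOTICE[1234] chan_sip.c: Registration from '"5001" <sip:5001@pbx>' failed for '10.0.0.5' - Wrong password
[2010-08-23 23:20:04] NOTICE[1234] chan_sip.c: Registration from '"5001" <sip:5001@pbx>' failed for '10.0.0.5' - Wrong password
[2010-08-23 23:20:10] NOTICE[1234] chan_sip.c: Registration from '"5003" <sip:5003@pbx>' failed for '192.168.1.20' - Wrong password
"""

# Captures the extension, the source address (port stripped if present) and the reason.
LINE_RE = re.compile(r"Registration from '\"([^\"]+)\"[^']*' failed for '([^':]+)[^']*' - (.+)$")


def parse_failures(log_text):
    """Yield (source_ip, extension, reason) for every failed REGISTER line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(2), m.group(1), m.group(3)


def classify_sources(log_text, scan_threshold=3, brute_threshold=3):
    """Per source address, return a list of flags (assumed thresholds):
    'extension_scan'  when failures touch at least scan_threshold distinct extensions,
    'password_brute:<exts>' when one extension fails at least brute_threshold times."""
    per_ext = defaultdict(lambda: defaultdict(int))
    for src, ext, _reason in parse_failures(log_text):
        per_ext[src][ext] += 1
    verdicts = {}
    for src, exts in per_ext.items():
        flags = []
        if len(exts) >= scan_threshold:
            flags.append("extension_scan")
        brute = sorted(e for e, n in exts.items() if n >= brute_threshold)
        if brute:
            flags.append("password_brute:" + ",".join(brute))
        verdicts[src] = flags
    return verdicts


if __name__ == "__main__":
    for src, flags in classify_sources(SAMPLE_LOG).items():
        print(src, flags or ["no alert"])
```

On the sample, 10.0.0.5 is flagged for both patterns (four distinct extensions, four failures on 5001), while the single failure from 192.168.1.20 raises nothing.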