malphx://blog


Monday, August 23 2010

Playing with SIP, NMAP and NSE, now writing a SIP library...



Since my last post, I have finally decided to start writing a SIP library for Nmap.
This library will be minimalist and largely based on the http.lua library shipped with Nmap 5.0.


It will be used by two NSE scripts:

  • sip-extscan.nse: a script that tries to list (find) valid SIP extensions on a SIP registrar
  • sip-brute.nse: a script that tries to brute-force the passwords of SIP extensions on a registrar
Here are the first results.
The target used for the test is a Trixbox-based host (Asterisk PBX 1.6.0.26-FONCORE-r78) with four extensions:
  • 5000: protected with a good password
  • 5001: protected with a weak password
  • 5002: protected with the same weak password
  • 5003: not protected
For now, sip-brute only runs a dictionary attack against the passwords, using the unpwdb library.
sudo nmap -sU -p U:5060 -T5 --script sip-map2,sip-extscan3,sip-brute2 --script-args exten_range="5000-5010" 172.17.0.53
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-23 23:20 CEST
Interesting ports on 172.17.0.53:
PORT STATE SERVICE
5060/udp open sip
|_ sip-map2: SIP 2.0 device detected
| sip-extscan3:
| Unprotected Extensions
| 5003
| Protected Extensions
| 5000
| 5001
|_ 5002
| sip-brute2:
| exten: 5001 Password: 1234
|_ exten: 5002 Password: 1234

Nmap done: 1 IP address (1 host up) scanned in 107.24 seconds
It seems the work is heading in the right direction; however, a lot of testing remains to be done.
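From the PBX side, a scan like the one above leaves a recognisable trail in the Asterisk log: a burst of REGISTER failures for extensions that do not exist (the enumeration), then repeated wrong-password failures for one extension (the dictionary attack). The following detector is an added example, not code from the blog or its NSE scripts; the log lines are constructed to resemble the chan_sip NOTICE messages Asterisk 1.6 writes, with addresses borrowed from the test setup above.

```python
import re
from collections import defaultdict

# Asterisk 1.6 chan_sip registration-failure NOTICE, e.g. "... - Wrong password"
LINE = re.compile(
    r"Registration from '(?:\"[^\"]*\" )?<sip:(?P<exten>[^@>]+)@[^>]+>' "
    r"failed for '(?P<src>[\d.]+)' - (?P<reason>.+)$")

# Constructed sample of /var/log/asterisk/messages during such a scan
SAMPLE_LOG = """\
[Aug 23 23:20:01] NOTICE[2345] chan_sip.c: Registration from '<sip:5004@172.17.0.53>' failed for '172.17.0.1' - No matching peer found
[Aug 23 23:20:01] NOTICE[2345] chan_sip.c: Registration from '<sip:5005@172.17.0.53>' failed for '172.17.0.1' - No matching peer found
[Aug 23 23:20:02] NOTICE[2345] chan_sip.c: Registration from '<sip:5006@172.17.0.53>' failed for '172.17.0.1' - No matching peer found
[Aug 23 23:20:02] NOTICE[2345] chan_sip.c: Registration from '<sip:5007@172.17.0.53>' failed for '172.17.0.1' - No matching peer found
[Aug 23 23:20:10] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@172.17.0.53>' failed for '172.17.0.1' - Wrong password
[Aug 23 23:20:10] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@172.17.0.53>' failed for '172.17.0.1' - Wrong password
[Aug 23 23:20:11] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@172.17.0.53>' failed for '172.17.0.1' - Wrong password
[Aug 23 23:20:11] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@172.17.0.53>' failed for '172.17.0.1' - Wrong password
[Aug 23 23:21:40] NOTICE[2345] chan_sip.c: Registration from '"5001" <sip:5001@172.17.0.53>' failed for '192.168.1.20' - Wrong password
"""


def analyse(log_text, enum_threshold=4, guess_threshold=4):
    """Return {source_ip: set(findings)}.  'enumeration' = many unknown
    extensions tried from one source; 'password_guessing' = repeated wrong
    passwords for a single extension.  One typo from a real phone stays quiet."""
    unknown = defaultdict(set)                      # src -> unknown extensions
    wrong = defaultdict(lambda: defaultdict(int))   # src -> exten -> failures
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, exten, reason = m.group("src"), m.group("exten"), m.group("reason")
        if reason.startswith("No matching peer"):
            unknown[src].add(exten)
        elif reason.startswith("Wrong password"):
            wrong[src][exten] += 1
    findings = defaultdict(set)
    for src, extens in unknown.items():
        if len(extens) >= enum_threshold:
            findings[src].add("enumeration")
    for src, per_exten in wrong.items():
        if max(per_exten.values()) >= guess_threshold:
            findings[src].add("password_guessing")
    return dict(findings)
```

On the PBX itself, Asterisk's sip.conf option alwaysauthreject=yes makes the reply to an unknown extension identical to a wrong-password reply, which removes the difference an extension scanner relies on.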

Tuesday, August 17 2010

Playing with SIP, NMAP and NSE



In the Honeynet Project's latest Forensic Challenge (FC4), one question (Section 1, question 2) caught my attention.
It asked whether the given log file could have been generated by a "simple" Nmap UDP scan.
In the challenge, the answer was: no, because a "simple" Nmap UDP scan sends UDP packets without any payload and thus cannot generate valid SIP requests.
But Nmap offers a powerful scripting engine: the Nmap Scripting Engine, or NSE.

With NSE it is possible to interact with the targeted host through exchanges ranging from simple to complex.

After reading the NSE part of the Nmap book, I decided to give NSE a try.
My first NSE script (modestly) behaves like the SIPvicious tool svmap.py.

This script, named sip-map.nse, tries to find valid SIP servers by sending a SIP OPTIONS request over UDP.

Usage:

# Without version (User-Agent) information
sudo nmap -sU -p U:5060 --script sip-map.nse
# With version information
sudo nmap -sU -p U:5060 -sV --script sip-map.nse
Output:
Interesting ports on X.X.X.X:
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 1.6.0.26-FONCORE-r78
|_ sip-map: SIP 2.0 compliant device detected
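To make the two points above concrete, here is an added example (not the sip-map.nse code) in Python rather than NSE Lua: it builds the kind of OPTIONS probe the script sends, checks why an empty UDP datagram can never count as a SIP request, and parses a reply the way the script would to report a "SIP 2.0" device and its Server banner. The Call-ID, branch and the sample reply are constructed.

```python
import re

# Request line (RFC 3261): Method SP Request-URI SP SIP-Version
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:[^ ]+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261 8.1.1

def build_options(target, local, call_id="c0ffee@probe", branch="z9hG4bK1"):
    """Build an OPTIONS probe like the one sip-map sends (ids are constructed)."""
    lines = [
        "OPTIONS sip:%s SIP/2.0" % target,
        "Via: SIP/2.0/UDP %s;branch=%s" % (local, branch),
        "From: <sip:probe@%s>;tag=1" % local,
        "To: <sip:%s>" % target,
        "Call-ID: %s" % call_id,
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_headers(msg):
    """Headers of a SIP message as a dict keyed by lowercase name."""
    headers = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def is_sip_request(payload):
    """True only for a well-formed SIP request; an empty datagram, which is all
    a payload-less UDP port scan sends, can never pass this check."""
    if not payload or not REQUEST_LINE.match(payload.split("\r\n", 1)[0]):
        return False
    headers = parse_headers(payload)
    return all(h in headers for h in MANDATORY)

def parse_response(data):
    """Classify a reply as (is_sip_2_0_device, status_code, server_banner)."""
    m = STATUS_LINE.match(data.split("\r\n", 1)[0])
    if not m:
        return (False, None, None)
    headers = parse_headers(data)
    return (True, int(m.group(1)), headers.get("server") or headers.get("user-agent"))

# Constructed reply, shaped like the 200 OK an Asterisk PBX returns to OPTIONS
SAMPLE_REPLY = ("SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 172.17.0.1;branch=z9hG4bK1\r\n"
                "From: <sip:probe@172.17.0.1>;tag=1\r\nTo: <sip:172.17.0.53>;tag=as1\r\n"
                "Call-ID: c0ffee@probe\r\nCSeq: 1 OPTIONS\r\n"
                "Server: Asterisk PBX 1.6.0.26-FONCORE-r78\r\nContent-Length: 0\r\n\r\n")
```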

sip-map.nse is the first of a series of scripts I wish to write.
These scripts will be about SIP scanning, with behaviour close to the SIPvicious tools but using Nmap.

You can download it here: sip-map.nse

Feel free to leave a comment !

Sunday, July 25 2010

Honeynet Project's FC4 "VoIP": my submission

The Honeynet Project's team has published the results for the 4th Forensic Challenge 2010 VoIP.


My official results:

Thank you for participating in the 4th Honeynet Project Forensic Challenge 2010: VoIP.
Sjur, Ben, Jianwei, Roland, and Julia finished evaluating your submission. You have received a total of 62 of 63 points.
Below you will find your score per answer:

  • Answer 1.1 (1 point): 1 point
  • Answer 1.2 (1 point): 1 point
  • Answer 1.3a (1 point): 1 point
  • Answer 1.3b (1 point): 1 point
  • Answer 1.3c (2 points): 2 points
  • Answer 1.4a (2 points): 2 points
  • Answer 1.4b (6 points (2 each)): 6 points
  • Answer 1.5 (1 point): 1 point
  • Answer 1.6 (3 points): 3 points
  • Answer 1.7 (5 points): 5 points
  • Answer 1.8a (3 points): 3 points
  • Answer 1.8b (3 points): 3 points
  • Answer 2.1 (4 points): 4 points
  • Answer 2.2a (1 point): 1 point
  • Answer 2.2b (1 point): 0 points
  • Answer 2.3 (2 points): 2 points
  • Answer 2.4 (2 points): 2 points
  • Answer 2.5a (10 points): 10 points
  • Answer 2.5b (3 points): 3 points
  • Answer 2.5c (2 points): 2 points
  • Answer 2.6 (3 points): 3 points
  • Answer 3.1 (2 points): 2 points
  • Answer 3.2 (2 points): 2 points
  • Answer 3.3 (2 points): 2 points

A sample solution as well as the submissions of the winners has been posted to the challenge web page at http://honeynet.org/challenges/2010_4_voip. Sjur, Ben, Jianwei, Roland, and Julia will be summarizing highlights from various submissions in a blog post shortly.

We are still finalizing our next challenge. Please subscribe to our RSS feed or check our web sites for announcements.

For this 4th challenge, we received a total of 21 submissions. With your score of 62, you came into position 1. Congratulations!!!!

You can find my submission for FC4 on the Honeynet Project's site. For this one, I used a great visualization tool named Picviz, written by Sébastien Tricaud from the French Chapter.
You should read his paper about the tool: Know Your Tools: use Picviz to find attacks

Feel free to leave a comment !