Nmap Development mailing list archives

Re: SIP version detection script


From: Fyodor <fyodor () insecure org>
Date: Tue, 24 Nov 2009 14:58:39 -0800

On Tue, Nov 24, 2009 at 09:01:36AM +0100, Patrik Karlsson wrote:

> I have an updated script that does that and works against 5060/tcp
> and 5061/tcp (SIP TLS).  However, as I posted earlier I realized
> that there is a static probe in nmap-service-probes that already
> works against 5060/tcp. So I'm guessing that same probe could be
> sent to 5060/udp as well and make my script redundant?

Hi Patrik.  Thanks for sending your SIP script, and you make a good
point here about the existing static probe.

In general, it is best to handle version detection using that
subsystem (e.g. nmap-service-probes) rather than NSE.
Nmap-service-probes is less powerful and flexible, but more efficient
to execute and maintain.  But it can only handle 1 static probe and a
regex-parseable response.  I see that your script uses a more dynamic
probe containing the source IP address, etc.

Maybe you can experiment with 5060/udp and see if you can get the same
version information with just a version detection probe and match
line(s) in nmap-service-probes?  Like we do for TCP.  That would be
the ideal case.  If that cannot be done, your new SIP script is a
great fallback option.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
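
Added example, not part of the original message and not Nmap code: a Python sketch of the model discussed above, where one fixed probe is sent and the reply is classified by regular expressions alone. The probe bytes, the two patterns, the function name match_response and the sample replies are all constructed for illustration; none of them is taken from nmap-service-probes.

```python
import re

# Constructed static probe: every byte is fixed ahead of time, so nothing in it
# can depend on the scanner's own address. Not the probe from nmap-service-probes.
STATIC_PROBE = (
    b"OPTIONS sip:probe@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP example.invalid;branch=z9hG4bK-static\r\n"
    b"From: <sip:probe@example.invalid>;tag=static\r\n"
    b"To: <sip:probe@example.invalid>\r\n"
    b"Call-ID: static-1\r\nCSeq: 1 OPTIONS\r\n"
    b"Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
)

# Hard match: SIP status line, then a Server/User-Agent header that appears
# before the blank line ending the headers. Group 1 = product, group 2 = version.
HARD = re.compile(
    rb"\ASIP/2\.0 \d{3} [^\r\n]*\r\n(?:[^\r\n]+\r\n)*?"
    rb"(?:Server|User-Agent):[ \t]*([^\r\n/ ]+)(?:[/ ]([^\r\n ]+))?",
    re.IGNORECASE,
)
# Soft match: the reply is SIP, but it does not name its software.
SOFT = re.compile(rb"\ASIP/2\.0 \d{3} ")


def match_response(data: bytes):
    """Classify one reply to STATIC_PROBE using regex-only matching."""
    m = HARD.match(data)
    if m:
        product, version = (
            g.decode("ascii", "replace") if g else None for g in m.groups()
        )
        return {"service": "sip", "product": product, "version": version}
    if SOFT.match(data):
        return {"service": "sip", "product": None, "version": None}
    return None  # not SIP: another probe or a script would have to decide


# Constructed sample replies (not captured from real devices).
SAMPLES = {
    "server": b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP example.invalid\r\n"
              b"Server: ExamplePBX/1.2.3\r\nContent-Length: 0\r\n\r\n",
    "agent": b"SIP/2.0 404 Not Found\r\nuser-agent: ExamplePhone 4.5\r\n\r\n",
    "silent": b"SIP/2.0 200 OK\r\nContent-Length: 16\r\n\r\nServer: Fake/9\r\n",
    "other": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, match_response(reply))
```

The "silent" sample carries a Server-like line only in the body, after the blank line; the hard pattern does not cross that line, so the reply is reported as SIP with no product.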

