Nmap Development mailing list archives

Re: SIP version detection script


From: Matt Selsky <selsky () columbia edu>
Date: Wed, 25 Nov 2009 11:41:34 -0500

On Nov 25, 2009, at 4:51 AM, Patrik Karlsson wrote:

I applied your patch and it worked correctly against my Asterisk boxes. I added a match for them in the submitted 
patch. They didn't match any of the softmatch rules as Asterisk returns its server information in the User-Agent 
header, rather than the Server header. However, the patch did not work against my OpenSer SIP proxy. I'm running: 
OpenSER SIP Server 1.3.2-tls (x86_64/linux)

When looking at the tcpdump I noticed something that I previously missed. The server is actually answering with a 
response that should match. However, it's sending its response back to the client using 5060/udp as destination. I 
didn't have this problem with my SIP version script and was able to narrow it down to the rport attribute of the Via 
header. I have modified your probe so it sends this as well and it works as expected against my boxes now.

Here's how the Asterisk info looks, in case you need to improve my match:

SF-Port5060-UDP:V=5.00%I=7%D=11/25%Time=4B0CF293%P=i686-redhat-linux-gnu%r
SF:(SIPOptions,16A,"SIP/2\.0\x20200\x20OK\r\nVia:\x20SIP/2\.0/UDP\x20nm;br
SF:anch=foo;received=192\.168\.56\.4\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nT
SF:o:\x20<sip:nm2@nm2>;tag=as3f61201f\r\nCall-ID:\x2050000\r\nCSeq:\x2042\
SF:x20OPTIONS\r\nUser-Agent:\x20Asterisk\x20PBX\r\nAllow:\x20INVITE,\x20AC
SF:K,\x20CANCEL,\x20OPTIONS,\x20BYE,\x20REFER,\x20SUBSCRIBE,\x20NOTIFY,\x2
SF:0INFO\r\nSupported:\x20replaces\r\nContact:\x20<sip:192\.168\.56\.4>\r\
SF:nAccept:\x20application/sdp\r\nContent-Length:\x200\r\n\r\n");

Good work on the "rport" option.

I updated the Asterisk match line to look for \r\n since I still want to catch the case where Asterisk returns a 
version number too. I added some of the TCP match lines that I could test like OpenSER, SER, OpenSIPS, and SIP Router. 
Can you try this updated version of my patch?


-- 
Matt

Attachment: sip-v2.patch
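
The two behaviours discussed in this message, as an added example (not part of the thread or of sip-v2.patch): where a UDP SIP server sends its reply with and without `rport` in the Via header (RFC 3261 section 18.2.2, RFC 3581), and reading the product from `Server` with a fallback to `User-Agent`, with or without a trailing version. The function names, the banner regex, the source port and the versioned Asterisk banner are assumptions made for illustration; the first sample is abridged from the fingerprint quoted above.

```python
import re

DEFAULT_SIP_PORT = 5060
# Product text, then an optional version token that starts with a digit.
BANNER = re.compile(r"^(?P<product>.*?)(?:\s+(?P<version>\d\S*))?$")

# Abridged from the Asterisk fingerprint quoted in the message.
ASTERISK = (
    b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP nm;branch=foo;received=192.168.56.4\r\n"
    b"CSeq: 42 OPTIONS\r\nUser-Agent: Asterisk PBX\r\nContent-Length: 0\r\n\r\n"
)
# Constructed variant: the same reply with a version number appended.
ASTERISK_VERSIONED = ASTERISK.replace(b"Asterisk PBX", b"Asterisk PBX 1.6.0.10")


def reply_port(via_value: str, src_port: int) -> int:
    """UDP port a server answers to for a request carrying this Via value."""
    sent_by, *params = [p.strip() for p in via_value.split(";")]
    if any(p.split("=")[0].lower() == "rport" for p in params):
        return src_port  # RFC 3581: reply to the packet's source port
    host_port = sent_by.split()[-1]  # "SIP/2.0/UDP nm:5070" -> "nm:5070"
    _, sep, port = host_port.rpartition(":")
    # RFC 3261 18.2.2: port from sent-by, or 5060 when none is given
    return int(port) if sep and port.isdigit() else DEFAULT_SIP_PORT


def identify(response: bytes):
    """Return (header, product, version) from Server, else User-Agent."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    if not status.startswith("SIP/2.0 "):
        return None  # not a SIP response
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    for name in ("server", "user-agent"):
        if name in headers:
            m = BANNER.match(headers[name])
            return name, m.group("product"), m.group("version")
    return None


if __name__ == "__main__":
    # 40123 is a constructed ephemeral source port for the probe.
    print(reply_port("SIP/2.0/UDP nm;branch=foo", 40123))
    print(reply_port("SIP/2.0/UDP nm;branch=foo;rport", 40123))
    print(identify(ASTERISK), identify(ASTERISK_VERSIONED))
```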

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/