Nmap Development mailing list archives
Re: SIP version detection script
From: Matt Selsky <selsky () columbia edu>
Date: Wed, 25 Nov 2009 11:41:34 -0500
On Nov 25, 2009, at 4:51 AM, Patrik Karlsson wrote:
I applied your patch and it worked correctly against my Asterisk boxes. I added a match for them in the submitted patch. They didn't match any of the softmatch rules as Asterisk returns it's server information in the User-Agent header, rather than the Server header. However, the patch did not work against my OpenSer SIP proxy. I'm running: OpenSER SIP Server 1.3.2-tls (x86_64/linux) When looking at the tcpdump I noticed something that I previously missed. The server is actually answering with a response that should match. However, it's sending it's response back to the client using 5060/udp as destination. I didn't have this problem with my SIP version script and was able to narrow it down to the rport attribute of the Via header. I have modified your probe so it sends this as well and it works as expected against my boxes now. Here's how the Asterisk info looks, incase you need to improve my match: SF-Port5060-UDP:V=5.00%I=7%D=11/25%Time=4B0CF293%P=i686-redhat-linux-gnu%r SF:(SIPOptions,16A,"SIP/2\.0\x20200\x20OK\r\nVia:\x20SIP/2\.0/UDP\x20nm;br SF:anch=foo;received=192\.168\.56\.4\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nT SF:o:\x20<sip:nm2@nm2>;tag=as3f61201f\r\nCall-ID:\x2050000\r\nCSeq:\x2042\ SF:x20OPTIONS\r\nUser-Agent:\x20Asterisk\x20PBX\r\nAllow:\x20INVITE,\x20AC SF:K,\x20CANCEL,\x20OPTIONS,\x20BYE,\x20REFER,\x20SUBSCRIBE,\x20NOTIFY,\x2 SF:0INFO\r\nSupported:\x20replaces\r\nContact:\x20<sip:192\.168\.56\.4>\r\ SF:nAccept:\x20application/sdp\r\nContent-Length:\x200\r\n\r\n");
Good work on the "rport" option. I updated the Asterisk match line to look for \r\n since I still want to catch the case where Asterisk returns a version number too. I added some of the TCP match lines that I could test like OpenSER, SER, OpenSIPS, and SIP Router. Can you try this updated version of my patch? -- Matt
Attachment:
sip-v2.patch
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: SIP version detection script, (continued)
- Re: SIP version detection script Matt Selsky (Nov 24)
- Re: SIP version detection script Patrik Karlsson (Nov 24)
- Re: SIP version detection script Matt Selsky (Nov 25)
- Re: SIP version detection script David Fifield (Nov 25)
- Re: SIP version detection script Patrik Karlsson (Nov 24)
- Re: SIP version detection script Fyodor (Nov 24)
- Re: SIP version detection script Patrik Karlsson (Nov 24)
- Re: SIP version detection script Matt Selsky (Nov 25)
- Re: SIP version detection script Patrik Karlsson (Nov 25)
- Re: SIP version detection script Matt Selsky (Nov 25)
- Re: SIP version detection script Patrik Karlsson (Nov 25)
- Re: SIP version detection script David Fifield (Nov 25)
- Re: SIP version detection script Patrik Karlsson (Nov 26)
- Re: SIP version detection script Matt Selsky (Nov 30)
- Re: SIP version detection script David Fifield (Dec 12)