Re: [NSE] sip-extensions.nse

[Hani Benhabiles <kroosec () gmail com>]

On 06/29/2012 09:07 PM, Patrik Karlsson wrote:
> On Fri, Jun 29, 2012 at 9:41 PM, Hani Benhabiles <kroosec () gmail com 
> <mailto:kroosec () gmail com>> wrote:
>
>     Hi list,
>
>     description = [[
>     Scans a numeric range of SIP extensions to find valid ones.
>
>     The script works by sending REGISTER SIP requests to the server
>     with the
>     specified extension number and checking for the response status
>     code in order
>     to know if an extension is valid. If a response status code is 401 or
>     407, it means that the extension is valid and requires
>     authentication. If the
>     response status code is 200, it means that the extension exists
>     and doesn't
>     require any authentication while a 403 response status code means that
>     extension exists but access is forbidden. To skip false positives,
>     the script
>     begins by sending a REGISTER request for a random extension and
>     checking for
>     response status code.
>     ]]
>
>     ---
>     --@args sip-extensions.minext Extension value to start enumeration
>     from.
>     --  Defaults to <code>0</code>.
>     -- 
>     --@args sip-extensions.maxext Extension value to end enumeration at.
>     --  Defaults to <code>999</code>.
>     --
>     --@args sip-extensions.padding Number of digits to pad zeroes up to.
>     --  Defaults to <code>0</code>. No padding if this is set to zero.
>     --
>     --@args sip-extensions.threads Number of threads to use.
>     --  Defaults to <code>1</code>.
>     -- 
>     --@usage
>     -- nmap --script=sip-extensions -sU -p 5060 <targets>
>     --
>     -- nmap --script=sip-extensions -sU -p 5060 <targets>
>     -- script-args sip-extensions.padding=4, sip-extensions.minext=1000,
>     -- sip-extensions.maxext=9999
>     --
>     --@output
>     -- 5060/udp open sip
>     -- | sip-extensions:
>     -- |   101 : Authentication required.
>     -- |   112 : Authentication required.
>     -- |_  150 : No authentication.
>
>
>     -- 
>     Hani Benhabiles
>
>     Twitter: https://twitter.com/#!/kroosec
>     <https://twitter.com/#%21/kroosec>
>     Blog: http://kroosec.blogspot.com
>
>
>     _______________________________________________
>     Sent through the nmap-dev mailing list
>     http://cgi.insecure.org/mailman/listinfo/nmap-dev
>     Archived at http://seclists.org/nmap-dev/
>
>
> Hi Hani,
> There seems to be some overlap here with sip-enum-users?
> Or am I missing something?
>
> Cheers,
> //Patrik
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77
Hi Patrik,

SIP servers in the wild use usually either usernames or numbers as 
extensions. The later seems to be more common as I came across it more 
often and given how many testing tools and suites (i.e sipvicious, 
metasploit aux etc...) focus on scanning ranges of numbers (with things 
such as padding 0's) rather than on usernames from a dictionnary list. I 
believe having two separates scripts that do simple and effective work 
depending on the situation is better than one bloated script with many 
options and requiring the user to supply many script-arguments.

Though, I believe that the name sip-extensions which is not very clear 
should be changed to something more descriptive such as sip-enum-numbers.

Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/