[Plugins-writers] SIP Detect

From: Ferdy Riphagen (f.riphagen@private)
Date: Thu Jan 19 2006 - 05:08:21 PST

If someone can check this SIP nasl or test it more I'll appreciate it.


-- Ferdy

# Script Written By Ferdy Riphagen 
# <f[dot]riphagen[at]nsec[dot]nl>
# Script distributed under the GNU GPLv2 License.

desc["english"] = "
Synopsis :

The remote system is a SIP signaling device. 

Description :

The remote system is listening to and sending Session Initiation 
Protocol (SIP) requests.

SIP is a messaging protocol to initiate communication sessions
between systems. It is a protocol used mostly in IP Telephony 
networks/systems to setup, control and teardown sessions
between two or more systems.  

Solution :

If the service is not needed disable it, or filter incoming
requests to the ports.

See Also :


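Risk factor :

";

if (description) {
 # No script_id() appears in the post; assign one before use.
 script_version("$Revision: 1.0 $");

 name["english"] = "SIP Device Detection";
 script_name(english:name["english"]);

 script_description(english:desc["english"]);

 summary["english"] = "Check if the remote system is accepting SIP requests";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);
 script_family(english:"Service detection");

 script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
 exit(0);
}
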
port = 5060;
if (!get_udp_port_state(port)) exit(0);

# Check if we are scanning our local system.
# If so we can't use source port 5060, but it is worth a try.
if (islocalhost()) {
 soc = open_sock_udp(port);
}
# Some systems only want to talk if the source port is 5060.
else soc = open_priv_sock_udp(sport:5060, dport:port);
if (!soc) exit(0);

# Generate a "SIP OPTION" message.
# This will result in a "404 or 484" error if we get a response. 
payload = string(
  "OPTIONS sip:*@", get_host_name(), " SIP/2.0\r\n",
  "Via: SIP/2.0/UDP ", this_host(), "\r\n",
  "To: <sip:*@", get_host_name(), ">\r\n",
  "From: <sip:*@", this_host(), ">\r\n",
  "Call-ID: 1234567890@", this_host(), "\r\n",
  "CSeq: 123456 OPTIONS\r\n",
  "User-Agent: Nessus Vulnerability Scanner\r\n",
  "Content-Type: application/sdp\r\n",
  "Content-Length: 0\r\n",
  # An empty line terminates the SIP header section.
  "\r\n");

debug_print("payload: ", payload, "\n");
send(socket:soc, data:payload);

recv = recv(socket:soc, length:512);
debug_print("recv: ", recv, "\n");
if (recv == NULL) exit(0);

# Check if we can get a good response back.
if ("Via: SIP/2.0/UDP" >< recv && 
   (agent = egrep(pattern:"User-Agent: |Server: ", string:recv))) { 

 banner = ereg_replace(pattern:".*User-Agent: |.*Server: ", string:agent, replace:"");
 banner = chomp(banner); 
 if (banner == agent) banner = NULL;    
 debug_print("banner: ", banner, "\n"); 

 # Also try to report the remote capabilities.
 options = egrep(pattern:"^Allow:.+OPTIONS", string:recv);
 if (options) options = options - string("Allow: ");
 debug_print("options: ", options, "\n"); 

 if (banner != NULL) {
  # Create the report.
  report = string(desc["english"], "\n\n",
   "Plugin output:\n\n",
   "The remote SIP device is a:\n",
   banner);
  # Register the banner information in KB.
  set_kb_item(name:"sip/banner/" + port, value:banner);
  if (options != NULL) {
   report = string(report, "\n\n",
    "The system is supporting the following options:\n",
    options);
  }
 }
 else report = desc["english"];

 register_service(ipproto:"udp", proto:"sip", port:port);
 security_note(port:port, data:report);
}

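Added example, not part of the original post or of the Nessus plugin: the script above matches the literal strings "Via: SIP/2.0/UDP", "User-Agent: " and "Server: " in the reply, but RFC 3261 lets a device send header names in any case, in compact form ("v:" for Via) and folded across lines. The Python sketch below parses a reply to the OPTIONS probe with those cases handled; the function names and the sample reply are constructed for illustration.

```python
import re

# Compact header names defined by RFC 3261, mapped to their long forms.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "k": "supported"}
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")

def parse_sip_response(data: bytes):
    """Return (status, reason, headers) or None if data is not a SIP response."""
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    # Unfold header values continued on lines that start with space or tab.
    head = re.sub(r"\r\n[ \t]+", " ", head)
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        key = name.strip().lower()  # header names are case-insensitive
        headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return int(m.group(1)), m.group(2), headers

def fingerprint(data: bytes):
    """Mirror the plugin's checks: need a Via header, report banner and Allow list."""
    parsed = parse_sip_response(data)
    if parsed is None or "via" not in parsed[2]:
        return None
    status, _, headers = parsed
    banner = (headers.get("server") or headers.get("user-agent") or [None])[0]
    allow = [m.strip() for v in headers.get("allow", [])
             for m in v.split(",") if m.strip()]
    return {"status": status, "banner": banner, "allow": allow}

# Constructed reply using compact names, a lowercase header and a folded Allow.
SAMPLE = (b"SIP/2.0 404 Not Found\r\n"
          b"v: SIP/2.0/UDP 192.0.2.10\r\n"
          b"t: <sip:*@198.51.100.5>\r\n"
          b"f: <sip:*@192.0.2.10>\r\n"
          b"i: 1234567890@192.0.2.10\r\n"
          b"CSeq: 123456 OPTIONS\r\n"
          b"server: ExamplePBX 1.0\r\n"
          b"Allow: INVITE, ACK,\r\n"
          b"  OPTIONS, BYE, CANCEL\r\n"
          b"l: 0\r\n\r\n")

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

A reply like the sample would not be reported by the literal string matches in the plugin, since it carries neither "Via:" nor "Server:" in that exact spelling.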