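Hi,

Attached a nasl plugin for IAX2 detection.

-- Ferdy

#
# Script Written By Ferdy Riphagen
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#
# Purpose: service detection for IAX2 (Inter-Asterisk eXchange) on 4569/udp.
# The plugin sends one IAX2 POKE full frame and reports the service only when
# the reply is an IAX control frame carrying PONG or ACK.
#

if (description) {
 script_id(200025);
 script_version("$Revision: 1.0 $");

 name["english"] = "Inter-Asterisk eXchange Protocol Detection";
 script_name(english:name["english"]);

 # The report text is kept on one line exactly as it appears in this archived
 # copy of the plugin.
 desc["english"] = " Synopsis : The remote system is running the Inter-Asterisk eXchange Protocol. Description : The Inter-Asterisk eXchange protocol (IAX2) is used by the Asterisk PBX Server and other IP Telephony clients/servers to enable voice communication between them. IAX2 is listening and sending UDP streams by default over port 4569/udp. Solution : If possible filter incoming connections to the port so that it can be used by trusted sources only. Risk factor : None";
 script_description(english:desc["english"]);

 summary["english"] = "Checks if the remote system is running the IAX2 protocol";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);
 script_family(english:"Service detection");
 script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
 script_require_udp_ports(4569);
 exit(0);
}

include("misc_func.inc");

port = 4569;
if (!get_udp_port_state(port)) exit(0);

# Generate the IAX2 "poke" packet (a 12-byte full frame).
poke_msg = raw_string(
	0x80, 0x00,		# Full-frame flag set, source call number 0
	0x00, 0x00,		# Destination Call
	0x00, 0x00, 0x00, 0x00,	# Timestamp
	0x00,			# Outbound Seq No
	0x00,			# Inbound Seq No
	0x06,			# IAX Type (IAX control frame)
	0x1E);			# IAX2 Poke Command

# Pick an unprivileged source port in 1024..65535.
# The original expression, `rand % 65535 + 1024`, omitted the call parentheses
# on rand (so the builtin was not invoked) and its range could exceed 65535.
sport = rand() % 64512 + 1024;

# Generate the IP packet.
ip_pkt = forge_ip_packet(
	ip_v:4,
	ip_hl:5,
	ip_tos:0,
	ip_len:20,
	ip_off:0,
	ip_id:rand(),
	ip_p:IPPROTO_UDP,
	ip_ttl:64,
	ip_src:this_host());

# Generate the UDP packet.
udp_pkt = forge_udp_packet(
	ip:ip_pkt,
	uh_sport:sport,
	uh_dport:port,
	uh_ulen:8 + strlen(poke_msg),
	data:poke_msg);

# Only accept replies from the target's IAX2 port addressed to the source port
# used above, so unrelated UDP traffic from port 4569 is not mistaken for an
# answer to this probe.
filter = string("udp and src host ", get_host_ip(),
		" and src port ", port,
		" and dst port ", sport);

# Send the packet and capture the first reply matching the filter.
send_pkt = send_packet(udp_pkt, pcap_active:TRUE, pcap_filter:filter);
if (send_pkt) {
 recv_pkt = get_udp_element(udp:send_pkt, element:"data");

 # Check if we get the right response: at least a 12-byte full-frame header.
 if (strlen(recv_pkt) < 12) exit(0);

 # Byte 0 must carry the full-frame flag, byte 10 is the frame type
 # (6 = IAX control) and byte 11 the subclass (3 = PONG, 4 = ACK).
 if ((ord(recv_pkt[0]) & 0x80) &&
     ord(recv_pkt[10]) == 6 &&
     (ord(recv_pkt[11]) == 3 || ord(recv_pkt[11]) == 4)) {
  # Report against the UDP port; without the protocol argument the note
  # would be attached to 4569/tcp.
  security_note(port:port, protocol:"udp");
  register_service(ipproto:"udp", proto:"iax2", port:port);
  exit(0);
 }
}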