Skip to content

Command scan

Jose Luis Verdeguer edited this page Sep 18, 2024 · 3 revisions

SIPPTS scan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithread and can scan large ranges of networks.

Features

Scan works sending and waiting well-formed SIP packages. It is posible to scan several IP addresses or network ranges, over UDP, TCP or TLS.

Scan allows us to:

  • Identify PBX servers and SIP devices (SIP proxy, PBX, phone, gateway, SBC, etc).
  • Connection via UDP, TCP or TLS protocol.
  • Test over UDP, TCP and TLS at the same time.
  • Use different methods like REGISTER, INVITE or OPTIONS.
  • Scan large ranges of networks.
  • Load several IP addresses or network ranges from a file.
  • Scan large ranges of ports.
  • Analyze responses using verbose mode.
  • Get all the phones on a network to ring at the same time (using INVITE as method).
  • Try to fingerprinting the server or device. It is not exact but it can be useful for any servers with a custom User-Agent.
  • To customize several headers, like UserAgent, From (user, name, domain), To (user, name, domain), contact, etc.
  • It is possible to save all operations into a file.
  • It uses multithread to run faster.

Usage

$ sippts scan -h

Target:
  -i IP|HOST          Host/IP address/network (ex: mysipserver.com | 192.168.0.10 | 192.168.0.0/24)
  -f FILE             File with several IPs or network ranges
  -r REMOTE_PORT      Ports to scan. Ex: 5060 | 5070,5080 | 5060-5080 | 5060,5062,5070-5080 | ALL for 1-65536 (default: 5060)
  -p PROTOCOL         Protocol: udp|tcp|tls|all (default: udp)
  -proxy IP:PORT      Use an outbound proxy (ex: 192.168.1.1 or 192.168.1.1:5070)

Headers:
  -m METHOD           Method used to scan: options, invite, register (default: options)
  -d DOMAIN           SIP Domain or IP address. Ex: my.sipserver.com (default: target IP address)
  -cd CONTACT_DOMAIN  Domain or IP address for Contact header. Ex: 10.0.1.2
  -fn FROM_NAME       From Name. Ex: Bob
  -fu FROM_USER       From User (default: 100)
  -fd FROM_DOMAIN     From Domain. Ex: 10.0.0.1
  -tn TO_NAME         To Name. Ex: Alice
  -tu TO_USER         To User (default: 100)
  -td TO_DOMAIN       To Domain. Ex: 10.0.0.1
  -ua USER_AGENT      User-Agent header (default: pplsip)
  -ppi PPI            P-Preferred-Identity
  -pai PAI            P-Asserted-Identity

Log:
  -v                  Increase verbosity
  -vv                 Increase more verbosity
  -nocolor            Show result without colors
  -o FILE             Save data into a log file
  -cve                Show possible CVEs

Other options:
  -th THREADS         Number of threads (default: 200)
  -ping               Ping host before scan
  -fp                 Try to fingerprinting
  -random             Randomize target hosts
  -local-ip IP        Set local IP address (by default try to get it)
  -h, --help          Show this help
  • To search SIP services on a simple IP address, for example 192.168.0.1 port 5060 (using OPTIONS method).
$ sippts scan -i 192.168.0.1
  • To search SIP services on a simple IP address, for example 192.168.0.1 port 5060 (using OPTIONS method).
$ sippts scan -i 192.168.0.1
  • To search SIP services on 192.168.0.0 network (over TLS connection).
$ sippts scan -i 192.168.0.0/24 -p tls
$ sippts scan -i 192.168.0.0-192.168.0.255 -p tls
  • To search several IPs (using REGISTER method).
$ sippts scan -i 192.168.0.1,192.168.0.2,192.168.2.0/24 -m register
  • To search several IPs and a large network range of SIP services on a large port range (using INVITE method).
$ sippts scan -i 192.168.0.1,192.168.0.2,192.168.2.0/24 -r 5060-5090 -m invite
  • To load one or more IPs, ranges or networks you can write all of then into a file (one per line).
$ sippts scan -f mydatafile.txt
  • Maybe 'pplsip' is a known User-Agent and the system automatically blocks the SIP messages. You can change it with a -ua parameter.
$ sippts scan -i 192.168.0.0/16 -ua myCustomUserAgent

Examples

$ sippts scan -i 192.168.2.0/24 -p all -r 5060-5080 -th 200 -ua Cisco

[!] IP/Network: 192.168.2.0/24
[!] Port range: 5060-5080
[!] Protocol: UDP, TCP, TLS
[!] Method to scan: OPTIONS
[!] Customized User-Agent: Cisco
[!] Used threads: 200

 -----------------------------------------------------------------------------------------------
| IP address    | Port | Proto | Response         | User-Agent                         | Type   |
 -----------------------------------------------------------------------------------------------
| 192.168.2.154 | 5080 | UDP   | 200 OK           | Grandstream GXP2100 1.0.8.6        | Device |
| 192.168.2.203 | 5060 | UDP   | 403 Not relaying | kamailio (5.2.1 (arm6/linux))      | Server |
| 192.168.2.203 | 5080 | UDP   | 404 Not Found    | Asterisk PBX 16.2.1~dfsg-1+deb10u2 | Server |
| 192.168.2.235 | 5060 | UDP   | 200 OK           | Grandstream GXP2130 1.0.9.69       | Device |
| 192.168.2.235 | 5064 | UDP   | 200 OK           | Grandstream GXP2130 1.0.9.69       | Device |
| 192.168.2.235 | 5080 | UDP   | 200 OK           | Grandstream GXP2130 1.0.9.69       | Device |
| 192.168.2.154 | 5080 | UDP   | 200 OK           | Grandstream GXP2100 1.0.8.6        | Device |
| 192.168.2.235 | 5060 | UDP   | 200 OK           | Grandstream GXP2130 1.0.9.69       | Device |
| 192.168.2.235 | 5080 | UDP   | 200 OK           | Grandstream GXP2130 1.0.9.69       | Device |
 -----------------------------------------------------------------------------------------------
$ sippts scan -i 192.168.2.203 -ua Cisco -fp
[!] IP/Network: 192.168.2.203
[!] Port range: 5060
[!] Protocol: UDP
[!] Method to scan: OPTIONS
[!] Customized User-Agent: Cisco
[!] Used threads: 1

 ------------------------------------------------------------------------------------------------------------
| IP address    | Port | Proto | Response      | User-Agent                    | Type   | Fingerprinting     |
 ------------------------------------------------------------------------------------------------------------
| 192.168.2.203 | 5060 | UDP   | 200 Keepalive | kamailio (5.2.1 (arm6/linux)) | Server | Kamailio SIP Proxy |
 ------------------------------------------------------------------------------------------------------------
$ sippts scan -i 192.168.2.203 -ua Cisco -fp -cve
[!] IP/Network: 192.168.2.203
[!] Port range: 5060
[!] Protocol: UDP
[!] Method to scan: OPTIONS
[!] Customized User-Agent: Cisco
[!] Used threads: 1

 ------------------------------------------------------------------------------------------------------------
| IP address    | Port | Proto | Response      | User-Agent                    | Type   | Fingerprinting     |
 ------------------------------------------------------------------------------------------------------------
| 192.168.2.203 | 5060 | UDP   | 200 Keepalive | kamailio (5.2.1 (arm6/linux)) | Server | Kamailio SIP Proxy |
 ------------------------------------------------------------------------------------------------------------

 ----------------------------------------------------------------------------------------------------------------------------------------------------
| Potential known vulnerabilities                                                                                                                    |
 ----------------------------------------------------------------------------------------------------------------------------------------------------
| Device   | Version              | CVE            | Type                                            | URL                                           |
 ----------------------------------------------------------------------------------------------------------------------------------------------------
| kamailio | 4.0.1-1              | cve-2013-7426  | insecure temporary file vulnerability           | https://www.cvedetails.com/cve/cve-2013-7426  |
| kamailio | <= 4.2.8             | cve-2015-1590  | kamcmd vulnerability                            | https://www.cvedetails.com/cve/cve-2015-1590  |
| kamailio | <= 4.2.0-1.1         | cve-2015-1591  | privilege escalation                            | https://www.cvedetails.com/cve/cve-2015-1591  |
| kamailio | <= 4.3.4             | cve-2016-2385  | denial of service (dos)                         | https://www.cvedetails.com/cve/cve-2016-2385  |
| kamailio | < 5.0.7              | cve-2018-14767 | denial of service (dos)                         | https://www.cvedetails.com/cve/cve-2018-14767 |
| kamailio | >= 5.1.0 and < 5.1.4 | cve-2018-14767 | denial of service (dos)                         | https://www.cvedetails.com/cve/cve-2018-14767 |
| kamailio | < 5.0.7              | cve-2018-16657 | denial of service (dos)                         | https://www.cvedetails.com/cve/cve-2018-16657 |
| kamailio | >= 5.1.0 and < 5.1.4 | cve-2018-16657 | denial of service (dos)                         | https://www.cvedetails.com/cve/cve-2018-16657 |
| kamailio | < 5.5.0              | cve-2020-27507 | denial of service (dos)                         | https://www.cvedetails.com/cve/cve-2020-27507 |
| kamailio | < 5.4.0              | cve-2020-28361 | bypass of a header-removal protection mechanism | https://www.cvedetails.com/cve/cve-2020-28361 |
 ----------------------------------------------------------------------------------------------------------------------------------------------------
Clone this wiki locally