Command scan - Pepelux/sippts GitHub Wiki
SIPPTS scan is a very fast scanner for SIP services over UDP, TCP or TLS. It is multithreaded and can scan large network ranges.
Features
Scan works by sending well-formed SIP packets and waiting for the responses. It is possible to scan several IP addresses or network ranges, over UDP, TCP or TLS.
Scan allows us to:
- Identify PBX servers and SIP devices (SIP proxy, PBX, phone, gateway, SBC, etc).
- Connect over UDP, TCP or TLS.
- Test over UDP, TCP and TLS at the same time.
- Use different methods like REGISTER, INVITE or OPTIONS.
- Scan large ranges of networks.
- Load several IP addresses or network ranges from a file.
- Scan large ranges of ports.
- Analyze responses using verbose mode.
- Get all the phones on a network to ring at the same time (using INVITE as method).
- Try to fingerprint the server or device. It is not exact, but it can be useful for servers with a custom User-Agent.
- Customize several headers, such as User-Agent, From (user, name, domain), To (user, name, domain), Contact, etc.
- Save all operations into a file.
- Use multiple threads to run faster.
Usage
$ sippts scan -h
Target:
-i IP|HOST Host/IP address/network (ex: mysipserver.com | 192.168.0.10 | 192.168.0.0/24)
-f FILE File with several IPs or network ranges
-r REMOTE_PORT Ports to scan. Ex: 5060 | 5070,5080 | 5060-5080 | 5060,5062,5070-5080 | ALL for 1-65536 (default: 5060)
-p PROTOCOL Protocol: udp|tcp|tls|all (default: udp)
-proxy IP:PORT Use an outbound proxy (ex: 192.168.1.1 or 192.168.1.1:5070)
Headers:
-m METHOD Method used to scan: options, invite, register (default: options)
-d DOMAIN SIP Domain or IP address. Ex: my.sipserver.com (default: target IP address)
-cd CONTACT_DOMAIN Domain or IP address for Contact header. Ex: 10.0.1.2
-fn FROM_NAME From Name. Ex: Bob
-fu FROM_USER From User (default: 100)
-fd FROM_DOMAIN From Domain. Ex: 10.0.0.1
-tn TO_NAME To Name. Ex: Alice
-tu TO_USER To User (default: 100)
-td TO_DOMAIN To Domain. Ex: 10.0.0.1
-ua USER_AGENT User-Agent header (default: pplsip)
-ppi PPI P-Preferred-Identity
-pai PAI P-Asserted-Identity
Log:
-v Increase verbosity
-vv Increase more verbosity
-nocolor Show result without colors
-o FILE Save data into a log file
-cve Show possible CVEs
Other options:
-th THREADS Number of threads (default: 200)
-ping Ping host before scan
-fp Try to fingerprinting
-random Randomize target hosts
-local-ip IP Set local IP address (by default try to get it)
-h, --help Show this help
- To search for SIP services on a single IP address, for example 192.168.0.1 port 5060 (using the OPTIONS method).
$ sippts scan -i 192.168.0.1
- To search for SIP services on the 192.168.0.0 network (over a TLS connection).
$ sippts scan -i 192.168.0.0/24 -p tls
$ sippts scan -i 192.168.0.0-192.168.0.255 -p tls
- To scan several IPs (using the REGISTER method).
$ sippts scan -i 192.168.0.1,192.168.0.2,192.168.2.0/24 -m register
- To scan several IPs and a network range for SIP services across a large port range (using the INVITE method).
$ sippts scan -i 192.168.0.1,192.168.0.2,192.168.2.0/24 -r 5060-5090 -m invite
- To load one or more IPs, ranges or networks, write all of them into a file (one per line).
$ sippts scan -f mydatafile.txt
- The default User-Agent, 'pplsip', may be known to the target system, which then blocks the SIP messages automatically. You can change it with the -ua parameter.
$ sippts scan -i 192.168.0.0/16 -ua myCustomUserAgent
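Because the User-Agent can be changed with -ua, detection on the monitored side should not depend on the 'pplsip' string alone. The following is an added example, not part of sippts: it parses raw SIP requests and flags a source either by the default User-Agent or by how many distinct IP/port targets it probes. The threshold, the function names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

DEFAULT_UA = "pplsip"   # default -ua value shown in the help text
FANOUT_THRESHOLD = 3    # assumption: distinct (ip, port) targets per source before alerting

def parse_sip_request(raw):
    """Return (method, user_agent) from a raw SIP request, or None if it is not one."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"^([A-Z]+) sips?:\S+ SIP/2\.0$", lines[0])
    if not m:
        return None
    ua = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            ua = value.strip()
    return m.group(1), ua

def detect_scanners(events):
    """events: (src_ip, dst_ip, dst_port, raw_message). Returns {src_ip: set of reasons}."""
    targets, findings = defaultdict(set), defaultdict(set)
    for src, dst, port, raw in events:
        parsed = parse_sip_request(raw)
        if parsed is None:
            continue
        method, ua = parsed
        if ua.lower() == DEFAULT_UA:
            findings[src].add("default-user-agent")
        if method in ("OPTIONS", "REGISTER", "INVITE"):
            targets[src].add((dst, port))
    for src, seen in targets.items():
        if len(seen) >= FANOUT_THRESHOLD:   # survives a changed User-Agent
            findings[src].add("fan-out")
    return dict(findings)

def sample_msg(method, host, ua):
    # Constructed sample request, not captured traffic
    return (f"{method} sip:100@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 10.0.0.9:5060;branch=z9hG4bK-1\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

SAMPLE_EVENTS = [
    ("10.0.0.9", "192.168.2.154", 5060, sample_msg("OPTIONS", "192.168.2.154", "pplsip")),
    ("10.0.0.7", "192.168.2.203", 5060, sample_msg("OPTIONS", "192.168.2.203", "Cisco")),
    ("10.0.0.7", "192.168.2.203", 5080, sample_msg("OPTIONS", "192.168.2.203", "Cisco")),
    ("10.0.0.7", "192.168.2.235", 5060, sample_msg("OPTIONS", "192.168.2.235", "Cisco")),
    ("192.168.2.235", "192.168.2.203", 5060,
     sample_msg("REGISTER", "192.168.2.203", "Grandstream GXP2130 1.0.9.69")),
]
```

In the sample, 10.0.0.7 is flagged for fan-out even though it sends a custom User-Agent, while the phone registering to a single server is not flagged.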
Examples
$ sippts scan -i 192.168.2.0/24 -p all -r 5060-5080 -th 200 -ua Cisco
[!] IP/Network: 192.168.2.0/24
[!] Port range: 5060-5080
[!] Protocol: UDP, TCP, TLS
[!] Method to scan: OPTIONS
[!] Customized User-Agent: Cisco
[!] Used threads: 200
-----------------------------------------------------------------------------------------------
| IP address | Port | Proto | Response | User-Agent | Type |
-----------------------------------------------------------------------------------------------
| 192.168.2.154 | 5080 | UDP | 200 OK | Grandstream GXP2100 1.0.8.6 | Device |
| 192.168.2.203 | 5060 | UDP | 403 Not relaying | kamailio (5.2.1 (arm6/linux)) | Server |
| 192.168.2.203 | 5080 | UDP | 404 Not Found | Asterisk PBX 16.2.1~dfsg-1+deb10u2 | Server |
| 192.168.2.235 | 5060 | UDP | 200 OK | Grandstream GXP2130 1.0.9.69 | Device |
| 192.168.2.235 | 5064 | UDP | 200 OK | Grandstream GXP2130 1.0.9.69 | Device |
| 192.168.2.235 | 5080 | UDP | 200 OK | Grandstream GXP2130 1.0.9.69 | Device |
| 192.168.2.154 | 5080 | UDP | 200 OK | Grandstream GXP2100 1.0.8.6 | Device |
| 192.168.2.235 | 5060 | UDP | 200 OK | Grandstream GXP2130 1.0.9.69 | Device |
| 192.168.2.235 | 5080 | UDP | 200 OK | Grandstream GXP2130 1.0.9.69 | Device |
-----------------------------------------------------------------------------------------------
$ sippts scan -i 192.168.2.203 -ua Cisco -fp
[!] IP/Network: 192.168.2.203
[!] Port range: 5060
[!] Protocol: UDP
[!] Method to scan: OPTIONS
[!] Customized User-Agent: Cisco
[!] Used threads: 1
------------------------------------------------------------------------------------------------------------
| IP address | Port | Proto | Response | User-Agent | Type | Fingerprinting |
------------------------------------------------------------------------------------------------------------
| 192.168.2.203 | 5060 | UDP | 200 Keepalive | kamailio (5.2.1 (arm6/linux)) | Server | Kamailio SIP Proxy |
------------------------------------------------------------------------------------------------------------
$ sippts scan -i 192.168.2.203 -ua Cisco -fp -cve
[!] IP/Network: 192.168.2.203
[!] Port range: 5060
[!] Protocol: UDP
[!] Method to scan: OPTIONS
[!] Customized User-Agent: Cisco
[!] Used threads: 1
------------------------------------------------------------------------------------------------------------
| IP address | Port | Proto | Response | User-Agent | Type | Fingerprinting |
------------------------------------------------------------------------------------------------------------
| 192.168.2.203 | 5060 | UDP | 200 Keepalive | kamailio (5.2.1 (arm6/linux)) | Server | Kamailio SIP Proxy |
------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------
| Potential known vulnerabilities |
----------------------------------------------------------------------------------------------------------------------------------------------------
| Device | Version | CVE | Type | URL |
----------------------------------------------------------------------------------------------------------------------------------------------------
| kamailio | 4.0.1-1 | cve-2013-7426 | insecure temporary file vulnerability | https://www.cvedetails.com/cve/cve-2013-7426 |
| kamailio | <= 4.2.8 | cve-2015-1590 | kamcmd vulnerability | https://www.cvedetails.com/cve/cve-2015-1590 |
| kamailio | <= 4.2.0-1.1 | cve-2015-1591 | privilege escalation | https://www.cvedetails.com/cve/cve-2015-1591 |
| kamailio | <= 4.3.4 | cve-2016-2385 | denial of service (dos) | https://www.cvedetails.com/cve/cve-2016-2385 |
| kamailio | < 5.0.7 | cve-2018-14767 | denial of service (dos) | https://www.cvedetails.com/cve/cve-2018-14767 |
| kamailio | >= 5.1.0 and < 5.1.4 | cve-2018-14767 | denial of service (dos) | https://www.cvedetails.com/cve/cve-2018-14767 |
| kamailio | < 5.0.7 | cve-2018-16657 | denial of service (dos) | https://www.cvedetails.com/cve/cve-2018-16657 |
| kamailio | >= 5.1.0 and < 5.1.4 | cve-2018-16657 | denial of service (dos) | https://www.cvedetails.com/cve/cve-2018-16657 |
| kamailio | < 5.5.0 | cve-2020-27507 | denial of service (dos) | https://www.cvedetails.com/cve/cve-2020-27507 |
| kamailio | < 5.4.0 | cve-2020-28361 | bypass of a header-removal protection mechanism | https://www.cvedetails.com/cve/cve-2020-28361 |
----------------------------------------------------------------------------------------------------------------------------------------------------
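The table above includes rows whose version range does not cover the 5.2.1 reported in the User-Agent banner. The following is an added example, not part of sippts: it triages the listed rows by comparing the banner version against each range as written in the table. The function names are hypothetical, the package revision suffix (such as "-1") is ignored as a simplifying assumption, and a banner can be customized or lag behind backported fixes, so the result is a starting point for verification.

```python
import operator
import re

# (version range, CVE) pairs copied from the "Potential known vulnerabilities" table above
KAMAILIO_ROWS = [
    ("4.0.1-1", "cve-2013-7426"),
    ("<= 4.2.8", "cve-2015-1590"),
    ("<= 4.2.0-1.1", "cve-2015-1591"),
    ("<= 4.3.4", "cve-2016-2385"),
    ("< 5.0.7", "cve-2018-14767"),
    (">= 5.1.0 and < 5.1.4", "cve-2018-14767"),
    ("< 5.0.7", "cve-2018-16657"),
    (">= 5.1.0 and < 5.1.4", "cve-2018-16657"),
    ("< 5.5.0", "cve-2020-27507"),
    ("< 5.4.0", "cve-2020-28361"),
]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}

def version_tuple(text, width=3):
    """First dotted numeric run in text as a zero-padded tuple: '5.2.1' -> (5, 2, 1)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def in_range(version, spec):
    """True if version satisfies every clause of spec, e.g. '>= 5.1.0 and < 5.1.4'."""
    for clause in spec.split(" and "):
        m = re.match(r"\s*(<=|>=|<|>)?\s*(\S+)", clause)
        op, bound = m.group(1) or "==", version_tuple(m.group(2))
        if bound is None or not OPS[op](version, bound):
            return False
    return True

def applicable_cves(banner, rows=KAMAILIO_ROWS):
    """CVEs whose listed range covers the version found in a User-Agent banner."""
    version = version_tuple(banner)
    if version is None:
        return []          # no version in the banner: nothing can be ruled in or out
    hits = []
    for spec, cve in rows:
        if in_range(version, spec) and cve not in hits:
            hits.append(cve)
    return hits
```

For the banner in the scan output, `applicable_cves("kamailio (5.2.1 (arm6/linux))")` keeps only cve-2020-27507 and cve-2020-28361.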