RE: Sipflanker finds vulnerable Web GUIs deployed by IP phones and PBXs



Hi Jason,

Thank you for your comments, I appreciate it.
Indeed you are right, SIP runs on UDP on 5060. The TCP socket connection
only tests if the port responds. Do you think it would be better to use UDP?

I did think about adding 5061, but given the unfortunate fact that TLS is
hardly ever used, and also to make the scan faster, I left it out for the
time being. But I will add it in future versions.

Thanks! :)

Regards,

Sergio

-----Original Message-----
From: Jason Ross [mailto:algorythm@xxxxxxxxx]
Sent: Wednesday, May 28, 2008 04:58 p.m.
To: Sergio Castro
CC: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Sipflanker finds vulnerable Web GUIs deployed by IP phones and PBXs

On Tue, May 27, 2008 at 4:00 PM,
Sergio Castro <sergio.castro@xxxxxxxxxx> wrote:


What the application does is search the range of IPs you specify, and
check whether port 5060 is available. Whether open or closed, port 5060
usually indicates the presence of a SIP device.
Then it checks whether port 80 (http) is open.

Looking through the code, it's a very decent start, and a good idea IMO.

One thing you may want to consider is that SIP generally runs on UDP/5060.

Your portscan.py script calls both port 80 and 5060 with AF_INET and
SOCK_STREAM which would mean TCP both times.

It may make sense to break the SIP scan out such that it checks for both UDP
and TCP port 5060 (and you may also want to add TCP/5061 to the mix, as
SIP/TLS generally uses that port.)

Other than that, like I said, a decent bit of work I think.

Regards,
Jason
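Jason's point above, that a SOCK_STREAM connect to 5060 only exercises TCP while SIP is normally reachable on UDP/5060, can be checked against a single host you administer with a SIP OPTIONS request: UDP has no handshake, so the only way to learn that something is listening is to send a request and parse the status line. The code below is an added example written for this page, not Sergio's portscan.py; it assumes Python 3, and the 192.0.2.10 source address in the Via header is a constructed placeholder.

```python
import socket
import uuid

SIP_TCP_PORT = 5060   # SIP over TCP
SIP_TLS_PORT = 5061   # SIP over TLS (TCP), the port Jason suggests adding
SIP_UDP_PORT = 5060   # SIP over UDP, the usual transport


def build_options_request(host, port, local_ip="192.0.2.10", local_port=5060):
    """Build a minimal RFC 3261 OPTIONS request. A SIP endpoint should answer it
    with a status line (typically 200 OK) whether or not anyone is registered.
    local_ip is a constructed placeholder for the probing host's address."""
    call_id = uuid.uuid4().hex
    return (
        f"OPTIONS sip:{host}:{port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{call_id[:8]};rport\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:probe@{local_ip}>;tag={call_id[8:16]}\r\n"
        f"To: <sip:{host}:{port}>\r\n"
        f"Call-ID: {call_id}@{local_ip}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def parse_sip_status(data):
    """Return (status_code, reason) from a SIP response, or None when the bytes
    do not start with a SIP/2.0 status line (e.g. an HTTP reply or nothing)."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0") or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def tcp_port_open(host, port, timeout=2.0):
    """TCP connect() check: proves a listener exists but says nothing about UDP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_sip_responds(host, port=SIP_UDP_PORT, timeout=2.0):
    """UDP probe: send OPTIONS and wait for a status line; None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options_request(host, port), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_sip_status(data)


def sip_exposure(host):
    """Summarise how one host exposes SIP on TCP/5060, TCP/5061 and UDP/5060."""
    return {"tcp/5060": tcp_port_open(host, SIP_TCP_PORT),
            "tcp/5061": tcp_port_open(host, SIP_TLS_PORT),
            "udp/5060": udp_sip_responds(host)}
```

A closed TCP/5060 together with a 200 OK on UDP/5060 is exactly the case a SOCK_STREAM-only check misses.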
