
SIPScan

Jose Luis Verdeguer edited this page May 21, 2019 · 9 revisions

Sipscan is a very fast scanner for SIP services over UDP. It is multithreaded and can scan large network ranges.

Features

Sipscan works by sending well-formed SIP packets and waiting for the replies. Nmap, for example, is a great tool for scanning networks, but over UDP it is better and faster to send well-formed SIP packets and wait for valid responses.

By default, Sipscan tries to connect over UDP. If that fails, it tries TCP. You can also force it to use only UDP or only TCP.

Sipscan allows us to:

  • Identify PBX servers and SIP devices (SIP proxy, PBX, phone, gateway, etc.).
  • Connect over UDP or TCP.
  • Test over UDP and TCP at the same time.
  • Use different methods, such as REGISTER, INVITE or OPTIONS.
  • Scan large network ranges.
  • Scan large port ranges.
  • Analyze responses using verbose mode.
  • Check whether the device exposes a web panel.
  • Make all the phones on a network ring at the same time (using the INVITE method).
  • Customize the User-Agent.
  • Save all operations into a database.
  • Run in silent mode.
  • Use multiple threads to run faster.
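As an added illustration of the probe described above (example code, not part of sipscan), the following Python builds a SIP OPTIONS request, parses the reply into the status and User-Agent fields that sipscan reports, and mirrors its UDP-then-TCP fallback. The sample reply, the "example-scanner" User-Agent string and the addresses are constructed assumptions, not values from the project.

```python
import re
import socket
import uuid

# Added example, not sipscan's own code: builds the OPTIONS probe that sipscan
# sends by default and parses the reply into the fields its results table shows.

# Constructed sample reply, shaped like an Asterisk PBX answering an OPTIONS probe.
SAMPLE_REPLY = ("SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.168.0.10:5060;branch=z9hG4bKabc\r\n"
                "User-Agent: Asterisk PBX 1.8.13.1\r\nContent-Length: 0\r\n\r\n")

def build_options(host, port, src_ip, user="100", user_agent="example-scanner"):
    """Return a minimal, well-formed SIP OPTIONS request (RFC 3261 shape)."""
    uid = uuid.uuid4().hex               # fresh Call-ID / branch / tag per probe
    return (f"OPTIONS sip:{user}@{host}:{port} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{uid[:16]};rport\r\n"
            f"From: <sip:{user}@{src_ip}>;tag={uid[16:24]}\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"Call-ID: {uid}@{src_ip}\r\nCSeq: 1 OPTIONS\r\nMax-Forwards: 70\r\n"
            f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n")

def parse_response(raw):
    """Extract status code, reason phrase and User-Agent/Server from a SIP reply."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not m:
        return None                      # not a SIP response at all
    info = {"code": int(m.group(1)), "reason": m.group(2), "user_agent": None}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("user-agent", "server"):
            info["user_agent"] = value.strip()
    return info

def probe(host, port=5060, proto="udp", timeout=2.0):
    """Send one OPTIONS probe over UDP or TCP; return the parsed reply or None."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, sock_type) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            src_ip = s.getsockname()[0]  # source address placed in Via/From (sipscan's -ip)
            s.send(build_options(host, port, src_ip).encode())
            return parse_response(s.recv(4096).decode(errors="replace"))
        except OSError:                  # timeout, refused, or ICMP unreachable
            return None

def probe_with_fallback(host, port=5060):
    """Mirror sipscan's default: try UDP first, then TCP if nothing answers."""
    return probe(host, port, "udp") or probe(host, port, "tcp")
```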

Usage

$ perl sipscan.pl 

SipSCAN - by Pepelux <pepeluxx@gmail.com>
-------

Usage: perl sipscan.pl -h <host> [options]
 
== Options ==
-m  <string>     = Method: REGISTER/INVITE/OPTIONS (default: OPTIONS)
-u  <string>     = Username
-s  <integer>    = Source number (CallerID) (default: 100)
-d  <integer>    = Destination number (default: 100)
-r  <integer>    = Remote port (default: 5060)
-proto <string>  = Protocol (udp, tcp or all (both of them) - By default: ALL)
-ip <string>     = Source IP (by default it is the same as host)
-db              = Save results into database (sippts.db)
-nolog           = Don't show anything on the console
-v               = Verbose (trace information)
-vv              = More verbose (more detailed trace)
 
== Examples ==
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1
        To search SIP services on 192.168.0.1 port 5060 (using OPTIONS method)
        To search several ranges
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1,192.168.2.0/24.192.168.3.1-192.168.20.200
        To search SIP services using INVITE method
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1 -m INVITE
        To search SIP services on 192.168.0.1 port 5060 (using INVITE method)
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.0/24 -v -proto tcp
        To search SIP services on 192.168.0.0 network by TCP connection (using OPTIONS method)
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1-192.168.0.100 -r 5060-5070 -vv
        To search SIP services on 192.168.0.100 ports from 5060 to 5070 (using OPTIONS method)
  • To search for SIP services on a single IP address, for example 192.168.0.1 port 5060 (using the OPTIONS method):
$ perl sipscan.pl -h 192.168.0.1
  • To search for SIP services on the 192.168.0.0 network (over TCP):
$ perl sipscan.pl -h 192.168.0.0/24 -proto tcp
  • To search a large range for SIP services (using the REGISTER method):
$ perl sipscan.pl -h 192.168.0.1-192.168.254.254 -m REGISTER
  • To search a large network range for SIP services on a large port range (using the INVITE method):
$ perl sipscan.pl -h 192.168.0.1-192.168.254.254 -r 5060-5090 -m INVITE
  • If you want to save all operations into a database, use the -db parameter:
$ perl sipscan.pl -h 192.168.0.1 -db
  • You can also run it in silent mode:
$ perl sipscan.pl -h 192.168.0.1 -db -nolog
  • 'pplsip' may be a known User-Agent that the target system blocks automatically. You can change it with the -ua parameter:
$ perl sipscan.pl -h 192.168.0.1-192.168.254.254 -ua myUserAgent

Example

$ perl sipscan.pl -h 192.168.0.0/24 -r 5060-5070
[+] 192.168.0.51:5060 - Sending OPTIONS 100 => 100
[-] 401 Unauthorized
[+] 192.168.0.55:5060 - Sending OPTIONS 100 => 100
[-] 200 OK
[+] 192.168.0.54:5060 - Sending OPTIONS 100 => 100
[-] 483 Too Many Hops

IP address      Port  Proto  User-Agent                              Web
==========      ====  =====  ==========                              ===
192.168.0.51    5060  udp    kamailio (4.2.1 (x86_64/linux))
192.168.0.51    5060  tcp    kamailio (4.2.1 (x86_64/linux))
192.168.0.55    5060  udp    Asterisk PBX 1.8.13.1~dfsg1-3+deb7u3
192.168.0.126   5064  udp    Grandstream GXP2130 1.0.9.69            80/tcp
192.168.0.153   5060  udp    Fanvil X6 1.4.5 0c383e1eb36c            80/tcp