Jose Luis Verdeguer edited this page May 21, 2019 · 9 revisions

Sipscan is a very fast scanner for SIP services over UDP. It is multithreaded and can scan large network ranges.


Sipscan works by sending well-formed SIP packets and waiting for valid responses. Nmap, for example, is a great tool for scanning networks, but over UDP it is better and faster to send well-formed SIP packets and wait for valid responses.

By default, Sipscan tries to connect over UDP. If the connection fails, it tries over TCP. You can also force it to use only UDP or only TCP.

Sipscan allows us to:

  • Identify PBX servers and SIP devices (SIP proxy, PBX, phone, gateway, etc).
  • Connect over UDP or TCP protocol.
  • Test over UDP and TCP at the same time.
  • Use different methods like REGISTER, INVITE or OPTIONS.
  • Scan large ranges of networks.
  • Scan large ranges of ports.
  • Analyze responses using verbose mode.
  • Check if there is a web panel.
  • Get all the phones on a network to ring at the same time (using INVITE as method).
  • Customize the User-Agent.
  • Save all operations into a database.
  • Run it in silent mode.
  • Use multithreading to run faster.


$ perl 

SipSCAN - by Pepelux <>

Usage: perl -h <host> [options]
== Options ==
-m  <string>     = Method: REGISTER/INVITE/OPTIONS (default: OPTIONS)
-u  <string>     = Username
-s  <integer>    = Source number (CallerID) (default: 100)
-d  <integer>    = Destination number (default: 100)
-r  <integer>    = Remote port (default: 5060)
-proto <string>  = Protocol (udp, tcp or all (both of them) - By default: ALL)
-ip <string>     = Source IP (by default it is the same as host)
-db              = Save results into database (sippts.db)
-nolog           = Don't show anything on the console
-v               = Verbose (trace information)
-vv              = More verbose (more detailed trace)
== Examples ==
$ perl /usr/share/sippts/ -h
        To search SIP services on port 5060 (using OPTIONS method)
        To search several ranges
$ perl /usr/share/sippts/ -h,
        To search SIP services using INVITE method
$ perl /usr/share/sippts/ -h -m INVITE
        To search SIP services on port 5060 (using INVITE method)
$ perl /usr/share/sippts/ -h -v -proto tcp
        To search SIP services on network by TCP connection (using OPTIONS method)
$ perl /usr/share/sippts/ -h -r 5060-5070 -vv
        To search SIP services on ports from 5060 to 5070 (using OPTIONS method)
  • To search SIP services on a single IP address, for example on port 5060 (using OPTIONS method).
$ perl -h
  • To search SIP services on network (over TCP connection).
$ perl -h -proto tcp
  • To search a large range of SIP services (using REGISTER method).
$ perl -h -m REGISTER
  • To search a large network range of SIP services on a large port range (using INVITE method).
$ perl -h -r 5060-5090 -m INVITE
  • If you want to save all operations into a database, use the -db parameter.
$ perl -h -db
  • You can also run it in silent mode.
$ perl -h -db -nolog
  • 'pplsip' may be a known User-Agent that the system blocks automatically. You can change it with the -ua parameter.
$ perl -h -ua myUserAgent
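
Seen from the defending side, the traffic described above can be recognized in two ways: by the 'pplsip' User-Agent and, because -ua can change that value, by one source sending OPTIONS, REGISTER or INVITE requests to many ip:port targets. The Python code below is an added example and not part of sippts; the function names, the fan-out threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SCAN_METHODS = {"OPTIONS", "REGISTER", "INVITE"}  # methods sipscan can send
KNOWN_SCANNER_UAS = ("pplsip",)                   # User-Agent named on this page
FANOUT_THRESHOLD = 5   # assumed: distinct ip:port targets per source before alerting

def parse_sip_request(raw):
    """Return (method, headers) for a SIP request, None for responses or garbage."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"^([A-Z]+) sips?:\S+ SIP/2\.0$", lines[0])
    if not m:
        return None
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    return m.group(1), headers

def detect(events):
    """Map each source of (src, dst_ip, dst_port, raw) events to its sweep indicators."""
    targets, findings = defaultdict(set), defaultdict(set)
    for src, dst, port, raw in events:
        parsed = parse_sip_request(raw)
        if parsed is None or parsed[0] not in SCAN_METHODS:
            continue
        ua = parsed[1].get("user-agent", "").lower()
        if any(known in ua for known in KNOWN_SCANNER_UAS):
            findings[src].add("scanner-user-agent")
        targets[src].add((dst, port))
        if len(targets[src]) >= FANOUT_THRESHOLD:
            findings[src].add("fan-out")  # fires even when the User-Agent was changed
    return dict(findings)

def _msg(method, dst, ua):
    # Constructed sample request; addresses come from RFC 5737 documentation ranges.
    return (f"{method} sip:100@{dst} SIP/2.0\r\n"
            f"From: <sip:100@{dst}>;tag=1\r\nTo: <sip:100@{dst}>\r\n"
            f"Call-ID: constructed\r\nCSeq: 1 {method}\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

SAMPLE_EVENTS = (
    [("198.51.100.7", "192.0.2.10", p, _msg("OPTIONS", "192.0.2.10", "myUserAgent"))
     for p in range(5060, 5066)]  # port sweep with a renamed User-Agent
    + [("198.51.100.8", "192.0.2.10", 5060, _msg("OPTIONS", "192.0.2.10", "pplsip"))]
    + [("192.0.2.50", "192.0.2.10", 5060, _msg("REGISTER", "192.0.2.10", "Grandstream GXP2130"))]
)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

On the constructed sample, the port sweep is flagged for fan-out despite its renamed User-Agent, the single 'pplsip' probe is flagged by User-Agent, and the lone REGISTER from a phone is not flagged.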


$ perl -h -r 5060-5070
[+] - Sending OPTIONS 100 => 100
[-] 401 Unauthorized
[+] - Sending OPTIONS 100 => 100
[-] 200 OK
[+] - Sending OPTIONS 100 => 100
[-] 483 Too Many Hops

IP address    Port    Proto   User-Agent                          Web
==========    ====    =====   ==========                          ===
              5060    udp     kamailio (4.2.1 (x86_64/linux))
              5060    tcp     kamailio (4.2.1 (x86_64/linux))
              5060    udp     Asterisk PBX
              5064    udp     Grandstream GXP2130                 80/tcp
              5060    udp     Fanvil X6 1.4.5 0c383e1eb36c        80/tcp