Sipscan is a very fast scanner for SIP services over UDP. It is multithreaded and can scan large network ranges.
Sipscan works by sending well-formed SIP packets and waiting for valid responses. Nmap is a great tool for scanning networks, but over UDP it is better and faster to send well-formed SIP packets and wait for valid responses.
By default, Sipscan tries to connect over UDP. If the connection fails, it tries over TCP. You can also force it to use only UDP or only TCP.
Sipscan allows us to:
- Identify PBX servers and SIP devices (SIP proxy, PBX, phone, gateway, etc.).
- Connect over UDP or TCP protocol.
- Test over UDP and TCP at the same time.
- Use different methods like REGISTER, INVITE or OPTIONS.
- Scan large ranges of networks.
- Scan large ranges of ports.
- Analyze responses using verbose mode.
- Check if there is a web panel.
- Get all the phones on a network to ring at the same time (using the INVITE method).
- Customize the UserAgent.
- Save all operations into a database.
- Run in silent mode.
- Use multithreading to run faster.
$ perl sipscan.pl

SipSCAN - by Pepelux <email@example.com>
-------

Usage: perl sipscan.pl -h <host> [options]

== Options ==
-m <string>      = Method: REGISTER/INVITE/OPTIONS (default: OPTIONS)
-u <string>      = Username
-s <integer>     = Source number (CallerID) (default: 100)
-d <integer>     = Destination number (default: 100)
-r <integer>     = Remote port (default: 5060)
-proto <string>  = Protocol (udp, tcp or all (both of them) - By default: ALL)
-ip <string>     = Source IP (by default it is the same as host)
-db              = Save results into database (sippts.db)
-nolog           = Don't show anything on the console
-v               = Verbose (trace information)
-vv              = More verbose (more detailed trace)

== Examples ==
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1
    To search SIP services on 192.168.0.1 port 5060 (using OPTIONS method)
    To search several ranges
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1,192.168.2.0/22.214.171.124.1-192.168.20.200
    To search SIP services using INVITE method
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1 -m INVITE
    To search SIP services on 192.168.0.1 port 5060 (using INVITE method)
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.0/24 -v -proto tcp
    To search SIP services on 192.168.0.0 network by TCP connection (using OPTIONS method)
$ perl /usr/share/sippts/sipscan.pl -h 192.168.0.1-192.168.0.100 -r 5060-5070 -vv
    To search SIP services on 192.168.0.100 ports from 5060 to 5070 (using OPTIONS method)

- To search SIP services on a single IP address, for example 192.168.0.1 port 5060 (using OPTIONS method).
$ perl sipscan.pl -h 192.168.0.1
- To search SIP services on 192.168.0.0 network (over TCP connection).
$ perl sipscan.pl -h 192.168.0.0/24 -proto tcp
- To search a large range of SIP services (using REGISTER method).
$ perl sipscan.pl -h 192.168.0.1-192.168.254.254 -m REGISTER
- To search a large network range of SIP services on a large port range (using INVITE method).
$ perl sipscan.pl -h 192.168.0.1-192.168.254.254 -r 5060-5090 -m INVITE
- If you want to save all operations into a database, you can use the -db parameter.
$ perl sipscan.pl -h 192.168.0.1 -db
- You can also run it in silent mode.
$ perl sipscan.pl -h 192.168.0.1 -db -nolog
- 'pplsip' may be a known UserAgent that the system automatically blocks. You can change it with the -ua parameter.
$ perl sipscan.pl -h 192.168.0.1-192.168.254.254 -ua myUserAgent

$ perl sipscan.pl -h 192.168.0.0/24 -r 5060-5070

[+] 192.168.0.51:5060 - Sending OPTIONS 100 => 100
[-] 401 Unauthorized
[+] 192.168.0.55:5060 - Sending OPTIONS 100 => 100
[-] 200 OK
[+] 192.168.0.54:5060 - Sending OPTIONS 100 => 100
[-] 483 Too Many Hops

IP address      Port   Proto   User-Agent                                   Web
==========      ====   =====   ==========                                   ===
192.168.0.51    5060   udp     kamailio (4.2.1 (x86_64/linux))
192.168.0.51    5060   tcp     kamailio (4.2.1 (x86_64/linux))
192.168.0.55    5060   udp     Asterisk PBX 126.96.36.199~dfsg1-3+deb7u3
192.168.0.126   5064   udp     Grandstream GXP2130 188.8.131.52             80/tcp
192.168.0.153   5060   udp     Fanvil X6 1.4.5 0c383e1eb36c                 80/tcp
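
From the defender's side, the traffic described on this page can be recognised in SIP logs: by the 'pplsip' UserAgent where it is left unchanged, and by one source sending OPTIONS, INVITE or REGISTER to many host:port targets where it is not. The following Python is an added example, not part of Sipscan; the event tuple layout, the sample messages and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: (source IP, destination ip:port, raw SIP request).
SAMPLE = [
    ("10.0.0.9", f"192.168.0.{h}:5060",
     f"OPTIONS sip:100@192.168.0.{h} SIP/2.0\r\n"
     "From: <sip:100@10.0.0.9>;tag=a1\r\n"
     f"To: <sip:100@192.168.0.{h}>\r\nUser-Agent: myUserAgent\r\n\r\n")
    for h in range(50, 56)
] + [
    ("10.0.0.7", "192.168.0.51:5060",
     "OPTIONS sip:100@192.168.0.51 SIP/2.0\r\n"
     "From: <sip:100@10.0.0.7>;tag=b2\r\n"
     "To: <sip:100@192.168.0.51>\r\nUser-Agent: pplsip\r\n\r\n"),
    ("192.168.0.126", "192.168.0.55:5060",
     "REGISTER sip:192.168.0.55 SIP/2.0\r\n"
     "From: <sip:204@192.168.0.55>;tag=c3\r\n"
     "To: <sip:204@192.168.0.55>\r\nUser-Agent: Grandstream GXP2130\r\n\r\n"),
]
SCAN_METHODS = {"OPTIONS", "INVITE", "REGISTER"}  # methods listed on the page
KNOWN_SCANNER_UA = {"pplsip"}                     # UserAgent named on the page
FANOUT_THRESHOLD = 5   # assumed: distinct targets before a source is flagged

def parse_request(raw):
    """Return (method, lower-cased header dict), or None if not a SIP request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", head[0])
    if not m:
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def detect_scanners(events):
    """Map each suspicious source IP to the set of reasons it was flagged."""
    targets, reasons = defaultdict(set), defaultdict(set)
    for src, dst, raw in events:
        parsed = parse_request(raw)
        if parsed is None or parsed[0] not in SCAN_METHODS:
            continue
        if parsed[1].get("user-agent", "").lower() in KNOWN_SCANNER_UA:
            reasons[src].add("known-scanner-ua")
        targets[src].add(dst)   # UA can be changed, so also count fan-out
        if len(targets[src]) >= FANOUT_THRESHOLD:
            reasons[src].add("fan-out")
    return dict(reasons)
```

On the constructed sample, the source using a custom UserAgent is still flagged by fan-out, while the single phone registering to its PBX is not flagged.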