May 7, 2013

UDP Port Scanning Using SIP Proxies

Port scanning is an important phase of network mapping: all later attacks and all collected information rely on it. It is even more important when discovering VoIP networks, because of their UDP- and IP-based trust infrastructure. We can discover network services and SIP services via a UDP scan, but we can only detect servers that are directly accessible. We need more information to execute SIP trust-based attacks.

However, a simple technique helps us discover inaccessible SIP servers. SIP proxies forward SIP requests to the host named in the SIP URI. When a request carries a URI of the form "sip:HOST:PORT", the proxy tries to forward the request to the target HOST and PORT. The proxy returns HOST's response if there is one; otherwise a timeout error is generated. We can use this configuration to scan inaccessible servers such as trusted servers, 3rd-party servers and private gateway services.

I developed a PoC scanning module to scan 3rd-party servers via SIP proxies. It is useful for UDP-based SIP server discovery. The module reports accessible servers, their ports and the SIP service software. I prepared a demo: below, the scanning module is used to discover ports on 192.168.1.146 and 192.168.1.203. The vulnerable SIP proxy is 192.168.1.145, and we scan a port range on the target hosts.
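From the proxy operator's side, the same forwarding behaviour leaves a clear trace: one source making the proxy relay requests to many distinct HOST:PORT targets that are outside the domains the proxy serves. The following is an added example (not part of the original post and not Viproy code) that flags that pattern in a proxy request log; the log line format, the SERVED_DOMAINS set and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a SIP proxy's request log (assumed format, not from
# the original post): "<epoch> <src_ip> <request line>".
SAMPLE_LOG = """\
1367900001 10.0.0.7 OPTIONS sip:192.168.1.146:5058 SIP/2.0
1367900001 10.0.0.7 OPTIONS sip:192.168.1.146:5059 SIP/2.0
1367900002 10.0.0.7 OPTIONS sip:192.168.1.146:5060 SIP/2.0
1367900002 10.0.0.7 OPTIONS sip:192.168.1.203:5060 SIP/2.0
1367900003 10.0.0.7 OPTIONS sip:192.168.1.203:5061 SIP/2.0
1367900003 10.0.0.7 OPTIONS sip:192.168.1.203:5062 SIP/2.0
1367900004 10.0.0.9 INVITE sip:1001@sip.example.com SIP/2.0
1367900005 10.0.0.9 REGISTER sip:sip.example.com SIP/2.0
"""

# Domains/addresses this proxy is responsible for (assumed values).
SERVED_DOMAINS = {"sip.example.com", "192.168.1.145"}

# epoch, source, method, optional user@, host, optional :port
REQ_RE = re.compile(r"^(\d+) (\S+) (\w+) sips?:(?:[^@\s]+@)?([^\s:;>]+)(?::(\d+))?")

def parse_line(line):
    """Return (ts, src, method, host, port) or None for an unparseable line.
    A Request-URI without an explicit port defaults to 5060."""
    m = REQ_RE.match(line)
    if not m:
        return None
    ts, src, method, host, port = m.groups()
    return int(ts), src, method, host.lower(), int(port) if port else 5060

def is_foreign_target(host):
    """True when the Request-URI host is not a domain this proxy serves,
    i.e. the proxy would be acting as an open relay for it."""
    return host not in SERVED_DOMAINS

def find_relay_scans(log_text, window=60, min_targets=5):
    """Map src -> sorted distinct foreign HOST:PORT targets for every source
    that hit at least min_targets of them within `window` seconds of its
    first foreign request. Such a source is probing through the proxy."""
    first_seen, targets = {}, defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _method, host, port = rec
        if not is_foreign_target(host):
            continue
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] <= window:
            targets[src].add(f"{host}:{port}")
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}
```

The real fix is to stop relaying for hosts outside SERVED_DOMAINS; the detector is for catching proxies where that restriction is not yet in place.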

Viproy VoIP Penetration and Exploitation Kit - Github Page
http://github.com/fozavci/viproy-voipkit

Viproy VoIP Penetration and Exploitation Kit - Homepage
http://www.viproy.com/voipkit

msf auxiliary(vsipportscan-options) > show options 

Module options (auxiliary/scanner/sip/vsipportscan-options):

   Name             Current Setting              Required  Description
   ----             ---------------              --------  -----------
   CHOST            192.168.1.100                no        The local client address
   CPORT            5091                         no        The local client port
   RHOSTS           192.168.1.146 192.168.1.203  yes       IP Range for UDP Port Scan
   RPORTS           5060-5065                    yes       Port Range for UDP Port Scan
   SIP_SERVER_IP    192.168.1.145                yes       Vulnerable SIP Server IP
   SIP_SERVER_PORT  5060                         yes       Vulnerable SIP Server Port
   THREADS          1                            yes       The number of concurrent threads

msf auxiliary(vsipportscan-options) > set RPORTS 5058-5062
RPORTS => 5058-5062

msf auxiliary(vsipportscan-options) > set VERBOSE true
VERBOSE => true

msf auxiliary(vsipportscan-options) > run

[*] Starting SIP Socket on 192.168.1.100:5091
[*] Sending Packet for 192.168.1.146:5058
[*] 192.168.1.146 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5059
[*] 192.168.1.146 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5060
[+] 192.168.1.146 5060 is Open
    Server : FPBX-2.11.0beta2(11.2.1)

[*] Sending Packet for 192.168.1.146:5061
[*] 192.168.1.146 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5062
[*] 192.168.1.146 5062 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5058
[*] 192.168.1.203 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5059
[*] 192.168.1.203 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5060
[+] 192.168.1.203 5060 is Open
    User-Agent : 3CXPhoneSystem 11.0.28976.849 (28862)

[*] Sending Packet for 192.168.1.203:5061
[*] 192.168.1.203 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5062
[*] 192.168.1.203 5062 is Close/Filtered

[*] Stopping SIP Sockets...
[*] Auxiliary module execution completed