| Server IP : 80.87.202.40 / Your IP : 216.73.216.169 Web Server : Apache System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64 User : bitrix ( 600) PHP Version : 8.2.27 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /usr/share/nmap/scripts/ |
Upload File : |
local nmap = require "nmap"
local shortport = require "shortport"
local sip = require "sip"
local stdnse = require "stdnse"
description = [[
Spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.)
This works by sending a fake sip invite request to the target phone and checking
the responses. A response with status code 180 means that the phone is ringing.
The script waits for the next responses until timeout is reached or a special
response is received. Special responses include: Busy (486), Decline (603),
Timeout (408) or Hang up (200).
]]
---
--@args sip-call-spoof.ua Source application's user agent. Defaults to
-- <code>Ekiga</code>.
--
--@args sip-call-spoof.from Caller user ID. Defaults to <code>Home</code>.
--
--@args sip-call-spoof.extension SIP Extension to send request from. Defaults to
-- <code>100</code>.
--
--@args sip-call-spoof.src Source address to spoof.
--
--@args sip-call-spoof.timeout Time to wait for a response. Defaults to
-- <code>5s</code>
--
-- @usage
-- nmap --script=sip-call-spoof -sU -p 5060 <targets>
-- nmap --script=sip-call-spoof -sU -p 5060 --script-args
-- 'sip-call-spoof.ua=Nmap, sip-call-spoof.from=Boss' <targets>
--
--@output
-- 5060/udp open sip
-- | sip-call-spoof:
-- |_ Target hung up. (After 10.9 seconds)
author = "Hani Benhabiles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}
portrule = shortport.port_or_service(5060, "sip", {"tcp", "udp"})
--- Function that sends an invite request with given parameters.
-- @arg session SIP Session to use.
-- @arg ua User Agent to use.
-- @arg from SIP From field.
-- @arg src Request source address to spoof.
-- @arg extension Request SIP extension.
-- @return status True if we got a response, false else.
-- @return resp Response table if status is true, error string else.
local sendinvite = function(session, ua, from, src, extension)
local request = sip.Request:new(sip.Method.INVITE)
request:setUri("sip:" .. session.sessdata:getServer())
request:setUA(ua)
if src then
session.sessdata:setDomain(src)
end
session.sessdata:setUsername(extension)
session.sessdata:setName(from)
request:setSessionData(session.sessdata)
return session:exch(request)
end
--- Function that waits for certain responses for an amount of time.
-- @arg session SIP Session to use.
-- @arg timeout Max time to wait for responses other than ringing.
-- @return ringing True if we got a ringing response, false else.
-- @return responsecode Code for the latest meaningful response.
-- could be 180, 200, 486, 408 or 603
local waitresponses = function(session,timeout)
local response, status, data, responsecode, ringing, waittime
local start = nmap.clock_ms()
while (nmap.clock_ms() - start) < timeout do
status, data = session.conn:recv()
if status then
response = sip.Response:new(data)
responsecode = response:getErrorCode()
waittime = nmap.clock_ms() - start
if responsecode == sip.Error.RING then
ringing = true
elseif responsecode == sip.Error.BUSY then
return ringing, sip.Error.BUSY
elseif responsecode == sip.Error.DECLINE then
return ringing, sip.Error.DECLINE, waittime
elseif responsecode == sip.Error.OK then
return ringing, sip.Error.OK, waittime
elseif responsecode == sip.Error.TIMEOUT then
return ringing, sip.Error.OK
end
end
end
if ringing then
return ringing, sip.Error.RING
end
end
--- Function that spoofs an invite request and listens for responses.
-- @arg session SIP Session to use.
-- @arg ua User Agent to use.
-- @arg from SIP From field.
-- @arg src Request source address to spoof.
-- @arg extension Request SIP extension.
-- @arg timeout Max time to wait for responses other than ringing.
-- @return ringing True if we got a ringing response, false else.
-- @return responsecode Code for the latest meaningful response.
-- could be 180, 200, 486, 408 or 603
local invitespoof = function(session, ua, from, src, extension, timeout)
local status, response = sendinvite(session, ua, from, src, extension)
-- check if we got a 100 Trying response.
if status and response:getErrorCode() == 100 then
-- wait for responses
return waitresponses(session, timeout)
end
end
action = function(host, port)
local status, session
local ua = stdnse.get_script_args(SCRIPT_NAME .. ".ua") or "Ekiga"
local from = stdnse.get_script_args(SCRIPT_NAME .. ".from") or "Home"
local src = stdnse.get_script_args(SCRIPT_NAME .. ".src")
local extension = stdnse.get_script_args(SCRIPT_NAME .. ".extension") or 100
local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout"))
-- Default timeout value = 5 seconds.
timeout = (timeout or 5) * 1000
session = sip.Session:new(host, port)
status = session:connect()
if not status then
return stdnse.format_output(false, "Failed to connect to the SIP server.")
end
local ringing, result, waittime = invitespoof(session, ua, from, src, extension, timeout)
-- If we get a response, we set the port to open.
if result then
if nmap.get_port_state(host, port) ~= "open" then
nmap.set_port_state(host, port, "open")
end
end
-- We check for ringing to skip false positives.
if ringing then
if result == sip.Error.BUSY then
return stdnse.format_output(true, "Target line is busy.")
elseif result == sip.Error.DECLINE then
return stdnse.format_output(true, ("Target declined the call. (After %.1f seconds)"):format(waittime / 1000))
elseif result == sip.Error.OK then
return stdnse.format_output(true, ("Target hung up. (After %.1f seconds)"):format(waittime / 1000))
elseif result == sip.Error.TIMEOUT then
return stdnse.format_output(true, "Ringing, no answer.")
elseif result == sip.Error.RING then
return stdnse.format_output(true, "Ringing, got no answer. (script timeout)")
end
else
stdnse.debug1("Target phone didn't ring.")
end
end