2/11/2012

Scanning the world with Sipvicious


Hi, I´m scanning a large number of ranges with Sipvicious ("svmap.py") and I would like to share some tips which helped me during the process:

- The use of sessions (-s) and reports ("svreport.py") is necessary to prevent mixing of obtained data.

- It´s a good idea to scan not only port 5060, you should add successive ports because some sysadmins configure their SIP services to run there (-p5060-5065).

- There is a well known "problem" about SIP and NAT, if you have installed an Asterisk you have heard about it sure :(, so we need to specify our external IP address to Sipvicious with (-x) parameter. Moreover port 5060(Sipvicious outcoming port) has to be forwarded to host which is scanning, in case that you were scanning with more than one instance at the same time successive ports should be forwarded too. I usually put the host int the DMZ trying to avoid these problems.

- "svreport.py" tries to make a DNS lookup with the discovered IPs but it takes too much time in case of too many hosts so we can disable it (-n).

- Normally, some hosts aren't recognized and marked as "unknown", you could run tcpdump in order to capture the responses and avoid the loss of information.

- I wrote that dirty bash script which reflects exposed ideas:

Code:
-----------------------------------------
#!/bin/bash
# It scans ranges from a text file with sipvicious
# Use: ./scanRange.sh

SVMAP="/home/baguira/Installed/sipvicious/svmap.py"
SVREPORT="/home/baguira/Installed/sipvicious/svreport.py"

# just in case "unknown" devices
sudo tcpdump udp and dst host 192.168.9.5 -s 65535 -w capture1.pcap &
# scan all ranges
for RANGE in $(cat ranges1.txt)
do
RNAME=$(echo $RANGE | awk -F / '{print $1}')
EXTIP=$(curl -s icanhazip.com)
$SVMAP -p5060-5065 -s $RNAME -x $EXTIP --randomize $RANGE
NEXTIP=$(curl -s icanhazip.com)
# external ip change check
if [ "$EXTIP" != "$NEXTIP" ]
then
# wait until router finish reboot
sleep 180
$SVREPORT delete -s $RNAME
EXTIP=$(curl -s icanhazip.com)
$SVMAP -p5060-5065 -s $RNAME -x $EXTIP --randomize $RANGE
fi
$SVREPORT export -s $RNAME -f txt -o $RNAME.txt -n
done
sudo killall tcpdump > /dev/null

-----------------------------------------

To sum up I would like to thank Sandro Gauci (Sipvicious developer) for the software and for being really nice whith my doubts. Thank you man! ;)