Shodan may find your SIP server

snuyzm
Posts: 97
Joined: Wed Feb 11, 2015 10:12 pm

Shodan may find your SIP server

Post by snuyzm »

1. Brekeke Product Name and Version: ANY

It seems Shodan (http://www.shodan.io/) uses Nmap (http://nmap.org/) to search for SIP servers.

If you are using Brekeke SIP Server version 3.0 or later, use this dialplan to hide your server.

[Matching Patterns]
$request = ^OPTIONS
From = sip:nm@nm
To = sip:nm2@nm2
Call-ID = 50000

[Deploy Patterns]
$action = block
mbylica
Posts: 41
Joined: Mon May 16, 2011 1:05 pm
Location: Poland

Post by mbylica »

How do you know that it should block the request?

Do you have any example OPTIONS message to take a look?
Are From/To/Call-ID headers always the same?

Thanks.
snuyzm
Posts: 97
Joined: Wed Feb 11, 2015 10:12 pm

Post by snuyzm »

nmap's OPTIONS packet:

OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/TCP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

Source

local sipprobe = "OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/UDP nm;branch=foo;rport\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n"
https://github.com/mcmasterathl/scan-to ... r-plus.nse
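
Added example, not part of the original posts and not Brekeke or Nmap code: an offline check that applies the same three-field match as the dialplan above (From, To, Call-ID on an OPTIONS request) to captured SIP messages, so you can see that the TCP and UDP probes quoted in this thread both match while an ordinary keep-alive does not. The function names and the keep-alive sample are assumptions made for illustration; the parser also accepts the RFC 3261 compact header names (`f`, `t`, `i`), which goes beyond the probe shown in the thread.

```python
import re

# Fixed header values taken from the probe quoted in this thread.
NMAP_PROBE = {"from": "sip:nm@nm", "to": "sip:nm2@nm2", "call-id": "50000"}
# RFC 3261 compact header forms for the three fields we care about.
COMPACT = {"f": "from", "t": "to", "i": "call-id"}


def parse_sip(raw):
    """Return (method, headers) for a raw SIP request; header names lowercased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), value.strip())
    return method, headers


def uri_of(value):
    """Extract the bare URI from a value such as '<sip:nm@nm>;tag=root'."""
    m = re.search(r"<([^>]*)>", value)
    return (m.group(1) if m else value.split(";", 1)[0]).strip().lower()


def is_nmap_probe(raw):
    """True only for an OPTIONS request carrying all three fixed probe values."""
    method, h = parse_sip(raw)
    return (method == "OPTIONS"
            and uri_of(h.get("from", "")) == NMAP_PROBE["from"]
            and uri_of(h.get("to", "")) == NMAP_PROBE["to"]
            and h.get("call-id", "") == NMAP_PROBE["call-id"])


# Samples: the TCP and UDP probes as quoted in the thread, plus a constructed
# keep-alive OPTIONS using documentation-range addresses (hypothetical).
TCP_PROBE = ("OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP nm;branch=foo\r\n"
             "From: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\n"
             "CSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n"
             "Contact: <sip:nm@nm>\r\nAccept: application/sdp\r\n\r\n")
UDP_PROBE = TCP_PROBE.replace("/TCP nm;branch=foo", "/UDP nm;branch=foo;rport")
KEEPALIVE = ("OPTIONS sip:pbx.example.com SIP/2.0\r\n"
             "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK1\r\n"
             "From: <sip:monitor@example.com>;tag=a1\r\nTo: <sip:pbx.example.com>\r\n"
             "Call-ID: 7f3a@192.0.2.10\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("tcp", TCP_PROBE), ("udp", UDP_PROBE), ("keepalive", KEEPALIVE)):
        print(label, is_nmap_probe(msg))
```

Only the Via line differs between the two probes, which is why matching on From, To and Call-ID covers both transports.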