local shortport = require "shortport"
local sip = require "sip"
local stdnse = require "stdnse"
local table = require "table"
description = [[
Spoofs a call to a SIP phone and detects the action taken by the target.
This works by sending a fake sip invite request to the target phone and checking
the responses. A response with status code 180 means that the phone is ringing.
The script waits for the next responses until timeout is reached or a special
response is received. Special responses include: Busy (486), Decline (603),
Timeout (408) or Hang up (200).
]]
---
--@args sip-call-spoof.ua Source application's user agent. Defaults to
-- Ekiga
.
--
--@args sip-call-spoof.from Caller user ID. Defaults to Home
.
--
--@args sip-call-spoof.extension SIP Extension to send request from. Defaults to
-- 100
.
--
--@args sip-call-spoof.src Source address to spoof.
--
--@args sip-call-spoof.timeout Time to wait for a response. Defaults to
-- 5
seconds.
--
-- @usage
-- nmap --script=sip-call-spoof -sU -p 5060
-- nmap --script=sip-call-spoof -sU -p 5060 --script-args
-- 'sip-call-spoof.ua=Nmap, sip-call-spoof.from=Boss'
--
--@output
-- 5060/udp open sip
-- | sip-call-spoof:
-- |_ Target hung up. (After 10.9 seconds)
author = "Hani Benhabiles"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}
portrule = shortport.port_or_service(5060, "sip", {"tcp", "udp"})
--- Function that sends an invite request with given parameters.
-- @arg session SIP Session to use.
-- @arg ua User Agent to use.
-- @arg from SIP From field.
-- @arg src Request source address to spoof.
-- @arg extension Request SIP extension.
-- @return status True if we got a response, false else.
-- @return resp Response table if status is true, error string else.
local sendinvite = function(session, ua, from, src, extension)
local request = sip.Request:new(sip.Method.INVITE)
request:setUri("sip:" .. session.sessdata:getServer())
request:setUA(ua)
if src then
session.sessdata:setDomain(src)
end
session.sessdata:setUsername(extension)
session.sessdata:setName(from)
request:setSessionData(session.sessdata)
return session:exch(request)
end
--- Function that waits for certain responses for an amount of time.
-- @arg session SIP Session to use.
-- @arg timeout Max time to wait for responses other than ringing.
-- @return ringing True if we got a ringing response, false else.
-- @return responsecode Code for the latest meaningful response.
-- could be 180, 200, 486, 408 or 603
local waitresponses = function(session,timeout)
local response, status, data, responsecode, ringing, waittime
local start = nmap.clock_ms()
while (nmap.clock_ms() - start) < timeout do
status, data = session.conn:recv()
if status then
response = sip.Response:new(data)
responsecode = response:getErrorCode()
waittime = nmap.clock_ms() - start
if responsecode == sip.Error.RING then
ringing = true
elseif responsecode == sip.Error.BUSY then
return ringing, sip.Error.BUSY
elseif responsecode == sip.Error.DECLINE then
return ringing, sip.Error.DECLINE, waittime
elseif responsecode == sip.Error.OK then
return ringing, sip.Error.OK, waittime
elseif responsecode == sip.Error.TIMEOUT then
return ringing, sip.Error.OK
end
end
end
if ringing then
return ringing, sip.Error.RING
end
end
--- Function that spoofs an invite request and listens for responses.
-- @arg session SIP Session to use.
-- @arg ua User Agent to use.
-- @arg from SIP From field.
-- @arg src Request source address to spoof.
-- @arg extension Request SIP extension.
-- @arg timeout Max time to wait for responses other than ringing.
-- @return ringing True if we got a ringing response, false else.
-- @return responsecode Code for the latest meaningful response.
-- could be 180, 200, 486, 408 or 603
local invitespoof = function(session, ua, from, src, extension, timeout)
local status, response = sendinvite(session, ua, from, src, extension)
-- check if we got a 100 Trying response.
if status and response:getErrorCode() == 100 then
-- wait for responses
return waitresponses(session, timeout)
end
end
action = function(host, port)
local status, session
local ua = stdnse.get_script_args(SCRIPT_NAME .. ".ua") or "Ekiga"
local from = stdnse.get_script_args(SCRIPT_NAME .. ".from") or "Home"
local src = stdnse.get_script_args(SCRIPT_NAME .. ".src")
local extension = stdnse.get_script_args(SCRIPT_NAME .. ".extension") or 100
local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout"))
-- Default timeout value = 5 seconds.
if timeout then
timeout = timeout * 1000
else
timeout = 5000
end
session = sip.Session:new(host, port)
status = session:connect()
if not status then
return "ERROR: Failed to connect to the SIP server."
end
local ringing, result, waittime = invitespoof(session, ua, from, src, extension, timeout)
-- If we get a response, we set the port to open.
if result then
if nmap.get_port_state(host, port) ~= "open" then
nmap.set_port_state(host, port, "open")
end
end
-- We check for ringing to skip false positives.
if ringing then
if result == sip.Error.BUSY then
return stdnse.format_output(true, "Target line is busy.")
elseif result == sip.Error.DECLINE then
return stdnse.format_output(true, ("Target declined the call. (After %.1f seconds)"):format(waittime / 1000))
elseif result == sip.Error.OK then
return stdnse.format_output(true, ("Target hung up. (After %.1f seconds)"):format(waittime / 1000))
elseif result == sip.Error.TIMEOUT then
return stdnse.format_output(true, "Ringing, no answer.")
elseif result == sip.Error.RING then
return stdnse.format_output(true, "Ringing, got no answer. (script timeout)")
end
else
stdnse.print_debug(SCRIPT_NAME .. "Target phone didn't ring.")
end
end