
Untitled

a guest
Jan 12th, 2017
#!/usr/bin/perl
# -=-=-=-=-=-=
# Sipscan v1.0
# -=-=-=-=-=-=
#
# Pepelux <pepeluxx[at]gmail[dot]com>
use strict;
use warnings;
use threads;
use threads::shared;
use Digest::MD5;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Getopt::Long;
use IO::Socket;
use NetAddr::IP;
  17. my $maxthreads = 300;
  18. my $time_ping = 2; # wait secs
  19.  
  20. my $threads : shared = 0;
  21. my $found : shared = 0;
  22. my $count : shared = 0;
  23. my $percent : shared = 0;
  24. my @range;
  25. my @results;
  26.  
  27. my $host = ''; # hosts to scan
  28. my $port = ''; # ports to scan
  29. my $method = ''; # method to use (INVITE, REGISTER, OPTIONS)
  30. my $v = 0; # verbose mode
  31.  
  32. my $user = "100";
  33. my $pass = "aaaaaa";
  34. my $lport = "5061";
  35. my $myip = "anonymous";
  36. my $tmpfile = "sipscan".time().".txt";
  37.  
  38. open(OUTPUT,">$tmpfile");
  39.  
  40. OUTPUT->autoflush(1);
  41. STDOUT->autoflush(1);
  43. sub init() {
  44. my $pini;
  45. my $pfin;
  46.  
  47. if ($^O =~ /Win/) {system("cls");}else{system("clear");}
  48.  
  49. # check params
  50. my $result = GetOptions ("h=s" => \$host,
  51. "m=s" => \$method,
  52. "p=s" => \$port,
  53. "v+" => \$v);
  54.  
  55. help() if ($host eq "");
  56.  
  57. $port = "5060" if ($port eq "");
  58. $method = uc($method);
  59. $method = "OPTIONS" if ($method eq "");
  60.  
  61. if ($host =~ /\-/) {
  62. my $ip = $host;
  63.  
  64. $ip =~ /([0-9|\.]*)-([0-9|\.]*)/;
  65. my $ipini = $1;
  66. my $ipfin = $2;
  67.  
  68. my $ip2 = $ipini;
  69. $ip2 =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/;
  70. my $ip2_1 = int($1);
  71. my $ip2_2 = int($2);
  72. my $ip2_3 = int($3);
  73. my $ip2_4 = int($4);
  74.  
  75. my $ip3 = $ipfin;
  76. $ip3 =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/;
  77. my $ip3_1 = int($1);
  78. my $ip3_2 = int($2);
  79. my $ip3_3 = int($3);
  80. my $ip3_4 = int($4);
  81.  
  82. for (my $i1 = $ip2_1; $i1 <= $ip3_1; $i1++) {
  83. for (my $i2 = $ip2_2; $i2 <= $ip3_2; $i2++) {
  84. for (my $i3 = $ip2_3; $i3 <= $ip3_3; $i3++) {
  85. for (my $i4 = $ip2_4; $i4 <= $ip3_4; $i4++) {
  86. $ip = "$i1.$i2.$i3.$i4";
  87. push @range, $ip;
  88. }
  89. }
  90. }
  91. }
  92.  
  93. }
  94. else {
  95. my $ip = new NetAddr::IP($host);
  96.  
  97. if ($ip < $ip->broadcast) {
  98. $ip++;
  99.  
  100. while ($ip < $ip->broadcast) {
  101. my $ip2 = $ip;
  102. $ip2 =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/;
  103. $ip2 = "$1.$2.$3.$4";
  104. push @range, $ip2;
  105. $ip++;
  106. }
  107. }
  108. else {
  109. push @range, $host;
  110. }
  111. }
  112.  
  113. if ($port =~ /\-/) {
  114. $port =~ /([0-9]*)-([0-9]*)/;
  115. $pini = $1;
  116. $pfin = $2;
  117. }
  118. else {
  119. $pini = $port;
  120. $pfin = $port;
  121. }
  122.  
  123. my $nhost = @range;
  124.  
  125. for (my $i = 0; $i <= $nhost; $i++) {
  126. for (my $j = $pini; $j <= $pfin; $j++) {
  127. while (1) {
  128. if ($threads < $maxthreads) {
  129. last unless defined($range[$i]);
  130. my $thr = threads->new(\&scan, $range[$i], $j);
  131. $thr->detach();
  132. $percent = ($count/($nhost*($pfin-$pini+1)))*100;
  133. $percent = sprintf("%.1f", $percent);
  134. print "THREADS: $threads || STATUS: $percent% || FOUND: $found \r";
  135.  
  136. last;
  137. }
  138. else {
  139. sleep(1);
  140. }
  141. }
  142. }
  143. }
  144.  
  145. sleep(1);
  146.  
  147. close(OUTPUT);
  148.  
  149. print "THREADS: 0 || STATUS: 100% || FOUND: $found \r\n";
  150.  
  151. open(OUTPUT, $tmpfile);
  152.  
  153. print "\nIP:port\t\t\t User-Agent\n";
  154. print "=======\t\t\t ==========\n";
  155.  
  156. my @results = <OUTPUT>;
  157. close (OUTPUT);
  158.  
  159. unlink($tmpfile);
  160.  
  161. @results = sort(@results);
  162.  
  163. foreach(@results) {
  164. print $_;
  165. }
  166.  
  167. print "\n";
  168.  
  169. exit;
  170. }
  172. sub scan {
  173. my $ip = shift;
  174. my $nport = shift;
  175.  
  176. if ($method eq "REGISTER") {
  177. register($ip, $nport);
  178. }
  179. if ($method eq "INVITE") {
  180. invite($ip, $nport);
  181. }
  182. if ($method eq "OPTIONS") {
  183. options($ip, $nport);
  184. }
  185. }
  187. sub options {
  188. {lock($count);$count++;}
  189. {lock($threads);$threads++;}
  190.  
  191. my $ip = shift;
  192. my $nport = shift;
  193.  
  194. my $sc = new IO::Socket::INET->new(PeerPort=>$nport, Proto=>'udp', PeerAddr=>$ip);
  195.  
  196. $lport = $sc->sockport();
  197.  
  198. my $branch = &generate_random_string(71, 0);
  199. my $callerid = &generate_random_string(32, 1);
  200.  
  201. my $msg = "OPTIONS sip:$ip SIP/2.0\n";
  202. $msg .= "Supported: \n";
  203. $msg .= "Allow: INVITE, ACK, OPTIONS, CANCEL, BYE\n";
  204. $msg .= "Contact: $user <sip:".$user."@".$ip.":$lport>\n";
  205. $msg .= "Via: SIP/2.0/UDP $ip:$lport;branch=$branch\n";
  206. $msg .= "Call-id: $callerid\n";
  207. $msg .= "Cseq: 1 OPTIONS\n";
  208. $msg .= "From: $user <sip:".$user."@".$ip.">;tag=ddb044893807095baf1cf07269f03118\n";
  209. $msg .= "Max-forwards: 70\n";
  210. $msg .= "To: $user <sip:".$user."@".$ip.">\n";
  211. $msg .= "Content-length: 0\n\n";
  212.  
  213. print $sc $msg;
  214.  
  215. print "\nSending:\n=======\n$msg\n\n" if ($v eq 1);
  216.  
  217. my $data = "";
  218. my $server = "";
  219. my $useragent = "";
  220.  
  221. LOOP: {
  222. while (<$sc>) {
  223. my $line = $_;
  224.  
  225. if ($line =~ /[Ss]erver/ && $server eq "") {
  226. $line =~ /[Ss]erver\:\s(.+)\r\n/;
  227.  
  228. if ($1) {
  229. $server = $1;
  230. }
  231. }
  232.  
  233. if ($line =~ /[Uu]ser\-[Aa]gent/ && $useragent eq "") {
  234. $line =~ /[Uu]ser\-[Aa]gent\:\s(.+)\r\n/;
  235.  
  236. if ($1) {
  237. $useragent = $1;
  238. }
  239. }
  240.  
  241. $data .= $line;
  242.  
  243. if ($line =~ /^\r\n/) {
  244. last LOOP;
  245. }
  246. }
  247. }
  248.  
  249. if ($data ne "") {
  250. if ($v eq 1) {
  251. print "\nReceiving:\n=========\n$data\n\n";
  252. }
  253.  
  254. if ($server eq "") {
  255. $server = $useragent;
  256. }
  257. else {
  258. if ($useragent ne "") {
  259. $server .= " - $useragent";
  260. }
  261. }
  262.  
  263. my $dhost = "$ip:$nport";
  264. $dhost .= "\t" if (length($dhost) < 10);
  265. $server = "Unknown" if ($server eq "");
  266. print OUTPUT "$dhost\t| $server\n";
  267. {lock($found);$found++;}
  268. }
  269.  
  270. {lock($threads);$threads--;}
  271. }
  273. sub invite {
  274. {lock($count);$count++;}
  275. {lock($threads);$threads++;}
  276.  
  277. my $ip = shift;
  278. my $nport = shift;
  279.  
  280. my $sc = new IO::Socket::INET->new(PeerPort=>$nport, Proto=>'udp', PeerAddr=>$ip, Timeout => 2);
  281.  
  282. $lport = $sc->sockport();
  283.  
  284. my $branch = &generate_random_string(71, 0);
  285. my $callerid = &generate_random_string(32, 1);
  286.  
  287. my $msg = "INVITE sip:$ip SIP/2.0\n";
  288. $msg .= "Supported: \n";
  289. $msg .= "Allow: INVITE, ACK, OPTIONS, CANCEL, BYE\n";
  290. $msg .= "Contact: $user <sip:".$user."@".$myip.":$lport>\n";
  291. $msg .= "Via: SIP/2.0/UDP $myip:$lport;branch=$branch\n";
  292. $msg .= "Call-id: $callerid\n";
  293. $msg .= "Cseq: 1 INVITE\n";
  294. $msg .= "From: $user <sip:".$user."@".$myip.">;tag=ddb044893807095baf1cf07269f03118\n";
  295. $msg .= "Max-forwards: 70\n";
  296. $msg .= "To: $user <sip:".$user."@".$ip.">\n";
  297. $msg .= "Content-length: 123\n\n";
  298. $msg .= "v=0\n";
  299. $msg .= "o=anonymous 1312841870 1312841870 IN IP4 $ip\n";
  300. $msg .= "s=session\n";
  301. $msg .= "c=IN IP4 $ip\n";
  302. $msg .= "t=0 0\n";
  303. $msg .= "m=audio 2362 RTP/AVP 0\n\n";
  304.  
  305. print $sc $msg;
  306.  
  307. print "\nSending:\n=======\n$msg\n\n" if ($v eq 1);
  308.  
  309. my $data = "";
  310. my $server = "";
  311. my $useragent = "";
  312. my $line = "";
  313.  
  314. LOOP: {
  315. while (<$sc>) {
  316. $line = $_;
  317.  
  318. if ($line =~ /[Ss]erver/ && $server eq "") {
  319. $line =~ /[Ss]erver\:\s(.+)\r\n/;
  320.  
  321. if ($1) {
  322. $server = $1;
  323. }
  324. }
  325.  
  326. if ($line =~ /[Uu]ser\-[Aa]gent/ && $useragent eq "") {
  327. $line =~ /[Uu]ser\-[Aa]gent\:\s(.+)\r\n/;
  328.  
  329. if ($1) {
  330. $useragent = $1;
  331. }
  332. }
  333.  
  334. $data .= $line;
  335.  
  336. if ($line =~ /^\r\n/) {
  337. last LOOP;
  338. }
  339. }
  340. }
  341.  
  342. if ($data ne "") {
  343. if ($v eq 1) {
  344. print "\nReceiving:\n=========\n$data\n\n";
  345. }
  346.  
  347. if ($server eq "") {
  348. $server = $useragent;
  349. }
  350. else {
  351. if ($useragent ne "") {
  352. $server .= " - $useragent";
  353. }
  354. }
  355.  
  356. my $dhost = "$ip:$nport";
  357. $dhost .= "\t" if (length($dhost) < 10);
  358. $server = "Unknown" if ($server eq "");
  359. print OUTPUT "$dhost\t| $server\n";
  360. {lock($found);$found++;}
  361. }
  362.  
  363. {lock($threads);$threads--;}
  364. }
  366. sub register {
  367. {lock($count);$count++;}
  368. {lock($threads);$threads++;}
  369.  
  370. my $ip = shift;
  371. my $nport = shift;
  372.  
  373. my $sc = new IO::Socket::INET->new(PeerPort=>$nport, Proto=>'udp', PeerAddr=>$ip);
  374.  
  375. $lport = $sc->sockport();
  376.  
  377. my $branch = &generate_random_string(71, 0);
  378. my $callerid = &generate_random_string(32, 1);
  379.  
  380. my $msg = "REGISTER sip:$ip SIP/2.0\n";
  381. $msg .= "Via: SIP/2.0/UDP $myip:$lport;branch=$branch\n";
  382. $msg .= "Call-id: $callerid\n";
  383. $msg .= "Contact: $user <sip:".$user."@".$myip.":$lport>\n";
  384. $msg .= "Cseq: 1 REGISTER\n";
  385. $msg .= "Expires: 900\n";
  386. $msg .= "From: $user <sip:".$user."@".$myip.">;tag=ddb044893807095baf1cf07269f03118\n";
  387. $msg .= "Max-forwards: 70\n";
  388. $msg .= "To: $user <sip:".$user."@".$ip.">\n";
  389. $msg .= "Content-length: 0\n\n";
  390.  
  391. print $sc $msg;
  392.  
  393. print "\nSending:\n=======\n$msg\n\n" if ($v eq 1);
  394.  
  395. my $nonce = "";
  396. my $realm = "";
  397. my $data = "";
  398.  
  399. LOOP: {
  400. while (<$sc>) {
  401. my $line = $_;
  402.  
  403. if ($line =~ /nonce/ && $nonce eq "") {
  404. $line =~ /nonce\=\"(\w+)\"/i;
  405.  
  406. if ($1) {
  407. $nonce = $1;
  408. }
  409. }
  410.  
  411. if ($line =~ /realm/ && $realm eq "") {
  412. $line =~ /realm\=\"(\w+)\"/i;
  413.  
  414. if ($1) {
  415. $realm = $1;
  416. }
  417. }
  418.  
  419. $data .= $line;
  420.  
  421. if ($line =~ /^\r\n/) {
  422. last LOOP;
  423. }
  424. }
  425. }
  426.  
  427. if ($data ne "") {
  428. print "\nReceiving:\n=========\n$data\n\n" if ($v eq 1);
  429.  
  430. $branch = &generate_random_string(71, 0);
  431.  
  432. my $md5 = Digest::MD5->new;
  433. $md5->add($user, ':', $realm, ':', $pass);
  434. my $HXA = $md5->hexdigest;
  435. my $uri = "sip:$ip";
  436.  
  437. $md5 = Digest::MD5->new;
  438. $md5->add('REGISTER', ':', $uri);
  439. my $HXB = $md5->hexdigest;
  440.  
  441. $md5 = Digest::MD5->new;
  442. $md5->add($HXA, ':', $nonce, ':', $HXB);
  443. my $response = $md5->hexdigest;
  444.  
  445. $msg = "REGISTER sip:$ip SIP/2.0\n";
  446. $msg .= "Via: SIP/2.0/UDP $myip:$lport;branch=$branch\n";
  447. $msg .= "Call-id: $callerid\n";
  448. $msg .= "Contact: $user <sip:".$user."@".$myip.":$lport>\n";
  449. $msg .= "Expires: 900\n";
  450. $msg .= "From: $user <sip:".$user."@".$myip.">;tag=ddb044893807095baf1cf07269f03118\n";
  451. $msg .= "Max-forwards: 70\n";
  452. $msg .= "To: $user <sip:".$user."@".$ip.">\n";
  453. $msg .= "Authorization: Digest username=\"$user\",realm=\"$realm\",nonce=\"$nonce\",uri=\"sip:$ip\",response=\"$response\"\n";
  454. $msg .= "Cseq: 2 REGISTER\n";
  455. $msg .= "Content-length: 0\n\n";
  456.  
  457. print $sc $msg;
  458.  
  459. print "Sending:\n=======\n$msg\n\n" if ($v eq 1);
  460.  
  461. $data = "";
  462. my $server = "";
  463.  
  464. LOOP: {
  465. while (<$sc>) {
  466. my $line = $_;
  467.  
  468. if ($line =~ /[Ss]erver/ && $server eq "") {
  469. $line =~ /[Ss]erver\:\s(.+)\r\n/;
  470.  
  471. if ($1) {
  472. $server = $1;
  473. }
  474. }
  475.  
  476. $data .= $line;
  477.  
  478. if ($line =~ /^\r\n/) {
  479. last LOOP;
  480. }
  481. }
  482. }
  483.  
  484. if ($v eq 1) {
  485. print "\nReceiving:\n=========\n$data\n\n";
  486. }
  487.  
  488. my $dhost = "$ip:$nport";
  489. $dhost .= "\t" if (length($dhost) < 10);
  490. $server = "Unknown" if ($server eq "");
  491. print OUTPUT "$dhost\t| $server\n";
  492. {lock($found);$found++;}
  493. }
  494.  
  495. {lock($threads);$threads--;}
  496. }
  498. sub generate_random_string {
  499. my $length_of_randomstring = shift;
  500. my $only_hex = shift;
  501. my @chars;
  502.  
  503. if ($only_hex == 0) {
  504. @chars = ('a'..'z','0'..'9');
  505. }
  506. else {
  507. @chars = ('a'..'f','0'..'9');
  508. }
  509. my $random_string;
  510. foreach (1..$length_of_randomstring) {
  511. $random_string.=$chars[rand @chars];
  512. }
  513. return $random_string;
  514. }
  516. sub help {
  517. print qq{
  518. Usage: $0 -h <host> [options]
  519.  
  520. == Options ==
  521. -m <string> = Method: REGISTER/INVITE/OPTIONS/ALL (default: REGISTER)
  522. -p <integer> = Remote SIP port (default: 5060)
  523. -v = Verbose mode
  524.  
  525. == Examples ==
  526. \$$0 -h 192.168.0.1 -m invite
  527. \$$0 -h 192.168.0.0/24 -p 5060-5070
  528. \$$0 -h 192.168.0.1-192.168.0.100 -p 5060-5070 -v
  529.  
  530. };
  531.  
  532. exit 1;
  533. }
# Program entry point.  init() does not return: it ends in exit.
init();