Ловушка, имитирующая поведение VoIP телефонии. Принимает запросы по протоколу udp/tcp и отвечает на запросы:
- INVITE
- INVITE Authorization
- OPTIONS
- ACK
- BYE
- CANCEL
- voip-hpc
- honeysip [fork of voip-hpc]
- Зубодробильный документ по стандартам SIP [RFC 3261]
- описание эмулируемого телефона D-Link DPH-150S
docer-compose up
Ведет логирование сразу в два файла .json
для Kibana и .log
для контроля работы программы
- реализовать tcp протокол
- В случае неправильной авторизации, возвращать ответы
400 Bad Request
или481: b"Call/Transaction Does Not Exist",
- Доделать обманку для nmap
- SIP RFC 3261
- SDP RFC 2327
- RTP RFC 1889
- SNTP
- DNS & DNS SRV
- TFTP/FTP/HTTP для автоконфигурирования
- IP/TCP/UDP/ARP/ICMP
Если вы хотите сменить модель определяемого телефона, Вам надо найти его fingerprint
в базе данных nmap и вставить его в файл. После этого надо поменять переменную phonemodel
в docker-compose
. И, воздможно все заработает как и ожидалось, но это неточно, возможно еще где-то жестко прописана модель.
=== OPTIONS ===
OPTIONS sip:127.0.0.1 SIP/2.0
Via: SIP/2.0/TCP 127.0.0.1:39338;rport;branch=z9hG4bKhKcExzavijtat7swla_1z84oc
Max-Forwards: 70
From: "Nmap NSE" <sip:user@127.0.0.1>;tag=vN3pq0L0SQnHqXpPGF9D
To: "Nmap NSE" <sip:user@127.0.0.1>
Call-ID: 9561yUXyBJAPZ3aaLmruyZhzw7B2gnsfinWW8tJ93JORCosOPZ8Dzf2kb4c8
CSeq: 1234 OPTIONS
User-Agent: Nmap NSE
Contact: "Nmap NSE" <sip:user@127.0.0.1:39338>
Expires: 300
Allow: PRACK, INVITE ,ACK, BYE, CANCEL, UPDATE, SUBSCRIBE,NOTIFY, REFER, MESSAGE, OPTIONS
Accept: application/sdp
Content-Length: 0
=== INVITE ===
INVITE sip:100@localhost SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK87asdks7
From: socketHelper
To: 100@localhost
Call-ID: 1395
CSeq: 2 INVITE
Contact: socketHelper
Accept: application/sdp
Content-Type: application/sdp
Content-Length: 126
v=0
o=socketHelper 5566 7788 IN IP4 127.0.0.1
s=SDP Subject
i=SDP information
c=IN IP4 127.0.0.1
t=0 0
m=audio 30123 RTP/AVP 0
=== INVITE Authorization ===
INVITE sip:100@localhost SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK87asdks7
From: socketHelper
To: 100@localhost
Call-ID: 4512
CSeq: 3 INVITE
Contact: socketHelper
Accept: application/sdp
Content-Type: application/sdp
Content-Length: 126
Authorization: Digest username="100",
realm="100@localhost",
uri="sip:100@localhost",
nonce="a6b103fbb266224691906c0a60c41849",
response="dea6001bb802e6619a89cd5cf8d5d227"
v=0
o=socketHelper 5566 7788 IN IP4 127.0.0.1
s=SDP Subject
i=SDP information
c=IN IP4 127.0.0.1
t=0 0
m=audio 30123 RTP/AVP 0
sudo nmap -sV -T4 -O -A -f --version-light 192.168.*.*
- Настоящий телефонStarting Nmap 7.80 ( https://nmap.org ) at 2020-11-26 12:54 MSK Nmap scan report for 192.168.*.* Host is up (0.0055s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet VBrick 4300 video encoder telnetd 80/tcp open http RapidLogic httpd 1.1 5060/tcp open sip? |_sip-methods: INVITE, ACK, OPTIONS, BYE, CANCEL, REFER, NOTIFY, INFO, PRACK, UPDATE, MESSAGE Aggressive OS guesses: Rockwell Automation 1769-L23E-QB1 PLC (93%), AirSpan ProST WiMAX access point (92%), HP ProCurve 2510 switch (91%), Cisco SPA 502G VoIP phone (91%), Xerox WorkCentre Pro 7245 printer (89%), Enterasys Matrix E1 switch (88%), HP MSA2000-series NAS device (88%), Nortel NVR1750D VPN router (87%), 3Com 7760 WAP (87%), Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router (87%) No exact OS matches for host (test conditions non-ideal). Network Distance: 3 hops Service Info: Device: media device TRACEROUTE (using port 143/tcp) HOP RTT ADDRESS 1 0.18 ms 192.168.*.* 2 3.84 ms 10.2.8.1 3 6.47 ms 192.168.*.* OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 45.35 seconds
sudo nmap -sV -T4 -O -A -f --version-light 172.28.3.2
- Ловушка
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-13 23:27 MSK
Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 23:27 (0:00:00 remaining)
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 23:28 (0:00:19 remaining)
WARNING: RST from 172.28.3.2 port 80 -- is this port really open?
Nmap scan report for 172.28.3.2
Host is up (0.081s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
23/tcp closed telnet
80/tcp open http RapidLogic httpd 1.1
5060/tcp open sip (SIP end point; Status: 200 OK)
|_sip-methods: INVITE, ACK, OPTIONS, BYE, CANCEL, REFER, NOTIFY, INFO, PRACK, UPDATE, MESSAGE
MAC Address: 02:42:AC:1C:03:02 (Unknown)
Device type: VoIP phone
Running: D-Link embedded
OS CPE: cpe:/h:dlink:dph-150s
OS details: D-Link DPH-150S VoIP phone
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 80.92 ms 172.28.3.2
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.04 seconds