Jan 23 2009

Asterisk Troubleshooting and Using nmap to determine port status of SIP and IAX2

nmap is a widely used network mapper and port scanner that ships with most Linux distributions (and is available for many other OSes).  Since almost every networked application runs over TCP/IP, it is crucial to be able to troubleshoot every layer of the stack (OSI model).  A misconfigured firewall can easily cost you hours of frustration.

We will use Asterisk as an example, but the following tutorial applies just as well to any network application.  If you run Asterisk PBX systems across many networks you have probably run into firewalls, and errant firewalls cause huge headaches.  In some cases you may wonder whether the SIP and IAX2 ports are being blocked at the firewall.

Conventional wisdom:

[matt@mattcom1 ~]$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1

Using telnet to verify that a port is accepting connections is fine for common TCP services like SMTP (25), HTTP (80) or FTP (21): if the banner comes back, the port is open and nothing in between is blocking it.  It cannot check UDP ports at all, and for large-scale port mapping and network scanning you need a beefier tool.  Enter nmap.

Let's start with some nmap basics, then run through the IAX2/SIP scenario.  Below is nmap with the '-O' switch against my local subnet at home.  '-O' tells nmap to try to determine each remote host's operating system from its TCP/IP fingerprint (this needs root, since it sends raw packets).  192.168.1.0/24 is the network range: '/24' means a 24-bit subnet mask, i.e. 255.255.255.0, so 192.168.1.0 through 192.168.1.255 are scanned.

[root@mattcom1 ~]# nmap -O 192.168.1.0/24


Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 16:31 PST
Interesting ports on 192.168.1.1:
Not shown: 1714 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0F:66:CA:B7:B7 (Cisco-Linksys)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.68%D=1/23%OT=80%CT=1%CU=39191%PV=Y%DS=1%G=Y%M=000F66%TM=497A617
OS:A%P=i386-redhat-linux-gnu)SEQ(SP=0%GCD=64%ISR=50%TI=I%II=I%SS=S%TS=U)SEQ
OS:(SP=A%GCD=A%ISR=50%TI=I%II=I%SS=S%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5
OS:B4%O5=M5B4%O6=M5B4)WIN(W1=16D0%W2=16D0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)E
OS:CN(R=Y%DF=N%T=96%W=3%O=%CC=N%Q=U)T1(R=Y%DF=N%T=96%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=Y%DF=N%T=96%W=80%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=N%T=96%W=100%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=96%W=400%S=A%A=S%F=AR%O=%RD=0%Q=)T5(
OS:R=Y%DF=N%T=96%W=7A69%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=96%W=8000%S=
OS:A%A=S%F=AR%O=%RD=0%Q=)T7(R=Y%DF=N%T=96%W=FFFF%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=96%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=
OS:G)IE(R=Y%DFI=N%T=96%TOSI=Z%CD=S%SI=S%DLI=S)


Network Distance: 1 hop


Interesting ports on 192.168.1.2:
Not shown: 1714 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:90:4C:91:00:01 (Epigram)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 0.115 days (since Fri Jan 23 13:45:46 2009)
Network Distance: 1 hop


All 1715 scanned ports on 192.168.1.105 are filtered
MAC Address: 00:1E:8C:B4:17:D8 (Asustek Computer)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop


Interesting ports on 192.168.1.108:
Not shown: 1711 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:1C:C4:2E:7F:33 (Hewlett Packard)
Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista
Uptime: 0.055 days (since Fri Jan 23 15:12:49 2009)
Network Distance: 1 hop


Interesting ports on 192.168.1.254:
Not shown: 1709 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2000/tcp open  callbook
6000/tcp open  X11
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.24
Uptime: 0.207 days (since Fri Jan 23 11:34:02 2009)
Network Distance: 0 hops


OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 32.049 seconds


Okay, so if you look at my local Asterisk server (192.168.1.254) you will notice that many ports are open but none of them are SIP (5060) or IAX2 (4569).  Why is that?  Let's first do a plain TCP scan.  The '-sT' switch is the TCP connect scan: nmap completes the full three-way handshake on each port (the SYN scan, '-sS', is the half-open variant nmap uses by default when run as root).  Either way, only TCP ports are scanned.

[root@mattcom1 ~]# nmap -sT 192.168.1.254


Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 17:37 PST
Interesting ports on 192.168.1.254:
Not shown: 1709 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2000/tcp open  callbook
6000/tcp open  X11

Even though Asterisk is up with a Polycom SoundPoint IP phone registered, no SIP port appears open.  The mystery is solved by taking a close look at how a SIP call is set up.  SIP signalling runs by default over UDP port 5060 (SIP can also be carried over TCP, but UDP is the default transport and is what Asterisk is listening on here).  Once the call is established, the endpoints exchange RTP streams on separate UDP ports negotiated in the SDP body of the SIP messages, carrying the audio, video or whatever media is being relayed.  A TCP scan never touches any of this.  If we change the flags on nmap to a UDP scan we can check the port.

[root@mattcom1 ~]# nmap -sU -p 5060 192.168.1.254


Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 18:51 PST
Interesting ports on 192.168.1.254:
PORT     STATE         SERVICE
5060/udp open|filtered sip

We UDP scanned port 5060 (there is no SYN here: UDP has no handshake, so nmap just sends a datagram and waits for a reply) and the 'STATE' is 'open|filtered'.  When Asterisk is shut down, or a firewall rejects the probe with an ICMP port unreachable rather than silently dropping it, we see the following instead.

[root@mattcom1 ~]# nmap -sU -p 5060 192.168.1.254


Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 19:12 PST
Interesting ports on 192.168.1.254:
PORT     STATE  SERVICE
5060/udp closed sip


Nmap done: 1 IP address (1 host up) scanned in 0.114 seconds

The same holds for IAX2 on UDP 4569: with Asterisk running the 'STATE' is 'open|filtered', and when Asterisk is off it shows 'closed'.  One last note on what those states mean.  nmap reports a UDP port as 'closed' when the host answers with an ICMP port unreachable, and as 'open|filtered' when nothing comes back at all, and no response is exactly what you get both from an open service that ignores nmap's empty probe and from a firewall that silently drops it.  So 'open|filtered' on its own does not prove the port is reachable, but by comparing the result with Asterisk (or whatever UDP service) on and off you can tell for sure.  Adding '--reason' prints why nmap chose each state, and '-sV' sends service-detection probes (including a SIP OPTIONS request) that can turn 'open|filtered' into a definite 'open' when Asterisk answers.  I got some great information at nmap.org; I encourage anyone interested to check it out.

Written by mattb in: Asterisk, Asterisk Post, Linux

2 Comments »

  • Benjamin King

    Very good article. Can you elaborate on 'STATE' is 'open|filtered'? I tried googling and couldn't find any useful info about "open|filtered" ports other than it has something to do with firewalls. Any more info would be great. BTW I like the style of your blog.

    Comment | September 23, 2009
  • mattb

    Hi Ben,

    I believe 'STATE' is 'open|filtered' refers to a response back from a "listening" port. Just because a port is open doesn't mean it's not being filtered or willing to open a connection. However it is a good clue. Download Wireshark and capture the packets on your Asterisk (or other SIP server). Take care.

    -Matt

    Comment | September 25, 2009
