Script sip-enum-users

Script types: portrule
Categories: auth, intrusive

Script Summary

Enumerates a SIP server's valid extensions (users).

The script works by sending REGISTER SIP requests to the server with the specified extension and checking for the response status code in order to know if an extension is valid. If a response status code is 401 or 407, it means that the extension is valid and requires authentication. If the response status code is 200, it means that the extension exists and doesn't require any authentication while a 403 response status code means that extension exists but access is forbidden. To skip false positives, the script begins by sending a REGISTER request for a random extension and checking for response status code.

Script Arguments


If set, will also enumerate users from userslist file.


Extension value to start enumeration from. Defaults to 0.


Path to list of users. Defaults to nselib/data/usernames.lst.


Number of digits to pad zeroes up to. Defaults to 0. No padding if this is set to zero.


Extension value to end enumeration at. Defaults to 999.


See the documentation for the sip library.


See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap --script=sip-enum-users -sU -p 5060 <targets>

nmap --script=sip-enum-users -sU -p 5060 <targets> --script-args
'sip-enum-users.padding=4, sip-enum-users.minext=1000,

Script Output

5060/udp open sip
| sip-enum-users:
|   Accounts
|     101: Auth required
|     120: No auth
|   Statistics
|_    Performed 1000 guesses in 50 seconds, average tps: 20



  • Hani Benhabiles

License: Same as Nmap--See