SIP Username Enumeration

medium Nessus Plugin ID 56983


The SIP server on the remote host allows the enumeration of users.


The SIP server on the remote host appears to respond differently to registration requests for valid and invalid usernames. Using that fact, Nessus was able to enumerate some of the valid usernames.


Configure the SIP server to respond identically to valid and invalid usernames. This can be done in Asterisk, for example, by setting 'alwaysauthreject=yes' in sip.conf.
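A way to confirm the setting above is really in effect, as an added example that is not part of the Nessus plugin or of Asterisk. It is a small Python audit of `sip.conf` text. The sample configs are constructed, and it assumes the option is read from the `[general]` section with the last assignment winning.

```python
import re

# Values Asterisk treats as boolean true.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}

# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """\
[general]
context=default
alwaysauthreject=no   ; valid and invalid users get different replies
[6001]
type=friend
"""
HARDENED_CONF = """\
[general]
context = default
alwaysauthreject = yes
"""
MISPLACED_CONF = """\
[general]
context=default
;alwaysauthreject=yes  ; commented out, so not in effect
[6001]
alwaysauthreject=yes   ; wrong section, ignored by this audit
"""

def audit_alwaysauthreject(conf_text):
    """Return 'ok', 'weak' or 'unset' for alwaysauthreject in [general]."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "general" or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if key.lower() == "alwaysauthreject":
            value = val.lower()                  # assumption: last one wins
    if value is None:
        return "unset"   # behaviour then depends on the version's default
    return "ok" if value in TRUE_VALUES else "weak"

if __name__ == "__main__":
    for name in ("WEAK_CONF", "HARDENED_CONF", "MISPLACED_CONF"):
        print(name, "->", audit_alwaysauthreject(globals()[name]))
```

A result of `unset` means the server falls back to its built-in default, so set the option explicitly and rescan to confirm the finding clears.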

Plugin Details

Severity: Medium

ID: 56983

File Name: sip_enumeration.nasl

Version: 1.6

Type: remote

Family: Misc.

Published: 12/1/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information


Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N