SCTP Support for Nmap
I have been working on implementing comprehensive SCTP support for Nmap since 2009. If you are interested in SCTP and Nmap, please give it a whirl and let me know how it goes. I’m especially interested in tests against real-world, proprietary SCTP stacks, but also in any suggestions for improving the scan techniques.
Getting an SCTP enabled Nmap
Current Nmap releases have complete SCTP support.
Development on the SCTP port scanning code takes place in the Nmap repository trunk at /nmap. To check out the code, use e.g.:
$ svn co --username guest --password "" svn://svn.insecure.org/nmap nmap-trunk
$ cd nmap-trunk
$ ./configure
$ gmake
$ su
# NMAPDIR=. ./nmap -v --reason -PY -sY scanme.roe.ch
Use make instead of gmake if you are on a GNU system.
SCTP Scanme Server
I operate scanme.roe.ch, an embedded FreeBSD server running four different, interactive dummy SCTP services for your SCTP scanning pleasure. It is reachable over both IPv4 and IPv6. UDP and TCP are filtered.
The source code of the dummy SCTP services lives in the Nmap developer’s private repository under sctp-utils.
Status
For a list of open issues, check out todo/TODO.sctp in the Nmap source code. Here’s the list of SCTP related changes:
- The SCTP dummy services on the scanme system scanme.roe.ch are now reachable over IPv6 as well as IPv4.
- Ncat now has support for SCTP associations both as a client and as a server, including SSL support.
- Zenmap now supports the new SCTP options.
- SCTP support was released as part of Nmap 4.85 BETA 10.
- Deployed an SCTP scanme system at scanme.roe.ch.
- Added SCTP client support to Ncat in nmap-sctp.
- Merged SCTP support into trunk in preparation for the upcoming stable release of Nmap.
- Added SCTP COOKIE ECHO scan (-sZ). This SCTP scan type sends a COOKIE ECHO chunk. Closed ports return an ABORT; open ports do not solicit any answer. COOKIE ECHO scanning is a novel scan method I haven’t seen implemented in any other utility.
- The --traceroute option now works with SCTP INIT scans.
- Added SCTP INIT ping probe support (-PY).
- Added support for the deprecated Adler32 checksum in addition to CRC32C (activated by --adler32).
- IP protocol scan (-sO) for protocol sctp or 132 now sends an SCTP INIT packet instead of an empty IP packet.
- SCTP INIT scan type (-sY) added. This is a ‘stealth’ scan, much like a SYN scan in the TCP world. An SCTP packet containing an INIT chunk is sent; the response is an INIT_ACK chunk if the port is open or an ABORT chunk if closed.
- Patched libdnet-stripped with rather minimal SCTP support.
- Added a list of 42 well-known SCTP ports to nmap-services.
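As an added illustration of the INIT (-sY) and COOKIE ECHO (-sZ) reply semantics described above (example code written for this page, not Nmap's own code), the following Python assembles constructed SCTP packets, verifies the RFC 4960 CRC32C checksum so that a corrupt reply never decides a port state, and maps an observed reply to the state Nmap reports (the open|filtered label for a silent COOKIE ECHO probe is Nmap's). Ports, verification tag and chunk contents are made-up sample values.

```python
import struct
INIT, INIT_ACK, ABORT, COOKIE_ECHO = 1, 2, 6, 10  # RFC 4960 chunk types seen in a scan

def crc32c(data: bytes) -> int:
    """Bitwise CRC-32C (reflected Castagnoli polynomial 0x82F63B78, RFC 4960 App. B)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def build_packet(src_port: int, dst_port: int, vtag: int, chunks) -> bytes:
    """Common header + chunks (each padded to 4 bytes); checksum stored little-endian."""
    body = b"".join(struct.pack("!BBH", ctype, 0, 4 + len(data)) + data
                    + bytes(-len(data) % 4) for ctype, data in chunks)
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)  # checksum field zeroed
    return header[:8] + struct.pack("<I", crc32c(header + body)) + body

def checksum_ok(pkt: bytes) -> bool:
    """Recompute CRC-32C with the checksum field zeroed; packets shorter than a header fail."""
    return len(pkt) >= 12 and struct.unpack("<I", pkt[8:12])[0] == crc32c(
        pkt[:8] + bytes(4) + pkt[12:])

def chunk_types(pkt: bytes) -> list:
    """Walk the chunk list after the 12-byte common header and collect the chunk types."""
    types, off = [], 12
    while off + 4 <= len(pkt):
        ctype, _flags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4:  # malformed length: stop instead of looping forever
            break
        types.append(ctype)
        off += clen + (-clen % 4)  # chunks are padded to a multiple of 4
    return types

def port_state(probe: int, response: bytes) -> str:
    """Nmap's -sY/-sZ rules: ABORT=closed, INIT_ACK=open, no reply=filtered (INIT) or open|filtered (COOKIE ECHO)."""
    if not response:
        return "open|filtered" if probe == COOKIE_ECHO else "filtered"
    if not checksum_ok(response):  # a corrupt reply must not decide the port state
        return "bad-checksum"
    types = chunk_types(response)
    if ABORT in types:
        return "closed"
    return "open" if probe == INIT and INIT_ACK in types else "unknown"

# Constructed sample replies from port 3868 (made-up tag, streams and TSN; not captures)
SAMPLE_INIT_ACK = build_packet(3868, 40000, 0x1A2B3C4D, [(INIT_ACK, struct.pack("!IIHHI", 7, 65535, 10, 10, 1))])
SAMPLE_ABORT = build_packet(3868, 40000, 0x1A2B3C4D, [(ABORT, b"")])
```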
Stream Control Transmission Protocol (SCTP)
SCTP is a transport layer protocol like TCP or UDP and also has 16 bit port numbers. One reason why SCTP might be of interest is its use by telco systems that have migrated to the IP world (SS7/SIGTRAN).
- RFC 4960 (obsoletes RFC 2960 and RFC 3309)
- http://en.wikipedia.org/wiki/SCTP_packet_structure
- SCTP for Beginners
- Better networking with SCTP
- SCTP Tutorial by IEC
- BSDCan 2008: Stream Control Transmission Protocol
- SS7 / SIGTRAN Protocol Family
Note that plain SCTP usually does not work through network address translators unless UDP encapsulation is used, because legacy NAT boxes typically do not know how to translate SCTP packets.
Other Tools / References
- http://code.google.com/p/libdnet/
- Reasons to worry about SCTP: CVE-2009-0065 Linux SCTP FWD Chunk Memory Corruption Exploit
- SCTPscan by Philippe Langlois: http://sctp.tstf.net/index.php/SCTPscan/SCTPscan (timeout), http://philippelanglois.free.fr/dotclear/index.php?2007/01/26/158-sctpscan-new-tool-release, http://github.com/philpraxis/sctpscan
- Locating Mobile Phones using SS7: http://events.ccc.de/congress/2008/Fahrplan/events/2997.en.html
- PySCTP: http://nixbit.com/cat/system/networking/pysctp/
Thanks
- Significant parts of the development were kindly sponsored by Compass Security AG, Switzerland.