SCTP Support for Nmap
I am currently working on implementing comprehensive SCTP support for Nmap. If you are interested in SCTP and Nmap, please give it a whirl and let me know how it goes. I'm especially interested in tests against real-world, proprietary SCTP stacks, but also in any suggestions for improving the code.
Latest Release w/SCTP Support
Nmap 5.00 contains most of the SCTP support. To get a fully SCTP enabled Ncat binary, grab the latest revision from SVN trunk.
Latest Code
SCTP port scanning support has been merged into Nmap trunk at /nmap. To try out the latest SCTP enabled Nmap, use e.g.:
$ svn co --username guest --password "" svn://svn.insecure.org/nmap nmap-trunk
$ cd nmap-trunk
$ ./configure
$ gmake
$ su
# NMAPDIR=. ./nmap -v --reason -PY -sY scanme.csnc.ch
Use make instead of gmake if you are on a GNU system.
Helper code primarily useful for testing during development is available to Nmap developers in the private repository area.
Status
For a list of open issues, check out docs/TODO.sctp in the Nmap source code. Here's the list of SCTP related changes:
- Ncat now has support for SCTP associations both as a client and as a server, including SSL support.
- Zenmap now supports the new SCTP options.
- SCTP support was released as part of Nmap 4.85 BETA 10.
- Deployed an SCTP scanme system at scanme.csnc.ch.
- Added SCTP client support to Ncat in nmap-sctp.
- Merged SCTP support into trunk in preparation for the upcoming stable release of Nmap.
- Added SCTP COOKIE ECHO scan (-sZ). This SCTP scan type sends a COOKIE ECHO chunk. Closed ports will return an ABORT, open ports will not solicit any answer. COOKIE ECHO scanning is a novel scan method I haven't seen implemented in any other utility.
- The --traceroute option now works with SCTP INIT scans.
- Added SCTP INIT ping probe support (-PY).
- Added support for the deprecated Adler32 checksum in addition to CRC32C (activated by --adler32).
- IP protocol scan (-sO) for protocol sctp or 132 now sends an SCTP INIT packet instead of an empty IP packet.
- SCTP INIT scan type (-sY) added. This is a 'stealth' scan, much like a SYN scan in the TCP world. An SCTP packet containing an INIT chunk is sent; the response is an INIT_ACK chunk if the port is open or an ABORT chunk if closed.
- Patched libdnet-stripped with rather minimal SCTP support.
- Added a list of 42 well-known SCTP ports to nmap-services.
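To make the -sY / -sZ and --adler32 items above concrete, here is an added example (not Nmap's own code) that builds a minimal INIT probe with the RFC 4960 CRC32C or the deprecated Adler-32 checksum, verifies the checksum of a captured packet, and maps the reply chunk type (INIT_ACK, ABORT, or silence) to the port state Nmap reports. Port numbers, tags and the Adler-32 byte order are assumptions of the example.

```python
import struct
import zlib
from typing import Optional

# SCTP chunk types from RFC 4960 section 3.2
CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ABORT, CHUNK_COOKIE_ECHO = 1, 2, 6, 10
HDR_LEN = 12  # common header: src port, dst port, verification tag, checksum

def crc32c(data: bytes) -> int:
    """Bitwise CRC32C (Castagnoli, reflected polynomial 0x82F63B78) as in RFC 4960 appendix B."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF

def sctp_checksum(pkt: bytes, adler32: bool = False) -> bytes:
    """Checksum bytes for a packet whose checksum field is still zero.
    CRC32C goes on the wire least-significant byte first (Linux keeps the field as __le32);
    the deprecated Adler-32 of RFC 2960 is assumed here to be stored in network byte order."""
    if adler32:
        return struct.pack("!I", zlib.adler32(pkt) & 0xFFFFFFFF)
    return struct.pack("<I", crc32c(pkt))

def build_init_probe(src_port: int, dst_port: int, init_tag: int, adler32: bool = False) -> bytes:
    """Minimal INIT probe of the kind -sY sends: common header plus a 20-byte INIT chunk."""
    hdr = struct.pack("!HHII", src_port, dst_port, 0, 0)  # verification tag must be 0 in an INIT
    # INIT chunk: type, flags, length, initiate tag, a_rwnd, out streams, in streams, initial TSN
    chunk = struct.pack("!BBHIIHHI", CHUNK_INIT, 0, 20, init_tag, 65535, 10, 2048, init_tag)
    pkt = hdr + chunk
    return pkt[:8] + sctp_checksum(pkt, adler32) + pkt[12:]

def checksum_ok(pkt: bytes, adler32: bool = False) -> bool:
    """Verify a captured packet by recomputing over a copy with the checksum field zeroed."""
    zeroed = pkt[:8] + b"\0\0\0\0" + pkt[12:]
    return sctp_checksum(zeroed, adler32) == pkt[8:12]

def classify(scan: str, response: Optional[bytes]) -> str:
    """Port state Nmap reports for an INIT (-sY) or COOKIE ECHO (-sZ) probe."""
    if response is None:
        return "open|filtered" if scan == "-sZ" else "filtered"
    chunk_type = response[HDR_LEN]  # the first chunk follows the 12-byte common header
    if scan == "-sY" and chunk_type == CHUNK_INIT_ACK:
        return "open"
    return "closed" if chunk_type == CHUNK_ABORT else "unknown"
```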
Stream Control Transmission Protocol (SCTP)
SCTP is a transport layer protocol like TCP or UDP and also has 16 bit port numbers. One reason why SCTP might be of interest is its use by telco systems that have migrated to the IP world (SS7/SIGTRAN).
- RFC 4960 (obsoletes RFC 2960 and RFC 3309)
- http://en.wikipedia.org/wiki/SCTP_packet_structure
- SCTP for Beginners
- Better networking with SCTP
- SCTP Tutorial by IEC
- BSDCan 2008: Stream Control Transmission Protocol
- SS7 / SIGTRAN Protocol Family
Note that plain SCTP usually does not work through network address translators unless UDP encapsulation is used. This is because legacy NAT boxes typically do not know how to translate SCTP packets.
Other Tools / References
- http://code.google.com/p/libdnet/
- Reasons to worry about SCTP: CVE-2009-0065 Linux SCTP FWD Chunk Memory Corruption Exploit
- SCTPscan by Philippe Langlois:
  http://sctp.tstf.net/index.php/SCTPscan/SCTPscan (timeout)
  http://philippelanglois.free.fr/dotclear/index.php?2007/01/26/158-sctpscan-new-tool-release
  http://github.com/philpraxis/sctpscan/tree/master
- Locating Mobile Phones using SS7: http://events.ccc.de/congress/2008/Fahrplan/events/2997.en.html
- PySCTP: http://nixbit.com/cat/system/networking/pysctp/
Thanks
- Significant parts of the development were kindly sponsored by Compass Security AG, Switzerland.