10th May 2011

SCTP Support for Nmap

I have been working on implementing comprehensive SCTP support for Nmap since 2009. If you are interested in SCTP and Nmap, please give it a whirl and let me know how it goes. I’m especially interested in tests against real-world, proprietary SCTP stacks, but also in any suggestions for improving the scan techniques.

Getting an SCTP enabled Nmap

Current Nmap releases have complete SCTP support.

Development on the SCTP port scanning code takes place in the Nmap repository trunk at /nmap. To check out the code, use e.g.:

$ svn co --username guest --password "" svn://svn.insecure.org/nmap nmap-trunk
$ cd nmap-trunk
$ ./configure
$ gmake
$ su
# NMAPDIR=. ./nmap -v --reason -PY -sY scanme.roe.ch

Use make instead of gmake if you are on a GNU system.

SCTP Scanme Server

I operate scanme.roe.ch, an embedded FreeBSD server running four different, interactive dummy SCTP services for your SCTP scanning pleasure. It is reachable over both IPv4 and IPv6. UDP and TCP are filtered.

The source code of the dummy SCTP services live in the Nmap developer’s private repository under sctp-utils.

Status

For a list of open issues, check out todo/TODO.sctp in the Nmap source code. Here’s the list of SCTP related changes:

  • The SCTP dummy services on the scanme system scanme.roe.ch are now reachable over IPv6 as well as IPv4.
  • Ncat now has support for SCTP associations both as a client and as a server, including SSL support.
  • Zenmap now supports the new SCTP options.
  • SCTP support was released as part of Nmap 4.85 BETA 10.
  • Deployed an SCTP scanme system at scanme.roe.ch.
  • Added SCTP client support to Ncat in nmap-sctp.
  • Merged SCTP support into trunk in preparation for the upcoming stable release of Nmap.
  • Added SCTP COOKIE ECHO scan (-sZ). This SCTP scan type sends a COOKIE ECHO chunk. Closed ports will return an ABORT, open ports will not solicit any answer. COOKIE ECHO scanning is a novel scan method I haven’t seen implemented in any other utility.
  • The --traceroute option now works with SCTP INIT scans.
  • Added SCTP INIT ping probe support (-PY).
  • Added support for the deprecated Adler32 checksum in addition to CRC32C (activated by --adler32).
  • IP protocol scan (-sO) for protocol sctp or 132 now sends an SCTP INIT packet instead of an empty IP packet.
  • SCTP INIT scan type (-sY) added. This is a ‘stealth’ scan, much like a SYN scan in the TCP world. An SCTP packet containing an INIT chunk is sent; the response is an INIT_ACK chunk if the port is open or an ABORT chunk if closed.
  • Patched libdnet-stripped with rather minimal SCTP support.
  • Added a list of 42 well-known SCTP ports to nmap-services.

Stream Control Transmission Protocol (SCTP)

SCTP is a transport layer protocol like TCP or UDP and also has 16 bit port numbers. One reason why SCTP might be of interest is it’s use by telco stuff migrated to the IP world (SS7/SIGTRAN).

Note that plain SCTP usually does not work through network address translators unless UDP encapsulation is used. This is because legacy NAT boxes typically do not know how to translate SCTP packets.

Other Tools / References

Thanks

  • Significant parts of the development were kindly sponsored by Compass Security AG, Switzerland.

In the Press

Ƿ