Network Mapping -> Identify Live Hosts -> SCTPscan
SCTPscan was written by Philippe Langlois, for scanning SCTP endpoints. SCTP protocol is used for transmitting SS7 signaling over TCP/IP, and it's part of the SIGTRAN protocol family. This protocol is build in to most OSs like TCP (Linux kernel 2.6, Solaris 10, FreeBSD 7, Mac OS X...).
It usually doesn't work from behind NAT, as routers and firewalls doesn't know it, and they can't NAT it properly.
ptions:
-p, --port <port> (default: 10000)
port specifies the remote port number
-P, --loc_port <port> (default: 10000)
port specifies the local port number
-l, --loc_host <loc_host> (default: 127.0.0.1)
loc_host specifies the local (bind) host for the SCTP
stream with optional local port number
-r, --rem_host <rem_host> (default: 127.0.0.2)
rem_host specifies the remote (sendto) address for the SCTP
stream with optional remote port number
-s --scan -r aaa[.bbb[.ccc]]
scan all machines within network
-m --map
map all SCTP ports from 0 to 65535 (portscan)
-F --Frequent
Portscans the frequently used SCTP ports
Frequent SCTP ports: 1, 100, 128, 260, 250, 1167, 1812, 2097, 2225, 2427,
2477, 2577, 2904, 2905, 2944, 2945, 3097, 3565, 3863, 3864, 3868, 4739, 5000, 50
01, 5060, 5061, 5090, 5091, 5675, 6000, 6790, 6789, 7000, 7102, 7103, 7105, 7551
, 7626, 7701, 7800, 8001, 8787, 9006, 9899, 9911, 9900, 9901, 9902, 10000, 10001
, 11997, 11998, 11999, 14001, 30000, 32931, 32768
-a --autoportscan
Portscans automatically any host with SCTP aware TCP/IP stack
-i --linein
Receive IP to scan from stdin
-f --fuzz
Fuzz test all the remote protocol stack
-B --bothpackets
Send packets with INIT chunk for one, and SHUTDOWN_ACK for the other
-b --both_checksum
Send both checksum: new crc32 and old legacy-driven adler32
-C --crc32
Calculate checksums with the new crc32
-A --adler32
Calculate checksums with the old adler32
-Z --zombie
Does not collaborate to the SCTP Collaboration platform. No reporting.
-d --dummyserver
Starts a dummy SCTP server on port 10000. You can then try to scan it from
another machine.
-E --exec <script_name>
Executes <script_name> each time an open SCTP port is found.
Execution arguments: <script_name> host_ip sctp_port
Scan port 9999 on 192.168.1.24
./sctpscan -l 192.168.1.2 -r 192.168.1.24 -p 9999
Scans for availability of SCTP on 172.17.8.* and portscan any host with SCTP sta
ck
./sctpscan -s -l 172.22.1.96 -r 172.17.8
Scans frequently used ports on 172.17.8.*
./sctpscan -s -F -l 172.22.1.96 -r 172.17.8
Scans all class-B network for frequent port
./sctpscan -s -F -r 172.22 -l `ifconfig eth0 | grep 'inet addr:' | cut -d: -f2
| cut -d ' ' -f 1 `
Simple verification end to end on the local machine:
./sctpscan -d &
./sctpscan -s -l 192.168.1.24 -r 192.168.1 -p 10000
This tool does NOT work behind most NAT.
That means that most of the routers / firewall don't know how to NAT SCTP packet
s.
You _need_ to use this tool from a computer having a public IP address (i.e. non
-RFC1918)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=1 (SCTP=0, ICMP=1)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11 -F
Portscanning with Crc32 checksumed packet
Portscanning Frequent Ports on 192.168.1.11
End of portscan on 192.168.1.11
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=2 packet_rcvd=2 (SCTP=0, ICMP=2)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11 -a
Sending Crc32 checksumed packet
End of scan: duration=5 seconds packet_sent=1 packet_rcvd=1 (SCTP=0, ICMP=1)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11 -m
Portscanning with Crc32 checksumed packet
Portscanning 65535 ports on 192.168.1.11
End of portscan on 192.168.1.11
End of scan: duration=116 seconds packet_sent=65536 packet_rcvd=22227 (SCTP=0, I
CMP=22227)
Additional details:
http://www.blackhat.com/presentations/bh-europe-07/Langlois/Whitepaper/bh-eu-07-langlois-WP.pdf