SCTPscan
Description
SCTPscan is a tool written by Philippe Langlois to scan SCTP endpoints. SCTP is a protocol used, among other things, to carry SS7 over TCP/IP. It is part of the SIGTRAN protocol family (SIGnalling TRANsport). It is a TCP-like protocol with built-in support in major OSes (Linux kernel 2.6, Solaris 10, FreeBSD 7, Mac OS X with a kernel extension, ...). SCTP has some very interesting features: multihoming, multi-streaming, good resistance to Denial of Service (DoS), and high performance. It is used for telecommunication backbones over IP (SS7 over IP, aka SIGTRAN), Internet2 transfers, and high-speed cluster communication.
Some of the characteristics:
- like nmap, but for SCTP
- released as GPL open source free software
- scans remote hosts (frequently used ports or all ports) or even whole networks
- research tool of TSTF (Telecom Security Task Force)
For more information, download Philippe Langlois' presentation at BlackHat: http://www.blackhat.com/presentations/bh-europe-07/Langlois/Whitepaper/bh-eu-07-langlois-WP.pdf.
Installation
Prerequisites
$ sudo apt-get install libglib2.0-dev git-core
Installation of SCTPscan
First create a directory and download sources:
$ mkdir -p /pentest/scanners/
$ cd /pentest/scanners/
$ git clone https://github.com/philpraxis/sctpscan.git
Then compile SCTPscan:
$ cd sctpscan
$ make
You should now have the sctpscan executable:
$ ./sctpscan -h
Check that no errors are reported.
Usage
Basic syntax
$ ./sctpscan [options]
Options
- -p, --port <port>: <port> specifies the remote port number (default: 10000)
- -P, --loc_port <port>: <port> specifies the local port number (default: 10000)
- -l, --loc_host <loc_host>: <loc_host> specifies the local (bind) host for the SCTP stream, with an optional local port number (default: 127.0.0.1)
- -r, --rem_host <rem_host>: <rem_host> specifies the remote (sendto) address for the SCTP stream, with an optional remote port number (default: 127.0.0.2)
- -s, --scan -r aaa[.bbb[.ccc]]: scan all machines within the network
- -m, --map: map all SCTP ports from 0 to 65535 (portscan)
- -F, --Frequent: portscans the frequently used SCTP ports (1, 7, 9, 20, 21, 22, 80, 100, 128, 179, 260, 250, 443, 1167, 1812, 2097, 2000, 2001, 2010, 2011, 2020, 2021, 2100, 2110, 2120, 2225, 2427, 2477, 2577, 2904, 2905, 2906, 2907, 2908, 2909, 2944, 2945, 3000, 3097, 3565, 3740, 3863, 3864, 3868, 4000, 4739, 4740, 5000, 5001, 5060, 5061, 5090, 5091, 5672, 5675, 6000, 6100, 6110, 6120, 6130, 6140, 6150, 6160, 6170, 6180, 6190, 6529, 6700, 6701, 6702, 6789, 6790, 7000, 7001, 7102, 7103, 7105, 7551, 7626, 7701, 7800, 8000, 8001, 8471, 8787, 9006, 9084, 9899, 9911, 9900, 9901, 9902, 10000, 10001, 11146, 11997, 11998, 11999, 12205, 12235, 13000, 13001, 14000, 14001, 20049, 29118, 29168, 30000, 32905, 32931, 32768)
- -a, --autoportscan: portscans automatically any host with an SCTP-aware TCP/IP stack
- -i, --linein: receive the IPs to scan from stdin
- -f, --fuzz: fuzz test the entire remote protocol stack
- -B, --bothpackets: send packets with an INIT chunk for one and a SHUTDOWN_ACK for the other
- -b, --both_checksum: send both checksums: the new CRC32 and the old legacy Adler-32
- -C, --crc32: calculate checksums with the new CRC32
- -A, --adler32: calculate checksums with the old Adler-32
- -Z, --zombie: does not report to the SCTP Collaboration platform (no reporting)
- -d, --dummyserver: starts a dummy SCTP server on port 10000; you can then try to scan it from another machine
- -E, --exec <script_name>: executes <script_name> each time an open SCTP port is found; execution arguments: <script_name> host_ip sctp_port
- -t, --tcpbridge <listen TCP port>: bridges all connections from <listen TCP port> to the remote designated SCTP port
- -S, --streams <number of streams>: tries to establish an SCTP association with the specified <number of streams> to the remote designated SCTP destination
Examples
Host replying with an SCTP packet (SCTP=1):
$ sudo ./sctpscan -r 192.168.100.18
SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
Sending Crc32 checksumed packet
SCTP packet received from 192.168.100.18 port 10000 type 1 (Initiation (INIT))
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=1 (SCTP=1, ICMP=0)
Host replying only with ICMP (ICMP=1):
$ sudo ./sctpscan -r 192.168.100.19
SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=1 (SCTP=0, ICMP=1)
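The two transcripts above end with a summary line whose SCTP and ICMP counters tell the two cases apart. As an added example (not part of SCTPscan), the following Python parses that output into a record and classifies it, and also validates the two arguments (host_ip sctp_port) that a script run through -E receives. The first two sample outputs are the transcripts above; the third is constructed to show a host that never answered; the classification labels are this example's own.

```python
"""Classify SCTPscan output. Added example, not part of SCTPscan itself.

SCTP=1 in the summary means the target answered with an SCTP chunk (an SCTP
stack answered on that port); ICMP=1 means only an ICMP error came back
(reachable, but no SCTP reply); neither means the probe went unanswered.
"""
import ipaddress
import re

# Sample outputs: the first two are transcribed from the scans shown above,
# the third is constructed to show a host that never answered.
SAMPLE_OPEN = """SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
Sending Crc32 checksumed packet
SCTP packet received from 192.168.100.18 port 10000 type 1 (Initiation (INIT))
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=1 (SCTP=1, ICMP=0)
"""
SAMPLE_ICMP = """SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=1 (SCTP=0, ICMP=1)
"""
SAMPLE_SILENT = """SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=0 (SCTP=0, ICMP=0)
"""

REPLY_RE = re.compile(
    r"SCTP packet received from (?P<host>\S+) port (?P<port>\d+) type (?P<ctype>\d+)"
)
SUMMARY_RE = re.compile(
    r"End of scan: duration=(?P<duration>\d+) seconds "
    r"packet_sent=(?P<sent>\d+) packet_rcvd=(?P<rcvd>\d+) "
    r"\(SCTP=(?P<sctp>\d+), ICMP=(?P<icmp>\d+)\)"
)


def parse_scan(text: str) -> dict:
    """Collect per-reply lines and the End-of-scan counters into one record."""
    result = {"replies": [], "summary": None}
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            result["replies"].append((m["host"], int(m["port"]), int(m["ctype"])))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            result["summary"] = {k: int(v) for k, v in m.groupdict().items()}
    return result


def classify(result: dict) -> str:
    """Label a parsed scan; the labels are this example's own, not SCTPscan's."""
    s = result["summary"]
    if s is None:
        return "incomplete-output"   # scan interrupted or output truncated
    if s["sctp"] > 0:
        return "sctp-endpoint"       # an SCTP chunk came back: stack present, port answered
    if s["icmp"] > 0:
        return "icmp-only"           # ICMP error only: host reachable, no SCTP reply
    if s["rcvd"] == 0:
        return "no-response"         # silent: filtered, dropped, or host down
    return "unknown"


def finding_from_hook_args(argv: list) -> tuple:
    """Validate the two arguments a -E script receives: host_ip sctp_port."""
    if len(argv) != 2:
        raise ValueError("expected: host_ip sctp_port")
    host = str(ipaddress.ip_address(argv[0]))  # rejects malformed addresses
    port = int(argv[1])
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("icmp", SAMPLE_ICMP),
                         ("silent", SAMPLE_SILENT)):
        parsed = parse_scan(sample)
        print(name, classify(parsed), parsed["replies"])
    print(finding_from_hook_args(["192.168.100.18", "10000"]))
```

Feed it the captured stdout of a scan (or wire finding_from_hook_args to sys.argv in a -E script) to turn each run into a record you can log or diff against an inventory of expected SCTP listeners.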