contact@p1sec.com

Introduction

SCTPscan is a tool to scan SCTP enabled machines. Typically, these are Telecom oriented machines carrying SS7 and SIGTRAN over IP. Using SCTPscan, you can find entry points to Telecom networks. This is especially useful when doing pentests on Telecom Core Network infrastructures. SCTP is also used in high-performance networks (internet2).

Download

Download SCTPscan: tar or zip format. (These are the source code packages).

Some binary-only distribution are available, most notably on BackTrack live linux distribution.

Sources

Access the sources on GitHub.

You can also check out the sources from the SCTPscan GIT repository:

git clone git@github.com:philpraxis/sctpscan.git

This gives typically in a shell session:

$ git clone git@github.com:philpraxis/sctpscan.git
Initialized empty Git repository in /tmp/sctpscan/.git/
remote: Counting objects: 77, done.
remote: Compressing objects: 100% (66/66), done.
Indexing 77 objects...
remote: Total 77 (delta 38), reused 24 (delta 8 )
 100% (77/77) done
Resolving 38 deltas...
 100% (38/38) done
$

And here you have an up to date working copy of the GIT repository of SCTPscan.

Known limitations

NAT

This tool does NOT work behind most NAT. It’s not a limitation of the tool but of the NAT routers.
That means that most of the routers / firewall don’t know how to NAT SCTP packets.
You _need_ to use this tool from a computer having a public IP address (i.e. non-RFC1918)

Code readability

We accept patches.

Usage

SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
SCTPscan comes with ABSOLUTELY NO WARRANTY; for details read the LICENSE or COPYING file.
Usage:  sctpscan [options]
Options:
 -p, --port <port>           (default: 10000)
 port specifies the remote port number
 -P, --loc_port <port>           (default: 10000)
 port specifies the local port number
 -l, --loc_host <loc_host>   (default: 127.0.0.1)
 loc_host specifies the local (bind) host for the SCTP
 stream with optional local port number
 -r, --rem_host <rem_host>   (default: 127.0.0.2)
 rem_host specifies the remote (sendto) address for the SCTP
 stream with optional remote port number
 -s  --scan -r aaa[.bbb[.ccc]]
 scan all machines within network
 -m  --map
 map all SCTP ports from 0 to 65535 (portscan)
 -F  --Frequent
 Portscans the frequently used SCTP ports
 Frequent SCTP ports: 1, 7, 9, 20, 21, 22, 80, 100, 128, 179, 260, 250, 443, 1167, 1812, 2097, 2000, 2001, 2010, 2011, 2020, 2021, 2100, 2110, 2120, 2225, 2427, 2477, 2577, 2904, 2905, 2906, 2907, 2908, 2909, 2944, 2945, 3000, 3097, 3565, 3740, 3863, 3864, 3868, 4000, 4739, 4740, 5000, 5001, 5060, 5061, 5090, 5091, 5672, 5675, 6000, 6100, 6110, 6120, 6130, 6140, 6150, 6160, 6170, 6180, 6190, 6529, 6700, 6701, 6702, 6789, 6790, 7000, 7001, 7102, 7103, 7105, 7551, 7626, 7701, 7800, 8000, 8001, 8471, 8787, 9006, 9084, 9899, 9911, 9900, 9901, 9902, 10000, 10001, 11146, 11997, 11998, 11999, 12205, 12235, 13000, 13001, 14000, 14001, 20049, 29118, 29168, 30000, 32905, 32931, 32768
 -a  --autoportscan
 Portscans automatically any host with SCTP aware TCP/IP stack
 -i  --linein
 Receive IP to scan from stdin
 -f  --fuzz
 Fuzz test all the remote protocol stack
 -B  --bothpackets
 Send packets with INIT chunk for one, and SHUTDOWN_ACK for the other
 -b  --both_checksum
 Send both checksum: new crc32 and old legacy-driven adler32
 -C  --crc32
 Calculate checksums with the new crc32
 -A  --adler32
 Calculate checksums with the old adler32
 -Z  --zombie
 Does not collaborate to the SCTP Collaboration platform. No reporting.
 -d  --dummyserver
 Starts a dummy SCTP server on port 10000. You can then try to scan it from another machine.
 -E  --exec <script_name>
 Executes <script_name> each time an open SCTP port is found.
 Execution arguments: <script_name> host_ip sctp_port
 -t  --tcpbridge <listen TCP port>
 Bridges all connection from <listen TCP port> to remote designated SCTP port.
 -S  --streams <number of streams>
 Tries to establish SCTP association with the specified <number of streams> to remote designated SCTP destination.

Scan port 9999 on 192.168.1.24
./sctpscan -l 192.168.1.2 -r 192.168.1.24 -p 9999

Scans for availability of SCTP on 172.17.8.* and portscan any host with SCTP stack
./sctpscan -s -l 172.22.1.96 -r 172.17.8

Scans frequently used ports on 172.17.8.*
./sctpscan -s -F -l 172.22.1.96 -r 172.17.8

Scans all class-B network for frequent port
./sctpscan -s -F -r 172.22 -l `ifconfig eth0 | grep 'inet addr:' |  cut -d: -f2 | cut -d ' ' -f 1 `

Simple verification end to end on the local machine:
./sctpscan -d &
./sctpscan -s -l 192.168.1.24 -r 192.168.1 -p 10000

Examples

Scan every hosts on the network 192.168.0.* on SCTP port 10000.

./sctpscan -s -r 192.168.0 -p 10000