Nmap Development mailing list archives

Re: [PATCH] Experimental SCTP scan support


From: Daniel Roethlisberger <daniel () roe ch>
Date: Sat, 3 Jan 2009 13:43:59 +0100

Daniel Roethlisberger <daniel () roe ch> 2009-01-03:
pUm <hijacka () googlemail com> 2009-01-03:
thx. exactly what I was looking for in December last year :-D great.
Actually I am scanning a customer's IP range (who has enabled SCTP)
with the latest svn updates and your patch applied.
Last Changed Author: david
Last Changed Rev: 11605
Last Changed Date: 2009-01-03 08:06:13 +0100 (Sat, 03 Jan 2009)

doing a protocol scan, nmap fails by connection to protocol port 132 ...

I haven't taught the IP protocol scan to talk proper SCTP yet.
Empty IP packets with proto 132 have proven to be inadequate for
finding SCTP-speaking stacks.  That being said, the failed
assertion is a bug that I will definitely look into, thanks.

Unfortunately, I cannot reproduce the failed assertion here.
What kind of system and compiler are you using?

Sorry for the noise, I can reproduce it; I should remember to
wake up and drink my coffee before trying to fix bugs...


/nmap# nmap --debug -sO -p 132 127.0.0.1

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-03 12:27 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 127.0.0.1
Initiating IPProto Scan at 12:27
Scanning localhost (127.0.0.1) [1 port]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or
(src host 127.0.0.1))
nmap: scan_engine.cc:826: void UltraProbe::setIP(u8*, u32, const
probespec*): Assertion `iplen >= (unsigned) ipv4->ip_hl * 4 + 12'
failed.
Aborted

other protocols just work fine:
/nmap# nmap -sO -p 1 127.0.0.1

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-03 12:29 CET
Interesting protocols on localhost (127.0.0.1):
PROTOCOL STATE SERVICE
1        open  icmp

thanks

sven

2009/1/3 Daniel Roethlisberger <daniel () roe ch>:
I've hacked together experimental SCTP support for nmap.  Please
give it a whirl and let me know how it goes.  I'm especially
interested in tests against real-world, proprietary SCTP stacks,
whether it also builds on systems other than FreeBSD, and
anything else I might have missed.

http://daniel.roe.ch/code/nmap/nmap+sctp-20090103-r11604-initscan.diff

SCTP is a layer 4+ protocol like TCP or UDP and also has 16-bit
port numbers.  One reason why SCTP might be of interest is its
use by telco stuff migrated to the IP world, such as SS7/SIGTRAN.

What works / has been done:
-   SCTP INIT scans (stealth scans, much like SYN scans in the TCP
   world) seem to work.  An SCTP packet is sent with an INIT
   chunk; the response is an INIT_ACK chunk if the port is open
   or an ABORT chunk if closed.
-   Patched libdnet-stripped with rather minimal SCTP support.
-   Added a list of 36 well-known SCTP ports to nmap-services.

Not done yet:
-   SCTP based ping probes.
-   SCTP support for IP proto scan.
-   Use itag/itsn to store scan state.
-   Support the deprecated Adler32 checksum as an option.
-   More advanced scan types using different chunk combinations.

Note that SCTP scans usually do not work through network address
translators.  This is because today's NAT boxes typically do not
know how to translate SCTP packets.

--
Daniel Roethlisberger
http://daniel.roe.ch/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
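Added example for the INIT-scan mechanics and the 12-byte minimum behind the failed assertion above (my own code, not the patch or any part of nmap): a small Python parser for the SCTP common header and chunk list that verifies the RFC 4960 CRC32c, labels a probed port the way the INIT scan does (INIT_ACK open, ABORT closed, no answer filtered) and, from the capture side, flags a source that sends INIT chunks to many distinct ports. The addresses, ports, INIT field values and the three-port threshold are constructed for this example; the chunk type numbers and the 12-byte header are from RFC 4960.

```python
"""Capture-side SCTP inspection: parse header and chunks, verify the CRC32c,
label ports as an INIT scan would, and flag INIT sweeps.  Added example, not
code from the nmap patch; sample addresses, ports and threshold are constructed."""
import struct
from collections import defaultdict

COMMON_HDR_LEN = 12   # src port, dst port, verification tag, checksum (RFC 4960)
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN_ACK"}

def crc32c(data: bytes) -> int:
    """Bitwise CRC-32c (Castagnoli, reflected poly 0x82F63B78), the checksum
    RFC 4960 mandates.  Check value: crc32c(b"123456789") == 0xE3069283."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def sctp_checksum(packet: bytes) -> bytes:
    """Checksum field for `packet`: CRC32c over the packet with the field zeroed,
    stored in little-endian byte order as RFC 4960 Appendix B does."""
    zeroed = packet[:8] + b"\x00" * 4 + packet[12:]
    return struct.pack("<I", crc32c(zeroed))

def chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Encode one chunk; the length field excludes the padding to 4 bytes."""
    length = 4 + len(value)
    return struct.pack(">BBH", ctype, flags, length) + value + b"\x00" * ((-length) % 4)

def build_sctp(src_port: int, dst_port: int, vtag: int, chunks: list) -> bytes:
    """Assemble common header + chunks with a valid checksum (for sample traffic)."""
    pkt = struct.pack(">HHI", src_port, dst_port, vtag) + b"\x00" * 4 + b"".join(chunks)
    return pkt[:8] + sctp_checksum(pkt) + pkt[12:]

def parse_sctp(packet: bytes):
    """Return (src_port, dst_port, vtag, checksum_ok, [chunk names]) or None if malformed."""
    if len(packet) < COMMON_HDR_LEN:      # same bound as the failed assertion: ip_hl*4 + 12
        return None
    src, dst, vtag = struct.unpack(">HHI", packet[:8])
    checksum_ok = packet[8:12] == sctp_checksum(packet)
    names, off = [], COMMON_HDR_LEN
    while off + 4 <= len(packet):
        ctype, _flags, length = struct.unpack(">BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            return None                    # bogus or truncated chunk length
        names.append(CHUNK_NAMES.get(ctype, f"TYPE_{ctype}"))
        off += length + (-length) % 4      # next chunk starts on a 4-byte boundary
    return src, dst, vtag, checksum_ok, names

def port_state_from_reply(reply_chunks: list) -> str:
    """Label a probed port from the reply chunks, as the INIT scan in the patch does."""
    if "INIT_ACK" in reply_chunks:
        return "open"
    if "ABORT" in reply_chunks:
        return "closed"
    return "filtered"                      # no usable answer after retries

def find_init_sweeps(packets: list, min_ports: int = 3) -> dict:
    """Flag sources whose INIT chunks (vtag 0, as RFC 4960 requires) reach at least
    `min_ports` distinct destination ports; the threshold is an assumption."""
    seen = defaultdict(set)
    for src_ip, raw in packets:
        parsed = parse_sctp(raw)
        if parsed is None or not parsed[3]:
            continue                       # drop malformed or bad-checksum packets
        _src, dst, vtag, _ok, names = parsed
        if "INIT" in names and vtag == 0:
            seen[src_ip].add(dst)
    return {ip: sorted(ports) for ip, ports in seen.items() if len(ports) >= min_ports}

# Constructed INIT body: initiate tag, a_rwnd, outbound/inbound streams, initial TSN.
INIT_VALUE = struct.pack(">IIHHI", 0x1234ABCD, 65536, 10, 2048, 1)

def sample_traffic() -> list:
    """Constructed capture: one host sweeping four ports, one host opening a single
    association.  Addresses and ports are made up for the example."""
    init = chunk(1, 0, INIT_VALUE)
    return [
        ("10.0.0.9", build_sctp(40000, 2905, 0, [init])),
        ("10.0.0.9", build_sctp(40000, 3868, 0, [init])),
        ("10.0.0.9", build_sctp(40000, 9900, 0, [init])),
        ("10.0.0.9", build_sctp(40000, 36412, 0, [init])),
        ("10.0.0.5", build_sctp(50000, 2905, 0, [init])),
    ]

if __name__ == "__main__":
    print(find_init_sweeps(sample_traffic()))   # {'10.0.0.9': [2905, 3868, 9900, 36412]}
```

Two details matter when feeding real captures into this: the CRC32c result goes on the wire in little-endian byte order (the byte swap in RFC 4960 Appendix B), so a big-endian store will make every packet look corrupt; and a genuine INIT always carries verification tag 0, which is why the sweep detector ignores INIT chunks with a non-zero tag rather than counting them.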
