Nmap Development mailing list archives

Re: SCTP scanme system at scanme.csnc.ch


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 12 Jun 2009 23:16:08 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 12 Jun 2009 22:11:28 +0200
Daniel Roethlisberger <daniel () roe ch> wrote:

> David Fifield <david () bamsoftware com> 2009-06-12:
> > On Fri, Jun 12, 2009 at 09:08:21PM +0200, Daniel Roethlisberger
> > wrote:
> > > I've deployed an SCTP `scanme' system at scanme.csnc.ch in order
> > > to provide a test scan target for the SCTP port scanning
> > > functionality.  It's a dedicated embedded FreeBSD system running
> > > a few dummy SCTP services.  TCP and UDP are firewalled.
> > >
> > > When testing SCTP port scans, please use ``scanme.csnc.ch'' as
> > > the target instead of real public SCTP services.
> >
> > This is cool! Here's what I get:
> >
> > # nmap -sY scanme.csnc.ch --reason
> > Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-12 13:22 MDT
> > Interesting ports on fury.ustdmz.roe.ch (213.144.141.30):
> > Not shown: 40 closed ports
> > Reason: 40 aborts
> > PORT   STATE SERVICE REASON
> > 7/sctp open  echo    init-ack
> > 9/sctp open  discard init-ack
>
> Actually, there are two more SCTP services to discover now:
> HTTP and SMTP.  And they even talk the respective protocols (or
> rather, a very minimal subset thereof).  Note that 25/sctp is
> currently not in the list of SCTP ports scanned by default, which
> is intended.

My results are coming back filtered:

$ sudo nmap -sY -PN -T5 --reason -p 7,9 -v -n scanme.csnc.ch

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-12 23:06 UTC
NSE: Loaded 0 scripts for scanning.
Initiating SCTP INIT Scan at 23:06
Scanning 213.144.141.30 [2 ports]
Completed SCTP INIT Scan at 23:06, 1.51s elapsed (2 total ports)
Host 213.144.141.30 is up, received user-set.
Interesting ports on 213.144.141.30:
PORT   STATE    SERVICE REASON
7/sctp filtered echo    no-response
9/sctp filtered discard no-response

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
           Raw packets sent: 4 (208B) | Rcvd: 0 (0B)


I can't figure out what is filtering the packets though.  I manually
did an SCTP traceroute by using Nmap's --ttl feature and found that this
hop is dropping all ICMP TTL exceeded messages (traceroute dead end):

13  adsl-130-143.dsl.init7.net (213.144.130.143)  177.548 ms  175.733 ms  176.90

All the hops leading up to this one encapsulate my SCTP packets
properly so I know my scan is at least getting 13 hops out.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkoy4bgACgkQqaGPzAsl94LZrACgsHWSPWxx1I8Emj2W/y0pVYWG
v9wAnR/YMwh9I1jQSgYaqiCekJBhVBdB
=phTJ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
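The thread turns on the three outcomes of an SCTP INIT scan (Nmap -sY): an INIT-ACK chunk back means open, an ABORT chunk means closed, and silence means filtered. The following is an added example, not Nmap's code or anything posted in the thread: it builds an SCTP common header plus INIT chunk with the CRC32c checksum SCTP requires, parses a reply, and maps the chunk types to the same state/reason strings shown in the scans above. All packets are constructed in memory (the ports, verification tags and the state cookie are made-up values), so nothing is sent on the wire.

```python
"""SCTP INIT probe builder and reply classifier (added example, not Nmap code)."""
import struct
from typing import Optional, List, Tuple

# CRC-32C (Castagnoli), reflected polynomial 0x82F63B78, which RFC 4960
# section 6.8 mandates for the SCTP common-header checksum.
_CRC32C_TABLE: List[int] = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _CRC32C_TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = (crc >> 8) ^ _CRC32C_TABLE[(crc ^ b) & 0xFF]
    return crc ^ 0xFFFFFFFF


# Chunk types from RFC 4960 section 3.2 (only the ones an INIT scan cares about).
CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ABORT = 1, 2, 6


def build_sctp(src_port: int, dst_port: int, vtag: int, chunks: bytes) -> bytes:
    """Common header (ports, verification tag, checksum) followed by chunks."""
    hdr = struct.pack("!HHII", src_port, dst_port, vtag, 0)   # checksum zeroed for CRC
    crc = crc32c(hdr + chunks)
    # The CRC32c is stored little-endian on the wire (RFC 4960 appendix B,
    # Linux sctp_end_cksum); big-endian packing would yield a checksum error.
    return hdr[:8] + struct.pack("<I", crc) + chunks


def init_chunk(init_tag: int, a_rwnd: int = 0x19000, out_streams: int = 10,
               in_streams: int = 65535, init_tsn: int = 0) -> bytes:
    """INIT chunk: type 1, no flags, fixed 16-byte body, no optional params."""
    body = struct.pack("!IIHHI", init_tag, a_rwnd, out_streams, in_streams, init_tsn)
    return struct.pack("!BBH", CHUNK_INIT, 0, 4 + len(body)) + body


def init_ack_chunk(init_tag: int, cookie: bytes) -> bytes:
    """INIT-ACK: same fixed body as INIT plus the mandatory State Cookie (param type 7)."""
    body = struct.pack("!IIHHI", init_tag, 0x19000, 10, 10, 1)
    param = struct.pack("!HH", 7, 4 + len(cookie)) + cookie
    param += b"\x00" * (-len(param) % 4)                      # pad param to 4 bytes
    return struct.pack("!BBH", CHUNK_INIT_ACK, 0, 4 + len(body) + len(param)) + body + param


def abort_chunk(t_bit: int = 1) -> bytes:
    """ABORT with no error causes; T bit set = sender had no association (closed port)."""
    return struct.pack("!BBH", CHUNK_ABORT, t_bit, 4)


def parse_sctp(pkt: bytes) -> Tuple[int, int, int, List[int]]:
    """Verify the checksum and return (src_port, dst_port, vtag, [chunk types])."""
    if len(pkt) < 12:
        raise ValueError("short SCTP packet")
    src, dst, vtag = struct.unpack("!HHI", pkt[:8])
    (wire_crc,) = struct.unpack("<I", pkt[8:12])
    if crc32c(pkt[:8] + b"\x00" * 4 + pkt[12:]) != wire_crc:
        raise ValueError("bad SCTP CRC32c")
    types: List[int] = []
    off = 12
    while off + 4 <= len(pkt):
        ctype, _flags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4 or off + clen > len(pkt):
            raise ValueError("bad chunk length")
        types.append(ctype)
        off += (clen + 3) & ~3                                 # chunks are 4-byte aligned
    return src, dst, vtag, types


def classify(response: Optional[bytes]) -> Tuple[str, str]:
    """Map a reply (or no reply) to the state/reason pair Nmap -sY --reason prints."""
    if response is None:
        return "filtered", "no-response"
    _, _, _, types = parse_sctp(response)
    if CHUNK_INIT_ACK in types:
        return "open", "init-ack"
    if CHUNK_ABORT in types:
        return "closed", "abort"
    return "unknown", "chunks-%s" % ",".join(str(t) for t in types)


# Constructed packets (not captures): a probe to 7/sctp and the two kinds of reply.
def sample_probe() -> bytes:
    return build_sctp(54321, 7, 0, init_chunk(init_tag=0x12345678))


def sample_init_ack() -> bytes:
    return build_sctp(7, 54321, 0x12345678, init_ack_chunk(0xCAFEBABE, b"cookie!!"))


def sample_abort() -> bytes:
    return build_sctp(80, 54321, 0x12345678, abort_chunk())


if __name__ == "__main__":
    for name, reply in (("7/sctp", sample_init_ack()), ("80/sctp", sample_abort()), ("9/sctp", None)):
        print(name, *classify(reply))
```

Feeding the probe to a real target needs a raw socket (IPPROTO_SCTP, 132) and root, which is why the scan in the thread runs under sudo; the classifier is the part worth reusing when a reply arrives mangled, because a wrong checksum byte order is indistinguishable from corruption to the receiver.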