Nmap Development mailing list archives
Re: SCTP scanme system at scanme.csnc.ch
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 12 Jun 2009 23:16:08 +0000
On Fri, 12 Jun 2009 22:11:28 +0200 Daniel Roethlisberger <daniel () roe ch> wrote:
> David Fifield <david () bamsoftware com> 2009-06-12:
> > On Fri, Jun 12, 2009 at 09:08:21PM +0200, Daniel Roethlisberger wrote:
> > > I've deployed an SCTP `scanme' system at scanme.csnc.ch in order to
> > > provide a test scan target for the SCTP port scanning functionality.
> > > It's a dedicated embedded FreeBSD system running a few dummy SCTP
> > > services. TCP and UDP are firewalled. When testing SCTP port scans,
> > > please use ``scanme.csnc.ch'' as target instead of real public SCTP
> > > services.
> >
> > This is cool! Here's what I get:
> >
> > # nmap -sY scanme.csnc.ch --reason
> >
> > Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-12 13:22 MDT
> > Interesting ports on fury.ustdmz.roe.ch (213.144.141.30):
> > Not shown: 40 closed ports
> > Reason: 40 aborts
> > PORT   STATE SERVICE REASON
> > 7/sctp open  echo    init-ack
> > 9/sctp open  discard init-ack
>
> Actually, there are two more SCTP services to discover now: HTTP and
> SMTP. And they even talk the respective protocols (or rather, a very
> minimal subset thereof). Note that 25/sctp is currently not in the list
> of SCTP ports scanned by default, which is intended.
My results are coming back filtered:

$ sudo nmap -sY -PN -T5 --reason -p 7,9 -v -n scanme.csnc.ch

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-12 23:06 UTC
NSE: Loaded 0 scripts for scanning.
Initiating SCTP INIT Scan at 23:06
Scanning 213.144.141.30 [2 ports]
Completed SCTP INIT Scan at 23:06, 1.51s elapsed (2 total ports)
Host 213.144.141.30 is up, received user-set.
Interesting ports on 213.144.141.30:
PORT   STATE    SERVICE REASON
7/sctp filtered echo    no-response
9/sctp filtered discard no-response

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
           Raw packets sent: 4 (208B) | Rcvd: 0 (0B)

I can't figure out what is filtering the packets though. I manually did a
SCTP traceroute by using Nmap's --ttl feature and found that this hop is
dropping all ICMP TTL exceeded messages (traceroute dead end):

13  adsl-130-143.dsl.init7.net (213.144.130.143)  177.548 ms  175.733 ms  176.90

All the hops leading up to this one encapsulate my SCTP packets properly
so I know my scan is at least getting 13 hops out.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
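The manual SCTP traceroute Brandon describes (stepping nmap's --ttl option up one hop at a time and watching which router sends the ICMP TTL-exceeded reply) can be scripted. The script below is an added example for this archive page, not code from the thread or from the Nmap project. The nmap options it uses (-sY, -Pn, -n, --ttl, --packet-trace, --max-retries, -p) are real, but the parser assumes, without confirmation from the page, that --packet-trace prints each received packet on a line beginning with "RCVD" and shows ICMP as "ICMP [<src> > <dst> ...". The sample trace lines embedded for the offline demo are constructed in that shape and are not captured output; the only real addresses in them are the ones quoted in the thread.

```shell
#!/bin/sh
# SCTP traceroute built on nmap's --ttl option, the procedure described in the
# message above. Added example for this archive page, not code from the thread
# or from the Nmap project.
#
# ASSUMPTION (not confirmed by the page): nmap --packet-trace prints every
# received packet as a line starting with "RCVD", with ICMP shown as
# "ICMP [<src> > <dst> ...". The sample lines below are constructed in that
# shape for the offline demo; they are not captured output.

# hop_from_trace: read nmap --packet-trace output on stdin and print one word:
#   <ip>    the router that answered with ICMP for this TTL
#   target  an SCTP reply (INIT-ACK or ABORT) came back, so this TTL reached
#           the target itself
#   *       nothing came back (the "traceroute dead end" case)
hop_from_trace() {
    awk '
        /^RCVD/ && /ICMP \[/ { sub(/.*ICMP \[/, ""); print $1; found = 1; exit }
        /^RCVD/ && / SCTP /  { print "target"; found = 1; exit }
        END { if (!found) print "*" }
    '
}

# probe_ttl TTL TARGET PORT: one SCTP INIT probe with the given TTL (needs root
# for raw packets). -Pn/-n skip host discovery and DNS so only the probe leaves
# the host; --max-retries 0 keeps it to a single packet per TTL.
probe_ttl() {
    nmap -sY -Pn -n --ttl "$1" --packet-trace --max-retries 0 -p "$3" "$2" \
        2>/dev/null | hop_from_trace
}

# sctp_traceroute TARGET PORT MAXTTL: raise the TTL until the target answers or
# MAXTTL is hit. A run of "*" after the last answering router is what the
# message above reports past hop 13.
sctp_traceroute() {
    ttl=1
    while [ "$ttl" -le "$3" ]; do
        hop=$(probe_ttl "$ttl" "$1" "$2")
        printf '%2d  %s\n' "$ttl" "$hop"
        [ "$hop" = "target" ] && return 0
        ttl=$((ttl + 1))
    done
    return 1
}

# Constructed sample trace lines (assumed format, see above) for an offline
# check of the parser; 10.0.0.5 is a made-up scanning host.
SAMPLE_ROUTER='SENT (0.0503s) SCTP 10.0.0.5:40000 > 213.144.141.30:7 INIT ttl=13
RCVD (0.2275s) ICMP [213.144.130.143 > 10.0.0.5 TTL=0 during transit (type=11/code=0) ]'
SAMPLE_TARGET='SENT (0.0503s) SCTP 10.0.0.5:40000 > 213.144.141.30:7 INIT ttl=30
RCVD (0.1910s) SCTP 213.144.141.30:7 > 10.0.0.5:40000 INIT-ACK'
SAMPLE_NONE='SENT (0.0503s) SCTP 10.0.0.5:40000 > 213.144.141.30:7 INIT ttl=14'

# demo_parse: run the parser over the three constructed cases.
demo_parse() {
    printf '%s\n' "$SAMPLE_ROUTER" | hop_from_trace   # 213.144.130.143
    printf '%s\n' "$SAMPLE_TARGET" | hop_from_trace   # target
    printf '%s\n' "$SAMPLE_NONE"   | hop_from_trace   # *
}

if [ "$#" -ge 1 ]; then
    sctp_traceroute "$1" "${2:-7}" "${3:-30}"
else
    echo "usage: $0 target [sctp-port] [max-ttl]  (running parser demo only)" >&2
    demo_parse
fi
```

Run it as root against scanme.csnc.ch (port 7 by default, as in the thread) and the output is one line per TTL: a router address while ICMP TTL-exceeded replies are coming back, "*" once a hop stops emitting them, and "target" when the INIT-ACK or ABORT from the host itself arrives. A "*" for every TTL past the last answering router, with the final scan still reporting no-response, is the pattern Brandon saw. Note that an ICMP unreachable from a firewall in the path is also reported as that device's address, so compare the reported hop with the --reason output of a normal scan before concluding a hop is silently dropping.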
Current thread:
- SCTP scanme system at scanme.csnc.ch Daniel Roethlisberger (Jun 12)
- Re: SCTP scanme system at scanme.csnc.ch David Fifield (Jun 12)
- Re: SCTP scanme system at scanme.csnc.ch Daniel Roethlisberger (Jun 12)
- Re: SCTP scanme system at scanme.csnc.ch Brandon Enright (Jun 12)
- Re: SCTP scanme system at scanme.csnc.ch Daniel Roethlisberger (Jun 13)
- Re: SCTP scanme system at scanme.csnc.ch Fyodor (Jun 13)
- Re: SCTP scanme system at scanme.csnc.ch Daniel Roethlisberger (Jun 14)
- Re: SCTP scanme system at scanme.csnc.ch Daniel Roethlisberger (Jun 12)
- Re: SCTP scanme system at scanme.csnc.ch David Fifield (Jun 12)