Nmap Development mailing list archives

Re: SCTP scanme system at scanme.csnc.ch


From: Daniel Roethlisberger <daniel () roe ch>
Date: Sun, 14 Jun 2009 14:50:19 +0200

Fyodor <fyodor () insecure org> 2009-06-13:
On Fri, Jun 12, 2009 at 11:16:08PM +0000, Brandon Enright wrote:

My results are coming back filtered:

I get the same for SCTP (tried from my home DSL line and from a
colocated machine), though I can ICMP ping the host.
[...]
I did a manual traceroute with nmap --ttl --packet-trace as
Brandon suggested, and my SCTP packets also make it all the way
to adsl-130-143.dsl.init7.net (213.144.130.143) before being
apparently dropped.  That (ttl 9) is the last hop before I can
reach the machine with ping packets using ttl 10.

adsl-130-143.dsl.init7.net is the last hop before the scanme box.
So with TTL 10 in your example, you should get an SCTP ABORT or
INIT-ACK packet back, not an ICMP TTL Exceeded.  My guess would
be that the SCTP responses don't make it back to your scanning
systems.  Are you absolutely, positively sure that there is no
network address translator or stateful/stateless firewall on your
path out which allows SCTP packets out, but not responses back
in?

Have you also tried connecting to SCTP services normally, e.g.
using sctp-client from the developer's area or better Ncat from
/nmap-exp/daniel/nmap-sctp?

And are your results the same for connecting to or scanning
www.sctp.org port 80?

If all fails, let me know the IP address(es) you are scanning
from off-list, so I can set up tcpdump on my end to give us an
idea of what's happening.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
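The reply types discussed above (INIT-ACK or ABORT from the target versus ICMP from an intermediate hop) map onto nmap's SCTP INIT scan states. The following is an added example, not code from nmap or from this thread: it parses constructed SCTP and ICMP reply bytes (RFC 4960 chunk layout; checksums are not verified) and reports which state each reply implies, so a captured reply can be checked by hand when results look filtered.

```python
import struct

SCTP_INIT_ACK, SCTP_ABORT = 2, 6          # chunk types, RFC 4960
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
IPPROTO_ICMP, IPPROTO_SCTP = 1, 132

def sctp_chunk_types(payload):
    """Walk the chunks that follow the 12-byte SCTP common header."""
    types, off = [], 12
    while off + 4 <= len(payload):
        ctype, _flags, clen = struct.unpack("!BBH", payload[off:off + 4])
        if clen < 4:                       # malformed chunk header, stop
            break
        types.append(ctype)
        off += (clen + 3) & ~3             # chunks are padded to 4 bytes
    return types

def classify_response(proto, payload):
    """Interpret one reply to an SCTP INIT probe (proto=None: nothing came back)."""
    if proto is None:
        return "filtered (no response)"
    if proto == IPPROTO_SCTP:
        types = sctp_chunk_types(payload)
        if SCTP_INIT_ACK in types:
            return "open"                  # target accepted the INIT
        if SCTP_ABORT in types:
            return "closed"                # target refused the association
        return "unexpected SCTP chunks %s" % types
    if proto == IPPROTO_ICMP:
        if payload[0] == ICMP_TIME_EXCEEDED:
            return "ttl exceeded (a hop answered, not the target)"
        if payload[0] == ICMP_DEST_UNREACH:
            return "filtered (ICMP unreachable)"
    return "unexpected protocol %d" % proto

def sctp_packet(sport, dport, vtag, chunks):
    """Build a minimal SCTP packet; checksum field left zero (constructed sample)."""
    hdr = struct.pack("!HHII", sport, dport, vtag, 0)
    body = b"".join(struct.pack("!BBH", t, 0, 4 + len(d)) + d + b"\0" * (-len(d) % 4)
                    for t, d in chunks)
    return hdr + body

# Constructed sample replies (ports and tag are arbitrary, not captured traffic)
INIT_ACK_REPLY = sctp_packet(80, 40000, 0x1234, [(SCTP_INIT_ACK, b"\0" * 16)])
ABORT_REPLY = sctp_packet(80, 40000, 0x1234, [(SCTP_ABORT, b"")])
ICMP_TTL_EXCEEDED = bytes([ICMP_TIME_EXCEEDED, 0]) + b"\0" * 6
```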
