sctpscan 介绍

SCTPscan是一个用来扫描SCTP功能的设备。通常,电信面向设备在IP上携带SS7和SIGTRAN,使用SCTPscan,你可以找到切入点电信网络。这对在电信核心网络基础设施做穿透测试时特别有用。 SCTP也可用于高性能网络(Internet2)。

资料来源:http://www.p1sec.com/corp/research/tool​​s/sctpscan/
sctpscan 首页
sctpscan 源代码版本库

包含在sctpscan里的工具

sctpscan - 用于SCTP网络扫描发现和安全

root@kali:~# sctpscan
SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
SCTPscan comes with ABSOLUTELY NO WARRANTY; for details read the LICENSE or COPYING file.
Usage:  sctpscan [options]
Options:
  -p, --port <port>           (default: 10000)
      port specifies the remote port number
  -P, --loc_port <port>       (default: 10000)
      port specifies the local port number
  -l, --loc_host <loc_host>   (default: 127.0.0.1)
      loc_host specifies the local  (bind) host for the SCTP
      stream with optional local port number
  -r, --rem_host <rem_host>   (default: 127.0.0.2)
      rem_host specifies the remote (sendto) address for the SCTP
      stream with optional remote port number
  -s  --scan -r aaa[.bbb[.ccc]]
      scan all machines within network
  -m  --map
      map all SCTP ports from 0 to 65535 (portscan)
  -F  --Frequent
      Portscans the frequently used SCTP ports
      Frequent SCTP ports: 1, 7, 9, 20, 21, 22, 80, 100, 128, 179, 260, 250, 443, 1167, 1812, 2097, 2000, 2001, 2010, 2011, 2020, 2021, 2100, 2110, 2120, 2225, 2427, 2477, 2577, 2904, 2905, 2906, 2907, 2908, 2909, 2944, 2945, 3000, 3097, 3565, 3740, 3863, 3864, 3868, 4000, 4739, 4740, 5000, 5001, 5060, 5061, 5090, 5091, 5672, 5675, 6000, 6100, 6110, 6120, 6130, 6140, 6150, 6160, 6170, 6180, 6190, 6529, 6700, 6701, 6702, 6789, 6790, 7000, 7001, 7102, 7103, 7105, 7551, 7626, 7701, 7800, 8000, 8001, 8471, 8787, 9006, 9084, 9899, 9911, 9900, 9901, 9902, 10000, 10001, 11146, 11997, 11998, 11999, 12205, 12235, 13000, 13001, 14000, 14001, 20049, 29118, 29168, 30000, 32905, 32931, 32768
  -a  --autoportscan
      Portscans automatically any host with SCTP aware TCP/IP stack
  -i  --linein
      Receive IP to scan from stdin
  -f  --fuzz
      Fuzz test all the remote protocol stack
  -B  --bothpackets
      Send packets with INIT chunk for one, and SHUTDOWN_ACK for the other
  -b  --both_checksum
      Send both checksum: new crc32 and old legacy-driven adler32
  -C  --crc32
      Calculate checksums with the new crc32
  -A  --adler32
      Calculate checksums with the old adler32
  -Z  --zombie
      Does not collaborate to the SCTP Collaboration platform. No reporting.
  -d  --dummyserver
      Starts a dummy SCTP server on port 10000. You can then try to scan it
      from another machine.
  -E  --exec <script_name>
      Executes <script_name> each time an open SCTP port is found.
      Execution arguments: <script_name> host_ip sctp_port
  -t  --tcpbridge <listen TCP port>
      Bridges all connection from <listen TCP port> to remote designated SCTP port.
  -S  --streams <number of streams>
      Tries to establish SCTP association with the specified <number of streams> to
      remote designated SCTP destination.

Scan port 9999 on 192.168.1.24
./sctpscan -l 192.168.1.2 -r 192.168.1.24 -p 9999

Scans for availability of SCTP on 172.17.8.* and portscan any host with SCTP stack
./sctpscan -s -l 172.22.1.96 -r 172.17.8

Scans frequently used ports on 172.17.8.*
./sctpscan -s -F -l 172.22.1.96 -r 172.17.8

Scans all class-B network for frequent port
./sctpscan -s -F -r 172.22 -l `ifconfig eth0
grep 'inet addr:'
 cut -d: -f2
cut -d ' ' -f 1 `

Simple verification end to end on the local machine:
./sctpscan -d &
./sctpscan -s -l 192.168.1.24 -r 192.168.1 -p 10000

This tool does NOT work behind most NAT.
That means that most of the routers / firewall don't know how to NAT SCTP packets.
You _need_ to use this tool from a computer having a public IP address (i.e. non-RFC1918)

sctpscan 用法示例

扫描(-s)在远程网络上经常使用的端口(-F)(-r 192.168.1。*):

root@kali:~# sctpscan -s -F -r 192.168.1.*
SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.
Netscanning with Crc32 checksumed packet
Portscanning Frequent Ports on 192.168.1.*.