Besides the well-known transport protocols TCP and UDP, there is a third one called SCTP. The Linux kernel has shipped it for about ten years (FreeBSD too), while Windows and Mac OS X only get it through third-party drivers. Almost nobody uses it. I know little more about this protocol than you do.
But I can now scan for it with masscan. Scanning the entire Internet for an SCTP service would look something like this:
masscan 0.0.0.0/0 -pS:36422,36412 --rate 100000
As in nmap, you can prefix ports with a letter for the transport protocol: T: for TCP, U: for UDP, and S: for SCTP.
The two ports above are IANA-registered for the LTE/4G control plane: 36412/sctp carries S1AP between a base station (eNodeB) and the MME on the S1-MME interface, and 36422/sctp carries X2AP between neighbouring eNodeBs on the X2 interface. Both belong on an operator's internal backhaul/core network rather than on the public Internet. Running this scan, I got the following results:
Discovered open port 36412/sctp on 31.204.128.247
Discovered open port 36412/sctp on 41.213.0.147
Discovered open port 36412/sctp on 41.213.0.163
Discovered open port 36412/sctp on 61.252.41.113
Discovered open port 36412/sctp on 64.71.135.220
Discovered open port 36412/sctp on 115.12.152.194
Discovered open port 36422/sctp on 115.12.152.194
Discovered open port 36412/sctp on 119.194.139.93
Discovered open port 36412/sctp on 119.39.227.186
Discovered open port 36422/sctp on 120.199.33.154
Discovered open port 36422/sctp on 120.199.63.234
Discovered open port 36412/sctp on 173.228.61.6
Discovered open port 36412/sctp on 182.98.163.217
Discovered open port 36422/sctp on 183.247.170.18
Discovered open port 36422/sctp on 197.243.0.89
Discovered open port 36422/sctp on 197.243.0.90
Discovered open port 36422/sctp on 197.243.0.91
Discovered open port 36422/sctp on 197.243.0.92
Discovered open port 36422/sctp on 197.243.0.93
Discovered open port 36422/sctp on 197.243.0.94
Discovered open port 36422/sctp on 211.72.48.37
Discovered open port 36422/sctp on 221.112.39.246
I don't know how to interpret these results. I suspect that some of these machines are just test/development machines running in labs. But, I also suspect that some of these are infrastructure machines improperly exposed to the public Internet, and that somebody with more knowledge about LTE/4G would find something interesting to do with them.
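To make the "open port" lines above concrete, here is an added example (my code, not masscan's and not part of the original post) of what an SCTP port scanner does on the wire. It sends an INIT chunk with the common-header Verification Tag set to 0; a listening port answers with INIT-ACK (that is what masscan reports as open), a closed port answers with ABORT, and a filtered one stays silent. The packet is protected by a CRC32c that RFC 4960 Appendix B has you store little-endian. The INIT-ACK and ABORT replies in the block are constructed in memory so it runs offline; probe() is the raw-socket version (Linux, root) and is my assumed usage, not something exercised here. The source port 40000, the Initiate Tag 0x1234ABCD and the cookie bytes are arbitrary.

```python
"""SCTP INIT-scan primitives (added example, not masscan's code): send an INIT,
then INIT-ACK = open, ABORT = closed, silence = filtered.  Replies are
constructed in memory so this runs offline; probe() is the raw-socket form."""
import socket
import struct

# CRC32c (Castagnoli, reflected polynomial 0x82F63B78), RFC 4960 Appendix B.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data):
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ABORT = 1, 2, 6   # RFC 4960 section 3.2
PARAM_STATE_COOKIE = 7                              # RFC 4960 section 3.3.3


def chunk(ctype, flags, body):
    """4-byte chunk header + body, padded to 4 bytes (padding not in Length)."""
    length = 4 + len(body)
    return struct.pack("!BBH", ctype, flags, length) + body + b"\0" * (-length % 4)


def build_packet(src_port, dst_port, vtag, chunks):
    """Common header + chunks.  CRC32c is computed over the packet with the
    checksum field zeroed and is stored little-endian (the Appendix B quirk;
    store it big-endian and every peer silently drops the packet)."""
    pkt = struct.pack("!HHII", src_port, dst_port, vtag, 0) + chunks
    return pkt[:8] + struct.pack("<I", crc32c(pkt)) + pkt[12:]


def checksum_ok(pkt):
    if len(pkt) < 12:
        return False
    return struct.unpack("<I", pkt[8:12])[0] == crc32c(pkt[:8] + bytes(4) + pkt[12:])


def build_init(src_port, dst_port, init_tag, a_rwnd=65535, out_streams=10,
               in_streams=65535, init_tsn=0):
    """INIT: header Verification Tag MUST be 0, Initiate Tag MUST be non-zero
    (RFC 4960 5.1); the peer echoes the Initiate Tag in its INIT-ACK header."""
    assert init_tag != 0
    body = struct.pack("!IIHHI", init_tag, a_rwnd, out_streams, in_streams, init_tsn)
    return build_packet(src_port, dst_port, 0, chunk(CHUNK_INIT, 0, body))


def classify_reply(reply, our_src_port, our_init_tag):
    """'open' (INIT-ACK echoing our tag), 'closed' (ABORT) or 'ignored'."""
    if len(reply) < 16 or not checksum_ok(reply):
        return "ignored"
    _src, dst_port, vtag = struct.unpack("!HHI", reply[:8])
    if dst_port != our_src_port:
        return "ignored"
    ctype = reply[12]                       # type of the first chunk
    if ctype == CHUNK_INIT_ACK:
        # only an endpoint that saw our INIT knows the tag: drops spoofed replies
        return "open" if vtag == our_init_tag else "ignored"
    return "closed" if ctype == CHUNK_ABORT else "ignored"


def probe(host, port, src_port=40000, init_tag=0x1234ABCD, timeout=2.0):
    """One INIT via a raw socket (Linux, root); assumed usage, not run offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, getattr(socket, "IPPROTO_SCTP", 132))
    s.settimeout(timeout)
    try:
        s.sendto(build_init(src_port, port, init_tag), (host, 0))
        while True:
            data, _ = s.recvfrom(65535)
            ihl = (data[0] & 0x0F) * 4      # raw IPv4 sockets include the IP header
            verdict = classify_reply(data[ihl:], src_port, init_tag)
            if verdict != "ignored":
                return verdict
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


# Constructed replies standing in for a listening S1-MME port and a closed one.
def fake_init_ack(our_src_port, our_init_tag, peer_port=36412):
    body = struct.pack("!IIHHI", 0xCAFEBABE, 106496, 10, 10, 1000)
    cookie = b"cookie!!"                    # State Cookie parameter is mandatory
    body += struct.pack("!HH", PARAM_STATE_COOKIE, 4 + len(cookie)) + cookie
    return build_packet(peer_port, our_src_port, our_init_tag, chunk(CHUNK_INIT_ACK, 0, body))


def fake_abort(our_src_port, our_init_tag, peer_port=36412):
    return build_packet(peer_port, our_src_port, our_init_tag, chunk(CHUNK_ABORT, 0, b""))


if __name__ == "__main__":
    tag = 0x1234ABCD
    print("INIT :", build_init(40000, 36412, tag).hex())
    print("reply:", classify_reply(fake_init_ack(40000, tag), 40000, tag))
```

The check worth keeping from this is the tag comparison: an INIT-ACK only counts as "open" if its Verification Tag equals the Initiate Tag we sent, so stray or spoofed replies are dropped. masscan validates TCP responses with a SYN cookie in the sequence number; for SCTP the Initiate Tag is the natural place to put the same kind of cookie.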
The reason I added SCTP this weekend is the Shmoocon hacking/cybersec conference. Somebody gave a talk on LTE/4G. Somebody in the audience, noticing the SCTP usage in LTE asked me if masscan supported the protocol. It didn't -- but a few hours later it did. I'd already put some of the code in back when I created the tool, I just had to finish it up and test it. It still needs more testing, so please play with it.
SCTP is used heavily in SIGTRAN (SS7 over IP) for telephony networks, primarily because it allows multiple non-blocking streams between two nodes on the network, meaning that congestion/delay on one stream won't disrupt/delay the data flows in the other streams, as the SS7 protocol requires in-order delivery of the packets.
http://en.wikipedia.org/wiki/SIGTRAN
SCTP also gets used in other telephony networks, such as when moving various GSM EDGE (GERAN), UMTS (UTRAN), or LTE (E-UTRAN) network links over IP, particularly for signaling. (Signaling tends to go over SCTP; data often over RDP over UDP.)