Monday, January 20, 2014

Masscan supports SCTP

Besides the well-known transport protocols of TCP and UDP, there is also one called SCTP. It's been included in Windows, Linux, and Mac OS X for 10 years. Almost nobody uses it. I know little more about this protocol than you do.

But I can now scan for it in masscan. Scanning the entire Internet for an SCTP service would look something like this:

masscan 0.0.0.0/0 -pS:36422,36412 --rate 100000

As in nmap, you can prefix ports with the letter of the transport protocol, where T: is for TCP, U: is for UDP, and S: is for SCTP.

The ports above are for protocols in the LTE/4G protocol suite. Running this scan, I got the following results:

Discovered open port 36412/sctp on 31.204.128.247
Discovered open port 36412/sctp on 41.213.0.147
Discovered open port 36412/sctp on 41.213.0.163
Discovered open port 36412/sctp on 61.252.41.113
Discovered open port 36412/sctp on 64.71.135.220
Discovered open port 36412/sctp on 115.12.152.194
Discovered open port 36422/sctp on 115.12.152.194
Discovered open port 36412/sctp on 119.194.139.93
Discovered open port 36412/sctp on 119.39.227.186
Discovered open port 36422/sctp on 120.199.33.154
Discovered open port 36422/sctp on 120.199.63.234
Discovered open port 36412/sctp on 173.228.61.6
Discovered open port 36412/sctp on 182.98.163.217
Discovered open port 36422/sctp on 183.247.170.18
Discovered open port 36422/sctp on 197.243.0.89
Discovered open port 36422/sctp on 197.243.0.90
Discovered open port 36422/sctp on 197.243.0.91
Discovered open port 36422/sctp on 197.243.0.92
Discovered open port 36422/sctp on 197.243.0.93
Discovered open port 36422/sctp on 197.243.0.94
Discovered open port 36422/sctp on 211.72.48.37
Discovered open port 36422/sctp on 221.112.39.246
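The port-list syntax and the result lines above are both easy to process with a small script, which is what you want when triaging which of your own hosts answered on which signalling port. The following is an added example, not code from masscan or from this post. It assumes only the T:/U:/S: prefix rule described above (a prefix applies to every entry that follows it until another prefix appears, as in nmap) and the "Discovered open port N/proto on IP" line format shown; the sample lines inside it are constructed from documentation addresses, not scan results.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of masscan's "Discovered open port" lines
# (documentation addresses, not results from any real scan). One unrelated
# status-style line is included to show that the parser skips what it does
# not recognise.
SAMPLE_OUTPUT = """\
Discovered open port 36412/sctp on 192.0.2.10
Discovered open port 36422/sctp on 192.0.2.10
Discovered open port 36422/sctp on 198.51.100.7
Discovered open port 36412/sctp on 203.0.113.42
rate: 0.00-kpps, 100.00% done, found=4
"""

# Transport-protocol prefixes accepted in a port list, as in nmap and masscan.
PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}

LINE_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp|sctp) on (\S+)\s*$")


def parse_port_spec(spec, default_proto="tcp"):
    """Expand a port list such as 'S:36422,36412' or 'U:53,T:80-81'.

    A prefix sets the protocol for every following entry until another
    prefix appears; entries before any prefix use default_proto.
    Returns a set of (proto, port) tuples.
    """
    targets = set()
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTO_PREFIX:
            proto = PROTO_PREFIX[item[0].upper()]
            item = item[2:]
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        targets.update((proto, p) for p in range(lo, hi + 1))
    return targets


def parse_discovered(text):
    """Return (ip, proto, port) for each 'Discovered open port' line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(3), m.group(2), int(m.group(1))))
    return found


def summarize(text, spec):
    """Group results by service and by host, and flag any result that was
    not part of the requested port list (a sign of mixed-up output files)."""
    targets = parse_port_spec(spec)
    hosts_by_service = defaultdict(set)
    services_by_host = defaultdict(set)
    unexpected = []
    for ip, proto, port in parse_discovered(text):
        hosts_by_service[f"{port}/{proto}"].add(ip)
        services_by_host[ip].add((proto, port))
        if (proto, port) not in targets:
            unexpected.append((ip, f"{port}/{proto}"))
    return {
        "hosts_by_service": {k: sorted(v) for k, v in sorted(hosts_by_service.items())},
        # hosts that answered on every requested port, e.g. both LTE ports here
        "hosts_on_every_target": sorted(
            ip for ip, svcs in services_by_host.items() if svcs == targets
        ),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT, "S:36422,36412").items():
        print(key, value)
```

Feeding it a saved masscan listing (`masscan ... > results.txt`) and the same `-p` argument you scanned with gives, per service, the hosts that answered, and separately the hosts that answered on every requested port; for an operator those are the first addresses to check against an inventory of what is supposed to be reachable from the Internet.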

I don't know how to interpret these results. I suspect that some of these machines are just test/development machines running in labs. But, I also suspect that some of these are infrastructure machines improperly exposed to the public Internet, and that somebody with more knowledge about LTE/4G would find something interesting to do with them.

The reason I added SCTP this weekend is the Shmoocon hacking/cybersec conference. Somebody gave a talk on LTE/4G. Somebody in the audience, noticing the SCTP usage in LTE, asked me if masscan supported the protocol. It didn't -- but a few hours later it did. I'd already put some of the code in back when I created the tool; I just had to finish it up and test it. It still needs more testing, so please play with it.

2 comments:

Unknown said...

SCTP is used heavily in SIGTRAN (SS7 over IP) for telephony networks, primarily because it allows multiple non-blocking streams between 2 nodes on the network, meaning that congestion/delay on one stream won't disrupt/delay the data flows in the other streams, as the SS7 protocol requires in-order delivery of the packets.

http://en.wikipedia.org/wiki/SIGTRAN

John Thacker said...

SCTP also gets used in other telephony networks, such as when moving various GSM EDGE (GERAN), UMTS (UTRAN), or LTE (E-UTRAN) network links over IP, particularly for signaling. (Signaling tends to go over SCTP; data often over RDP over UDP.)