blob: 55bf0426596505961fc40481708f9a3b1168f622
TODO.sctp $Id$ -*-text-*-
o Further investigate SCTP functionality, as some people reported
problems (see this thread:
http://seclists.org/nmap-dev/2009/q2/0669.html)
o Add support for UDP encapsulated SCTP (9899/udp).
Basically just wrap each SCTP packet in a UDP packet.
Think about how to add support for this to libdnet first.
See this Internet Draft by Michael Tuexen for the specs:
http://tools.ietf.org/html/draft-tuexen-sctp-udp-encaps
This is actually quite a challenging task due to the
current architecture of the scan engine. How to best
differentiate a UDP packet related to a UDP scan from a
UDP wrapped SCTP packet? How to unpack the UDP wrapped
SCTP packet in order not to duplicate a lot of code?
A good solution will be non-trivial.
o Verify ICMP response handling for SCTP. Make sure all
ICMP types are handled in an optimal way (esp. destination
unreachable: protocol unreachable).
o Consider removing 9899/sctp from the default port list.
9899/udp is used for UDP encapsulated SCTP. One reason
to keep 9899/sctp is that misconfigurations are likely.
o Investigate whether it makes sense to store scan state in
the itag/itsn fields for INIT scans.
o Investigate the suitability of other SCTP chunks for port
scanning and implement more scan types if they turn out to
be worthwhile. One unverified idea is to experiment with
undefined chunk types and their first two magic bits to
provoke ERROR responses.
o Add SCTP based service probing.
o [Ncat] Consider implementing SCTP broker mode.
o [NSE] Add SCTP support to NSE.
o Investigate differences between SCTP stacks and
implement SCTP based OS detection probes based on the
results. For example, BSD systems send the ASCII string
KAME-BSD in INIT-ACK chunks.
o SCTP-enable scanme.nmap.org in order to make scanme.roe.ch
obsolete.
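Added example for the UDP encapsulated SCTP item above (not Nmap code): it builds an SCTP INIT packet, wraps it in a UDP datagram to 9899/udp as the draft describes, and shows one way to tell a UDP-wrapped SCTP packet apart from ordinary UDP scan traffic, by checking for a full SCTP common header whose CRC32c checksum verifies. Function names and the sample port/tag values are my own.

```python
import struct

SCTP_UDP_PORT = 9899  # UDP port used for SCTP encapsulation


def crc32c(data: bytes) -> int:
    """Bitwise CRC32c (Castagnoli), the SCTP checksum (RFC 4960 App. B)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_sctp_init(src_port: int, dst_port: int, itag: int, itsn: int) -> bytes:
    """SCTP common header + minimal INIT chunk with the checksum filled in.
    The verification tag is 0 for INIT; the CRC32c is stored little-endian."""
    # INIT chunk: type 1, flags 0, length 20, initiate tag, a_rwnd,
    # outbound streams, inbound streams, initial TSN (sample values)
    chunk = struct.pack("!BBHIIHHI", 1, 0, 20, itag, 65535, 10, 65535, itsn)
    header = struct.pack("!HHII", src_port, dst_port, 0, 0)
    pkt = header + chunk
    return pkt[:8] + struct.pack("<I", crc32c(pkt)) + pkt[12:]


def wrap_in_udp(sctp_pkt: bytes, src_port: int, dst_port: int = SCTP_UDP_PORT) -> bytes:
    """UDP header (checksum left 0, as UDP allows) followed by the SCTP packet."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(sctp_pkt), 0) + sctp_pkt


def looks_like_encapsulated_sctp(udp_datagram: bytes) -> bool:
    """Classify a UDP datagram: the payload must hold a 12-byte SCTP common
    header plus at least one 4-byte chunk header, and its CRC32c must verify
    with the checksum field zeroed. An empty UDP scan probe fails the length
    check; a random payload fails the checksum with probability ~1 - 2^-32."""
    payload = udp_datagram[8:]
    if len(payload) < 16:
        return False
    stored = struct.unpack("<I", payload[8:12])[0]
    zeroed = payload[:8] + b"\x00\x00\x00\x00" + payload[12:]
    return crc32c(zeroed) == stored


if __name__ == "__main__":
    probe = wrap_in_udp(build_sctp_init(40000, 9899, 0x1234ABCD, 1), 40000)
    print("encapsulated SCTP:", looks_like_encapsulated_sctp(probe))
```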