TODO.sctp $Id$ -*-text-*- o Further investigate SCTP functionality, as some people reported problems (see this thread: http://seclists.org/nmap-dev/2009/q2/0669.html) o Add support for UDP encapsulated SCTP (9899/udp). Basically just wrap the SCTP packets into a UDP packet. Think about how to add support for this to libdnet first. See this Internet Draft by Michael Tuexen for the specs: http://tools.ietf.org/html/draft-tuexen-sctp-udp-encaps This is actually quite a challenging task due to the current architecture of the scan engine. How to best differentiate a UDP packet related to a UDP scan from a UDP wrapped SCTP packet? How to unpack the UDP wrapped SCTP packet in order not to duplicate a lot of code? A good solution will be non-trivial. o Verify ICMP response handling for SCTP. Make sure all ICMP types are handled in an optimal way (esp. destination unreachable: protocol unreachable). o Consider removing 9899/sctp from the default port list. 9899/udp is used for UDP encapsulated SCTP. One reason to keep 9899/sctp is likely misconfigurations. o Investigate whether it makes sense to store scan state in the itag/itsn fields for INIT scans. o Investigate the suitability of other SCTP chunks for port scanning and implement more scan types if they turn out to be worthwhile. One unverified idea is to experiment with undefined chunk types and their first two magic bits to provoke ERROR responses. o Add SCTP based service probing. o [Ncat] Consider implementing SCTP broker mode. o [NSE] Add SCTP support to NSE. o Investigate on differences between SCTP stacks and implement SCTP based OS detection probes based on the results. For example, BSD systems send the ASCII string KAME-BSD in INIT-ACK chunks. o SCTP-enable scanme.nmap.org in order to make scanme.roe.ch obsolete.