
Set of tools to audit and exploit STUN/TURN servers


Pepelux/stuncheck


StunCheck is a set of tools for scanning, testing and exploiting STUN and TURN servers.

Some of the implemented utilities are based on the fantastic Stunner application (https://github.com/firefart/stunner)

StunScan

Multithreaded STUN/TURN server scanner. It can scan large network ranges.

 -= STUN scan =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Host/IP address/network (ex: mystunserver.com | 192.168.0.10 | 192.168.0.0/24)
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Ports to scan. Ex: 3478 | 3478,5349 | 3400-3500 | 3470,5000,5300-5400 | ALL for 1-65536 (default: 3478/udp or 5349/tcp)
  -proto PROTO                               Protocol to connect TURN server: udp|tcp|tls|all (default: udp)
  -th THREADS, --threads THREADS             Number of threads (default: 200)
  -v, --verbose                              Increase verbosity
  -vv, --more_verbose                        Increase more verbosity
  -nocolor                                   Show result without colors
  -f FILE, --file FILE                       File with several IPs or network ranges
  -o OFILE, --output_file OFILE              Save data into a log file
  -random                                    Randomize target hosts

StunInfo

Gets information about a STUN or TURN server, such as the software in use, the listening interface and the supported protocols.

 -= STUN info =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Target IP address
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478)
  -proto PROTO                               Protocol to connect TURN server: udp|tcp|tls (default: udp)
  -v, --verbose                              Increase verbosity
  -vv, --more_verbose                        Increase more verbosity

Example:

$ ./stuninfo.py -i 185.X.X.11

☎️  STUNCHECK BY 🅿 🅴 🅿 🅴 🅻 🆄 🆇

███████████████████████████████████████████████████
█─▄▄▄▄█─▄─▄─█▄─██─▄█▄─▀█▄─▄█▄─▄█▄─▀█▄─▄█▄─▄▄─█─▄▄─█
█▄▄▄▄─███─████─██─███─█▄▀─███─███─█▄▀─███─▄███─██─█
▀▄▄▄▄▄▀▀▄▄▄▀▀▀▄▄▄▄▀▀▄▄▄▀▀▄▄▀▄▄▄▀▄▄▄▀▀▄▄▀▄▄▄▀▀▀▄▄▄▄▀

💾 https://github.com/Pepelux/stuncheck
🐦 https://twitter.com/pepeluxx

[✓] IP/Network: 185.X.X.11
[✓] Port: 3478
[✓] Protocol: UDP

[+] Headers:
  [-]  Message Type: Binding Response
  [-]  Message Cookie: 482112a4
  [-]  Transaction ID: 422cb0fa30c04c71f3dd3264e4
[+] Attributes:
  [-]  XOR-MAPPED-ADDRESS: 193.X.X.9:55878
  [-]  MAPPED-ADDRESS: 193.X.X.9:55878
  [-]  RESPONSE-ORIGIN: 185.X.X.11:3478
  [-]  SOFTWARE: Coturn-4.5.2 'dan Eider'
  [-]  FINGERPRINT: 848d1fa8

Transport ... UDP
[+] Headers:
  [-]  Message Type: Allocate Error Response
  [-]  Message Cookie: 682112a4
  [-]  Transaction ID: 42ffd9da6b9f98f06077f2ca56
[+] Attributes:
  [-]  ERROR-CODE: 401 Unauthorized
  [-]  NONCE: 7eb2371b7c103283
  [-]  REALM: mydomain.com
  [-]  SOFTWARE: Coturn-4.5.2 'dan Eider'
  [-]  FINGERPRINT: 27227d9d

Transport ... TCP
[+] Headers:
  [-]  Message Type: Allocate Error Response
  [-]  Message Cookie: 682112a4
  [-]  Transaction ID: 423ef44c68a1e7ec22f3b1d076
[+] Attributes:
  [-]  ERROR-CODE: 34303120 401 Unauthorized
  [-]  NONCE: 7b2d5efff9a9f2b5
  [-]  REALM: mydomain.com
  [-]  SOFTWARE: Coturn-4.5.2 'dan Eider'
  [-]  FINGERPRINT: dd4a9f0e
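
The fields StunInfo prints map onto the STUN wire format (RFC 5389). As an added example, not part of stuncheck, this Python parser decodes a constructed Binding Success Response and picks out the attributes that disclose server details. The sample bytes, the 192.0.2.9 address and the DISCLOSING list are assumptions made for illustration.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value from RFC 5389
MSG_TYPES = {0x0101: "Binding Success Response", 0x0113: "Allocate Error Response"}
ATTRS = {0x0001: "MAPPED-ADDRESS", 0x0009: "ERROR-CODE", 0x0014: "REALM",
         0x0015: "NONCE", 0x0020: "XOR-MAPPED-ADDRESS", 0x8022: "SOFTWARE",
         0x8028: "FINGERPRINT", 0x802B: "RESPONSE-ORIGIN"}
# Assumed audit list: attributes that describe the server itself.
DISCLOSING = ("SOFTWARE", "RESPONSE-ORIGIN", "REALM")


def _decode(name, v):
    if name.endswith(("ADDRESS", "ORIGIN")) and len(v) == 8:  # IPv4 form only
        port, addr = struct.unpack("!HI", v[2:8])
        if name.startswith("XOR"):  # undo the magic-cookie masking
            port, addr = port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
        return f"{socket.inet_ntoa(struct.pack('!I', addr))}:{port}"
    if name == "ERROR-CODE" and len(v) >= 4:
        return f"{(v[2] & 7) * 100 + v[3]} {v[4:].decode('utf-8', 'replace')}"
    if name in ("SOFTWARE", "REALM", "NONCE"):
        return v.decode("utf-8", "replace")
    return v.hex()


def parse_stun(data):
    """Parse one STUN message; raise ValueError if it is malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if mtype & 0xC000 or cookie != MAGIC_COOKIE or 20 + length != len(data):
        raise ValueError("not a well-formed STUN message")
    attrs, pos = {}, 20
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute runs past the end of the message")
        name = ATTRS.get(atype, hex(atype))
        attrs[name] = _decode(name, value)
        pos += 4 + alen + (-alen % 4)  # values are padded to 4 bytes
    return {"type": MSG_TYPES.get(mtype, hex(mtype)),
            "transaction_id": data[8:20].hex(), "attrs": attrs}


def disclosed(parsed):
    return {k: v for k, v in parsed["attrs"].items() if k in DISCLOSING}


def _attr(atype, value):
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def sample_binding_response():
    # Constructed sample; 192.0.2.9 is a documentation address.
    addr = struct.unpack("!I", socket.inet_aton("192.0.2.9"))[0]
    xma = struct.pack("!BBHI", 0, 1, 55878 ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    body = _attr(0x0020, xma) + _attr(0x8022, b"Coturn-4.5.2 'dan Eider'")
    return struct.pack("!HHI", 0x0101, len(body), MAGIC_COOKIE) + bytes(range(12)) + body
```

Calling disclosed(parse_stun(sample_binding_response())) returns only the SOFTWARE banner, which is the version string an unauthenticated client learns from the server.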

StunSniff

Sniffer for the STUN protocol. When starting a conference it will show all IP addresses involved in the conversation. It verifies the attributes of the messages received from the STUN/TURN server and also the communication using the RTP protocol.

 -= STUN Network sniffing =-

options:
  -h, --help                                 show this help message and exit
  -d DEV, --dev DEV                          Set Device (by default try to get it)
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478 for udp/tcp and 5349 for tls). ALL for all ports
  -o OFILE, --output_file OFILE              Save output into a PCAP file
  -f FILE, --_file FILE                      Save output into a TXT file
  -proto PROTO                               Protocol to sniff to connect TURN server: udp|tcp|tls|all
  -rtp                                       Filter only RTP traffic
  -v, --verbose                              Increase verbosity (no data displayed by default)
  -vv, --more_verbose                        Increase more verbosity
  -w, --whois                                Do a whois

StunLogin

Verifies a given username and password against the server using the TURN protocol.

 -= STUN login =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Target IP address
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478)
  -proto PROTO                               Protocol to connect TURN server: udp|tcp|tls (default: udp)
  -v, --verbose                              Increase verbosity
  -vv, --more_verbose                        Increase more verbosity
  -u USER, --user USER                       Username
  -p PWD, --pass PWD                         Password

Example:

You can obtain TURN_USER and TURN_PASS, for example, using Burp.

$ ./stunlogin.py -i 185.X.X.11 -u TURN_USER -p TURN_PASS

[✓] IP/Network: 185.X.X.11
[✓] Remote port: 3478
[✓] Protocol: UDP

[+] Allocate Request
[-] Allocate Error Response
[-] 401 Unauthorized
[+] Allocate Request
[-] Allocate Success Response
[✓] Connection successful

StunTransports

Brute-forces the transports supported by a TURN server.

  -= STUN transports =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Target IP address
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478)
  -proto PROTO                               Protocol to connect TURN server: udp|tcp|tls (default: udp)
  -v, --verbose                              Increase verbosity
  -vv, --more_verbose                        Increase more verbosity
  -u USER, --user USER                       Username
  -p PWD, --pass PWD                         Password

Example:

$ ./stuntransports.py -i 185.X.X.11 -u TURN_USER -p TURN_PASS

[✓] IP/Network: 185.X.X.11
[✓] Port range: 3478
[✓] Protocol: UDP

[✓] Proto 06 (TCP) Connection successful
[✓] Proto 11 (UDP) Connection successful

StunIpScan

Tries to reach several predefined IP addresses (or one specific IP address) over a TURN connection.

 -= STUN IP scan =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Target IP address
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478)
  -proto PROTO                               Protocol to connect TURN server: tcp|tls (default: tcp)
  -v, --verbose                              Increase verbosity
  -u USER, --user USER                       Username
  -p PWD, --pass PWD                         Password
  -ipdst IPDST                               IP address to check connection

Example:

$ ./stunipscan.py -i 185.X.X.11 -u TURN_USER -p TURN_PASS

[✓] IP/Network: 185.X.X.11
[✓] Port range: 3478
[✓] Protocol: TCP

[✓] 192.168.0.1/UDP: Successfully connected
[✓] 192.88.99.0/UDP: Successfully connected
[✓] 198.18.0.1/UDP: Successfully connected
[✓] 192.0.2.254/UDP: Successfully connected
[✓] 198.19.255.254/UDP: Successfully connected
[x] 224.0.0.1/UDP: Create Perm Error Response (Forbidden IP)
[x] 255.255.255.255/UDP: Create Perm Error Response (Forbidden IP)
[✓] 100.127.255.254/UDP: Successfully connected
[✓] 192.0.0.254/UDP: Successfully connected
[✓] 169.254.254.255/UDP: Successfully connected
[x] 240.0.0.1/UDP: Create Perm Error Response (Forbidden IP)
[✓] 203.0.113.254/UDP: Successfully connected
[✓] 203.0.113.1/UDP: Successfully connected
[x] 239.255.255.254/UDP: Create Perm Error Response (Forbidden IP)
[x] ::/UDP: Create Perm Error Response (Forbidden IP)
[✓] 10.255.255.254/UDP: Successfully connected
[✓] 127.0.0.1/UDP: Successfully connected
[✓] 169.254.0.1/UDP: Successfully connected
[✓] 169.254.169.254/UDP: Successfully connected
[x] ::1/UDP: Create Perm Error Response (Forbidden IP)
[✓] 172.31.255.254/UDP: Successfully connected
[✓] 192.0.2.1/UDP: Successfully connected
[✓] 10.0.0.1/UDP: Successfully connected
[✓] 198.51.100.1/UDP: Successfully connected
[✓] 192.168.255.254/UDP: Successfully connected
[✓] 172.16.0.1/UDP: Successfully connected
[✓] 198.51.100.254/UDP: Successfully connected
[x] 0.0.0.0/UDP: Create Perm Error Response (Forbidden IP)
[✓] 127.0.0.8/UDP: Successfully connected
[✓] 100.64.0.0/UDP: Successfully connected
[✓] 192.0.0.1/UDP: Successfully connected
[✓] 127.255.255.254/UDP: Successfully connected
[✓] 192.168.0.1/TCP: Successfully connected
[✓] 192.88.99.0/TCP: Successfully connected
[✓] 198.18.0.1/TCP: Successfully connected
[✓] 192.0.2.254/TCP: Successfully connected
[✓] 198.19.255.254/TCP: Successfully connected
[x] 224.0.0.1/TCP: Create Perm Error Response (Forbidden IP)
[x] 255.255.255.255/TCP: Create Perm Error Response (Forbidden IP)
[✓] 100.127.255.254/TCP: Successfully connected
[✓] 192.0.0.254/TCP: Successfully connected
[✓] 169.254.254.255/TCP: Successfully connected
[x] 240.0.0.1/TCP: Create Perm Error Response (Forbidden IP)
[✓] 203.0.113.254/TCP: Successfully connected
[✓] 203.0.113.1/TCP: Successfully connected
[x] 239.255.255.254/TCP: Create Perm Error Response (Forbidden IP)
[x] ::/TCP: Create Perm Error Response (Forbidden IP)
[✓] 10.255.255.254/TCP: Successfully connected
[✓] 127.0.0.1/TCP: Successfully connected
[✓] 169.254.0.1/TCP: Successfully connected
[✓] 169.254.169.254/TCP: Successfully connected
[x] ::1/TCP: Create Perm Error Response (Forbidden IP)
[✓] 172.31.255.254/TCP: Successfully connected
[✓] 192.0.2.1/TCP: Successfully connected
[✓] 10.0.0.1/TCP: Successfully connected
[✓] 198.51.100.1/TCP: Successfully connected
[✓] 192.168.255.254/TCP: Successfully connected
[✓] 172.16.0.1/TCP: Successfully connected
[✓] 198.51.100.254/TCP: Successfully connected
[x] 0.0.0.0/TCP: Create Perm Error Response (Forbidden IP)
[✓] 127.0.0.8/TCP: Successfully connected
[✓] 100.64.0.0/TCP: Successfully connected
[✓] 192.0.0.1/TCP: Successfully connected
[✓] 127.255.255.254/TCP: Successfully connected
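
The StunIpScan results show the relay accepting loopback, private and link-local peers, including 169.254.169.254. As an added example, not part of stuncheck, this script reads output in that format, flags the permitted peers that fall in ranges a public relay should refuse, and renders matching denied-peer-ip lines for coturn (the server software reported by StunInfo). The SENSITIVE range list is an assumed policy, and SAMPLE is a few lines copied from the StunIpScan output.

```python
import ipaddress
import re

# Assumed policy: ranges a public TURN relay has no reason to reach.
SENSITIVE = [(label, ipaddress.ip_network(net)) for label, net in (
    ("loopback", "127.0.0.0/8"),
    ("private", "10.0.0.0/8"),
    ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
    ("link-local", "169.254.0.0/16"),  # contains 169.254.169.254
    ("shared CGNAT", "100.64.0.0/10"),
)]
# "[marker] <ip>/<proto>: <result>"; a marker of "x" means the relay refused.
LINE = re.compile(r"^\[(\S+)\]\s+(\S+)/(UDP|TCP):\s+(.*)$")

# A few lines copied from the StunIpScan output on this page.
SAMPLE = """\
[✓] 192.168.0.1/UDP: Successfully connected
[x] 224.0.0.1/UDP: Create Perm Error Response (Forbidden IP)
[✓] 203.0.113.1/UDP: Successfully connected
[✓] 127.0.0.1/UDP: Successfully connected
[✓] 169.254.169.254/TCP: Successfully connected
[x] ::1/TCP: Create Perm Error Response (Forbidden IP)
[✓] 100.64.0.0/TCP: Successfully connected
"""


def risky_peers(output):
    """Return (ip, proto, label, network) for permitted peers in SENSITIVE."""
    found = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) == "x":
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not an address, ignore the line
        for label, net in SENSITIVE:
            if ip.version == net.version and ip in net:
                found.append((str(ip), m.group(3), label, net))
                break
    return found


def coturn_deny_rules(findings):
    """Render coturn denied-peer-ip lines for each network that was reachable."""
    nets = sorted({f[3] for f in findings}, key=lambda n: int(n.network_address))
    return [f"denied-peer-ip={n[0]}-{n[-1]}" for n in nets]


if __name__ == "__main__":
    hits = risky_peers(SAMPLE)
    for ip, proto, label, _ in hits:
        print(f"relay reached {label} peer {ip}/{proto}")
    print("\n".join(coturn_deny_rules(hits)))
```

After adding the generated lines to the coturn configuration, rerunning the scan should report those peers as forbidden.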

StunPortScan

TCP port scanner that works over a TURN connection. It can scan remote computers, hosts on the internal network, or the TURN server machine itself if it allows localhost connections.

 -= STUN portscan =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Target IP address
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478)
  -proto PROTO                               Protocol to connect TURN server: tcp|tls (default: tcp)
  -v, --verbose                              Increase verbosity
  -vv, --more_verbose                        Increase more verbosity
  -vvv, --much_more_verbose                  Increase much more verbosity
  -u USER, --user USER                       Username
  -p PWD, --pass PWD                         Password
  -ipdst IPDST                               IP to scan (default: 127.0.0.1)
  -ports PORTS                               Ports to scan. Ex: 80 | 80,8080 | 1-1000 | 21,22,80,1000-2000 | ALL for 1-65536 (default: ALL)
  -fp, --fingerprinting                      Fingerprinting

Example:

$ ./stunportscan.py -i 185.X.X.11 -u TURN_USER -p TURN_PASS -ports 80,22,443,3306 -v

[✓] IP/Network: 185.X.X.11
[✓] Remote port: 3478
[✓] Port range: 80,22,443,3306
[✓] Protocol: TCP

[✓] Port : 22 open
[✓] Port : 3306 open
[x] Port : 443 closed
[✓] Port : 80 open

The port scan is executed from the TURN server itself. If we scan the same ports from outside and there is a firewall in between, we see that some of them are not accessible:

$ nmap 185.X.X.11 -p80,22,443,3306 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 18:01 CET
Nmap scan report for webrtc (185.X.X.11)
Host is up (0.020s latency).
rDNS record for 185.99.186.211: webrtc.seguridadvoip.com

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  filtered https
3306/tcp filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds

StunSocks

Relays traffic through the TURN server using a SOCKS5 TCP proxy.

 -= STUN socks =-

options:
  -h, --help                                 show this help message and exit
  -i IPADDR, --ip IPADDR                     Target IP address
  -r REMOTE_PORT, --remote_port REMOTE_PORT  Remote port (default: 3478)
  -proto PROTO                               Protocol to connect TURN server: tcp|tls (default: tcp)
  -v, --verbose                              Increase verbosity
  -vv, --more_verbose                        Increase more verbosity
  -u USER, --user USER                       Username
  -p PWD, --pass PWD                         Password
  -serverip SERVERIP                         Local SOCK5 server IP address (default: 127.0.0.1)
  -serverport SERVERPORT                     Local SOCK5 server port (default: 1080)

Example:

$ ./stunsocks.py -i 185.X.X.11 -u TURN_USER -p TURN_PASS

[✓] IP/Network: 185.X.X.11
[✓] Port range: 3478
[✓] Protocol: TCP

Sock5 server started on 127.0.0.1:1080

[✓] Destination: 34.117.118.44:80
[✓] Connection established to: webrtc:3478
[✓] Connect Request: 34.117.118.44:80
[✓] Destination accepted
[✓] Connection successfully linked

On another console:

$ curl -x socks5://127.0.0.1:1080 http://ifconfig.me
185.X.X.11

$ proxychains4 curl http://ifconfig.me
[proxychains] config file found: /usr/local/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  ifconfig.me:80  ...  OK
185.X.X.11

To access the web server listening locally on the TURN server:

$ curl -x socks5://127.0.0.1:1080 http://localhost

$ proxychains4 curl http://localhost

Requirements

  • Python 3

Installation

$ git clone https://github.com/Pepelux/stuncheck.git
$ cd stuncheck
$ pip3 install -r requirements.txt
