Scanning for Microsoft Secure Socket Tunneling Protocol

Published: 2021-07-10
Last Updated: 2021-07-10 21:56:51 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Over the past month I noticed a resurgence of probe by Digitalocean looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via the Transport Layer Security (TLS) between a client and a VPN gateway. Additional information on this protocol available here.

Sample Log

20210710-062306: 192.168.25.9:443-138.68.249.116:50742 data
SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1
SSTPCORRELATIONID: {19730D60-90A0-4623-8C44-688D762AAA16}
Content-Length: 18446744073709551615
Host: XX.XX.28.221

Indicators
138.68.249.116
157.245.176.143

[1] http://msdn.microsoft.com/en-us/library/cc247364.aspx
[2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/70adc1df-c4fe-4b02-8872-f1d8b9ad806a
[3] https://nmap.org/nsedoc/scripts/sstp-discover.html
[4] https://otx.alienvault.com/indicator/ip/138.68.249.116
[5] https://otx.alienvault.com/indicator/ip/157.245.176.143

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: Scanning SSL VPN SSTP
0 comment(s)

Comments


Diary Archives