Nmap Development mailing list archives
Re: [NSE] nat-pmp-info
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 28 Sep 2010 20:50:55 +0200
On 28 sep 2010, at 18.30, Daniel Miller wrote:
On 09/26/2010 03:26 AM, Patrik Karlsson wrote:

On 16 sep 2010, at 18.57, Patrik Karlsson wrote:

Hi,

I noticed my router was running the nat-pmp protocol the other day and I quickly looked it up, wrote a script and disabled it ;)

The protocol is used to map a port on the external interface to a port on the internal LAN. The communication is performed over udp 5351 and there's no authentication. So pretty much anyone on the internal LAN can request a port to be forwarded. I haven't implemented the mapping part but a request that retrieves the external IP of the router. This request consists of two bytes both being zero and I noticed the response is triggered by several of the version scan probes. However I failed to extract the IP as information in the matchline as the ip is not returned as text but rather as 4 bytes.

I'm attaching the script and if you find it useful and something we should add to Nmap let me know and I'll commit it.

The specs are here: http://files.dns-sd.org/draft-cheshire-nat-pmp.txt

<nat-pmp-info.nse>

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

Did anyone have a chance to test this script? According to Wikipedia [1] most Apple routers, OpenWRT and Linksys should support the protocol. There's also a natpmp daemon that I've tested it against available over here [2]

The easiest way of testing is to copy the script from my previous post [3] into the scripts directory of Nmap and then run:

sudo ./nmap -sU -p 5351 <router_ip> --script nat-pmp-info

If successful, the script should return the external IP of your router.

//Patrik

[1] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
[2] http://savannah.nongnu.org/projects/natpmp/
[3] http://seclists.org/nmap-dev/2010/q3/738

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Hey, Patrik

I ran the script on my router with Tomato. NAT-PMP is not on by default, but with it on, it worked great. Here's my output:

sudo nmap -sU -p 5351 router --script nat-pmp-info.nse -v
[sudo] password for miller:

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-09-28 11:25 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 11:25
Scanning router (192.168.1.1) [1 port]
Completed ARP Ping Scan at 11:25, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:25
Completed Parallel DNS resolution of 1 host. at 11:25, 0.00s elapsed
Initiating UDP Scan at 11:25
Scanning router (192.168.1.1) [1 port]
Completed UDP Scan at 11:25, 0.21s elapsed (1 total ports)
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.03s elapsed
Nmap scan report for router (192.168.1.1)
Host is up (0.00036s latency).
rDNS record for 192.168.1.1: unknown
PORT     STATE         SERVICE
5351/udp open|filtered unknown
| nat-pmp-info:
|_  External ip: XX.XXX.XXX.XXX
MAC Address: 00:16:B6:XX:XX:XX (Cisco-Linksys)

NSE: Script Post-scanning.
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
           Raw packets sent: 3 (84B) | Rcvd: 1 (28B)

I've sanitized it, but all info was correct.
Thanks a lot for testing! Much appreciated.
Dan
//Patrik
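The request and reply discussed in the Sep 16 message, as an added example that is not part of this thread or of the nat-pmp-info.nse script: it builds the two-zero-byte external-address request and decodes the reply whose layout (version 0, opcode 128, 16-bit result code, 32-bit seconds since epoch, then the 4 raw address bytes) is taken from the draft linked above. The sample reply bytes, the 203.0.113.7 address and all function names are constructed for this example.

```python
import socket
import struct
from dataclasses import dataclass

NATPMP_PORT = 5351          # UDP port the NAT-PMP draft assigns
OP_EXTERNAL_ADDRESS = 0     # opcode 0: "determine external address"
RESULT_CODES = {            # result codes defined in the draft
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}

def build_external_address_request() -> bytes:
    """Version 0, opcode 0: the two zero bytes the script sends."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)

@dataclass
class ExternalAddressResponse:
    result_code: int
    seconds_since_epoch: int
    external_ip: str

def parse_external_address_response(data: bytes) -> ExternalAddressResponse:
    """Decode a 12-byte reply: vers, op, result(16), epoch(32), IPv4(32)."""
    if len(data) < 12:
        raise ValueError("NAT-PMP response too short: %d bytes" % len(data))
    vers, op, result, epoch, raw_ip = struct.unpack("!BBHI4s", data[:12])
    if vers != 0:
        raise ValueError("unexpected NAT-PMP version %d" % vers)
    if op != 128 + OP_EXTERNAL_ADDRESS:   # replies set the opcode's high bit
        raise ValueError("unexpected opcode 0x%02x" % op)
    if result != 0:
        raise ValueError("gateway refused: %s" % RESULT_CODES.get(result, result))
    # The address is 4 raw bytes (hence no text match line); render it as dotted quad.
    return ExternalAddressResponse(result, epoch, socket.inet_ntoa(raw_ip))

def query_external_address(gateway: str, timeout: float = 2.0) -> ExternalAddressResponse:
    """Send the request to a gateway and decode its reply (needs the LAN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_external_address_request(), (gateway, NATPMP_PORT))
        data, _ = sock.recvfrom(64)
    return parse_external_address_response(data)

# Constructed sample reply: success, 3600 s uptime, external address 203.0.113.7
SAMPLE_REPLY = bytes([0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x10, 203, 0, 113, 7])
```

parse_external_address_response(SAMPLE_REPLY) decodes the constructed reply offline; query_external_address("192.168.1.1") performs the same lookup the Nmap command in the thread does against a real gateway.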
Current thread:
- [NSE] nat-pmp-info Patrik Karlsson (Sep 16)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 26)
- Re: [NSE] nat-pmp-info Tom Sellers (Sep 26)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 27)
- Re: [NSE] nat-pmp-info Fyodor (Sep 27)
- Re: [NSE] nat-pmp-info Daniel Miller (Sep 28)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 28)
- Re: [NSE] nat-pmp-info Tom Sellers (Sep 26)
- Re: [NSE] nat-pmp-info David Fifield (Sep 28)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 28)
- Re: [NSE] nat-pmp-info David Fifield (Sep 28)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 28)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 28)
- Re: [NSE] nat-pmp-info Patrik Karlsson (Sep 26)