Re: [NSE] nat-pmp-info

[Patrik Karlsson <patrik () cqure net>]

On 28 sep 2010, at 18.30, Daniel Miller wrote:

> On 09/26/2010 03:26 AM, Patrik Karlsson wrote:
> > On 16 sep 2010, at 18.57, Patrik Karlsson wrote:
> >
> >   
> > > Hi,
> > >
> > > I noticed my router was running the nat-pmp protocol the other day and I quickly looked it up, wrote a script and 
> > > disabled it ;)
> > > The protocol is used to map a port on the external interface to a port on the internal LAN.
> > > The communication is performed over udp 5351 and there's no authentication.
> > > So pretty much anyone on the internal LAN can request a port to be forwarded.
> > > I haven't implemented the mapping part but a request that retrieves the external IP of the router.
> > >
> > > This request consist of two bytes both being zero and I noticed the response is triggered by several of the version 
> > > scan probes.
> > > However I failed to extract the IP as information in the matchline as the ip is not returned as text but rather as 
> > > 4 bytes.
> > >
> > > I'm attaching the script and if you find it useful and something we should add to Nmap let me know and I'll commit 
> > > it.
> > >
> > > The specs are here:
> > > http://files.dns-sd.org/draft-cheshire-nat-pmp.txt
> > >
> > > <nat-pmp-info.nse>
> > >
> > > //Patrik
> > > --
> > > Patrik Karlsson
> > > http://www.cqure.net
> > > http://www.twitter.com/nevdull77
> > >
> > >
> > >     
> > Did anyone have a chance to test this script?
> > According to Wikipedia [1] most Apple routers, OpenWRT and Linksys should support the protocol.
> > There's also a natpmp daemon that I've tested it against available over here [2]
> >
> > The easiest way of testing is to copy the script from my previous post [3] into the scripts directory of Nmap and 
> > the run:
> > sudo ./nmap -sU -p 5351<router_ip>  --script nat-pmp-info
> >
> > If successful, the script should return the external IP of your router.
> >
> > //Patrik
> >
> > [1] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
> > [2] http://savannah.nongnu.org/projects/natpmp/
> > [3] http://seclists.org/nmap-dev/2010/q3/738
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://www.twitter.com/nevdull77
> >
> >
> >
> >
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
> >
> >   
> Hey, Patrick
>
> I ran the script on my router with Tomato. NAT-PMP is not on by default, but with it on, it worked great. Here's my 
> output:
>
> > sudo nmap -sU -p 5351 router --script nat-pmp-info.nse -v
> > [sudo] password for miller:
> >
> > Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-09-28 11:25 CDT
> > NSE: Loaded 1 scripts for scanning.
> > NSE: Script Pre-scanning.
> > Initiating ARP Ping Scan at 11:25
> > Scanning router (192.168.1.1) [1 port]
> > Completed ARP Ping Scan at 11:25, 0.01s elapsed (1 total hosts)
> > Initiating Parallel DNS resolution of 1 host. at 11:25
> > Completed Parallel DNS resolution of 1 host. at 11:25, 0.00s elapsed
> > Initiating UDP Scan at 11:25
> > Scanning router (192.168.1.1) [1 port]
> > Completed UDP Scan at 11:25, 0.21s elapsed (1 total ports)
> > NSE: Script scanning 192.168.1.1.
> > NSE: Starting runlevel 1 (of 1) scan.
> > Initiating NSE at 11:25
> > Completed NSE at 11:25, 0.03s elapsed
> > Nmap scan report for router (192.168.1.1)
> > Host is up (0.00036s latency).
> > rDNS record for 192.168.1.1: unknown
> > PORT     STATE         SERVICE
> > 5351/udp open|filtered unknown
> > | nat-pmp-info:
> > |_  External ip: XX.XXX.XXX.XXX
> > MAC Address: 00:16:B6:XX:XX:XX (Cisco-Linksys)
> >
> > NSE: Script Post-scanning.
> > Read data files from: /usr/local/share/nmap
> > Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
> >           Raw packets sent: 3 (84B) | Rcvd: 1 (28B)
>
>
> I've sanitized it, but all info was correct.

Thanks a lot for testing! Much appreciated.

> Dan
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/