Hi Mark,
You may wish to look into a patch sent to this list back in April:
From: Phil <biondi_at_cartel-securite.fr>
To: nmap-hackers_at_insecure.org
Subject: [PATCH] improvements and a new(?) type of scan
Date: Tue, 2 Apr 2002 16:54:49 +0200 (CEST)
The patch will report DNATs.
-Chris
On Sat, Nov 09, 2002 at 03:54:11PM +1100, Mark Smith wrote:
> Hi,
>
> At the request of a fellow ADSL user, I was invited to test the security
> of his ADSL router, using Network Address Port Translation.
>
> After performing a NMAP UDP scan against his public address, a number of
> services were shown to be available. Obviously most of them were being
> port forwarded to internal hosts.
>
> What was interesting was that in my iptables logs, in addition to the IP
> headers of returned ICMP messages, the ICMP contents were also shown,
> listing the UDP packet that had caused the ICMP message. The IP header
> in the ICMP payload had not had "reverse" NAT performed on it as it left
> the internal device. This disclosed the internal IP address of the host.
>
> I would like to suggest an option in NMAP to detect when the payload IP
> header and outer IP headers don't match in the returned ICMP message,
> and then display the payload IP address in addition to the outer IP
> address.
>
> This would allow the NMAP user to have a partial map of the IP addresses
> of the hosts behind the NAPT device, and a map of which UDP port is
> being forwarded to which internal host.
>
> The discussion thread, showing the output I saw, is here:
>
> http://forums.whirlpool.net.au/forum-replies.cfm?t=45645
>
> Btw, fyodor, and everyone else that has contributed to nmap - thanks.
> nmap is a marvelous tool.
>
> Regards,
> Mark.
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Nov 11 2002
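As an added illustration of the check Mark proposes (this is not code from the thread, from Phil's patch, or from Nmap), the following Python snippet parses an IPv4 packet carrying an ICMP error and compares the destination of the quoted inner header with the outer source address; a mismatch is what reveals the un-rewritten internal address, so a network administrator can run this over ICMP errors emitted by their own gateway to see whether it leaks. All addresses, ports and packet bytes are constructed for the example.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def parse_ipv4_header(buf, offset=0):
    """Return (src, dst, header_length, protocol) for the IPv4 header at offset."""
    vhl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from(IPV4_FMT, buf, offset)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), (vhl & 0x0F) * 4, proto


def find_nat_leak(packet):
    """Given a raw IPv4 packet holding an ICMP error, return the internal address
    and UDP port disclosed by the quoted datagram, or None if nothing leaks."""
    outer_src, _outer_dst, outer_ihl, proto = parse_ipv4_header(packet)
    if proto != 1 or packet[outer_ihl] not in (3, 11, 12):
        return None  # not ICMP, or not an error type that quotes the original datagram
    inner_off = outer_ihl + 8  # skip the 8-byte ICMP header
    _inner_src, inner_dst, inner_ihl, inner_proto = parse_ipv4_header(packet, inner_off)
    # The quoted datagram is the probe originally sent to the public address that is
    # now answering. If the NAT device forwarded the probe but did not reverse-translate
    # the quoted copy, the inner destination is the internal host (Mark's observation).
    if inner_dst == outer_src:
        return None
    udp_port = None
    if inner_proto == 17:
        _sport, udp_port = struct.unpack_from("!HH", packet, inner_off + inner_ihl)
    return {"public": outer_src, "internal": inner_dst, "udp_port": udp_port}


def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; sufficient for offline parsing)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def constructed_reply(inner_dst):
    """Constructed ICMP port-unreachable from public gateway 203.0.113.10 back to the
    prober 198.51.100.5, quoting a UDP probe to port 161 whose destination is inner_dst."""
    udp = struct.pack("!HHHH", 40000, 161, 8, 0)
    inner = build_ipv4_header("198.51.100.5", inner_dst, 17, len(udp)) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    return build_ipv4_header("203.0.113.10", "198.51.100.5", 1, len(icmp)) + icmp


if __name__ == "__main__":
    print(find_nat_leak(constructed_reply("192.168.1.20")))  # leaking gateway
    print(find_nat_leak(constructed_reply("203.0.113.10")))  # correctly translated
```

Feeding the first packet shows the internal 192.168.1.20 behind the public address for UDP/161; the second, where the gateway rewrote the quoted header, reports nothing.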