Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] nat-pmp-info
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 26 Sep 2010 10:26:33 +0200

On 16 sep 2010, at 18.57, Patrik Karlsson wrote:


I noticed my router was running the nat-pmp protocol the other day and I quickly looked it up, wrote a script and 
disabled it ;)
The protocol is used to map a port on the external interface to a port on the internal LAN.
The communication is performed over udp 5351 and there's no authentication.
So pretty much anyone on the internal LAN can request a port to be forwarded.
I haven't implemented the mapping part but a request that retrieves the external IP of the router.

This request consist of two bytes both being zero and I noticed the response is triggered by several of the version 
scan probes.
However I failed to extract the IP as information in the matchline as the ip is not returned as text but rather as 4 

I'm attaching the script and if you find it useful and something we should add to Nmap let me know and I'll commit it.

The specs are here:


Patrik Karlsson

Did anyone have a chance to test this script?
According to Wikipedia [1] most Apple routers, OpenWRT and Linksys should support the protocol.
There's also a natpmp daemon that I've tested it against available over here [2]

The easiest way of testing is to copy the script from my previous post [3] into the scripts directory of Nmap and the 
sudo ./nmap -sU -p 5351 <router_ip> --script nat-pmp-info

If successful, the script should return the external IP of your router.


[1] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
[2] http://savannah.nongnu.org/projects/natpmp/
[3] http://seclists.org/nmap-dev/2010/q3/738
Patrik Karlsson

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]