Re: [NSE] nat-pmp-info
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 26 Sep 2010 10:26:33 +0200
On 16 sep 2010, at 18.57, Patrik Karlsson wrote:
I noticed my router was running the nat-pmp protocol the other day and I quickly looked it up, wrote a script and disabled it ;)
The protocol is used to map a port on the external interface to a port on the internal LAN.
The communication is performed over udp 5351 and there's no authentication.
So pretty much anyone on the internal LAN can request a port to be forwarded.
I haven't implemented the mapping part but a request that retrieves the external IP of the router.
This request consists of two bytes both being zero and I noticed the response is triggered by several of the version
However, I failed to extract the IP as information in the matchline, as the IP is not returned as text but rather as 4
I'm attaching the script and if you find it useful and something we should add to Nmap let me know and I'll commit it.
The specs are here:
Did anyone have a chance to test this script?
According to Wikipedia, most Apple routers, OpenWRT and Linksys should support the protocol.
There's also a natpmp daemon that I've tested it against available over here 
The easiest way of testing is to copy the script from my previous post into the scripts directory of Nmap and the
sudo ./nmap -sU -p 5351 <router_ip> --script nat-pmp-info
If successful, the script should return the external IP of your router.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
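The external-address request the quoted message describes, as an added Python example (not the author's NSE script, which is written in Lua): it builds the two zero bytes, parses the reply whose last four bytes carry the external IPv4 address, and can send the query to a router on UDP 5351. The reply layout and result-code names are taken from RFC 6886 rather than from the post, and the sample reply is constructed.

```python
import socket
import struct

NATPMP_PORT = 5351
# Result codes as named in RFC 6886 (assumed from the spec, not from the post)
RESULT_CODES = {
    0: "success", 1: "unsupported version", 2: "not authorized/refused",
    3: "network failure", 4: "out of resources", 5: "unsupported opcode",
}

def build_external_address_request() -> bytes:
    # Version 0, opcode 0: the two zero bytes the post describes.
    return bytes([0, 0])

def parse_external_address_response(data: bytes) -> dict:
    # Reply layout (RFC 6886): version(1) opcode(1, request opcode + 128)
    # result_code(2) seconds_since_epoch(4) external_ipv4(4), all big-endian.
    if len(data) < 12:
        raise ValueError(f"response too short: {len(data)} bytes, need 12")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if opcode != 128:
        raise ValueError(f"unexpected opcode {opcode}, expected 128")
    if result != 0:
        raise ValueError(f"gateway error {result}: {RESULT_CODES.get(result, 'unknown')}")
    # The address is the raw 4 bytes the post mentions, so convert it to dotted-quad text.
    return {"version": version, "epoch": epoch, "external_ip": socket.inet_ntoa(data[8:12])}

def query_external_address(router_ip: str, timeout: float = 2.0) -> dict:
    # Live check: send the request to UDP 5351 and parse whatever comes back.
    # A parsed reply means the unauthenticated service is reachable from this host.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_external_address_request(), (router_ip, NATPMP_PORT))
        data, _ = sock.recvfrom(512)
    return parse_external_address_response(data)

# Constructed sample reply (not a capture): version 0, opcode 128, result 0,
# 3600 seconds since the gateway's epoch, external address 198.51.100.7.
SAMPLE_RESPONSE = (bytes([0, 128, 0, 0]) + struct.pack("!I", 3600)
                   + socket.inet_aton("198.51.100.7"))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(query_external_address(sys.argv[1]))   # e.g. your router's LAN address
    else:
        print(parse_external_address_response(SAMPLE_RESPONSE))
```

Run it with no argument to see the constructed reply parsed; with a router's LAN address it performs the same check the Nmap command above does, which is the quickest way to confirm whether the service is still answering after you disable it.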