Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] nat-pmp-info
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 28 Sep 2010 20:50:55 +0200


On 28 sep 2010, at 18.30, Daniel Miller wrote:

On 09/26/2010 03:26 AM, Patrik Karlsson wrote:
On 16 sep 2010, at 18.57, Patrik Karlsson wrote:

  
Hi,

I noticed my router was running the nat-pmp protocol the other day and I quickly looked it up, wrote a script and 
disabled it ;)
The protocol is used to map a port on the external interface to a port on the internal LAN.
The communication is performed over udp 5351 and there's no authentication.
So pretty much anyone on the internal LAN can request a port to be forwarded.
I haven't implemented the mapping part but a request that retrieves the external IP of the router.

This request consist of two bytes both being zero and I noticed the response is triggered by several of the version 
scan probes.
However I failed to extract the IP as information in the matchline as the ip is not returned as text but rather as 
4 bytes.

I'm attaching the script and if you find it useful and something we should add to Nmap let me know and I'll commit 
it.

The specs are here:
http://files.dns-sd.org/draft-cheshire-nat-pmp.txt

<nat-pmp-info.nse>

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77


    
Did anyone have a chance to test this script?
According to Wikipedia [1] most Apple routers, OpenWRT and Linksys should support the protocol.
There's also a natpmp daemon that I've tested it against available over here [2]

The easiest way of testing is to copy the script from my previous post [3] into the scripts directory of Nmap and 
the run:
sudo ./nmap -sU -p 5351<router_ip>  --script nat-pmp-info

If successful, the script should return the external IP of your router.

//Patrik

[1] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
[2] http://savannah.nongnu.org/projects/natpmp/
[3] http://seclists.org/nmap-dev/2010/q3/738
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  
Hey, Patrick

I ran the script on my router with Tomato. NAT-PMP is not on by default, but with it on, it worked great. Here's my 
output:

sudo nmap -sU -p 5351 router --script nat-pmp-info.nse -v
[sudo] password for miller:

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-09-28 11:25 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 11:25
Scanning router (192.168.1.1) [1 port]
Completed ARP Ping Scan at 11:25, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:25
Completed Parallel DNS resolution of 1 host. at 11:25, 0.00s elapsed
Initiating UDP Scan at 11:25
Scanning router (192.168.1.1) [1 port]
Completed UDP Scan at 11:25, 0.21s elapsed (1 total ports)
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.03s elapsed
Nmap scan report for router (192.168.1.1)
Host is up (0.00036s latency).
rDNS record for 192.168.1.1: unknown
PORT     STATE         SERVICE
5351/udp open|filtered unknown
| nat-pmp-info:
|_  External ip: XX.XXX.XXX.XXX
MAC Address: 00:16:B6:XX:XX:XX (Cisco-Linksys)

NSE: Script Post-scanning.
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
          Raw packets sent: 3 (84B) | Rcvd: 1 (28B)


I've sanitized it, but all info was correct.

Thanks a lot for testing! Much appreciated.


Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]