Nmap Development mailing list archives

Re: [NSE] Detecting IP forwarding
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 1 May 2012 21:10:39 +0200

On Tue, May 1, 2012 at 8:30 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

 On 04/22/2012 01:55 PM, Patrik Karlsson wrote:

Hi all,

I had a discussion about IP forwarding and "internet connection sharing"
with a friend the other day.
The discussion was about detecting multi-homed laptops having both the
wireless and wired network interfaces active and IP forwarding enabled.
I came up with the attached script which essentially tries to use each
scanned host as a gateway and sends a ping packet to a given target (either
on the same LAN or routed).
It then sees whether it gets an ICMP echo reply or redirect back and
determines whether the packet was forwarded or not.

I've tried it against Windows 7 connection sharing, my home router and an OS
X server with IP forwarding activated and it works as intended.
If there's another more efficient way to discover this, let me know,
otherwise I will commit the script within the next few days.

The script relies on some recent changes to packet.lua, so it needs this
library to be updated as well.


Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Just tried this out, and I'm coming up with lots of false positives.
Basically, because of parallelism, the pcap_receive() calls all succeed on
the same packet, meaning all hosts in the same hostgroup as a machine with
forwarding on will show positive. I've attached a patch that modifies the
BPF to match the source mac against the target's mac, which seems to solve
the problem. I had to borrow the format_mac function from
targets-ipv6-multicast-echo, since the packet library doesn't have an
equivalent (that I can find).


Thanks, much appreciated! I've applied the patch as r28525.

Patrik Karlsson
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
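
An added illustration of the false positive Daniel describes and of the source-MAC match that removes it; this is not the script or the patch from the thread. The frames, MAC and IP addresses and all function names are constructed, and it assumes the reply reaches the scanner with the forwarding host's MAC as its Ethernet source.

```python
import struct

ECHO_REPLY, REDIRECT = 0, 5  # ICMP types

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type):
    """Constructed Ethernet/IPv4/ICMP frame; checksums left at zero (sample data)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                      64, 1, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + iph + icmp

def parse(frame):
    """Return (eth_src, ip_src, icmp_type), or None if not IPv4 carrying ICMP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 1 or len(frame) < 14 + ihl + 1:
        return None
    return frame[6:12], frame[26:30], frame[14 + ihl]

def forwards(frames, host_mac, probe_dst, match_src_mac):
    """True if the capture holds an echo reply from probe_dst or a redirect.
    With match_src_mac, only frames whose Ethernet source is host_mac count."""
    for eth_src, ip_src, icmp_type in filter(None, map(parse, frames)):
        if match_src_mac and eth_src != mac(host_mac):
            continue
        if icmp_type == REDIRECT or (icmp_type == ECHO_REPLY and ip_src == ip(probe_dst)):
            return True
    return False

def scan(hosts, frames, probe_dst, match_src_mac):
    """Every host in the hostgroup reads the same shared capture."""
    return {name: forwards(frames, m, probe_dst, match_src_mac)
            for name, m in hosts.items()}

# Constructed sample: only host "b" forwards; the reply comes back through it.
SCANNER_MAC, PROBE_DST = "02:00:00:00:00:05", "192.0.2.10"
HOSTS = {"a": "02:00:00:00:00:0a", "b": "02:00:00:00:00:0b", "c": "02:00:00:00:00:0c"}
CAPTURE = [
    b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,  # unrelated non-IPv4 frame, ignored
    build_frame(HOSTS["b"], SCANNER_MAC, PROBE_DST, "198.51.100.5", ECHO_REPLY),
]
```

Calling `scan(HOSTS, CAPTURE, PROBE_DST, False)` marks all three hosts as forwarding, while passing `True` leaves only host "b".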
