Nmap Development mailing list archives
Re: Feature request : Nmap host and service mapping through a NAPT router
From: Chris Reining <creining () packetfu org>
Date: Mon, 11 Nov 2002 13:08:37 -0600
Hi Mark,

You may wish to look into a patch sent to this list back in April:

From: Phil <biondi () cartel-securite fr>
To: nmap-hackers () insecure org
Subject: [PATCH] improvements and a new(?) type of scan
Date: Tue, 2 Apr 2002 16:54:49 +0200 (CEST)

The patch will report DNATs.

-Chris

On Sat, Nov 09, 2002 at 03:54:11PM +1100, Mark Smith wrote:
> Hi,
>
> At the request of a fellow ADSL user, I was invited to test the security of his ADSL router, using Network Address Port Translation. After performing a NMAP UDP scan against his public address, a number of services were shown to be available. Obviously most of them were being port forwarded to internal hosts.
>
> What was interesting was that in my iptables logs, in addition to the IP headers of returned ICMP messages, the ICMP contents were also shown, listing the UDP packet that had caused the ICMP message. The IP header in the ICMP payload had not had "reverse" NAT performed on it as it left the internal device. This disclosed the internal IP address of the host.
>
> I would like to suggest an option in NMAP to detect when the payload IP header and outer IP headers don't match in the returned ICMP message, and then display the payload IP address in addition to the outer IP address. This would allow the NMAP user to have a partial map of the IP addresses of the hosts behind the NAPT device, and a map of which UDP port is being forwarded to which internal host.
>
> The discussion thread, showing the output I saw, is here: http://forums.whirlpool.net.au/forum-replies.cfm?t=45645
>
> Btw, fyodor, and everyone else that has contributed to nmap - thanks. nmap is a marvelous tool.
>
> Regards,
> Mark.
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
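The header comparison requested in the quoted message, sketched as an added example for auditing whether your own NAPT device rewrites the quoted header in ICMP errors; it is not part of this thread, of Nmap, or of the patch referred to above. The function names are hypothetical and the packets and addresses (documentation ranges plus one RFC 1918 address) are constructed samples.

```python
import socket
import struct

def build_ipv4(src, dst, proto, payload):
    """Constructed-sample helper: 20-byte IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def inspect_port_unreachable(packet):
    """Parse an ICMP port-unreachable reply and compare the outer source address
    with the destination address in the embedded (quoted) IP header.
    Returns None for anything that is not a well-formed type 3 / code 3 reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if ihl < 20 or len(icmp) < 8 + 20 or icmp[0] != 3 or icmp[1] != 3:
        return None
    inner = icmp[8:]                      # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return None
    outer_src = socket.inet_ntoa(packet[12:16])
    embedded_dst = socket.inet_ntoa(inner[16:20])
    dport = None
    if inner[9] == 17:                    # UDP: destination port is bytes 2-3
        dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {"outer_src": outer_src, "embedded_dst": embedded_dst,
            "udp_dport": dport, "mismatch": outer_src != embedded_dst}

def sample_reply(outer_src, embedded_dst):
    """Constructed port-unreachable reply to a UDP probe sent from 198.51.100.7."""
    udp = struct.pack("!HHHH", 40000, 69, 8, 0)
    quoted = build_ipv4("198.51.100.7", embedded_dst, 17, udp)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return build_ipv4(outer_src, "198.51.100.7", 1, icmp)

if __name__ == "__main__":
    # Quoted header left untranslated by the NAPT device, then one rewritten correctly
    for pkt in (sample_reply("203.0.113.5", "192.168.1.10"),
                sample_reply("203.0.113.5", "203.0.113.5")):
        print(inspect_port_unreachable(pkt))
```

A `mismatch` of `True` on a reply captured outside your own gateway means the device is forwarding the quoted header without translating it back.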
Current thread:
- Feature request : Nmap host and service mapping through a NAPT router Mark Smith (Nov 08)
- Re: Feature request : Nmap host and service mapping through a NAT router R Anderson (Nov 09)
- Re: Feature request : Nmap host and service mapping through a NAPT router Chris Reining (Nov 11)