Nmap Development mailing list archives
Re: [NSE] Detecting IP forwarding
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 1 May 2012 21:10:39 +0200
On Tue, May 1, 2012 at 8:30 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> On 04/22/2012 01:55 PM, Patrik Karlsson wrote:
>> Hi all,
>>
>> I had a discussion about IP forwarding and "internet connection sharing" with a friend the other day. The discussion was about detecting multihomed laptops having both the wireless and wired network interfaces active and IP forwarding enabled.
>>
>> I came up with the attached script which essentially tries to use each scanned host as a gateway and sends a ping packet to a given target (either on the same LAN or routed). It then sees whether it gets an ICMP echo reply or redirect back and determines whether the packet was forwarded or not.
>>
>> I've tried it against Windows 7 connection sharing, my home router and an OS X server with IP forwarding activated and it works as intended.
>>
>> If there's another more efficient way to discover this, let me know, otherwise I will commit the script within the next few days.
>>
>> The script relies on some recent changes to packet.lua, so it needs this library to be updated as well.
>>
>> Cheers,
>> Patrik
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
>
> Patrik,
>
> Just tried this out, and I'm coming up with lots of false positives. Basically, because of parallelism, the pcap_receive() calls all succeed on the same packet, meaning all hosts in the same hostgroup as a machine with forwarding on will show positive.
>
> I've attached a patch that modifies the BPF to match the source MAC against the target's MAC, which seems to solve the problem. I had to borrow the format_mac function from targets-ipv6-multicast-echo, since the packet library doesn't have an equivalent (that I can find).
>
> Dan

Thanks, much appreciated! I've applied the patch as r28525.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
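
The false positive discussed in this thread, simulated offline as an added example (not the attached script or patch, and not code from either poster): every host in a hostgroup listens on the same capture, so a filter that checks only the ICMP type flags all of them, while adding a source-MAC term flags only the forwarder. The frame layout, MAC and IP values, and all function names are constructed for illustration, and the reply is assumed to carry the forwarding host's MAC as its Ethernet source.

```python
import struct

ECHO_REPLY, REDIRECT = 0, 5  # ICMP types counted as evidence of forwarding

def format_mac(raw):
    """Raw 6-byte MAC -> colon-separated hex for display."""
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(src_mac, dst_mac, icmp_type):
    """Constructed Ethernet/IPv4/ICMP frame; checksums left zero (not checked here)."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 99]))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + icmp

def parse_frame(frame):
    """Return (src_mac, icmp_type) for an IPv4 ICMP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 1 or len(frame) <= 14 + ihl:
        return None
    return frame[6:12], frame[14 + ihl]

def listener_matches(frame, host_mac=None):
    """Per-host capture filter. host_mac=None models a filter on ICMP type only;
    passing the scanned host's MAC models the filter with the source-MAC term."""
    parsed = parse_frame(frame)
    if parsed is None or parsed[1] not in (ECHO_REPLY, REDIRECT):
        return False
    return host_mac is None or parsed[0] == host_mac

def scan(hostgroup, captured, match_mac):
    """Every host's listener sees the same captured frames, as in a parallel hostgroup."""
    return [format_mac(h) for h in hostgroup
            if any(listener_matches(f, h if match_mac else None) for f in captured)]

# Constructed sample: three hosts scanned in parallel, only the first forwards.
SCANNER = bytes.fromhex("020000000001")
HOSTS = [bytes.fromhex(m) for m in ("0200000000a1", "0200000000a2", "0200000000a3")]
CAPTURED = [build_frame(HOSTS[0], SCANNER, ECHO_REPLY),  # assumed: sent by the forwarder
            build_frame(HOSTS[1], SCANNER, 8)]           # unrelated echo request, ignored

if __name__ == "__main__":
    print("type-only filter:", scan(HOSTS, CAPTURED, match_mac=False))
    print("with source MAC: ", scan(HOSTS, CAPTURED, match_mac=True))
```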