Nmap Development mailing list archives

Feature request: Nmap host and service mapping through a NAPT router


From: Mark Smith <nmap () nosense org>
Date: 09 Nov 2002 15:54:11 +1100

Hi,

At the request of a fellow ADSL user, I was invited to test the security
of his ADSL router, using Network Address Port Translation.

After performing a NMAP UDP scan against his public address, a number of
services were shown to be available. Obviously most of them were being
port forwarded to internal hosts.

What was interesting was that in my iptables logs, in addition to the IP
headers of returned ICMP messages, the ICMP contents were also shown,
listing the UDP packet that had caused the ICMP message. The IP header
in the ICMP payload had not had "reverse" NAT performed on it as it left
the internal device. This disclosed the internal IP address of the host.

I would like to suggest an option in NMAP to detect when the payload IP 
header and outer IP headers don't match in the returned ICMP message,
and then display the payload IP address in addition to the outer IP
address.

This would allow the NMAP user to have a partial map of the IP addresses
of the hosts behind the NAPT device, and a map of which UDP port is
being forwarded to which internal host.

The discussion thread, showing the output I saw, is here:

http://forums.whirlpool.net.au/forum-replies.cfm?t=45645

Btw, fyodor, and everyone else that has contributed to nmap - thanks.
nmap is a marvelous tool. 

Regards,
Mark.
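The check Mark is asking for can be expressed in a few dozen lines of packet parsing, and it is just as useful on the defending side: run it over an ICMP reply captured from your own router to find out whether the quoted IP header inside the error has been reverse-translated or still names an internal host. The following is an added example, not part of Mark's message and not Nmap code. The addresses (198.51.100.5 as the auditing host, 203.0.113.10 as the router's public address, 192.168.1.20 as the forwarded-to internal host) and the ICMP port-unreachable packet are constructed inline so the script runs offline; `check_icmp_nat_leak` and the helper names are this example's own.

```python
import ipaddress
import struct

# ICMP error types that quote the offending IP header + first 8 bytes of its payload
ICMP_ERROR_TYPES = {3: "destination-unreachable", 11: "time-exceeded", 12: "parameter-problem"}

SCANNER = "198.51.100.5"    # constructed: the host doing the audit
PUBLIC = "203.0.113.10"     # constructed: the NAPT router's public address
INTERNAL = "192.168.1.20"   # constructed: the internal host a UDP port is forwarded to


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options; only used to build the sample packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(buf: bytes, offset: int = 0) -> dict:
    """Decode the fixed part of an IPv4 header starting at `offset`."""
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


def check_icmp_nat_leak(packet: bytes, probed_host: str):
    """Compare the quoted (inner) IP header of an ICMP error with the address we probed.

    Returns None if the packet is not an ICMP error; otherwise a dict whose
    'leak' flag is set when the inner destination differs from the probed
    address, i.e. the NAPT device did not rewrite the quoted header.
    """
    outer = parse_ipv4_header(packet)
    if outer["proto"] != 1:          # not ICMP
        return None
    icmp_off = outer["ihl"]
    icmp_type, icmp_code = struct.unpack_from("!BB", packet, icmp_off)
    if icmp_type not in ICMP_ERROR_TYPES:
        return None
    inner_off = icmp_off + 8         # 8-byte ICMP error header, then the quoted IP header
    if len(packet) < inner_off + 20:  # truncated quote: nothing to compare
        return None
    inner = parse_ipv4_header(packet, inner_off)
    result = {
        "icmp": f"{icmp_type}/{icmp_code} ({ICMP_ERROR_TYPES[icmp_type]})",
        "outer_src": outer["src"],
        "inner_dst": inner["dst"],
        "leak": inner["dst"] != probed_host,
        "inner_dst_is_private": ipaddress.IPv4Address(inner["dst"]).is_private,
    }
    if inner["proto"] == 17 and len(packet) >= inner_off + inner["ihl"] + 4:
        # the first 8 quoted payload bytes hold the original UDP ports
        sport, dport = struct.unpack_from("!HH", packet, inner_off + inner["ihl"])
        result["udp_sport"], result["udp_dport"] = sport, dport
    return result


def sample_packet(leaky: bool) -> bytes:
    """Constructed ICMP type 3 code 3 (port unreachable) answering a UDP probe to port 161."""
    udp = struct.pack("!HHHH", 40000, 161, 8, 0)
    inner_dst = INTERNAL if leaky else PUBLIC   # a correct NAPT rewrites this back to PUBLIC
    quoted = build_ipv4_header(SCANNER, inner_dst, 17, len(udp)) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(PUBLIC, SCANNER, 1, len(icmp)) + icmp


if __name__ == "__main__":
    for leaky in (True, False):
        print(check_icmp_nat_leak(sample_packet(leaky), probed_host=PUBLIC))
```

In practice the input is a raw IPv4 datagram taken from a capture (for example the bytes of an ICMP packet logged while probing your own public address); feeding each one to `check_icmp_nat_leak` together with the address you probed lists every reply in which the router left an internal address in the quoted header, which is exactly the condition that would let an outsider build the partial internal map the message describes.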
