Nmap Development mailing list archives

Re: Feature request : Nmap host and service mapping through a NAPT router


From: Chris Reining <creining () packetfu org>
Date: Mon, 11 Nov 2002 13:08:37 -0600

Hi Mark,
You may wish to look into a patch sent to this list back in April:

From: Phil <biondi () cartel-securite fr>
To: nmap-hackers () insecure org
Subject: [PATCH] improvements and a new(?) type of scan
Date: Tue, 2 Apr 2002 16:54:49 +0200 (CEST)

The patch will report DNATs.

-Chris

On Sat, Nov 09, 2002 at 03:54:11PM +1100, Mark Smith wrote:
Hi,

At the request of a fellow ADSL user, I was invited to test the security
of his ADSL router, using Network Address Port Translation.

After performing a NMAP UDP scan against his public address, a number of
services were shown to be available. Obviously most of them were being
port forwarded to internal hosts.

What was interesting was that in my iptables logs, in addition to the IP
headers of returned ICMP messages, the ICMP contents were also shown,
listing the UDP packet that had caused the ICMP message. The IP header
in the ICMP payload had not had "reverse" NAT performed on it as it left
the internal device. This disclosed the internal IP address of the host.

I would like to suggest an option in NMAP to detect when the payload IP 
header and outer IP headers don't match in the returned ICMP message,
and then display the payload IP address in addition to the outer IP
address.

This would allow the NMAP user to have a partial map of the IP addresses
of the hosts behind the NAPT device, and a map of which UDP port is
being forwarded to which internal host.

The discussion thread, showing the output I saw, is here:

http://forums.whirlpool.net.au/forum-replies.cfm?t=45645

Btw, fyodor, and everyone else that has contributed to nmap - thanks.
nmap is a marvelous tool. 

Regards,
Mark.



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
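The leak Mark describes is easy to check for from the defender's side: capture the ICMP Destination Unreachable messages that leave your own NAPT router and compare the outer source address with the destination address in the quoted inner IP header. If they differ, the router is forwarding the ICMP error without rewriting the embedded header, and the inner destination is an internal address being disclosed. The following stand-alone checker is an added example, not code from this thread or from Nmap; it parses raw IPv4/ICMP bytes with the standard library only, and the packet it builds for demonstration is constructed here with documentation (RFC 5737) and private (RFC 1918) addresses.

```python
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa
from typing import Optional

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_DEST_UNREACH = 3


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpErrorCheck:
    outer_src: str          # address the ICMP error appears to come from
    inner_dst: str          # destination in the quoted (original) IP header
    inner_dport: Optional[int]  # UDP port the probe was sent to, if present
    leaks_internal: bool    # True when the NAT left the inner header unrewritten


def parse_icmp_unreachable(pkt: bytes) -> Optional[IcmpErrorCheck]:
    """Parse a raw IPv4 packet; return a check result for ICMP type 3, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    outer_src = inet_ntoa(pkt[12:16])
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    # RFC 792: the error quotes the original IP header plus >= 8 bytes of payload.
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_dst = inet_ntoa(inner[16:20])
    dport = None
    if inner[9] == IPPROTO_UDP and len(inner) >= inner_ihl + 8:
        _, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    # A correctly behaving NAPT rewrites the quoted destination to its own
    # public address; a mismatch means the internal address is exposed.
    return IcmpErrorCheck(outer_src, inner_dst, dport, outer_src != inner_dst)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (constructed helper)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_sample(outer_src: str, scanner: str, inner_dst: str, dport: int) -> bytes:
    """Constructed ICMP port-unreachable as a NAPT router might emit it in reply
    to a UDP probe from `scanner`; `inner_dst` is whatever the quoted header says."""
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)   # probe's UDP header, zero checksum
    quoted = ipv4_header(scanner, inner_dst, IPPROTO_UDP, len(udp)) + udp
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(outer_src, scanner, IPPROTO_ICMP, len(icmp)) + icmp


if __name__ == "__main__":
    # Constructed addresses: public router, scanner, and a private host behind it.
    leaky = build_sample("203.0.113.5", "198.51.100.7", "192.168.1.20", 161)
    print(parse_icmp_unreachable(leaky))
    clean = build_sample("203.0.113.5", "198.51.100.7", "203.0.113.5", 161)
    print(parse_icmp_unreachable(clean))
```

Run it against a pcap of your own router's outbound ICMP errors (feeding each packet's IPv4 bytes to `parse_icmp_unreachable`) to confirm the quoted header is being rewritten; `leaks_internal` set on any record is the condition Mark observed in his iptables logs.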
