Nmap Development mailing list archives
Re: [NSE] script idea: identify ports behind a NAT
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Mar 2010 11:39:15 -0600
On Wed, Mar 17, 2010 at 03:56:16PM +0000, jah wrote:
> On 17/03/2010 14:31, Ron wrote:
> > I just had an idea for a useful script that I don't really have time to write. Maybe somebody else does? Basically, identify and group which ports on a NAT point at the same computer. So, if I have port 22, 80, and 443 forwarded to computer A, and 21, 445 forwarded to computer B, I'd like to be able to tell that. There are probably a few different ways, and it really comes down to the same techniques used for OS fingerprinting (and some limited intelligence), but I think the easiest way initially would be to look at the IPIDs, especially for incremental systems. Any other ideas?
>
> Doug Hoyte created a patch for Nmap which introduced a scan type he named Qscan. It did detection based on timing (grouping ports by similar round-trip times) and worked well. The patch was never integrated and Marek Majkowski suggested it might be a job for NSE back in '07: http://seclists.org/nmap-dev/2007/q3/63
>
> It's definitely a good idea. Someone's just got to write it...
Doug's patch and documentation are here.

http://hcsw.org/nmap/QSCAN
http://hcsw.org/nmap/nmap-4.52-qscan.patch

The output looks like this. Here port 8080 is being port forwarded.

Qscan parameters: round trips: 10, avg delay = 200ms, confidence = 0.95
Target:Port             Fam  uRTT +/- Stddev  Loss%
192.168.1.254:23         A   3.1 +/- 0.1      0
192.168.1.254:25         A   3.1 +/- 0.2      0
192.168.1.254:80         A   3.2 +/- 0.1      0
192.168.1.254:8080       B   4.6 +/- 0.3      0
192.168.1.254:9876       A   3.1 +/- 0.2      0

I agree it would be a good NSE script. We have the mechanism now, with nmap.ip_send to send packets and nmap.get_ports to enumerate all open ports.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
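The grouping step that the Qscan table above illustrates, as an added example that is not code from this thread, from Qscan or from Nmap, and in Python rather than the Lua an NSE script would use. The RTT samples are constructed (10 round trips per port, None for a lost probe) and the statistical rule is my own simple choice: two ports are put in different families when their mean RTTs are further apart than z times the combined standard error of the means, for the chosen confidence level. Qscan's exact test is not described on this page. In a real script the samples would come from timing probes sent with nmap.ip_send against each port returned by nmap.get_ports; that packet handling is not part of this example.

```python
"""Group open ports by round-trip time, in the spirit of Qscan.

Added example, not Qscan's, Nmap's or NSE code. Constructed RTT samples
(in ms) for a few ports on one NAT address are grouped into families of
statistically indistinguishable RTTs, the way Qscan labels ports A and B.
The grouping rule (means further apart than z * combined standard error
belong to different hosts) is this example's own choice, not Qscan's.
"""
from math import sqrt
from statistics import mean, stdev

# Two-sided z values for the confidence levels this example accepts.
Z_VALUES = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}

# Constructed sample: 10 round trips per port, None = probe lost.
# Ports 23, 25 and 80 are meant to sit on one host, 8080 on another.
SAMPLE_RTTS = {
    23:   [3.0, 3.3, 2.9, 3.2, 3.1, 3.0, 3.4, 2.8, 3.2, 3.1],
    25:   [3.1, 2.9, 3.3, None, 3.0, 3.2, 3.1, 2.8, 3.4, 3.2],
    80:   [3.2, 3.4, 3.0, 3.3, 3.1, 3.2, 3.5, 2.9, 3.3, 3.1],
    8080: [4.5, 4.9, 4.3, 4.7, 4.6, 4.4, 4.8, 4.2, 4.7, 4.9],
}


def summarize(samples):
    """Return (mean, stdev, stderr, loss_pct) for one port's RTT samples.

    Lost probes (None) count toward loss but not toward the statistics.
    The three statistics are None when every probe was lost.
    """
    got = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(got)) / len(samples)
    if not got:
        return None, None, None, loss_pct
    m = mean(got)
    s = stdev(got) if len(got) > 1 else 0.0
    return m, s, s / sqrt(len(got)), loss_pct


def same_family(a, b, confidence=0.95):
    """True if two (mean, stdev, stderr, loss) tuples are indistinguishable.

    The means count as equal when their difference is within
    z * sqrt(se_a^2 + se_b^2). Few round trips give a large standard
    error and so fewer splits; more round trips sharpen the test.
    """
    z = Z_VALUES[confidence]
    combined_se = sqrt(a[2] ** 2 + b[2] ** 2)
    return abs(a[0] - b[0]) <= z * combined_se


def group_ports(rtts, confidence=0.95):
    """Map each port to a family letter ('A', 'B', ...) by RTT.

    Ports are visited in numeric order; each is compared with the first
    member of every existing family and joins the first one it matches,
    otherwise it starts a new family. A port with no successful probe
    gets '?' because it has no RTT to compare.
    """
    stats = {port: summarize(samples) for port, samples in rtts.items()}
    representatives = []  # (stats of the family's first member, label)
    labels = {}
    for port in sorted(rtts):
        st = stats[port]
        if st[0] is None:
            labels[port] = "?"
            continue
        for rep, label in representatives:
            if same_family(st, rep, confidence):
                labels[port] = label
                break
        else:
            label = chr(ord("A") + len(representatives))
            representatives.append((st, label))
            labels[port] = label
    return labels


def report(rtts, confidence=0.95):
    """Rows of (port, family, mean, stdev, loss_pct), like Qscan's table."""
    labels = group_ports(rtts, confidence)
    rows = []
    for port in sorted(rtts):
        m, s, _, loss = summarize(rtts[port])
        rows.append((port, labels[port], m, s, loss))
    return rows


if __name__ == "__main__":
    print("Target:Port         Fam  uRTT +/- Stddev  Loss%")
    for port, fam, m, s, loss in report(SAMPLE_RTTS):
        if m is None:
            print(f"192.168.1.254:{port:<6}  {fam}    (all probes lost)   {loss:.0f}")
        else:
            print(f"192.168.1.254:{port:<6}  {fam}   {m:.1f} +/- {s:.1f}      {loss:.0f}")
```

With the constructed samples, ports 23, 25 and 80 land in family A and 8080 in family B. The caveat a practitioner should keep in mind is the one the Qscan parameters hint at: the split depends on the number of round trips and the confidence level, so with too few probes, or on a jittery path, two hosts a few hundred microseconds apart will be reported as one.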
Current thread:
- [NSE] script idea: identify ports behind a NAT Ron (Mar 17)
- Re: [NSE] script idea: identify ports behind a NAT jah (Mar 17)
- Re: [NSE] script idea: identify ports behind a NAT DePriest, Jason R. (Mar 17)
- Re: [NSE] script idea: identify ports behind a NAT David Fifield (Mar 17)
- Re: [NSE] script idea: identify ports behind a NAT Kris Katterjohn (Mar 17)
- Qscan in NSE: qscan.nse Kris Katterjohn (Mar 17)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 17)
- Re: Qscan in NSE: qscan.nse Ron (Mar 17)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 17)
- Re: Qscan in NSE: qscan.nse Ron (Mar 18)
- Re: Qscan in NSE: qscan.nse Fyodor (Mar 20)
- Re: Qscan in NSE: qscan.nse Ron (Mar 19)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 19)
- Re: Qscan in NSE: qscan.nse David Fifield (Mar 20)
- Re: [NSE] script idea: identify ports behind a NAT jah (Mar 17)