Nmap Development mailing list archives

Re: [NSE] script idea: identify ports behind a NAT


From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Mar 2010 11:39:15 -0600

On Wed, Mar 17, 2010 at 03:56:16PM +0000, jah wrote:
> On 17/03/2010 14:31, Ron wrote:
> > I just had an idea for a useful script that I don't really have time to
> > write. Maybe somebody else does?
> >
> > Basically, identify and group which ports on a NAT point at the same
> > computer. So, if I have port 22, 80, and 443 forwarded to computer A, and
> > 21, 445 forwarded to computer B, I'd like to be able to tell that.
> >
> > There are probably a few different ways, and it really comes down to the
> > same techniques used for OS fingerprinting (and some limited intelligence),
> > but I think the easiest way initially would be to look at the IPIDs,
> > especially for incremental systems.
> >
> > Any other ideas?
>
> Doug Hoyte created a patch for Nmap which introduced a scan type he
> named Qscan. It did detection based on timing (grouping ports by similar
> round-trip times) and worked well.  The patch was never integrated and
> Marek Majkowski suggested it might be a job for NSE back in '07:
> http://seclists.org/nmap-dev/2007/q3/63
>
> It's definitely a good idea.  Someone's just got to write it...

Doug's patch and documentation are here.

http://hcsw.org/nmap/QSCAN
http://hcsw.org/nmap/nmap-4.52-qscan.patch

The output looks like this. Here port 8080 is being port forwarded.

Qscan parameters: round trips: 10, avg delay = 200ms, confidence = 0.95
         Target:Port  Fam  uRTT  +/- Stddev  Loss%
  192.168.1.254:23    A     3.1  +/-   0.1     0
  192.168.1.254:25    A     3.1  +/-   0.2     0
  192.168.1.254:80    A     3.2  +/-   0.1     0
  192.168.1.254:8080  B     4.6  +/-   0.3     0
  192.168.1.254:9876  A     3.1  +/-   0.2     0

I agree it would be a good NSE script. We have the mechanism now, with
nmap.ip_send to send packets and nmap.get_ports to enumerate all open
ports.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
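An added example (not from this thread, Nmap or Doug Hoyte's Qscan patch) of the grouping idea discussed above: ports whose round-trip times are statistically indistinguishable are put in the same family, which is what the Qscan table expresses in its "Fam" column. The RTT samples, the target address and the 2.10 threshold are constructed assumptions; a real NSE script would measure the samples with nmap.ip_send.

```python
# Added example, not code from the thread or from Nmap/Qscan: group ports on
# a NAT into "families" by round-trip time, the idea Doug Hoyte's Qscan used.
# RTT samples are constructed below; a real script would measure them.
import math
from statistics import mean, stdev

# Constructed sample: 10 round trips per port, in ms, for the ports in the
# Qscan output quoted above. Ports forwarded to the same internal host share
# a similar RTT distribution; 8080 is forwarded somewhere slower.
SAMPLES = {
    23:   [3.0, 3.3, 3.1, 2.9, 3.2, 3.1, 3.0, 3.3, 3.1, 3.0],
    25:   [3.2, 2.9, 3.4, 3.1, 3.0, 3.3, 3.1, 2.8, 3.2, 3.1],
    80:   [3.3, 3.1, 3.0, 3.2, 3.0, 3.3, 3.2, 3.1, 3.4, 3.2],
    8080: [4.5, 4.8, 4.6, 4.3, 4.7, 4.6, 4.9, 4.4, 4.6, 4.7],
    9876: [3.0, 3.2, 3.1, 3.3, 2.9, 3.1, 3.2, 3.0, 3.1, 3.2],
}

def welch_t(a, b):
    """|t| of Welch's t-test: could the two RTT samples share one mean?"""
    se = math.sqrt(stdev(a) ** 2 / len(a) + stdev(b) ** 2 / len(b))
    if se == 0:  # both samples constant: identical or clearly different
        return 0.0 if mean(a) == mean(b) else math.inf
    return abs(mean(a) - mean(b)) / se

def group_ports(samples, t_crit=2.10):
    """Map port -> family letter. A port joins the first family whose every
    member it is indistinguishable from (|t| < t_crit; 2.10 is roughly the
    two-sided 95% threshold for 10 round trips each, an assumed setting).
    Otherwise it starts a new family. Ports are visited in ascending order."""
    families = []  # list of (letter, [member ports])
    result = {}
    for port in sorted(samples):
        for letter, members in families:
            if all(welch_t(samples[port], samples[m]) < t_crit for m in members):
                members.append(port)
                result[port] = letter
                break
        else:
            letter = chr(ord("A") + len(families))
            families.append((letter, [port]))
            result[port] = letter
    return result

def qscan_table(samples, target="192.168.1.254"):
    """Render rows in the style of the Qscan output quoted above."""
    fam = group_ports(samples)
    rows = [f"{'Target:Port':>19}  Fam  uRTT  +/- Stddev"]
    for port in sorted(samples):
        s = samples[port]
        rows.append(f"{target}:{port:<5} {fam[port]}   {mean(s):4.1f}  +/- {stdev(s):5.1f}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(qscan_table(SAMPLES))
```

With the constructed samples, ports 23, 25, 80 and 9876 land in family A and 8080 alone in family B, matching the Qscan table; an IPID-based grouping, as Ron suggests, would need a different statistic but the same family-assignment loop.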