Nmap Development mailing list archives

Re: [NSE] nat-pmp-info


From: David Fifield <david () bamsoftware com>
Date: Tue, 28 Sep 2010 09:42:26 -0700

On Thu, Sep 16, 2010 at 06:57:03PM +0200, Patrik Karlsson wrote:
I noticed my router was running the nat-pmp protocol the other day and I quickly looked it up, wrote a script and disabled it ;)
The protocol is used to map a port on the external interface to a port on the internal LAN.
The communication is performed over udp 5351 and there's no authentication.
So pretty much anyone on the internal LAN can request a port to be forwarded.
I haven't implemented the mapping part, only a request that retrieves the external IP of the router.

Daniel Miller tested it and it worked, so please commit it. I think you
can add a call to set_port_version to mark the port as open and the
service as "nat-pmp".

This request consists of two bytes, both being zero, and I noticed the response is triggered by several of the version scan probes.
However, I failed to extract the IP as information in the match line, as the IP is not returned as text but rather as 4 bytes.

This is good. Did you submit the service fingerprint? I think it's good
to add a match line in the same release as the new script. So please
send the fingerprint to the list, or if you want to you can add the
match line yourself. Just add it to the first probe that gets a
response. I think this should be made into a UDP payload too, but I can
do that after seeing the version probe.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
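As an added example (not Patrik's script and not Nmap code), here is the external-address exchange the thread describes, in Python: the two-zero-byte request and a parser for the binary reply, which shows why the 4-byte address cannot be captured by a text match line. The response layout (version, opcode 128, 16-bit result code, 32-bit seconds since start of epoch, 4-byte IPv4 address) and the result-code names follow the NAT-PMP specification (RFC 6886, still a draft in 2010) and are assumptions not stated in the thread; the sample reply is constructed.

```python
import socket
import struct

NAT_PMP_PORT = 5351                   # UDP port named in the thread
EXTERNAL_ADDR_REQUEST = b"\x00\x00"   # version 0, opcode 0: the "two zero bytes"
RESPONSE_LEN = 12                     # 1+1+2+4+4 bytes (RFC 6886 layout, assumed)

# Result codes from RFC 6886 (assumed, not from the thread).
RESULT_CODES = {0: "Success", 1: "Unsupported version", 2: "Not authorized/refused",
                3: "Network failure", 4: "Out of resources", 5: "Unsupported opcode"}


def build_external_address_request() -> bytes:
    """The whole request is two zero bytes; there is no authentication field."""
    return EXTERNAL_ADDR_REQUEST


def parse_external_address_response(data: bytes) -> dict:
    """Decode the binary reply. The address is 4 raw bytes, not text."""
    if len(data) < RESPONSE_LEN:
        raise ValueError(f"short response: {len(data)} bytes")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0:
        raise ValueError(f"unexpected version {version}")
    if opcode != 0x80:  # response opcode = 128 + request opcode (0)
        raise ValueError(f"unexpected opcode {opcode:#x}")
    return {
        "result": result,
        "result_text": RESULT_CODES.get(result, "unknown"),
        "seconds_since_start_of_epoch": epoch,
        # inet_ntoa turns the 4 raw bytes into dotted-quad text
        "external_ip": socket.inet_ntoa(data[8:12]) if result == 0 else None,
    }


def query_gateway(host: str, timeout: float = 2.0) -> dict:
    """Ask a gateway on the local LAN for its external address (live network use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_external_address_request(), (host, NAT_PMP_PORT))
        data, _ = sock.recvfrom(64)
    return parse_external_address_response(data)


# Constructed sample reply: success, 3600 s since the gateway's epoch start,
# external address 203.0.113.7 (documentation range).
SAMPLE_RESPONSE = (bytes([0x00, 0x80, 0x00, 0x00])
                   + struct.pack("!I", 3600)
                   + socket.inet_aton("203.0.113.7"))

if __name__ == "__main__":
    print(parse_external_address_response(SAMPLE_RESPONSE))
```

Running `query_gateway("192.168.1.1")` against your own router is a quick way to confirm whether it still answers after NAT-PMP has been disabled, as Patrik did.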
