Nmap Development mailing list archives

Re: [NSE] Detecting IP forwarding


From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 1 May 2012 21:10:39 +0200

On Tue, May 1, 2012 at 8:30 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

 On 04/22/2012 01:55 PM, Patrik Karlsson wrote:

Hi all,

I had a discussion about ip forwarding and "internet connection sharing"
with a friend the other day.
The discussion was about detecting multihomed laptops having both the
wireless and wired network interfaces active and ip forwarding enabled.
I came up with the attached script which essentially tries to use each
scanned host as a gateway and sends a ping packet to a given target (either
on the same LAN or routed).
It then sees whether it gets an ICMP echo reply or redirect back and
determines whether the packet was forwarded or not.

I've tried it against Windows 7 connection sharing, my home router and an OS
X server with ip forwarding activated and it works as intended.
If there's another more efficient way to discover this, let me know,
otherwise I will commit the script within the next few days.

The script relies on some recent changes to packet.lua, so it needs this
library to be updated as well.

Cheers,
Patrik



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

 Patrik,

Just tried this out, and I'm coming up with lots of false positives.
Basically, because of parallelism, the pcap_receive() calls all succeed on
the same packet, meaning all hosts in the same hostgroup as a machine with
forwarding on will show positive. I've attached a patch that modifies the
BPF to match the source mac against the target's mac, which seems to solve
the problem. I had to borrow the format_mac function from
targets-ipv6-multicast-echo, since the packet library doesn't have an
equivalent (that I can find).

Dan


Thanks, much appreciated! I've applied the patch as r28525.

//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
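
The false positive Dan describes and the effect of pinning the source MAC, shown as an added example that is not part of the thread or of the committed script. The filter text, the `Frame` fields and the 192.0.2.0/24 sample data are assumptions constructed for illustration; only the `format_mac` name comes from the message above.

```python
from collections import namedtuple

ICMP_ECHO_REPLY, ICMP_REDIRECT = 0, 5

# The fields of a captured frame that the capture filter inspects.
Frame = namedtuple("Frame", "src_mac dst_ip icmp_type")

def format_mac(raw):
    """Render a 6-byte MAC as the colon-separated hex that BPF expects."""
    return ":".join(f"{b:02x}" for b in raw)

def capture_filter(scanner_ip, host_mac=None):
    """BPF text for one scanned host's listener (assumed form, not the script's)."""
    expr = (f"icmp and (icmp[0] = {ICMP_ECHO_REPLY} or "
            f"icmp[0] = {ICMP_REDIRECT}) and dst host {scanner_ip}")
    if host_mac is not None:  # the fix: pin the sender to the scanned host
        expr = f"ether src {format_mac(host_mac)} and {expr}"
    return expr

def matches(frame, scanner_ip, host_mac=None):
    """Evaluate the same predicate as capture_filter() on a Frame."""
    if frame.dst_ip != scanner_ip:
        return False
    if frame.icmp_type not in (ICMP_ECHO_REPLY, ICMP_REDIRECT):
        return False
    return host_mac is None or frame.src_mac == host_mac

def flagged_hosts(hostgroup, frames, scanner_ip, pin_mac):
    """Hosts whose listener sees a matching frame, i.e. get reported as forwarding."""
    return sorted(ip for ip, mac in hostgroup.items()
                  if any(matches(f, scanner_ip, mac if pin_mac else None)
                         for f in frames))

# Constructed sample: three hosts scanned in parallel; only .22 forwards and
# answers the probe with an ICMP redirect.
SCANNER_IP = "192.0.2.10"
HOSTGROUP = {
    "192.0.2.21": bytes.fromhex("020000000021"),
    "192.0.2.22": bytes.fromhex("020000000022"),
    "192.0.2.23": bytes.fromhex("020000000023"),
}
FRAMES = [Frame(HOSTGROUP["192.0.2.22"], SCANNER_IP, ICMP_REDIRECT)]

if __name__ == "__main__":
    print(capture_filter(SCANNER_IP, HOSTGROUP["192.0.2.22"]))
    print("unpinned:", flagged_hosts(HOSTGROUP, FRAMES, SCANNER_IP, False))
    print("pinned:  ", flagged_hosts(HOSTGROUP, FRAMES, SCANNER_IP, True))
```

Without the `ether src` term every listener in the hostgroup accepts the same redirect, so all three hosts are flagged; with it, only the host that actually sent the frame is.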