Nmap Development mailing list archives
Re: nmap nat-pmp-info script not working with Fritz!Box
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 7 Mar 2016 10:28:18 -0600
Arne,

I can't find a reference to the -X option of dns-sd, even in my OS X 10.11 man page. What does this do? I watched a packet trace and it does look like it's sending traffic to 5351/udp, but it's also sending out SSDP discovery messages. Can you do a packet capture and confirm that it is NAT-PMP that is being used to retrieve the external address and not some other UPnP protocol?

You can also run the nat-pmp-info script with the -d --script-trace options to see all traffic and many debug messages. This might give a clue as to what is going wrong with the script.

Dan

On Tue, Feb 23, 2016 at 11:00 AM, Arne Eickenberg <eickenberg () verklangwelt de> wrote:

> Hello,
>
> I'm trying to run nmap to discover the WAN IP from the router. The router itself is a Fritz!Box 7490 (latest OS), NAT-PMP compatible, UPnP activated. The command I'm running is the following:
>
> $ sudo nmap -sU -p 5351 --script=nat-pmp-info 192.168.178.1 -v
>
> This is the standard command from the nmap documentation, only with the added -v option. However, the WAN IP is not mentioned in the nmap output (see below), even though the router is NAT-PMP compatible.
>
> ###
> $ sudo nmap -sU -p 5351 --script=nat-pmp-info 192.168.178.1 -v
> Password:
> Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-23 17:52 CET
> NSE: Loaded 1 scripts for scanning.
> NSE: Script Pre-scanning.
> Initiating NSE at 17:52
> Completed NSE at 17:52, 0.00s elapsed
> Initiating ARP Ping Scan at 17:52
> Scanning 192.168.178.1 [1 port]
> Completed ARP Ping Scan at 17:52, 0.01s elapsed (1 total hosts)
> Initiating UDP Scan at 17:52
> Scanning fritz.box (192.168.178.1) [1 port]
> Discovered open port 5351/udp on 192.168.178.1
> Completed UDP Scan at 17:52, 0.01s elapsed (1 total ports)
> NSE: Script scanning 192.168.178.1.
> Initiating NSE at 17:52
> Completed NSE at 17:52, 0.00s elapsed
> Nmap scan report for fritz.box (192.168.178.1)
> Host is up (0.0031s latency).
> PORT STATE SERVICE
> 5351/udp open nat-pmp
> MAC Address: 34:xx:xx:xx:xx:xx (AVM GmbH)
> NSE: Script Post-scanning.
> Initiating NSE at 17:52
> Completed NSE at 17:52, 0.00s elapsed
> Read data files from: /usr/local/bin/../share/nmap
> Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
> Raw packets sent: 2 (58B) | Rcvd: 2 (58B)
> ###
>
> The command dns-sd -X does print the WAN IP, so imho the router can't be the problem. (?)
>
> ###
> $ dns-sd -X
> DATE: ---Tue 23 Feb 2016---
> 17:54:29.842 ...STARTING...
> Timestamp if External Address Protocol Internal Port External Port TTL
> 17:54:29.843 0 77.xxx.xxx.xxx 0 0 0 0
> ###
>
> Best wishes,
> Arne Eickenberg
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
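Added example, not part of the original thread and not code from Nmap's nat-pmp-info script: a small decoder for UDP payloads copied out of a packet capture on port 5351, to tell a NAT-PMP external address exchange apart from other traffic such as SSDP or PCP. The wire layout follows RFC 6886; the function names are hypothetical and the sample payloads are constructed.

```python
import ipaddress
import struct

# Result codes defined by RFC 6886.
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_external_address_request() -> bytes:
    """External address request: version 0, opcode 0 (2 bytes)."""
    return struct.pack("!BB", 0, 0)


def decode_nat_pmp(payload: bytes) -> dict:
    """Classify one UDP payload captured on port 5351."""
    if len(payload) < 2:
        return {"kind": "not-nat-pmp", "reason": "shorter than 2 bytes"}
    version, opcode = struct.unpack_from("!BB", payload)
    if version != 0:
        # Anything else is not NAT-PMP; PCP (RFC 6887) shares the port with version 2.
        return {"kind": "not-nat-pmp", "reason": f"version byte {version}"}
    if opcode == 0 and len(payload) == 2:
        return {"kind": "external-address-request"}
    if opcode != 128:
        return {"kind": "other-nat-pmp", "opcode": opcode}
    if len(payload) < 8:
        return {"kind": "malformed-response", "reason": "truncated header"}
    result, epoch = struct.unpack_from("!HI", payload, 2)
    info = {"kind": "external-address-response",
            "result": RESULT_CODES.get(result, f"unknown ({result})"),
            "epoch_seconds": epoch}
    if result == 0:
        if len(payload) != 12:
            return {"kind": "malformed-response", "reason": "success without address"}
        # The address field is only meaningful when the result code is 0.
        info["external_ip"] = str(ipaddress.IPv4Address(payload[8:12]))
    return info


if __name__ == "__main__":
    # Constructed sample payloads (203.0.113.7 is a documentation address).
    samples = [build_external_address_request(),
               bytes.fromhex("0080000000000e10cb007107"),
               bytes.fromhex("0080000300000e1000000000"),
               b"M-SEARCH * HTTP/1.1\r\n"]
    for s in samples:
        print(s.hex(), "->", decode_nat_pmp(s))
```

A response that decodes with a result other than "success" carries no usable address, which is one way a gateway can answer on 5351/udp without the external IP ever appearing.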
Current thread:
- nmap nat-pmp-info script not working with Fritz!Box Arne Eickenberg (Feb 25)
- Re: nmap nat-pmp-info script not working with Fritz!Box Arne Eickenberg (Feb 25)
- Re: nmap nat-pmp-info script not working with Fritz!Box Gisle Vanem (Feb 25)
- Re: nmap nat-pmp-info script not working with Fritz!Box Daniel Miller (Mar 07)