
o [NSE] Added nat-pmp-info script that uses the nat-pmp service to

discover the external IP address of a router. [Patrik]
This commit is contained in:
patrik
2010-09-28 19:43:06 +00:00
parent 31389d88ce
commit 0ef84cf443
4 changed files with 110 additions and 0 deletions


@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added nat-pmp-info script that uses the nat-pmp service to
discover the external IP address of a router. [Patrik]
o [NSE] Added prerule support to snmp-interfaces and the ability to o [NSE] Added prerule support to snmp-interfaces and the ability to
add the host's interface addresses to the scanning queue. The new add the host's interface addresses to the scanning queue. The new
script arguments used for this functionality are "host" (required) script arguments used for this functionality are "host" (required)


@@ -7094,6 +7094,9 @@ softmatch quake3 m|^\xff\xff\xff\xffdisconnect$| p/Quake 3 game server/
match apple-sasl m|How was your weekend\?;[0-9A-F]*\0| p/Mac OS X Server Password Server/ match apple-sasl m|How was your weekend\?;[0-9A-F]*\0| p/Mac OS X Server Password Server/
match nat-pmp m|^\0\xfe\0\x01\0\0..$|s p/natpmp daemon/ d/router/
match nat-pmp m|^\0\0\0\x01...\0$|s p/Apple Time Capsule/ d/router/
##############################NEXT PROBE############################## ##############################NEXT PROBE##############################
Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03| Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
rarity 1 rarity 1

103
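--- /dev/null
+++ b/scripts/nat-pmp-info.nse
@@ -0,0 +1,103 @@
+description = [[
+Queries the NAT-PMP service for the external address
+]]
+---
+-- @usage
+-- nmap -sU --script nat-pmp-info -p 5351 <host>
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 5351/udp open unknown udp-response
+-- | nat-pmp-info:
+-- |_ External ip: 1.2.3.4
+--
+--
+-- The implementation is based on the following documentation:
+-- http://files.dns-sd.org/draft-cheshire-nat-pmp.txt
+--
+--
+-- Version 0.1
+-- Created 09/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+--
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery"}
+require "stdnse"
+require "shortport"
+portrule = shortport.portnumber(5351, "udp", {"open", "open|filtered"})
+process_response = function( data )
+--
+-- Make sure we received exactly 12 bytes:
+--
+-- 0 1 2 3
+-- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-- | Vers = 0 | OP = 128 + 0 | Result Code |
+-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-- | Seconds Since Start of Epoch |
+-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-- | External IP Address (a.b.c.d) |
+-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+--
+if ( #data ~= 12 ) then return false, "Invalid length" end
+local pos, version, op, result, time = bin.unpack("CCSI", data )
+-- Make sure the result code is zero (OK)
+if ( result ~= 0 ) then
+return false, ("Non-zero (%d) result code returned"):format(result)
+end
+local _, o1, o2, o3, o4 = bin.unpack("CCCC", data, pos )
+return true, ("%d.%d.%d.%d"):format(o1,o2,o3,o4)
+end
+action = function( host, port )
+local socket = nmap.new_socket()
+local status = socket:connect( host, port, "udp" )
+socket:set_timeout(5000)
+-- 0 1
+-- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-- | Vers = 0 | OP = 0 |
+-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+--
+-- Layout of the query for external IP packet
+--
+local packet = string.char( 0, 0 )
+status = socket:send( packet )
+if( not(status) ) then
+stdnse.print_debug(3, "ERROR: Failed to send data")
+return
+end
+local data
+status, data = socket:receive_bytes(12)
+if( not(status) ) then
+stdnse.print_debug(3, "ERROR: Failed to receive data")
+return
+end
+local external_ip
+status, external_ip = process_response( data )
+if ( not(status) ) then stdnse.print_debug(3, external_ip) end
+-- set port to open
+nmap.set_port_state(host, port, "open")
+nmap.set_port_version(host, port, "hardmatched")
+return (" \n External ip: %s"):format( external_ip )
+end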
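Review bot: A failed process_response() does not stop action: the `if ( not(status) ) then stdnse.print_debug(3, external_ip) end` line only logs, after which the port is still marked open, its version set to "hardmatched", and the error text ("Invalid length" or the non-zero result code message) is printed as the External ip; change it to `if ( not(status) ) then stdnse.print_debug(3, external_ip); return end`. The two bin.unpack calls in process_response use `bin`, but the file only does `require "stdnse"` and `require "shortport"`; unless bin is loaded for every script in this NSE version, add `require "bin"` next to them. The result of `socket:connect( host, port, "udp" )` is assigned but never checked, and the socket is never closed on any path; a `socket:close()` before each return would release it. process_response is also created as a global; `local process_response = function( data )` (or `local function process_response( data )`) keeps it out of the script environment.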


@@ -83,6 +83,7 @@ Entry { filename = "mysql-empty-password.nse", categories = { "auth", "intrusive
Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "mysql-users.nse", categories = { "discovery", "intrusive", } } Entry { filename = "mysql-users.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "mysql-variables.nse", categories = { "discovery", "intrusive", } } Entry { filename = "mysql-variables.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "nat-pmp-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "nfs-ls.nse", categories = { "discovery", "safe", } } Entry { filename = "nfs-ls.nse", categories = { "discovery", "safe", } }
Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } } Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } }