o [NSE] Added nat-pmp-info script that uses the nat-pmp service to

discover the external IP address of a router. [Patrik]
2025-12-18 13:39:02 +00:00 · 2010-09-28 19:43:06 +00:00
parent 31389d88ce
commit 0ef84cf443
4 changed files with 110 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added nat-pmp-info script that uses the nat-pmp service to
+  discover the external IP address of a router. [Patrik]
+
 o [NSE] Added prerule support to snmp-interfaces and the ability to
  add the host's interface addresses to the scanning queue.  The new
  script arguments used for this functionality are "host" (required)
--- a/3
+++ b/3
@@ -7094,6 +7094,9 @@ softmatch quake3 m|^\xff\xff\xff\xffdisconnect$| p/Quake 3 game server/

 match apple-sasl m|How was your weekend\?;[0-9A-F]*\0| p/Mac OS X Server Password Server/

+match nat-pmp m|^\0\xfe\0\x01\0\0..$|s p/natpmp daemon/ d/router/
+match nat-pmp m|^\0\0\0\x01...\0$|s p/Apple Time Capsule/ d/router/
+
 ##############################NEXT PROBE##############################
 Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
 rarity 1
--- a/scripts/nat-pmp-info.nse
+++ b/scripts/nat-pmp-info.nse
@@ -0,0 +1,103 @@
+description = [[
+Queries the NAT-PMP service for the external address
+]]
+
+---
+-- @usage
+-- nmap -sU --script nat-pmp-info -p 5351 <host>
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 5351/udp open  unknown udp-response
+-- | nat-pmp-info:   
+-- |_  External ip: 1.2.3.4
+--
+--
+-- The implementation is based on the following documentation:
+-- http://files.dns-sd.org/draft-cheshire-nat-pmp.txt
+--
+
+--
+-- Version 0.1
+-- Created 09/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery"}
+
+require "stdnse"
+require "shortport"
+
+portrule = shortport.portnumber(5351, "udp", {"open", "open|filtered"})
+
+process_response = function( data )
+
+	--
+	-- Make sure we received exactly 12 bytes:
+	--
+	--     0                   1                   2                   3
+	--     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+	--    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	--    | Vers = 0      | OP = 128 + 0  | Result Code                   |
+	--    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	--    | Seconds Since Start of Epoch                                  |
+	--    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	--    | External IP Address (a.b.c.d)                                 |
+	--    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	--
+	
+	if ( #data ~= 12 ) then return false, "Invalid length" end
+	local pos, version, op, result, time = bin.unpack("CCSI", data )
+
+	-- Make sure the result code is zero (OK)
+	if ( result ~= 0 ) then 
+		return false, ("Non-zero (%d) result code returned"):format(result)
+	end
+	
+	local _, o1, o2, o3, o4 = bin.unpack("CCCC", data, pos )	
+	return true, ("%d.%d.%d.%d"):format(o1,o2,o3,o4)
+
+end
+
+action = function( host, port )
+
+	local socket = nmap.new_socket()
+	local status = socket:connect( host, port, "udp" )
+
+	socket:set_timeout(5000)
+	
+	--     0                   1
+	--     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+	--    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	--    | Vers = 0      | OP = 0        |
+	--    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	--
+	-- Layout of the query for external IP packet
+	--
+    local packet = string.char( 0, 0 )
+	
+	status = socket:send( packet )
+	if( not(status) ) then 
+		stdnse.print_debug(3, "ERROR: Failed to send data")
+		return
+	end
+	
+	local data
+	status, data = socket:receive_bytes(12)
+	if( not(status) ) then 
+		stdnse.print_debug(3, "ERROR: Failed to receive data")
+		return
+	end
+	
+	local external_ip
+	status, external_ip = process_response( data )
+	if ( not(status) ) then	stdnse.print_debug(3, external_ip) end
+	
+	-- set port to open
+    nmap.set_port_state(host, port, "open")
+	nmap.set_port_version(host, port, "hardmatched")
+	
+	return ("  \n  External ip: %s"):format( external_ip )
+
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -83,6 +83,7 @@ Entry { filename = "mysql-empty-password.nse", categories = { "auth", "intrusive
 Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "mysql-users.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "mysql-variables.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "nat-pmp-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "nfs-ls.nse", categories = { "discovery", "safe", } }
 Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } }