From b4079e90fff176794f2067e627356c8558d0f76c Mon Sep 17 00:00:00 2001
From: patrik <patrik@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Tue, 1 May 2012 14:21:00 +0000
Subject: [PATCH] o [NSE] Added the script ip-forwarding that detects devices
 that have IP   forwarding enabled (acting as routers). [Patrik Karlsson]

---
 CHANGELOG                 |  3 ++
 scripts/ip-forwarding.nse | 98 +++++++++++++++++++++++++++++++++++++++
 scripts/script.db         |  1 +
 3 files changed, 102 insertions(+)
 create mode 100644 scripts/ip-forwarding.nse

diff --git a/CHANGELOG b/CHANGELOG
index 25cd4e3d3..e870ba7de 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the script ip-forwarding that detects devices that have IP
+  forwarding enabled (acting as routers). [Patrik Karlsson]
+
 o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE
   2012-1182 vulnerability. [Aleksandar Nikolic]
 
diff --git a/scripts/ip-forwarding.nse b/scripts/ip-forwarding.nse
new file mode 100644
index 000000000..5376a2f1d
--- /dev/null
+++ b/scripts/ip-forwarding.nse
@@ -0,0 +1,98 @@
+description = [[
+Detects whether the remote device has ip forwarding or "Internet connection
+sharing" enabled, by sending an ICMP echo request to a given target using
+the scanned host as default gateway.
+
+The given target can be a routed or a LAN host and needs to be able to respond
+to ICMP requests (ping) in order for the test to be successful. In addition,
+if the given target is a routed host, the scanned host needs to have the proper
+routing to reach it.
+
+In order to use the scanned host as default gateway Nmap needs to discover
+the MAC address. This requires Nmap to be run in privileged mode and the host
+to be on the LAN.
+]]
+
+---
+-- @usage
+-- sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'
+--
+-- @output
+-- | ip-forwarding: 
+-- |_  The host has ip forwarding enabled, tried ping against (www.example.com)
+--
+-- @param ip-forwarding.target a LAN or routed target responding to ICMP echo
+--        requests (ping).
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery"}
+
+local arg_target = stdnse.get_script_args(SCRIPT_NAME .. ".target")
+
+hostrule = function(host)
+	if ( not(host.mac_addr) ) then
+		stdnse.print_debug( "%s: Failed to determine hosts remote MAC address", SCRIPT_NAME )
+	end
+	return (arg_target ~= nil and host.mac_addr ~= nil)
+end
+
+local dns    = require('dns')
+local ipops  = require('ipOps')
+local tab    = require('tab')
+local packet = require('packet')
+
+icmpEchoRequest = function(ifname, host, addr)
+	local iface = nmap.get_interface_info(ifname)
+	local dnet, pcap = nmap.new_dnet(), nmap.new_socket()
+
+	pcap:set_timeout(5000)
+	pcap:pcap_open(iface.device, 128, false, ("icmp and ( icmp[0] = 0 or icmp[0] = 5 ) and dst %s"):format(iface.address))
+	dnet:ethernet_open(iface.device)
+	
+	local probe = packet.Frame:new()
+	probe.mac_src = iface.mac
+	probe.mac_dst = host.mac_addr
+	probe.ip_bin_src = packet.iptobin(iface.address)
+	probe.ip_bin_dst = packet.iptobin(addr)
+	probe.echo_id = 0x1234
+	probe.echo_seq = 6
+	probe.echo_data = "Nmap host discovery."
+	probe:build_icmp_echo_request()
+	probe:build_icmp_header()
+	probe:build_ip_packet()
+	probe:build_ether_frame()
+	
+	dnet:ethernet_send(probe.frame_buf)
+	local status = pcap:pcap_receive()	
+	dnet:ethernet_close()
+	return status
+end
+
+local function fail(err) return ("\n  ERROR: %s"):format(err or "") end
+
+action = function(host)
+
+	local ifname = nmap.get_interface() or host.interface
+	if ( not(ifname) ) then
+		return fail("Failed to determine the network interface name")
+	end
+
+	local target = ipops.ip_to_bin(arg_target)
+	if ( not(target) ) then
+		local status
+		status, target = dns.query(arg_target, { dtype='A' })
+		if ( not(status) ) then
+			return fail(("Failed to lookup hostname: %s"):format(arg_target))
+		end
+	else
+		target = arg_target
+	end
+	
+	if (icmpEchoRequest(ifname, host, target)) then
+		return ("\n  The host has ip forwarding enabled, tried ping against (%s)"):format(arg_target)
+	end
+
+end
+
diff --git a/scripts/script.db b/scripts/script.db
index 9a06e5888..fb3dd61a4 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -175,6 +175,7 @@ Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", }
 Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "ip-forwarding.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } }