
o [NSE] Added the script ip-forwarding that detects devices that have IP

forwarding enabled (acting as routers). [Patrik Karlsson]
This commit is contained in:
patrik
2012-05-01 14:21:00 +00:00
parent ac3773a0e4
commit b4079e90ff
3 changed files with 102 additions and 0 deletions


@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added the script ip-forwarding that detects devices that have IP
forwarding enabled (acting as routers). [Patrik Karlsson]
o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE
2012-1182 vulnerability. [Aleksandar Nikolic] 2012-1182 vulnerability. [Aleksandar Nikolic]

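--- a/scripts/ip-forwarding.nse
+++ b/scripts/ip-forwarding.nse
@@ -0,0 +1,98 @@
+description = [[
+Detects whether the remote device has ip forwarding or "Internet connection
+sharing" enabled, by sending an ICMP echo request to a given target using
+the scanned host as default gateway.
+The given target can be a routed or a LAN host and needs to be able to respond
+to ICMP requests (ping) in order for the test to be successful. In addition,
+if the given target is a routed host, the scanned host needs to have the proper
+routing to reach it.
+In order to use the scanned host as default gateway Nmap needs to discover
+the MAC address. This requires Nmap to be run in privileged mode and the host
+to be on the LAN.
+]]
+---
+-- @usage
+-- sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'
+--
+-- @output
+-- | ip-forwarding:
+-- |_ The host has ip forwarding enabled, tried ping against (www.example.com)
+--
+-- @param ip-forwarding.target a LAN or routed target responding to ICMP echo
+-- requests (ping).
+--
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery"}
+local arg_target = stdnse.get_script_args(SCRIPT_NAME .. ".target")
+hostrule = function(host)
+if ( not(host.mac_addr) ) then
+stdnse.print_debug( "%s: Failed to determine hosts remote MAC address", SCRIPT_NAME )
+end
+return (arg_target ~= nil and host.mac_addr ~= nil)
+end
+local dns = require('dns')
+local ipops = require('ipOps')
+local tab = require('tab')
+local packet = require('packet')
+icmpEchoRequest = function(ifname, host, addr)
+local iface = nmap.get_interface_info(ifname)
+local dnet, pcap = nmap.new_dnet(), nmap.new_socket()
+pcap:set_timeout(5000)
+pcap:pcap_open(iface.device, 128, false, ("icmp and ( icmp[0] = 0 or icmp[0] = 5 ) and dst %s"):format(iface.address))
+dnet:ethernet_open(iface.device)
+local probe = packet.Frame:new()
+probe.mac_src = iface.mac
+probe.mac_dst = host.mac_addr
+probe.ip_bin_src = packet.iptobin(iface.address)
+probe.ip_bin_dst = packet.iptobin(addr)
+probe.echo_id = 0x1234
+probe.echo_seq = 6
+probe.echo_data = "Nmap host discovery."
+probe:build_icmp_echo_request()
+probe:build_icmp_header()
+probe:build_ip_packet()
+probe:build_ether_frame()
+dnet:ethernet_send(probe.frame_buf)
+local status = pcap:pcap_receive()
+dnet:ethernet_close()
+return status
+end
+local function fail(err) return ("\n ERROR: %s"):format(err or "") end
+action = function(host)
+local ifname = nmap.get_interface() or host.interface
+if ( not(ifname) ) then
+return fail("Failed to determine the network interface name")
+end
+local target = ipops.ip_to_bin(arg_target)
+if ( not(target) ) then
+local status
+status, target = dns.query(arg_target, { dtype='A' })
+if ( not(status) ) then
+return fail(("Failed to lookup hostname: %s"):format(arg_target))
+end
+else
+target = arg_target
+end
+if (icmpEchoRequest(ifname, host, target)) then
+return ("\n The host has ip forwarding enabled, tried ping against (%s)"):format(arg_target)
+end
+end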
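Review bot: The status returned by `pcap:pcap_receive()` in icmpEchoRequest is reported as proof of forwarding without inspecting the captured packet: the filter given to pcap_open accepts any ICMP echo reply (type 0) or redirect (type 5) addressed to the interface, so an unrelated reply arriving during the 5000 ms window produces a false "ip forwarding enabled" result. Before returning true the function should parse the layer-3 data that pcap_receive returns after the status and confirm the reply's source is the probed target (or the scanned host, for the redirect case) and that its echo id and sequence match the 0x1234 and 6 values set on the probe. The capture handle is also never released — `dnet:ethernet_close()` has no matching `pcap:pcap_close()` — so add `pcap:pcap_close()` next to it before the return. Finally, `icmpEchoRequest = function(ifname, host, addr)` defines a global in the shared NSE environment; declare it `local icmpEchoRequest = function(ifname, host, addr)` as is done for `fail`, and note that `tab` is required but never used.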


@@ -175,6 +175,7 @@ Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", }
Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } } Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } } Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ip-forwarding.nse", categories = { "discovery", "safe", } }
Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } }