Nmap 6:Network exploration and security auditing Cookbook
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Detecting NAT with Nping

Nping was designed for packet crafting and traffic analysis and is perfect for a variety of networking tasks.

The following recipe will introduce Nping by showing how to perform NAT detection with some help of the Nping Echo protocol.

How to do it...

Open a terminal and enter the following command:

# nping --ec "public" -c 1 echo.nmap.org

This will result in an output stream similar to the following example:

Nping will return the packet traffic between the client and the Nping echo server echo.nmap.org:

Starting Nping 0.5.59BETA1 ( http://nmap.org/nping ) at 2011-10-27 16:59 PDT 
SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28 
CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28 
RCVD (1.2361s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=37482 iplen=28 

Max rtt: 90.751ms | Min rtt: 90.751ms | Avg rtt: 90.751ms 
Raw packets sent: 1 (28B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)| Echoed: 1 (28B) 
Tx time: 0.00120s | Tx bytes/s: 23236.51 | Tx pkts/s: 829.88 
Rx time: 1.00130s | Rx bytes/s: 45.94 | Rx pkts/s: 1.00 
Nping done: 1 IP address pinged in 2.23 seconds

Take note of the source address 192.168.1.102 in the first packet marked as SENT.

 SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28

Compare this address to the source address in the second packet marked as CAPT.

CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28

The addresses are different, indicating the presence of NAT.

How it works...

Nping's echo mode was designed to help troubleshoot firewall and routing problems. Basically, it returns a copy of the received packet back to the client.

The command is:

# nping --ec "public" -c 1 echo.nmap.org

It uses Nping's echo mode (--ec or --echo-client) to help us analyze the traffic between Nmap's Nping echo server, to determine if there is a NAT device on the network. The argument after –ec corresponds to a secret passphrase known by the server to encrypt and authenticate the session.

The flag -c is used to specify how many iterations of packets must be sent.

There's more...

With Nping it is really simple to generate custom TCP packets. For example, to send a TCP SYN packet to port 80, use the following command:

# nping --tcp -flags syn -p80 -c 1 192.168.1.254

This will result in the following output:

SENT (0.0615s) TCP 192.168.1.102:33599 > 192.168.1.254:80 S ttl=64 id=21546 iplen=40 seq=2463610684 win=1480 
RCVD (0.0638s) TCP 192.168.1.254:80 > 192.168.1.102:33599 SA ttl=254 id=30048 iplen=44 seq=457728000 win=1536 <mss 768> 

Max rtt: 2.342ms | Min rtt: 2.342ms | Avg rtt: 2.342ms 
Raw packets sent: 1 (40B) | Rcvd: 1 (46B) | Lost: 0 (0.00%) 
Tx time: 0.00122s | Tx bytes/s: 32894.74 | Tx pkts/s: 822.37 
Rx time: 1.00169s | Rx bytes/s: 45.92 | Rx pkts/s: 1.00 
Nping done: 1 IP address pinged in 1.14 seconds

Nping is a very powerful tool for traffic analysis and packet crafting. Take a moment to go through all of its options by using the following command:

$ nping -h

Nping Echo Protocol

To learn more about the Nping Echo Protocol visit http://nmap.org/svn/nping/docs/EchoProtoRFC.txt.

See also

  • The Finding live hosts in your network recipe
  • The Comparing scan results with Ndiff recipe
  • The Managing multiple scanning profiles with Zenmap recipe
  • The Monitoring servers remotely with Nmap and Ndiff recipe
  • The Gathering network information with broadcast scripts recipe Chapter 2, Network Exploration
  • The Brute forcing DNS records recipe Chapter 3, Gathering Additional Host Information
  • The Spoofing the origin IP of a port scan recipe Chapter 3, Gathering Additional Host Information
  • The Generating a network topology graph with Zenmap recipe Chapter 8, Generating Scan Reports
上一章目录下一章