Detecting NAT with Nping
Nping was designed for packet crafting and traffic analysis and is perfect for a variety of networking tasks.
The following recipe will introduce Nping by showing how to perform NAT detection with some help from the Nping Echo protocol.
How to do it...
Open a terminal and enter the following command:
# nping --ec "public" -c 1 echo.nmap.org
This will result in an output stream similar to the following example:
Nping will return the packet traffic between the client and the Nping echo server echo.nmap.org:
Starting Nping 0.5.59BETA1 ( http://nmap.org/nping ) at 2011-10-27 16:59 PDT
SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28
CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28
RCVD (1.2361s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=37482 iplen=28
Max rtt: 90.751ms | Min rtt: 90.751ms | Avg rtt: 90.751ms
Raw packets sent: 1 (28B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)| Echoed: 1 (28B)
Tx time: 0.00120s | Tx bytes/s: 23236.51 | Tx pkts/s: 829.88
Rx time: 1.00130s | Rx bytes/s: 45.94 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 2.23 seconds
Take note of the source address 192.168.1.102 in the first packet marked as SENT.
SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28
Compare this address to the source address in the second packet marked as CAPT.
CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28
The addresses are different, indicating the presence of NAT.
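The comparison above can be scripted. The following is an added example, not code from the original recipe: a shell function that pairs SENT and CAPT lines by their IP id and reports whether the source address changed. The name nat_check and its verdict words are assumptions, and it assumes IPv4 output in which the id survives translation, as it does in the output above.

```bash
#!/usr/bin/env bash
# Added example (not from the recipe): automate the SENT-vs-CAPT comparison.
# Assumptions: IPv4 output, and the IP id is preserved across translation,
# as in the recipe's output. nat_check and its verdict words are made up here.

# Constructed sample: the three packet lines from the output shown above.
sample_output() {
  cat <<'EOF'
SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28
CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28
RCVD (1.2361s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=37482 iplen=28
EOF
}

# Read Nping echo-mode output on stdin and print one verdict per SENT packet:
#   NAT      source address seen by the echo server differs from the one sent
#   NO-NAT   server saw the same source address that was sent
#   NO-CAPT  server never echoed the packet (dropped or filtered on the way)
nat_check() {
  awk '
    # Return the value of a key=value token on the current line.
    function val(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    # Source address is field 4; strip a trailing :port on TCP/UDP lines.
    function src(   a) { a = $4; sub(/:[0-9]+$/, "", a); return a }

    $1 == "SENT" { id = val("id"); sent[id] = src(); order[++n] = id }
    $1 == "CAPT" { id = val("id"); if (id in sent) capt[id] = src() }

    END {
      for (k = 1; k <= n; k++) {
        id = order[k]
        if (!(id in capt))             print "NO-CAPT id=" id " src=" sent[id]
        else if (capt[id] != sent[id]) print "NAT id=" id " sent=" sent[id] " capt=" capt[id]
        else                           print "NO-NAT id=" id " src=" sent[id]
      }
    }
  '
}

# Live use (needs root): nping --ec "public" -c 1 echo.nmap.org | nat_check
sample_output | nat_check
```

A NO-CAPT verdict means the echo server never saw the packet, which points to filtering or a routing problem rather than to NAT.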
How it works...
Nping's echo mode was designed to help troubleshoot firewall and routing problems. Basically, it returns a copy of the received packet back to the client.
The command is:
# nping --ec "public" -c 1 echo.nmap.org
It uses Nping's echo mode (--ec or --echo-client) to help us analyze the traffic between our machine and Nmap's Nping echo server, to determine if there is a NAT device on the network. The argument after --ec corresponds to a secret passphrase known by the server, used to encrypt and authenticate the session.
The flag -c is used to specify how many iterations of packets must be sent.
There's more...
With Nping it is really simple to generate custom TCP packets. For example, to send a TCP SYN packet to port 80, use the following command:
# nping --tcp --flags syn -p80 -c 1 192.168.1.254
This will result in the following output:
SENT (0.0615s) TCP 192.168.1.102:33599 > 192.168.1.254:80 S ttl=64 id=21546 iplen=40 seq=2463610684 win=1480
RCVD (0.0638s) TCP 192.168.1.254:80 > 192.168.1.102:33599 SA ttl=254 id=30048 iplen=44 seq=457728000 win=1536 <mss 768>
Max rtt: 2.342ms | Min rtt: 2.342ms | Avg rtt: 2.342ms
Raw packets sent: 1 (40B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
Tx time: 0.00122s | Tx bytes/s: 32894.74 | Tx pkts/s: 822.37
Rx time: 1.00169s | Rx bytes/s: 45.92 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 1.14 seconds
Nping is a very powerful tool for traffic analysis and packet crafting. Take a moment to go through all of its options by using the following command:
$ nping -h
Nping Echo Protocol
To learn more about the Nping Echo Protocol visit http://nmap.org/svn/nping/docs/EchoProtoRFC.txt.
See also
The Finding live hosts in your network recipe
The Comparing scan results with Ndiff recipe
The Managing multiple scanning profiles with Zenmap recipe
The Monitoring servers remotely with Nmap and Ndiff recipe
The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information
The Spoofing the origin IP of a port scan recipe in Chapter 3, Gathering Additional Host Information
The Generating a network topology graph with Zenmap recipe in Chapter 8, Generating Scan Reports