Franklin DeMatto wrote:
> How can hosts which are using RFC 1918 non-routed IPs be discovered and
> contacted?
Unless you have control of all intermediate routing devices (i.e. ISP
routers etc.) then the simple answer is "they can't".
However...
> Scenario:
>
> A DNS Zone transfer, as well as usenet searches, indicate usage of RFC 1918
> addresses for a certain domain name (let's call it internal.company.com).
>
> Traceroute shows that all known hosts in company.com's net block go directly
> from the isp's router to the host (ie w/o any intermediate gateways or
> firewalls).
>
> The basic function and OS of each host in the net block is known. It does
> not appear that there are any "secret" hosts, as when any address in the
> subnet that is not accounted for is pinged, the ISP's router responds with
> ICMP Host Unreachable.
>
> There are two known network devices: a cisco, which seems totally silent,
> and a wellfleet router.
>
> One would conclude that one of these is being used for NAT for
> internal.company.com - but where do I go from here?
...using this information, strategies I would suggest would include:
- compromising the cisco or the wellfleet and, if they provide common
utilities (telnet, tftp, ftp etc) using them as a springboard into the
RFC1918-addressed portion of the target's network. Of course, if they
aren't answering to internet-sourced connection requests you're out of
luck. If you knew that they accepted telnet connections from, say,
192.168.1.1 then you could try a blind spoofing attack on telnet...
- compromising a non-RFC1918-addressed host on the target's network and
exploring to see if routing is configured to allow /this/ to be a
springboard. I would currently suggest a UNIX box or a Win2K/IIS5
SP0/SP1 host (vulnerable to the ISAPI .printer exploit) as being
valuable target hosts.
> (In general, how would I find more about the function of these devices?)
It sounds as though you've done as much as you can so far (by your
"footprinting" work); if properly configured, it should be hard to
determine what addressing scheme is in use internally; you've already
done that. :)
> Thanks in advance,
> Franklin DeMatto
Best Regards,
Alex.
--
Alex Butcher
Consultant, S3 Systems Security Services
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp
PGP/GnuPG Key IDs: alex_at_s3 B7709088, alex.butcher@ 885BA6CE
Received on May 24 2001
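The footprinting step Franklin describes, noticing that a zone transfer exposes RFC 1918 addresses under a sub-zone, is easy to automate. The script below is an added example and is not code from either poster: it parses A records from zone-transfer style output, separates public from RFC 1918 addresses, and names the sub-zones that carry private addresses. The zone data is constructed for the example (203.0.113.0/24 is a documentation range standing in for the target's real netblock); the host names, the `parse_a_records`, `classify` and `leaked_subzones` helpers, and the 172.16/12 and 10/8 entries are all assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample zone-transfer output (hypothetical records, not from the thread).
SAMPLE_ZONE = """\
company.com.                   3600 IN SOA  ns1.company.com. hostmaster.company.com. 2001052401 3600 900 604800 86400
company.com.                   3600 IN NS   ns1.company.com.
ns1.company.com.               3600 IN A    203.0.113.10
www.company.com.               3600 IN A    203.0.113.20
mail.company.com.              3600 IN A    203.0.113.25
gw.company.com.                3600 IN A    203.0.113.1
fw.internal.company.com.       3600 IN A    192.168.1.1
fileserv.internal.company.com. 3600 IN A    192.168.1.10
pdc.internal.company.com.      3600 IN A    10.1.0.5
printer.internal.company.com.  3600 IN A    172.16.4.7
"""

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner  TTL  IN  A  dotted-quad  (only A records; SOA/NS/MX lines do not match)
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_a_records(zone_text):
    """Return a list of (owner_name, IPv4Address) for every A record in the text."""
    records = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), ipaddress.ip_address(m.group(2))))
    return records


def is_rfc1918(addr):
    """True if the address (string or IPv4Address) falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)


def classify(records):
    """Split records into public ones and private ones grouped by RFC 1918 block."""
    public, private = [], {}
    for name, addr in records:
        if is_rfc1918(addr):
            block = next(str(n) for n in RFC1918 if addr in n)
            private.setdefault(block, []).append((name, str(addr)))
        else:
            public.append((name, str(addr)))
    return public, private


def leaked_subzones(records):
    """Parent domains (owner name minus its first label) of hosts with private addresses.

    In the thread's scenario this is what points at internal.company.com being
    the NATed part of the network.
    """
    return {name.split(".", 1)[1] for name, addr in records if is_rfc1918(addr)}


def report(zone_text):
    """Human-readable summary of what the zone leaks about internal addressing."""
    records = parse_a_records(zone_text)
    public, private = classify(records)
    lines = ["Public hosts (%d):" % len(public)]
    lines += ["  %-32s %s" % (n, a) for n, a in public]
    for block, hosts in sorted(private.items()):
        lines.append("RFC 1918 hosts in %s (%d):" % (block, len(hosts)))
        lines += ["  %-32s %s" % (n, a) for n, a in hosts]
    lines.append("Sub-zones using private addressing: " + ", ".join(sorted(leaked_subzones(records))))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ZONE))
```

Run against real zone output (e.g. the text of a successful AXFR) the same functions tell you which sub-zones an administrator has populated with private addresses, which is the evidence that a NAT device sits between those hosts and the Internet.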