Security Basics mailing list archives
RE: scanning NATed network question
From: "Amin Tora" <atora () EPLUS com>
Date: Tue, 18 May 2004 10:56:38 -0400
Interesting... Would be nice to see this tool as I find this hard to believe :-D

If the device is performing one-to-one NAT and allows inbound traffic per its policies, then yes it would seem that you would be able to scan a NAT'ed network.

Otherwise, if the device is performing hide nat on the network {i.e. NAT + PAT} it would be extremely difficult to perform this form of reconnaissance attack - especially if we assume that the NAT device is also enforcing security policies:

A. You would have to guess the exact communication state of the internal device that is communicating through the NAT'ed device {i.e. as if you are trying to hijack a session, but in actuality you are only scanning}

   1. For ICMP packets you would have to guess the exact message request type and the NAT'ed device's expected response - or allowed ICMP error responses

   2. For TCP/UDP traffic you would have to guess the exact source/destination IP addresses and you also have to know the exact source/destination ports. In addition, you would have to be spoofing the source IP of your crafted packets since the device only NAT's from the expected remote end node. Also, you would need to be guessing the exact TCP sequence number or be within the allowed TCP window offset (for TCP).

B. Since you are spoofing packets, you would need to be doing this type of attack from a system that has access to sniffing packets off the wire so you can actually see the responses, unless you are using an indirect method via counting of IP ID's of the system's IP you are spoofing... Which is statistically based and very difficult... :-D

All this becomes very very difficult if the NAT device is enforcing security policies as well as performing intrusion prevention measures {i.e. TCP sequence spoofing, IP ID spoofing, TTL spoofing, etc...}.

Good luck...

Amin Tora, CISSP, CHSP
Security Consultant
ePlus Technology Inc.
13595 Dulles Technology Drive
Herndon, VA 20171
office: 703-793-1330
cell: 703-675-0738
web: http://www.eplustechnology.com
email: atora-at-eplus.com

**NOTICE**
------------------------------------------
THE INFORMATION CONTAINED IN THIS ELECTRONIC TRANSMISSION AND ANY ATTACHMENTS HERETO IS CONSIDERED PROPRIETARY AND CONFIDENTIAL. DISTRIBUTION OF THIS MATERIAL TO ANYONE OTHER THAN THE ADDRESSED IS PROHIBITED. ANY DISCLOSURE, COPYING, DISTRIBUTION OR USE OF THE CONTENTS OF THIS TRANSMISSION OR ANY ATTACHMENTS HERETO FOR ANY REASON OTHER THAN THEIR INTENDED PURPOSE IS PROHIBITED. IF YOU HAVE RECEIVED THIS TRANSMISSION IN ERROR, PLEASE CONTACT THE SENDER.
------------------------------------------

-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Sent: Monday, May 17, 2004 1:12 PM
To: lepka () ukr net; security-basics () securityfocus com
Subject: Re: scanning NATed network question

Yesh, there is, but is difficult to find. Look for a patched version of NMAP called "Cronos", which will enable you to traverse a NAT'ed firewall. ;)

Cheers.

Bob Radvanovsky [/unixworks]
"knowledge squared is information shared."
rsradvan(at)unixworks(dot)net

----- Original Message -----
From: <lepka () ukr net>
To: <security-basics () securityfocus com>
Sent: Saturday, May 15, 2004 12:55 AM
Subject: scanning NATed network question
Is it possible to scan a NATed network using nmap or other tool?

Thanks,
Scyth
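The state-matching argument in Amin's reply (point A.2: source/destination addresses, ports and, for TCP, the sequence window all have to line up with an existing outbound flow) can be made concrete with a small model of a hide-NAT (NAT + PAT) translation table. This is an added illustration written for this archive page, not code from any list participant or from any NAT product; the addresses, ports and window size are constructed sample values, and the model deliberately ignores timeouts, ICMP handling and the IP ID side channel mentioned in point B.

```python
"""Toy model of a 'hide NAT' (NAT + PAT) state table.

Shows why an inbound packet, a scan probe included, is only forwarded to an
internal host when it matches a flow that host itself opened, on every field
the device tracks. Constructed example; not any real NAT implementation.
"""
from dataclasses import dataclass, field
import itertools


@dataclass(frozen=True)
class Flow:
    """Five-tuple of an outbound connection as seen from the inside."""
    proto: str       # "tcp" or "udp"
    int_ip: str      # internal host address
    int_port: int    # internal host source port
    ext_ip: str      # remote end node the internal host talked to
    ext_port: int    # remote port


@dataclass
class Translation:
    public_port: int       # port the device picked on its public address
    next_seq: int = 0      # next TCP sequence number expected from the remote end
    window: int = 65535    # acceptable TCP sequence window (assumed size)


@dataclass
class HideNat:
    public_ip: str
    table: dict = field(default_factory=dict)  # Flow -> Translation
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    dropped: list = field(default_factory=list)  # audit trail of rejected packets

    def outbound(self, flow, seq=0):
        """An internal host sends a packet: create (or reuse) a mapping."""
        tr = self.table.get(flow)
        if tr is None:
            tr = Translation(public_port=next(self._ports), next_seq=seq)
            self.table[flow] = tr
        return tr.public_port

    def inbound(self, proto, src_ip, src_port, dst_port, seq=None):
        """A packet arrives on the public side.

        It is forwarded only if protocol, remote address, remote port and the
        public port all match a flow an internal host created; for TCP the
        sequence number must additionally fall inside the tracked window.
        Returns the internal (ip, port) it would be forwarded to, or None.
        """
        for flow, tr in self.table.items():
            if (flow.proto == proto and flow.ext_ip == src_ip
                    and flow.ext_port == src_port and tr.public_port == dst_port):
                if proto == "tcp" and seq is not None:
                    if not (tr.next_seq <= seq < tr.next_seq + tr.window):
                        self.dropped.append(("seq-out-of-window", src_ip, src_port, dst_port, seq))
                        return None
                return (flow.int_ip, flow.int_port)
        self.dropped.append(("no-state", src_ip, src_port, dst_port, seq))
        return None


def demo():
    """Run a few constructed packets through the table and report outcomes."""
    nat = HideNat("203.0.113.1")
    results = {}

    # Internal client 10.0.0.5:51000 opens a TCP connection to 198.51.100.7:443.
    flow = Flow("tcp", "10.0.0.5", 51000, "198.51.100.7", 443)
    pub_port = nat.outbound(flow, seq=1000)

    # Legitimate reply from the remote end node: every field matches.
    results["reply"] = nat.inbound("tcp", "198.51.100.7", 443, pub_port, seq=1000)
    # Same public port, but from a different source address: no state.
    results["probe_other_src"] = nat.inbound("tcp", "192.0.2.9", 443, pub_port, seq=1000)
    # Correct addresses and ports, sequence number far outside the window.
    results["probe_bad_seq"] = nat.inbound("tcp", "198.51.100.7", 443, pub_port, seq=5_000_000)
    # Public port with no mapping at all.
    results["probe_no_mapping"] = nat.inbound("tcp", "198.51.100.7", 443, pub_port + 1, seq=1000)

    # UDP has no sequence number, but the address/port tuple still must match.
    uflow = Flow("udp", "10.0.0.6", 53001, "198.51.100.53", 53)
    upub = nat.outbound(uflow)
    results["udp_reply"] = nat.inbound("udp", "198.51.100.53", 53, upub)
    results["udp_probe"] = nat.inbound("udp", "198.51.100.53", 5353, upub)

    return results, nat.dropped


if __name__ == "__main__":
    res, dropped = demo()
    for name, outcome in res.items():
        print(f"{name:18s} -> {'forwarded to ' + str(outcome) if outcome else 'dropped'}")
    print("drop log:", dropped)
```

The `dropped` list is the defender's view: on a real device the equivalent is the "no matching state" counter or log, and a burst of such drops against a single public port is the signature a scan of a hide-NAT network leaves behind, regardless of whether any guess happens to land.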
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------