Security Basics mailing list archives

RE: scanning NATed network question


From: "Amin Tora" <atora () EPLUS com>
Date: Tue, 18 May 2004 10:56:38 -0400


Interesting... Would be nice to see this tool as I find this hard to
believe   :-D

If the device is performing one-to-one NAT and allows inbound traffic
per its policies, then yes it would seem that you would be able to scan
a NAT'ed network.  Otherwise, if the device is performing hide nat on
the network {i.e. NAT + PAT} it would be extremely difficult to perform
this form of reconnaissance attack - especially if we assume that the
NAT device is also enforcing security policies:

A. You would have to guess the exact communication state of the internal
device that is communicating through the NAT'ed device {i.e. as if you
are trying to hijack a session, but in actuality you are only scanning}

        1. For ICMP packets you would have to guess the exact message
request type and the NAT'ed device's expected response - or allowed ICMP
error responses

        2. For TCP/UDP traffic you would have to guess the exact
source/destination IP addresses and you also have to know the exact
source/destination ports.  In addition, you would have to be spoofing
the source IP of your crafted packets since the device only NATs from
the expected remote end node.  Also, you would need to be guessing the
exact TCP sequence number or be within the allowed TCP window offset
(for TCP).

B. Since you are spoofing packets, you would need to be doing this type
of attack from a system that has access to sniffing packets off the wire
so you can actually see the responses, unless you are using an indirect
method via counting of IP IDs of the system's IP you are spoofing...
Which is statistically based and very difficult...  :-D


All this becomes very very difficult if the NAT device is enforcing
security policies as well as performing intrusion prevention measures
{i.e. TCP sequence spoofing, IP ID spoofing, TTL spoofing, etc...}.


Good luck...


Amin Tora, CISSP, CHSP
Security Consultant
ePlus Technology Inc.
13595 Dulles Technology Drive
Herndon, VA 20171
office: 703-793-1330
cell: 703-675-0738
web: http://www.eplustechnology.com
email: atora-at-eplus.com

**NOTICE**
------------------------------------------
THE INFORMATION CONTAINED IN THIS ELECTRONIC TRANSMISSION AND ANY
ATTACHMENTS HERETO IS CONSIDERED PROPRIETARY AND CONFIDENTIAL.
DISTRIBUTION OF THIS MATERIAL TO ANYONE OTHER THAN THE ADDRESSED IS
PROHIBITED. ANY DISCLOSURE, COPYING, DISTRIBUTION OR USE OF THE CONTENTS
OF THIS TRANSMISSION OR ANY ATTACHMENTS HERETO FOR ANY REASON OTHER THAN
THEIR INTENDED PURPOSE IS PROHIBITED. IF YOU HAVE RECEIVED THIS
TRANSMISSION IN ERROR, PLEASE CONTACT THE SENDER.
------------------------------------------
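To make the state-matching argument in the message above concrete, here is an added example (not part of the thread) that models a hide-NAT connection-tracking table in Python: an inside host's outbound flow creates a mapping, and an inbound packet is forwarded only when its source IP, source port and public destination port match that mapping and its ACK falls inside the tracked window, otherwise it is dropped. PUBLIC_IP, TCP_WINDOW and every address and port number are constructed values.

```python
"""Toy model of a hide-NAT (NAT + PAT) connection-tracking table.
Added example, not from the thread; all values below are constructed."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"   # constructed: outside address of the NAT device
TCP_WINDOW = 65535          # constructed: acceptable ACK range for return traffic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int


class HideNat:
    """Translates outbound flows; admits only matching return traffic."""

    def __init__(self):
        self._next_port = 40000
        # (remote_ip, remote_port, public_port) -> (inside_ip, inside_port, next_seq)
        self._table = {}

    def outbound(self, pkt):
        """Inside host opens a flow: allocate a public port, record the state."""
        public_port = self._next_port
        self._next_port += 1
        key = (pkt.dst_ip, pkt.dst_port, public_port)
        self._table[key] = (pkt.src_ip, pkt.src_port, pkt.seq + 1)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port, pkt.seq, pkt.ack)

    def inbound(self, pkt):
        """Return the untranslated packet for the inside host, or None if dropped.

        A packet is forwarded only if its source IP/port and destination port
        match an existing flow and its ACK falls inside the tracked window,
        which is exactly the state an outside scanner would have to guess.
        """
        state = self._table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if state is None or pkt.dst_ip != PUBLIC_IP:
            return None
        inside_ip, inside_port, next_seq = state
        if not next_seq <= pkt.ack < next_seq + TCP_WINDOW:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.seq, pkt.ack)
```

A real device also tracks direction-specific sequence numbers and ages entries out; the model keeps only the fields needed to show why an unsolicited probe to the public address finds no matching state.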




-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net] 
Sent: Monday, May 17, 2004 1:12 PM
To: lepka () ukr net; security-basics () securityfocus com
Subject: Re: scanning NATed network question

Yes, there is, but it is difficult to find.  Look for a patched version of
NMAP called "Cronos", which will enable you to traverse a NAT'ed
firewall.
;)

Cheers.

Bob Radvanovsky [/unixworks]
"knowledge squared is information shared."
rsradvan(at)unixworks(dot)net

----- Original Message -----
From: <lepka () ukr net>
To: <security-basics () securityfocus com>
Sent: Saturday, May 15, 2004 12:55 AM
Subject: scanning NATed network question




Is it possible to scan a NATed network using nmap or other tool?

Thanks, Scyth


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

