Penetration Testing mailing list archives

Re: Discovering hosts behind NAT


From: Alex Butcher <alex () s3 integralis co uk>
Date: Wed, 23 May 2001 11:51:15 +0100

Franklin DeMatto wrote:
How can hosts which are using RFC 1918 non-routed IPs be discovered and 
contacted?

Unless you have control of all intermediate routing devices (i.e. ISP
routers etc.) then the simple answer is "they can't".

However...

Scenario:

A DNS zone transfer, as well as Usenet searches, indicate usage of RFC 1918 
addresses for a certain domain name (let's call it internal.company.com).

Traceroute shows that all known hosts in company.com's net block go directly 
from the ISP's router to the host (i.e. w/o any intermediate gateways or 
firewalls).

The basic function and OS of each host in the net block is known.  It does 
not appear that there are any "secret" hosts, as when any address in the 
subnet that is not accounted for is pinged, the ISP's router responds with 
ICMP Host Unreachable.

There are two known network devices: a Cisco, which seems totally silent, 
and a Wellfleet router.

One would conclude that one of these is being used for NAT for 
internal.company.com - but where do I go from here?

...using this information, strategies I would suggest would include:

- compromising the Cisco or the Wellfleet and, if they provide common
utilities (telnet, tftp, ftp etc) using them as a springboard into the
RFC1918-addressed portion of the target's network. Of course, if they
aren't answering to internet-sourced connection requests you're out of
luck. If you knew that they accepted telnet connections from, say,
192.168.1.1 then you could try a blind spoofing attack on telnet...

- compromising a non-RFC1918-addressed host on the target's network and
exploring to see if routing is configured to allow /this/ to be a
springboard. I would currently suggest a UNIX box or a Win2K/IIS5
SP0/SP1 host (vulnerable to the ISAPI .printer exploit) as being
valuable target hosts.

(In general, how would I find more about the function of these devices?)

It sounds as though you've done as much as you can so far (by your
"footprinting" work); if properly configured, it should be hard to
determine what addressing scheme is in use internally; you've already
done that. :)

Thanks in advance,
Franklin DeMatto

Best Regards,
Alex.
-- 
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3       B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE
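The footprinting step Franklin describes (spotting RFC 1918 addresses in zone transfer output and working out which internal subnets they imply) is easy to automate. The following is an added example, not code from either poster: it parses BIND-style A records from a constructed zone transfer excerpt (all names and addresses below are made up), separates public from RFC 1918 addresses using the three ranges explicitly rather than a generic "is private" test, and groups the leaked addresses by /24 so you can see the internal addressing scheme at a glance.

```python
import ipaddress
import re
from collections import defaultdict

# The three RFC 1918 blocks. Checked explicitly rather than via
# IPv4Address.is_private, which also matches 100.64/10, loopback etc.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of what a zone transfer from a leaky zone might
# return. Hostnames and addresses are invented for this example.
SAMPLE_ZONE = """\
; constructed example, not a real zone
company.com.            3600  IN  SOA  ns1.company.com. hostmaster.company.com. 2001052301 3600 900 604800 3600
company.com.            3600  IN  NS   ns1.company.com.
ns1.company.com.        3600  IN  A    203.0.113.10
www.company.com.        3600  IN  A    203.0.113.20
mail.company.com.       3600  IN  A    203.0.113.25
fw.internal.company.com.         3600 IN A 192.168.1.1
intranet.internal.company.com.   3600 IN A 192.168.1.50
fileserver.internal.company.com. 3600 IN A 10.10.5.12
printer.internal.company.com.    IN A 10.10.5.200
"""

# name [ttl] [class] A address  (ttl and class are optional in zone syntax)
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.IGNORECASE,
)


def parse_a_records(zone_text):
    """Return a list of (owner name, IPv4Address) for every A record."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # SOA, NS, MX etc. are not of interest here
        try:
            addr = ipaddress.IPv4Address(m.group("addr"))
        except ValueError:
            continue  # e.g. an octet > 255; skip malformed data
        records.append((m.group("name").rstrip(".").lower(), addr))
    return records


def is_rfc1918(addr):
    """True if addr falls inside 10/8, 172.16/12 or 192.168/16."""
    return any(addr in net for net in RFC1918)


def find_private_leaks(zone_text):
    """Split the zone's A records into (public, rfc1918) lists of (name, ip)."""
    public, private = [], []
    for name, addr in parse_a_records(zone_text):
        (private if is_rfc1918(addr) else public).append((name, str(addr)))
    return public, private


def internal_subnets(zone_text, prefixlen=24):
    """Group leaked RFC 1918 addresses by /prefixlen, with the names in each."""
    groups = defaultdict(list)
    for name, addr in parse_a_records(zone_text):
        if is_rfc1918(addr):
            net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
            groups[str(net)].append(name)
    return dict(groups)


if __name__ == "__main__":
    pub, priv = find_private_leaks(SAMPLE_ZONE)
    print(f"{len(pub)} public, {len(priv)} RFC 1918 A records")
    for name, addr in priv:
        print(f"  leaked: {name} -> {addr}")
    for net, names in sorted(internal_subnets(SAMPLE_ZONE).items()):
        print(f"  internal subnet {net}: {', '.join(names)}")
```

Feed it the saved output of a zone transfer (or any zone-file text) and the subnet summary gives you the same picture Franklin built by hand: which RFC 1918 ranges are in use and which named hosts sit in each. The same records are also the first thing to check when you control a springboard host, since they tell you which internal addresses to try from it.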

