Penetration Testing mailing list archives
Re: Discovering hosts behind NAT
From: Alex Butcher <alex () s3 integralis co uk>
Date: Wed, 23 May 2001 11:51:15 +0100
Franklin DeMatto wrote:
> How can hosts which are using RFC 1918 non-routed IPs be discovered and contacted?

Unless you have control of all intermediate routing devices (i.e. ISP routers etc.) then the simple answer is "they can't". However...

> Scenario: A DNS zone transfer, as well as Usenet searches, indicate usage of RFC 1918 addresses for a certain domain name (let's call it internal.company.com). Traceroute shows that all known hosts in company.com's net block go directly from the ISP's router to the host (i.e. w/o any intermediate gateways or firewalls). The basic function and OS of each host in the net block is known. It does not appear that there are any "secret" hosts, as when any address in the subnet that is not accounted for is pinged, the ISP's router responds with ICMP Host Unreachable. There are two known network devices: a Cisco, which seems totally silent, and a Wellfleet router. One would conclude that one of these is being used for NAT for internal.company.com - but where do I go from here?

...using this information, strategies I would suggest would include:

- compromising the Cisco or the Wellfleet and, if they provide common utilities (telnet, tftp, ftp etc.), using them as a springboard into the RFC 1918-addressed portion of the target's network. Of course, if they aren't answering to internet-sourced connection requests you're out of luck. If you knew that they accepted telnet connections from, say, 192.168.1.1 then you could try a blind spoofing attack on telnet...

- compromising a non-RFC 1918-addressed host on the target's network and exploring to see if routing is configured to allow /this/ to be a springboard. I would currently suggest a UNIX box or a Win2K/IIS5 SP0/SP1 host (vulnerable to the ISAPI .printer exploit) as being valuable target hosts.

> (In general, how would I find more about the function of these devices?)

It sounds as though you've done as much as you can so far (by your "footprinting" work); if properly configured, it should be hard to determine what addressing scheme is in use internally; you've already done that. :)

> Thanks in advance,
> Franklin DeMatto

Best Regards,
Alex.
--
Alex Butcher                                       PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services           alex@s3         B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp   alex.butcher@   885BA6CE
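The footprinting step in the quoted scenario (a zone transfer that leaks RFC 1918 addresses for internal.company.com) is worth automating when the zone is large. The script below is an added example written for this archive page, not code from the thread or from either poster. It parses dig-style AXFR output, flags A and PTR records whose addresses fall in the three RFC 1918 ranges, and groups the hits by /24 so candidate internal subnets stand out. The zone lines embedded in it are constructed sample data; internal.company.com is the thread's placeholder domain and every host name and address under it is invented.

```python
"""Flag RFC 1918 addresses in zone-transfer (AXFR) output.

Added example, not from the original thread. The zone records in
SAMPLE_ZONE are constructed sample input, not real data.
"""
import ipaddress
import re
from collections import defaultdict

# Only the three RFC 1918 ranges. ipaddress's is_private is broader
# (loopback, link-local, documentation nets), so they are listed here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# dig-style record line: owner TTL IN TYPE rdata (A and PTR only)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|PTR)\s+(\S+)\s*$")

# Constructed sample AXFR output (hypothetical hosts and addresses).
SAMPLE_ZONE = """\
; <<>> DiG 9.1.0 <<>> @ns1.company.com company.com axfr
company.com.              3600 IN SOA ns1.company.com. hostmaster.company.com. 2001052201 3600 900 604800 86400
www.company.com.          3600 IN A   198.51.100.10
mail.company.com.         3600 IN A   198.51.100.25
fw.internal.company.com.  3600 IN A   192.168.1.1
db1.internal.company.com. 3600 IN A   10.1.2.15
db2.internal.company.com. 3600 IN A   10.1.2.16
nt.internal.company.com.  3600 IN A   172.20.0.7
15.2.1.10.in-addr.arpa.   3600 IN PTR db1.internal.company.com.
"""


def rfc1918_net(ip):
    """Return the RFC 1918 network containing ip, or None if it is routable."""
    addr = ipaddress.ip_address(ip)
    for net in RFC1918:
        if addr in net:
            return net
    return None


def ptr_to_ip(owner):
    """Turn d.c.b.a.in-addr.arpa. into the IPv4 address a.b.c.d, or None."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$", owner, re.I)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def find_private_hosts(zone_text):
    """Yield (name, ip) for every A or PTR record pointing into RFC 1918 space."""
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # comments, SOA, MX, etc. are not of interest here
        owner, rtype, rdata = m.groups()
        if rtype == "A":
            name, ip = owner, rdata
        else:  # PTR: the address is encoded in the owner name
            ip = ptr_to_ip(owner)
            name = rdata
            if ip is None:
                continue
        if rfc1918_net(ip) is not None:
            yield name.rstrip("."), ip


def summarize(zone_text):
    """Group leaked private hosts by /24 so internal subnets stand out.

    Returns {"10.1.2.0/24": [(name, ip), ...], ...} with sorted keys and
    values; a host seen via both A and PTR records is listed once.
    """
    subnets = defaultdict(set)
    for name, ip in find_private_hosts(zone_text):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        subnets[str(net)].add((name, ip))
    return {k: sorted(v) for k, v in sorted(subnets.items())}


if __name__ == "__main__":
    for subnet, hosts in summarize(SAMPLE_ZONE).items():
        print(subnet)
        for name, ip in hosts:
            print(f"  {ip:<15} {name}")
```

In practice you would feed it the saved output of `dig @ns1.company.com company.com axfr` (and the in-addr.arpa zone, if that transfers too); the PTR handling is there because reverse zones often leak internal names even when the forward zone is split.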
Current thread:
- Discovering hosts behind NAT Franklin DeMatto (May 22)
- Re: Discovering hosts behind NAT Javier Fernandez-Sanguino Peña (May 23)
- Re: Discovering hosts behind NAT Alex Butcher (May 23)
- Re: Discovering hosts behind NAT Wolfgang Zenker (May 25)
- <Possible follow-ups>
- Re: Discovering hosts behind NAT Test Working (May 24)
- RE: Discovering hosts behind NAT Dawes, Rogan (ZA - Johannesburg) (May 24)