Re: Discovering hosts behind NAT

From: Alex Butcher (alexat_private)
Date: Wed May 23 2001 - 03:51:15 PDT


    Franklin DeMatto wrote:
    > How can hosts which are using RFC 1918 non-routed ip's be discovered and 
    > contacted?
    
    Unless you have control of all intermediate routing devices (i.e. ISP
    routers etc.) then the simple answer is "they can't".
    
    However...
    
    > Scenario:
    > 
    > A DNS Zone transfer, as well as usenet searches, indicate usage of RFC 1918 
    > addresses for a certain domain name (let's call it internal.company.com).
    > 
    > Traceroute shows that all known hosts in company.com's net block go directly 
    > from the isp's router to the host (ie w/o any intermediate gateways or 
    > firewalls).
    > 
    > The basic function and OS of each host in the net block is known.  It does 
    > not appear that there are any "secret" hosts, as when any address in the 
    > subnet that is not accounted for is pinged, the ISP's router responds with 
    > ICMP Host Unreachable.
    > 
    > There are two known network devices: a cisco, which seems totally silent, 
    > and a wellfleet router.
    > 
    > One would conclude that one of these is being used for NAT for 
    > internal.company.com - but where do I go from here.
    
    ...using this information, strategies I would suggest would include:
    
    - compromising the cisco or the wellfleet and, if they provide common
    utilities (telnet, tftp, ftp etc) using them as a springboard into the
    RFC1918-addressed portion of the target's network. Of course, if they
    aren't answering to internet-sourced connection requests you're out of
    luck. If you knew that they accepted telnet connections from, say,
    192.168.1.1 then you could try a blind spoofing attack on telnet...
    
    - compromising a non-RFC1918-addressed host on the target's network and
    exploring to see if routing is configured to allow /this/ to be a
    springboard. I would currently suggest a UNIX box or a Win2K/IIS5
    SP0/SP1 host (vulnerable to the ISAPI .printer exploit) as being
    valuable target hosts. 
    
    > (In general, how would I find more about the function of these devices?)
    
    It sounds as though you've done as much as you can so far (by your
    "footprinting" work); if properly configured, it should be hard to
    determine what addressing scheme is in use internally; you've already
    done that. :)
    
    > Thanks in advance,
    > Franklin DeMatto
    
    Best Regards,
    Alex.
    -- 
    Alex Butcher                                      PGP/GnuPG Key IDs:
    Consultant, S3 Systems Security Services          alex@s3       B7709088
    PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE
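As an added example, not part of the thread, here is the defender-side check for the leak Franklin's footprinting relied on: auditing a zone's A records for RFC 1918 addresses that have no business in publicly served DNS. The zone text, host names and addresses are constructed for the example (company.example, 198.51.100.0/24 documentation space).

```python
import ipaddress
import re

# The three RFC 1918 blocks, matched explicitly rather than by string prefix
# (so 172.32.0.1, which is NOT private, is not flagged).
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of zone-transfer (AXFR) output in BIND presentation
# format; every name and address below is invented for this example.
SAMPLE_ZONE = """\
$ORIGIN company.example.
@                   3600 IN SOA ns1.company.example. hostmaster.company.example. 2001052301 7200 3600 1209600 3600
@                   3600 IN NS  ns1.company.example.
ns1                 3600 IN A   198.51.100.2
www                 3600 IN A   198.51.100.10
mail                3600 IN A   198.51.100.11
fileserver.internal 3600 IN A   192.168.1.20
intranet.internal   3600 IN A   10.0.5.7
printer.internal    3600 IN A   172.16.4.9
dev                 3600 IN A   172.32.0.1
"""

# owner [ttl] [IN] A address  (TTL and class are optional in zone files)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$")


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP literal at all
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def find_leaked_private_records(zone_text: str):
    """Return (owner, address) for each A record that points into RFC 1918 space.

    Any such record in a public zone tells an outsider which internal
    addressing scheme is in use, which is exactly the leak the thread describes.
    """
    leaks = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if m and is_rfc1918(m.group(2)):
            leaks.append((m.group(1), m.group(2)))
    return leaks
```

Run it against real AXFR or zone-file output from your own authoritative servers; every hit is a record to move into a split-horizon internal view or delete.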
    
    This archive was generated by hypermail 2b30 : Wed May 23 2001 - 17:26:31 PDT