Re: testing for IP address space leakage in NAT systems

From: Iván Arce (core.lists.pentest@core-sdi.com)
Date: Mon Jan 21 2002 - 15:44:54 PST


    Hi,
     this is just an idea, I haven't had time to actually test it, so...
    
    I would try using IP fragmentation or TCP reassembly tricks with protocols
    that require payload rewriting at the NAT device. An example of this would
    be FTP control messages.
    It proved useful to open holes through packet filtering firewalls with
    stateful inspection, so it might as well work for obtaining internal
    addresses.
    
    Pointers to related stuff:
    http://www.securityfocus.com/bid/1045
    
    Cool stuff presented by Tomas Lopatic, John MacDonald and Dug Song
    at BlackHat Briefings LV 2000:
    http://www.blackhat.com/presentations/bh-usa-00/Song-McDonald-Lopatic/Song_McDonald_lopatic.ppt
    
    FW-1
    http://www.securityfocus.com/bid/1054
    PIX
    http://www.securityfocus.com/bid/1877
    http://www.securityfocus.com/bid/1698
    
    then again, a simple email would be equally useful
    
    -ivan
    
    
    ---
    
    "Understanding. A cerebral secretion that enables one having it to know
     a house from a horse by the roof on the house. Its nature and laws have
     been exhaustively expounded by Locke, who rode a house, and Kant, who
     lived in a horse." - Ambrose Bierce
    
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    
    44 Wall Street - New York, NY 10005
    Ph: (212) 461-2345
    Fax: (212) 461-2346
    http://www.corest.com
    
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
    
    ----- Original Message -----
    From: R P G <core.lists.pentest@core-sdi.com>
    Newsgroups: core.lists.pentest
    To: <pen-testat_private>
    Sent: Monday, January 21, 2002 2:02 PM
    Subject: testing for IP address space leakage in NAT systems
    
    
    > I was wondering if anyone knows of a method to test a NAT system for
    > address space leakage.
    >
    > Thanks.
    >
    > --Bob
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    
    
    --- for a personal reply use: Iván Arce <ivan.arceat_private>
    
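    The test Ivan sketches above, written out as an added example (it is not code from the
    post, from Core, or from any of the advisories linked). The idea under test is that a NAT
    or stateful firewall rewrites the internal address inside an FTP PORT command, and that
    a rewriter which only looks at one TCP segment at a time misses a PORT command that has
    been split across two segments, so the RFC 1918 address reaches the outside host
    unchanged. The "NAT" in this script is a constructed per-segment rewriter that models
    that failure so the leak is visible offline; whether a given real device behaves like it
    is exactly what you would measure by pointing send_split() at a control connection that
    crosses the device and running detect_leak() on what the outside listener receives.
    The addresses 10.0.0.5 and 198.51.100.7 are constructed test values.

```python
"""FTP PORT-splitting leak test (added example, modelled on the idea in the post).

The per-segment rewriter below is a hypothetical model of a NAT ALG that inspects
each TCP segment on its own; it is here to show what a leak looks like, not a
claim about any particular product.
"""
import ipaddress
import re
import socket
import time

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2\r\n" (RFC 959), port = p1*256 + p2.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

# "Internal address space" for the purpose of this test: RFC 1918 only.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_port_command(ip: str, port: int) -> bytes:
    """10.0.0.5:1025 -> b'PORT 10,0,0,5,4,1\\r\\n'."""
    return f"PORT {','.join(ip.split('.'))},{port >> 8},{port & 0xFF}\r\n".encode()


def parse_port_command(data: bytes):
    """Return (ip, port) for the first complete PORT command in data, else None."""
    m = PORT_RE.search(data)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def split_command(cmd: bytes, cut: int) -> list:
    """Cut one command into two pieces that will travel as separate TCP segments."""
    return [cmd[:cut], cmd[cut:]]


def naive_nat_rewrite(segment: bytes, internal_ip: str, external_ip: str) -> bytes:
    """Constructed model of a rewriter that only sees the current segment.

    If a whole PORT command carrying the internal address fits in this segment
    it is rewritten to the external address; anything else is forwarded as-is.
    """
    parsed = parse_port_command(segment)
    if parsed is None or parsed[0] != internal_ip:
        return segment
    return build_port_command(external_ip, parsed[1])


def through_nat(segments, internal_ip: str, external_ip: str) -> bytes:
    """Bytes the outside host's TCP stack hands to the FTP server after reassembly."""
    return b"".join(naive_nat_rewrite(s, internal_ip, external_ip) for s in segments)


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_leak(reassembled: bytes):
    """Outside-side check: did a private address survive the trip through the NAT?"""
    parsed = parse_port_command(reassembled)
    if parsed is None:
        return None
    ip, port = parsed
    return {"ip": ip, "port": port, "leaked": is_rfc1918(ip)}


def send_split(sock: socket.socket, segments, gap: float = 0.2) -> None:
    """Push each piece as its own segment on a real FTP control connection.

    TCP_NODELAY stops the stack from coalescing the pieces; the pause gives the
    first segment time to leave before the second is queued.
    """
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    for seg in segments:
        sock.sendall(seg)
        time.sleep(gap)


def demo():
    """Run the same PORT command through the model NAT whole and split."""
    internal, external = "10.0.0.5", "198.51.100.7"  # constructed test addresses
    cmd = build_port_command(internal, 1025)
    whole = detect_leak(through_nat([cmd], internal, external))
    split = detect_leak(through_nat(split_command(cmd, 9), internal, external))
    return whole, split


if __name__ == "__main__":
    whole, split = demo()
    print("one segment :", whole)   # rewritten, no leak
    print("two segments:", split)   # internal address passes through
```

    Against a real device the only thing that changes is the transport: open the control
    connection from an inside host, complete the login, then call send_split() with the
    pieces and run detect_leak() on the bytes your outside listener receives. Vary the cut
    offset (before and after "PORT", inside the address digits) and the gap, since a device
    that buffers until it sees CRLF will pass a short gap but may not pass a long one, and
    repeat the same experiment with IP fragments if the device reassembles at layer 3 rather
    than at the TCP stream. A device that passes every variant has not been proven clean,
    only not caught by this probe.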
    



    This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 11:50:31 PST