August 27th, 2003, 01:35 AM
#27
gunit007,
I had not intended originally to go into detail but rather mention a few possibilities in response to the original question, however since you have brought up some good points I will respond:
YOUR COMMENT:
“also your IP can be found out even if you are using NAT/PAT, it's just tricky; sometimes the original packet is just "wrapped" in a new packet and payload inspection can reveal internal architecture”
MY RESPONSE:
If you are referring to the internal private IP that is NATted or PATted being somehow encapsulated in the data field, then your statement is incorrect. There is no such thing. The translation table remains in the router. You might be referring to VPN here, where the original IP header is encapsulated and tunneled through, not NAT or PAT.
- On the contrary, the statement is entirely correct. Sometimes a particular protocol is encapsulated in order to function properly with NAT. One example of this is UDP encapsulation for IKE/IPsec; granted, this traffic is encrypted, but that is not my point. Other software has used similar approaches to cope with problems with NAT.
see http://www.ietf.org/internet-drafts/...-encaps-06.txt
You will also note in my statement that this information leak can also be in the form of data about the originating host leaked by the source application, which will be in the payload; also, the number of hosts is possible to guess by analyzing the traffic.
see http://www.sflow.org/detectNAT/
http://www.research.att.com/~smb/papers/fnat.pdf
YOUR COMMENT:
“Because NAT/PAT uses the original source IP and port to create routing tables, this can make identifying how many hosts are behind the NAT/PATer possible if traffic can be sniffed at the router (once again this only applies to protocols with ports; for portless protocols PAT/NAT can be messy)”
MY RESPONSE:
Routing tables have nothing to do with NAT or PAT and have nothing to do with port numbers. Routing tables are created by the router through the process of acknowledging its interfaces are in an up state and through running some type of routing protocol (either static or dynamic).
- Once again the statement is correct, although I can possibly see that I misused "routing table" instead of "port mapping table" (I will point out you refer to it as a translation table, so... I believe we're even on that one.) but as I said it wasn't meant to be a technical essay, so I concede that point. As far as the notion that it does not have to do with port numbers, well, I'm not sure how you think NAT works without tables or ports, because that's exactly how it works.
see http://www.internet-sharing.com/nat_...perations.html
YOUR COMMENT:
“There is also DNS information to be considered as well as router quality and vulnerabilities.”
- The point is your hosts are not particularly hidden if your DNS server (often located outside a router or firewall) allows me to do a zone transfer or have free rein on the entries; a compromised DNS server will lead to a compromised network. As to the second half: improper handling of crafted packets by routers, or routers which fail open, etc. Owned routers also lead to owned networks.
YOUR COMMENT:
“Also the MAC address is mapped to an IP using ARP and other tables which can be poisoned or manipulated to "steal" or obtain an IP on the internal network (man in the middle attacks use this frequently)”
MY RESPONSE:
I don’t follow you here either. Data link connections are established locally. Any MAC on the internal LAN stays within the internal LAN. The MAC of an internal user will never be seen behind a router.
- Although it requires a machine with an interface on the LAN, the amount of trouble which can be caused here is immense. Since most 802.11 devices act as MAC bridges I think this is a very real threat; also a compromised DNS machine or anything in a DMZ would do nicely to abuse ARP.
see http://www.watchguard.com/infocenter...ial/135324.asp
see http://www.securityfocus.com/bid/3460/discussion/
And lastly, no, I admit MAC cloning is not particularly related; only that I saw someone comment on them being unique, and I merely stated you cannot rely on that.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier