Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Detecting NAT devices!!!

  1. #1
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901

    Exclamation Detecting NAT devices!!!

    Hello everyone,

    once again i was in a chat room with a couple of buddies, and one of em mentioned something that i really would like to share with you people here.


    Unauthorized NAT (Network Address Translation) devices can be a significant security problem. Typically the NAT device will appear to the network administrator as an end host and it will authenticate itself onto the network. However, the NAT device provides unrestricted access to any number of hosts connecting to it directly, or more troublingly via wireless (Wi-Fi 802.11). Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building.
    I really recomend that you take a look at the full source which can be found HERE!

    There is also a possible work around mentioned on the site.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I know, its crazy, isn't it?

    Check out this paper too.

    http://www.research.att.com/~smb/papers/fnat.pdf
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Typically the NAT device will appear to the network administrator as an end host
    Yes, this is correct, however, a skilled admin/security professional can spot these pests by examining open ports on the device and on occasion, the hostname that it reports. Typically, they look to be routers or print servers that have the standard ports 21,80 and 23 open. This method isn't fool proof but it is effective none the less.

    Also, Nessus can find Wifi access points pretty easily. It basically tries to do an OS fingerprint which as you know can be problematic at times.

    Isn't networking fun?


    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Junior Member
    Join Date
    May 2003
    Posts
    2
    yaaaaaaaaaaa.....fun
    [pong]eViL....Is CoMiNg[/pong]

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Horse: I'm pretty sure that a sophisticated user would be able to use the functions of the device to MAC spoof and provide a valid FQDN. Then by carefully forwarding the appropriate ports to an internal machine and blocking others they could make it very difficult indeed to determine that anything other than a PC is sat there. Certainly, an admin with a substantial amount of PC's on a network would not have time to check his network in that way.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Tiger,

    Yep, welcome to my nightmare

    We have a few methods to ferret out devices like this but like I always say, network security is like a sun roof on a Yugo, eventually there's gonna be a leak!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Horse:

    Intimidation is the key my friend..... There isn't a user in the 650 on my network that would dare to try to pop a wireless or other device on my network...... See, they are quite confident I _will_ find it and they are even more confident that we will be discussing it - well, ok.... discussion may not be the right word...... It's more of a monologue and they don't get to say much.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Well the word is out at our place too. We have 10k users and every once in a while one of them will get sneaky and try to throw a wifi device up but we *always* catch them

    Remember scooby doo? "We would have gotten away with it if it wasn't for those damn kids."

    LOL!!!

    Anyway, that's usually the reaction we get.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    This paper is quite interesting.

    I would just suggest that a traceroute achieves the NAT device detection as well(provided NAT device decrements the TTL).
    Windows default TTL = 128
    LINUX & BSD = 64 & so on.
    But the technique would not work if hosts TTL default value were changed.

    An another point, what if hosts are behind a multi proxy server (FTP, HTTP, ...)?
    On AO site, in thread profiles on left precise if a proxy had been detected or not! Does anyone knows?
    [shadow] SHARING KNOWLEDGE[/shadow]

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Networker: Using the TTL doesn't work I'm afraid. At least it doesn't work against a linksys 'cos i tried it a week or so ago. It seems that the linksys rebuilds the packet ans provides a new TTL itself. Thus the linksys seems to be the originating machine.

    OTOH there is a way that just jumped into my head but I haven't had, nor will I have for a few days, the time to set up the details. It assumes that the nasty has not used MAC address spoofing. Place a Snort box in each collision domain with rules to alert on the MAC address octals pointing to the manufacturer's Linksys, Netgear etc. Then, when the little bugger throws up his WAP he gets a "WHAP" upside the head from you because the Snort box will send you a nice little email..... .

    It would work with semi-literate "ab"users and you could never tell them what triggers the "WHAP".......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •