Penetration Testing mailing list archives
Re: [PEN-TEST] Non-routable IP weaknesses?
From: batz <batsy () VAPOUR NET>
Date: Wed, 20 Dec 2000 07:13:03 -0500
On Wed, 20 Dec 2000, Thomas Reinke wrote:

:Anyone know of anything "interesting" that one could do once
:one had determined that a customer, protected by a NAT based device,
:had specific non-routable IPs active (e.g. 10.x.x.x, 172.16-31.x.x
:and 192.168.x.x addresses)

Compromise their router and set up a tunnel from it to you using a small netblock carved out of their space so that you seem local.

See if you can source route packets into their network. (probably not, but try it)

Also, depending on how many hops you are away, you might be able to get some of their address space routed outside their NAT device using rip or ospf so that you can start scanning the hosts directly.

Otherwise, your options are pretty much limited to blind spoofing (have fun) and blind snmp-sets on devices you have no idea if they are running snmp.

I've often come across people's internal addresses due to misconfigured proxies, weird NAT'isms that respond to icmp from the internal addresses (proxy arp on ketamine or something) and particularly IIS giving the Content-Location: in the http server header. Also, getting an arp table from an snmp agent in the target's DMZ often yields internal addressing.

However, this information is mostly useless unless you are on a host within a couple (8 actually) of hops of the NAT device, or sitting in front of it on the DMZ.

This one often ends up listed under "Further recommendations" which generally means that it's not a prudent configuration, not critical, or would require such time/skill that I couldn't possibly exploit it within the confines of the rules of engagement, but if someone was truly elite, they could.

Think Crouching Tiger, Hidden Dragon.

--
batz
Reluctant Ninja
Defective Technologies
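The post's practical finding is that internal RFC 1918 addresses leak out through response headers such as IIS's Content-Location or a proxy's Via. The following is an added example (not code from the thread or from any poster) of the check a defender would run against their own web tier: parse a raw HTTP response and report any RFC 1918 address appearing in headers that commonly echo server-side addressing. The sample response, header list, and function names are constructed for the example; the three private ranges are the ones named in the original question.

```python
import ipaddress
import re
from typing import List, Tuple

# The RFC 1918 ranges named in the question: 10/8, 172.16/12, 192.168/16.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Response headers that, in practice, often carry server-side addressing.
# (Constructed list for this example; extend to taste.)
WATCHED_HEADERS = ("content-location", "location", "via",
                   "x-forwarded-for", "server")

# Dotted-quad matcher; the address is validated separately below.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rfc1918(addr: str) -> bool:
    """True only for a syntactically valid IPv4 address inside 10/8,
    172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. an octet > 255 matched by the regex
        return False
    return any(ip in net for net in RFC1918)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response (status line + headers [+ body]) into
    lower-cased (name, value) pairs; the status line and body are ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_leaks(raw: str) -> List[Tuple[str, str]]:
    """Return (header, address) for every RFC 1918 address found in a
    watched header of the response."""
    leaks = []
    for name, value in parse_headers(raw):
        if name not in WATCHED_HEADERS:
            continue
        for candidate in IPV4_RE.findall(value):
            if is_rfc1918(candidate):
                leaks.append((name, candidate))
    return leaks


# Constructed sample: an IIS-style response whose Content-Location
# reveals the server's internal 10.x address (the case the post describes).
SAMPLE_LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://10.1.2.3/default.htm\r\n"
    "Content-Type: text/html\r\n"
    "Via: 1.1 proxy.example.com (squid/2.3)\r\n"
    "\r\n"
    "<html>constructed body</html>"
)

# Constructed sample: same server after the header has been fixed to use
# the public hostname instead of the internal address.
SAMPLE_CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://www.example.com/default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>constructed body</html>"
)

if __name__ == "__main__":
    for label, resp in (("leaky", SAMPLE_LEAKY_RESPONSE),
                        ("clean", SAMPLE_CLEAN_RESPONSE)):
        print(label, find_leaks(resp))
```

Run it against responses captured from your own externally reachable hosts (a reverse proxy or load balancer can also be configured to rewrite or strip these headers); any hit is the kind of finding the post says usually lands under "Further recommendations".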
Current thread:
- [PEN-TEST] Non-routable IP weaknesses? Thomas Reinke (Dec 20)
- Re: [PEN-TEST] Non-routable IP weaknesses? M Schubert (Dec 20)
- Re: [PEN-TEST] Non-routable IP weaknesses? batz (Dec 20)
- <Possible follow-ups>
- Re: [PEN-TEST] Non-routable IP weaknesses? Frank Darden (Dec 20)
- Re: [PEN-TEST] Non-routable IP weaknesses? Philipp Buehler (Dec 21)