Penetration Testing mailing list archives

Re: [PEN-TEST] Non-routable IP weaknesses?


From: M Schubert <schubert () fsck org>
Date: Wed, 20 Dec 2000 08:57:22 -0800

On Tuesday 19 December 2000 21:20, you wrote:
Anyone know of anything "interesting" that one could do once
one had determined that a customer, protected by a NAT based device,
had specific non-routable IPs active (e.g. 10.x.x.x, 172.16-31.x.x
and 192.168.x.x addresses)


Obvious question... are there any remote management services running on
that NAT device? (telnet, ssh, pcAnywhere, IP Magic) Is there a
firewall running in front or alongside of the NAT device? If so, are
there any vulnerabilities that you could use to make the firewall fail
open? (easier said than done I suppose...). You could also see if there
are any trust relationships in place between the NAT device or internal
clients with a box on the service network (assuming there is a service
network) and exploit it.

Oh and there's always the social engineering aspect of the situation...
(emailing a trojan to an employee who resides on the internal client
network).

Usually the security found in having internal clients protected by the
inherent feature of NAT to provide non-routable IPs is defeated by an
improperly secured NAT device or trust relationships with external
hosts (DMZ / service network, co-located servers or even employee's
home machines).

--
-- M. Schubert          - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin            - schubert () fsck org
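The first point in the reply above (remote management services running on the NAT device itself) is the one a defender can audit directly. The following is an added example, not code from the original post or its author: it takes a netstat-style listing of listening sockets from the NAT device and flags management services bound where the external side can reach them. The input format, the port-to-service table, the sample listing and the external address 203.0.113.5 are all constructed assumptions for illustration.

```python
# Added example (not from the original post): audit a NAT/firewall device's
# listening sockets for remote-management services reachable from outside.
# The listing format ("proto local_addr:port LISTEN") and the sample data are
# constructed; adapt parse_listeners() to real `netstat -ln` / `ss -ln` output.

# Management services named in the thread, keyed by well-known TCP port.
# (IP Magic is omitted: its port is not given on the page.)
MANAGEMENT_PORTS = {
    22: "ssh",
    23: "telnet",
    5631: "pcAnywhere (data)",
    5632: "pcAnywhere (status)",
}

WILDCARD_ADDRS = {"0.0.0.0", "::"}


def is_rfc1918(ip):
    """True for the non-routable ranges the thread mentions:
    10/8, 172.16/12 and 192.168/16. Non-IPv4 strings return False."""
    try:
        a, b, *_ = (int(x) for x in ip.split("."))
    except ValueError:
        return False
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def parse_listeners(listing):
    """Parse lines of the form 'proto local_addr:port LISTEN' into
    (proto, addr, port) tuples; other lines are ignored."""
    listeners = []
    for line in listing.strip().splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] != "LISTEN":
            continue
        addr, _, port = fields[1].rpartition(":")
        listeners.append((fields[0], addr, int(port)))
    return listeners


def externally_exposed(listing, external_ip):
    """Return (port, service, addr) for each management service bound to a
    wildcard address, to the external address, or to any other routable
    address. Loopback and RFC 1918 bindings are considered internal-only."""
    findings = []
    for _proto, addr, port in parse_listeners(listing):
        if port not in MANAGEMENT_PORTS:
            continue
        internal_only = addr.startswith("127.") or addr == "::1" or is_rfc1918(addr)
        if addr in WILDCARD_ADDRS or addr == external_ip or not internal_only:
            findings.append((port, MANAGEMENT_PORTS[port], addr))
    return findings


# Constructed sample: a NAT box with WAN address 203.0.113.5 (documentation
# range) and LAN address 192.168.1.1. Telnet and pcAnywhere listen on all
# interfaces; ssh listens on both addresses; HTTP/HTTPS are not management.
SAMPLE_LISTING = """
tcp 0.0.0.0:23 LISTEN
tcp 203.0.113.5:22 LISTEN
tcp 192.168.1.1:22 LISTEN
tcp 0.0.0.0:5631 LISTEN
tcp 127.0.0.1:80 LISTEN
tcp 192.168.1.1:443 LISTEN
"""

# The same box after binding every management service to the LAN side only.
HARDENED_LISTING = """
tcp 192.168.1.1:23 LISTEN
tcp 192.168.1.1:22 LISTEN
tcp 192.168.1.1:5631 LISTEN
tcp 127.0.0.1:80 LISTEN
"""

if __name__ == "__main__":
    for port, service, addr in externally_exposed(SAMPLE_LISTING, "203.0.113.5"):
        print(f"EXPOSED: {service} on {addr}:{port}")
    print("hardened findings:", externally_exposed(HARDENED_LISTING, "203.0.113.5"))
```

Binding management services to the internal address (or to loopback behind a VPN) removes the listener from the outside entirely, which is a stronger control than relying on a separate filter rule that can fail open; the check above treats a wildcard bind as exposed for that reason.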
