Penetration Testing mailing list archives

Re: Discovering hosts behind NAT


From: Test Working <test198 () usa net>
Date: 23 May 2001 22:34:54 MDT

One would conclude that one of these is being used for NAT for
internal.company.com - but where do I go from here?

...using this information, the strategies I would suggest include:

- compromising the Cisco or the Wellfleet and, if they provide common
utilities (telnet, tftp, ftp, etc.), using them as a springboard into the
RFC1918-addressed portion of the target's network. Of course, if they
aren't answering internet-sourced connection requests, you're out of
luck. If you knew that they accepted telnet connections from, say,
192.168.1.1, then you could try a blind spoofing attack on telnet...

- compromising a non-RFC1918-addressed host on the target's network and
exploring to see if routing is configured to allow /this/ to be a
springboard. I would currently suggest a UNIX box or a Win2K/IIS5
SP0/SP1 host (vulnerable to the ISAPI .printer exploit) as valuable
target hosts.

If the network is protected by an unpatched Raptor firewall v6.5, you could
try

http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2517

and, using the outside interface of the firewall as a proxy, scan the internal
RFC1918 hosts behind it. As an example, one time I found a www server at
address 255.255.255.130 (IP addresses changed to protect the innocent; domain
name changed to customer.com) that, when banner-grabbed, replied with:

  + 255.255.255.130
        |___    80  World Wide Web HTTP
                |___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Content-Location:
http://10.0.0.6/index.htm..

After that, I scanned the rest of the network and found:

* - 255.255.255.127
* - 255.255.255.128
* + 255.255.255.129
        |___     7  Echo
        |___  2001  Cisco router management
                |___ ............
        |___  9001  Cisco xremote
                |___ ............
  - 255.255.255.125
  - 255.255.255.126
  + 255.255.255.130
        |___    80  World Wide Web HTTP
                |___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Content-Location:
http://10.0.0.6/index.htm..
  - 255.255.255.131
  + 255.255.255.132
        |___    21  File Transfer Protocol [Control]
                |___ 500 proxy access denied..
        |___    22  SSH Remote Login Protocol
        |___    25  Simple Mail Transfer
                |___ 220 cusfw01 NT smtp-gw is ready...
        |___    53  Domain Name Server
        |___    80  World Wide Web HTTP
                |___ HTTP/1.0 404 Error..Content-type: text/html....<h1>Error -
404</h1><HR><PRE>Cannot resolve destination<br></PRE><br><HR>Http Proxy</br>
        |___   110  Post Office Protocol - Version 3
                |___ +OK customer.com POP MDaemon 3.5.3 ready
<MDAEMON-XXXXXXXXXXXXX.XXXXXXXXXXXXXX () customer com>..


The .129 is their border router. The Raptor is sitting at .132. The web server
is NATed at .130, and MS is happy telling us the internal addressing scheme.
After that, it was easy to scan the internal net using the Raptor as a proxy,
and we found some interesting servers on the other side of the fw . . . .
;)

Hope this helps!

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
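A defender-side check for the leak shown in the banner above, added here as an example and not part of the original post: it parses a raw HTTP response and reports Location/Content-Location headers that carry an RFC 1918 address, so an administrator can audit an exposed IIS host or proxy for exactly this misconfiguration before an outsider reads the internal addressing scheme off it. The two sample responses are constructed, and the public hostname www.customer.com is an assumption.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that should never appear in a header crossing the NAT.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Headers in which IIS (and many proxies) echo the server's own address.
CHECKED_HEADERS = ("location", "content-location", "via")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_rfc1918(addr: str) -> bool:
    """True if addr is a valid IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)

def parse_headers(raw_response: str) -> dict:
    """Map lower-cased header names to values; status line and body are dropped."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def find_leaked_private_addresses(raw_response: str) -> list:
    """Return (header, address) pairs where a header exposes an RFC 1918 IP."""
    leaks = []
    for name, value in parse_headers(raw_response).items():
        if name in CHECKED_HEADERS:
            leaks += [(name, a) for a in IPV4_RE.findall(value) if is_rfc1918(a)]
    return leaks

# Constructed samples modelled on the banner quoted in the post, not real captures.
LEAKY_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  "Content-Location: http://10.0.0.6/index.htm\r\n\r\n")
# The same server after it is configured to advertise its public name instead.
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  "Content-Location: http://www.customer.com/index.htm\r\n\r\n")

if __name__ == "__main__":
    print("leaky:", find_leaked_private_addresses(LEAKY_RESPONSE))  # [('content-location', '10.0.0.6')]
    print("fixed:", find_leaked_private_addresses(FIXED_RESPONSE))  # []
```

Run it against responses captured from your own perimeter hosts; any non-empty result means the NATed server is advertising its inside address.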