Penetration Testing mailing list archives
RE: Discovering hosts behind NAT
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Thu, 24 May 2001 07:46:40 +0200
That's a good suggestion. If you can get writable SNMP access (try ADMsnmp as a nice bruteforcer), you may also be able to get it to upload its config to you. Michal Zalewski (IIRC) made a script that would set the appropriate SNMP variables, start a TFTP server, and receive a config file. Having done that, you can modify it to suit (remove ACL's, etc) and upload it again. Rogan -----Original Message----- From: Javier Fernandez-Sanguino Peña [mailto:jfernandez () sgi es] Sent: 23 May 2001 09:29 To: Franklin DeMatto Cc: pen-test () securityfocus com Subject: Re: Discovering hosts behind NAT
There are two known network devices: a cisco, which seems totally silent,
and a wellfleet router.
Have you tried SNMP access? First try to check if the SNMP ports (udp) are open (nmap -sU) and then do a dictionary attack against the router. A common misconfiguration is to have SNMP open to the outside world and with well-known communities. If so, you could probably get the information the router holds in its internal tables and (maybe) configure it to allow you access to the "hidden" network. Javi
Current thread:
- Discovering hosts behind NAT Franklin DeMatto (May 22)
- Re: Discovering hosts behind NAT Javier Fernandez-Sanguino Peña (May 23)
- Re: Discovering hosts behind NAT Alex Butcher (May 23)
- Re: Discovering hosts behind NAT Wolfgang Zenker (May 25)
- <Possible follow-ups>
- Re: Discovering hosts behind NAT Test Working (May 24)
- RE: Discovering hosts behind NAT Dawes, Rogan (ZA - Johannesburg) (May 24)