RE: Discovering hosts behind NAT

["Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>]

That's a good suggestion.

If you can get writable SNMP access (try ADMsnmp as a nice bruteforcer), you
may also be able to get it to upload its config to you. Michal Zalewski
(IIRC) made a script that would set the appropriate SNMP variables, start a
TFTP server, and receive a config file. Having done that, you can modify it
to suit (remove ACL's, etc) and upload it again.

Rogan

-----Original Message-----
From: Javier Fernandez-Sanguino Peña [mailto:jfernandez () sgi es]
Sent: 23 May 2001 09:29
To: Franklin DeMatto
Cc: pen-test () securityfocus com
Subject: Re: Discovering hosts behind NAT


> There are two known network devices: a cisco, which seems totally silent,
and a wellfleet router.
>


        Have you tried SNMP access? First try to check if the SNMP ports
(udp) are open
(nmap -sU) and then do a dictionary attack against the router. A common
misconfiguration is to have SNMP open to the outside world and with
well-known
communities.
        If so, you could probably get the information the router holds in
its internal
tables and (maybe) configure it to allow you access to the "hidden" network.

        Javi