Penetration Testing mailing list archives

Re: testing for IP address space leakage in NAT systems

From: Iván Arce <core.lists.pentest () core-sdi com>
Date: Mon, 21 Jan 2002 20:44:54 -0300

Hi,
 this is just an idea , i havent had time to actually test it, so...

I would try using IP fragmentation or TCP reassembly tricks with protocols
that
require payload rewriting at the NAT device. An example of this would be
FTP control messages.
It proved usefull to open holes thru packet filtering firewalls with
stateful inspection so it might as well work for obtaining internal
adresses.

Pointers to related stuff:
http://www.securityfocus.com/bid/1045

Cool stuff presented by Tomas Lopatic,John MacDonald and Dug Song
at BlackHat Briefings LV 2000:
http://www.blackhat.com/presentations/bh-usa-00/Song-McDonald-Lopatic/Song_M
cDonald_lopatic.ppt

FW-1
http://www.securityfocus.com/bid/1054
PIX
http://www.securityfocus.com/bid/1877
http://www.securityfocus.com/bid/1698

then again a simple email would be equally usefull

-ivan


---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

----- Original Message -----
From: R P G <core.lists.pentest () core-sdi com>
Newsgroups: core.lists.pentest
To: <pen-test () securityfocus com>
Sent: Monday, January 21, 2002 2:02 PM
Subject: testing for IP address space leakage in NAT systems

I was wondering if anyone knows of a method to test a NAT system for
address space leakage.

Thanks.

--Bob



--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus Security Intelligence Alert

(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please

see:

https://alerts.securityfocus.com/



--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce () corest com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Re: Medium Scale Scanning Best Practices, (continued)
- Re: Medium Scale Scanning Best Practices Renaud Deraison (Jan 17)
- Re: Medium Scale Scanning Best Practices miguel . dilaj (Jan 15)
- RE: Medium Scale Scanning Best Practices Aleksander P. Czarnowski (Jan 16)
- Re: Medium Scale Scanning Best Practices John Malconian (Jan 18)
  - Re: Medium Scale Scanning Best Practices Troy Davis (Jan 19)
  - testing for IP address space leakage in NAT systems R P G (Jan 21)
    - Re: testing for IP address space leakage in NAT systems R. DuFresne (Jan 21)
    - Re: testing for IP address space leakage in NAT systems Frank (Jan 21)
    - Re: testing for IP address space leakage in NAT systems Thomas Reinke (Jan 21)
    - Re: testing for IP address space leakage in NAT systems Gamble (Jan 22)
    - Re: testing for IP address space leakage in NAT systems Iván Arce (Jan 22)
  - Message not available
    - Re: testing for IP address space leakage in NAT systems Chris Keladis (Jan 22)