Penetration Testing mailing list archives

Re: Enumeration of NAT'ed computer names


From: Byron Sonne <blsonne () rogers com>
Date: Tue, 17 Jan 2006 18:23:32 -0500

I have a need to enumerate computer names, i.e. \\elvis and \\winbox, in a SOHO NAT'ed network. The basic idea here is that \\elvis was used to commit a crime, but in order to tie \\elvis to the offender, I have to prove that \\elvis exists on the network. I have to do it legally, and I can't actively penetrate the network to enumerate the names. Any ideas would be greatly appreciated.

Well, you're really kinda hamstrung here if you can't actively penetrate the network. Sounds like your best bet is going to be passively sniffing the outgoing traffic looking for anything containing those names.

I'm gonna go out on a limb here and guess that you're not law enforcement, so good luck getting the target's provider to give you a span port or otherwise let you get your mitts on their traffic. If 'legal' wasn't a requirement, I'd say you might be able to tap their wire.

Since you prepended '\\' to the hosts I'm guessing you're working in the windows world, which will complicate matters, as the netbios protocol doesn't make it out of the current subnet by design (unless you've piggybacked it on TCP/IP or netware or something). So, as you're outside the nat'd network, you're probably gonna be stuck looking at just IP addresses, which probably doesn't help, since I'm guessing you're after hostnames. Of course, it could be a *nix box running Samba...

Those papers and ideas about counting nat'd hosts via timestamps or clock skew are neat, but not particularly accurate or useful in the real world, even less so since you're not gonna be able to map them to hostnames on the target network. Best you'll get is an idea of the number of hosts behind the nat.

The only other thing I can think of is to run a wireless sniffer (kismet or netstumbler, etc.) near the target's physical location and see if they're leaking anything that way. Even if \\elvis isn't wireless, you might get lucky and stumble across another computer in the target network that *is* wireless and is attempting communications to \\elvis.

Make sure you keep track of MAC addresses whatever your approach; that's a better indicator of unique identities than IP addresses or hostnames are for correlation purposes. If you can associate a MAC to \\elvis, then just look for that MAC elsewhere; it's probably gonna be the same host.

I don't think you're going to have much luck at all, but please let me (us?) know if you make any headway. You're in an interesting situation that I'd like to hear more about.
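A worked illustration of the two NetBIOS points made in the reply above (the hostname only travels in name-service broadcasts on the local subnet, and the useful forensic artifact is the hostname-to-MAC pairing), added here as an example and not part of the original message: a passive parser that takes one captured Ethernet frame and, if it is a NetBIOS name query or registration on UDP 137, returns the source MAC, source IP and decoded name. The frame builder, MAC and addresses are constructed samples for the demonstration, not captures from anyone's network.

```python
import struct

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001): pad to 15 bytes, add suffix, emit nibbles as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def decode_netbios_name(encoded: bytes):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_nbns_query_frame(src_mac: bytes, src_ip: bytes, name: str, suffix: int = 0x20) -> bytes:
    """Constructed sample frame: a broadcast NBNS name query as a LAN host would send it
    (Ethernet / IPv4 / UDP 137 / NBNS header / one question). Checksums are left zero."""
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    nbns = struct.pack(">HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0) + question
    udp = struct.pack(">HHHH", 137, 137, 8 + len(nbns), 0) + nbns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, bytes([192, 168, 1, 255])) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def extract_nbns_names(frame: bytes):
    """Passively inspect one Ethernet frame. If it carries NBNS question names, return
    [(src_mac, src_ip, name, suffix)] so the hostname can be tied to a MAC address."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":      # not IPv4, or too short
        return []
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                                   # not UDP
        return []
    src_ip = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    udp = 14 + ihl
    sport, dport = struct.unpack(">HH", frame[udp:udp + 4])
    if 137 not in (sport, dport):                             # not NetBIOS Name Service
        return []
    nbns = frame[udp + 8:]
    qdcount = struct.unpack(">H", nbns[4:6])[0]
    pos, found = 12, []
    for _ in range(qdcount):
        if pos + 38 > len(nbns) or nbns[pos] != 0x20:        # only plain 32-byte labels
            break
        name, suffix = decode_netbios_name(nbns[pos + 1:pos + 33])
        found.append((src_mac, src_ip, name, suffix))
        pos += 1 + 32 + 1 + 4                                 # len, label, terminator, type+class
    return found
```

Fed frames from a capture of the local subnet, the returned tuples give the MAC that actually answers to a given name; the same logic returns nothing for traffic seen outside the NAT, which is exactly the limitation the reply describes.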
