twgonder
asked on
Recipe to bust through NAT-for a good purpose.
Hello,
For years I've been programming business apps, not hacking. I can get around a NT but am not super learned on all the network internals.
I'm working at a company where the boss thinks NAT will protect all the internal clients/servers. A DSL line, DSL modem, Linksys DSL router stand between the clients and the Internet. DHCP is enabled on the Linksys. Because he believes so much in NAT, we don't have passwords on any of the clients, and users often logon as administrator! I know, it's bad.
Without knowing anything about the network, besides the IP address of the cable modem, can someone provide a (simple?) recipe to get to a internal client (ex. 192.168.1.105), and leave evidence of the intrusion. I suspect several external hackers have done so already.
I don't want to do damage, but I want to PROVE that a half-way savy hacker can poke through his "security" model. Maybe then I can get him to see the wisdom of at least passwords.
The clients range from Win 98 to XP Pro. All flavors.
I've read many of the posts about security here. So there isn't a need to repeat NATs ability to protect--I'll just assume it doesn't and wait for the proof.
Thanks
For years I've been programming business apps, not hacking. I can get around a NT but am not super learned on all the network internals.
I'm working at a company where the boss thinks NAT will protect all the internal clients/servers. A DSL line, DSL modem, Linksys DSL router stand between the clients and the Internet. DHCP is enabled on the Linksys. Because he believes so much in NAT, we don't have passwords on any of the clients, and users often logon as administrator! I know, it's bad.
Without knowing anything about the network, besides the IP address of the cable modem, can someone provide a (simple?) recipe to get to a internal client (ex. 192.168.1.105), and leave evidence of the intrusion. I suspect several external hackers have done so already.
I don't want to do damage, but I want to PROVE that a half-way savy hacker can poke through his "security" model. Maybe then I can get him to see the wisdom of at least passwords.
The clients range from Win 98 to XP Pro. All flavors.
I've read many of the posts about security here. So there isn't a need to repeat NATs ability to protect--I'll just assume it doesn't and wait for the proof.
Thanks
you might want to drop a sniffer on you wan segment to look for outward bound evidence of compromise
internal users can become compromised when someone brings their infected laptop in, visits a malicious web page, opens infected email attachments, etc.
Distributed denial of service instalations will often use ICQ to get instructions, worms will do ip scans or start sending mail
Nessus or a demo of ISS will create a report of the vulnerabilities.
internal users can become compromised when someone brings their infected laptop in, visits a malicious web page, opens infected email attachments, etc.
Distributed denial of service instalations will often use ICQ to get instructions, worms will do ip scans or start sending mail
Nessus or a demo of ISS will create a report of the vulnerabilities.
ASKER
I know packets can get out via various mal ware. What I'm looking for is a demonstratable way to get to a local address through NAT.
Scanning the DSL router shows port 80 open, and this is for administration. The default password has been changed on the router and there isn't any evidence that someone has forwarded ports to an internal IP.
As to my "good" intent, most anyone on this site probably isn't looking for hack info, this can be found elsewhere. If NAT can be defeated, then we are all better served on how to protect against such an intrusion.
Scanning the DSL router shows port 80 open, and this is for administration. The default password has been changed on the router and there isn't any evidence that someone has forwarded ports to an internal IP.
As to my "good" intent, most anyone on this site probably isn't looking for hack info, this can be found elsewhere. If NAT can be defeated, then we are all better served on how to protect against such an intrusion.
You'd have to investigate vulnerabilites of the device itself. From a strictly protocol standpoint, you can't establish a connection from the outside. My point was that NAT in and of itself does not provide a secure environment. To focus on it is to ignore 90% of the considerations in securing your network.
tell the boss that programs like kazaa can easily get past nat devices which basically breaks security because it's a gateway for illegal porn, applications, movies, music and a drain on network bandwidth.
also services like this - https://www.gotomypc.com
make it possible to do port forwarding through nat devices
also there are free dynamic dns programs that when installed on a host system allow access through nat.
but maybe, you never know. his "security model" may work. if nothing else, just leave it be. may not be hacked or attacked by a virus for a while to come. but when it happens, just make sure you say "i told you so".
also services like this - https://www.gotomypc.com
make it possible to do port forwarding through nat devices
also there are free dynamic dns programs that when installed on a host system allow access through nat.
but maybe, you never know. his "security model" may work. if nothing else, just leave it be. may not be hacked or attacked by a virus for a while to come. but when it happens, just make sure you say "i told you so".
nonsence
>also there are free dynamic dns programs that when installed on a host system allow access through nat.
if you mean that a vulnerability exists, do you have a citation?
>also there are free dynamic dns programs that when installed on a host system allow access through nat.
if you mean that a vulnerability exists, do you have a citation?
it's not a "vulnerability". it's just how NAT is meant to work.
i don't know exactly how to setup a dynamic dns host behind a nat yet cus i haven't had time to expermiment. but it works in the sense that the dns client program scans and looks for the gateway or nat external ip and sends that as the ip information to the service that the user has. it seems like a new idea and i think the closest thing i can give ya is go2mypc. but i did read in an article (wish i saved a link) that it is possible. i just don't know myself. but look for services that offer it, something might come up.
also, another thing you should bring up is that hardware based firewall or nat systems, when exploits are found it's harder in some cases to patch the system because a firmware upgrade is needed. as opposed to a software product that symantec has, all you do is go to their update servers.
depending on how "ghetto" your nat box is, try using a unix or linux system with some programs that spoof the source ip address. i think netcap, juggaurnut and hping can do it. and basically try to ping something behind the nat. this is a very old nat exploit that usually won't work but it's worth a shot. it's basically a way of connecting directly through the nat.
i don't know exactly how to setup a dynamic dns host behind a nat yet cus i haven't had time to expermiment. but it works in the sense that the dns client program scans and looks for the gateway or nat external ip and sends that as the ip information to the service that the user has. it seems like a new idea and i think the closest thing i can give ya is go2mypc. but i did read in an article (wish i saved a link) that it is possible. i just don't know myself. but look for services that offer it, something might come up.
also, another thing you should bring up is that hardware based firewall or nat systems, when exploits are found it's harder in some cases to patch the system because a firmware upgrade is needed. as opposed to a software product that symantec has, all you do is go to their update servers.
depending on how "ghetto" your nat box is, try using a unix or linux system with some programs that spoof the source ip address. i think netcap, juggaurnut and hping can do it. and basically try to ping something behind the nat. this is a very old nat exploit that usually won't work but it's worth a shot. it's basically a way of connecting directly through the nat.
Connections can be initiated from the inside, and do offer a vector if infectoin, which I was trying to point out.
Dynamic DNS 'clients' simply monitor the IP address of the router and update the DNS host's zone record, they do not listen on any port.
I've yet to see a nat router with no ports open allow connections to internal targets to be initiated. How exactly would one address such a packet?
Other than denial of service issues, there's not much you can do from the outside.
Dynamic DNS 'clients' simply monitor the IP address of the router and update the DNS host's zone record, they do not listen on any port.
I've yet to see a nat router with no ports open allow connections to internal targets to be initiated. How exactly would one address such a packet?
Other than denial of service issues, there's not much you can do from the outside.
ASKER
For the purpose of this article, I am focusing on just the NAT issue. This is not the case for the networks security efforts though. We have had virus/worm attacks that have exploited the null password on administrator environment.
The boss says, "check their Norton stuff, I can't be bothered with passwords." We all know that NAV is a dollar and day short on stopping anything. What I'd like to know, is a private internal network sitting behind a NAT device (DSL router) really safe from pure external attacks? I know the theory, now how about the reality?
The boss says, "check their Norton stuff, I can't be bothered with passwords." We all know that NAV is a dollar and day short on stopping anything. What I'd like to know, is a private internal network sitting behind a NAT device (DSL router) really safe from pure external attacks? I know the theory, now how about the reality?
ASKER
Please close this topic. Doesn't seem to have been answered. Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It is NOT TRUE that computers behind a device using NAT are unaccessable. Any hacker who uses source routing can gain access to the internal network. The risk of such attack is though minimal because the hacker must know your weakness. Hackers normaly just scan public adresses to find open ports and as your NAT device is not using port forwarding, the hacker won't find the vulnerbility of your network.
I dont know if much more can be discussed as your motive is good, but thats not saying that everyone thats reads this will have the same motive.
A decent free scanner is nmap , this way you can either find the open ports and create a report to show what you discovered. Post the open ports here and we will tell you what could be accessing those. The router does have minimal protection though.
If you go to a command prompt on one of the suspected hacked computers and type "netstat -a" and either reasearch or paste the results, we can probably give you a better feel for what is on your machines.
Good luck, a little googling should provide most the info you need.
Mike