Solved

Recipe to bust through NAT - for a good purpose.

Posted on 2003-11-19
Last Modified: 2013-12-04
Hello,

For years I've been programming business apps, not hacking.  I can get around an NT box but am not super learned on all the network internals.

I'm working at a company where the boss thinks NAT will protect all the internal clients/servers.  A DSL line, DSL modem and Linksys DSL router stand between the clients and the Internet.  DHCP is enabled on the Linksys.  Because he believes so much in NAT, we don't have passwords on any of the clients, and users often log on as administrator! I know, it's bad.

Without knowing anything about the network besides the IP address of the cable modem, can someone provide a (simple?) recipe to get to an internal client (ex. 192.168.1.105) and leave evidence of the intrusion?  I suspect several external hackers have done so already.

I don't want to do damage, but I want to PROVE that a half-way savvy hacker can poke through his "security" model.  Maybe then I can get him to see the wisdom of at least passwords.

The clients range from Win 98 to XP Pro.  All flavors.

I've read many of the posts about security here, so there isn't a need to repeat NAT's ability to protect.  I'll just assume it doesn't and wait for the proof.

Thanks
Question by:twgonder
12 Comments
 
LVL 2

Expert Comment

by:UnifiedIT
ID: 9781447
Just do a port scan on his public IP; that will show all the vulnerabilities.

I don't know if much more can be discussed. Your motive is good, but that's not saying that everyone that reads this will have the same motive.

A decent free scanner is nmap; this way you can find the open ports and create a report to show what you discovered. Post the open ports here and we will tell you what could be accessing those. The router does have minimal protection though.

If you go to a command prompt on one of the suspected hacked computers and type "netstat -a" and either research or paste the results, we can probably give you a better feel for what is on your machines.

Good luck, a little googling should provide most of the info you need.

Mike
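
The "netstat -a" triage suggested above can be done consistently across a room full of Win 98 to XP clients with a small script. This is an added example, not code from anyone in this thread: it parses a constructed sample of Windows netstat output (the host 192.168.1.105 is the one named in the question; 203.0.113.7 is a documentation-range address standing in for an outside peer), lists what the machine is listening on, and flags established sessions to hosts outside the RFC 1918 ranges, which is the "outbound evidence of compromise" a sniffer on the WAN would also show. The `KNOWN_PORTS` labels are an assumption for readability, not output of any tool.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of Windows "netstat -a" output for an XP-era client at
# 192.168.1.105. The foreign host 203.0.113.7 is a documentation-range
# address used here as a stand-in for an outside peer (e.g. an IRC server).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.105:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.105:1046     203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.105:1052     192.168.1.1:80         TIME_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.105:138      *:*
"""

# Assumed labels for ports a Windows admin expects to see; anything listening
# that is not in this table deserves a second look.
KNOWN_PORTS = {135: "MS RPC", 137: "NetBIOS name", 138: "NetBIOS datagram",
               139: "NetBIOS session", 445: "SMB"}

# Address space a NAT device normally hides; a peer outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); UDP's '*:*' becomes ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Parse netstat -a lines into dicts (proto, local/foreign host+port, state)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        entries.append({
            "proto": parts[0],
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": parts[3] if len(parts) > 3 else "",  # UDP rows print no state
        })
    return entries


def listening_ports(entries: List[Dict]) -> Dict[int, str]:
    """Ports the machine accepts traffic on, labelled if well known."""
    ports = {}
    for e in entries:
        if e["proto"] == "UDP" or e["state"] == "LISTENING":
            ports[e["local_port"]] = KNOWN_PORTS.get(e["local_port"], "unknown - investigate")
    return ports


def is_internal(host: str) -> bool:
    """True for private/loopback/link-local addresses; False for anything else or non-IPs."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname or '*': cannot classify, treat as not internal
    return any(addr in net for net in INTERNAL_NETS)


def external_connections(entries: List[Dict]) -> List[Dict]:
    """Established TCP sessions whose peer lies outside the internal address space."""
    return [e for e in entries
            if e["proto"] == "TCP" and e["state"] == "ESTABLISHED"
            and not is_internal(e["foreign_host"])]


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for port, label in sorted(listening_ports(parsed).items()):
        print(f"listening on {port:>5}  {label}")
    for e in external_connections(parsed):
        print(f"outbound session {e['local_port']} -> {e['foreign_host']}:{e['foreign_port']}")
```

Run it against real output by reading the saved text of "netstat -a" instead of `SAMPLE_NETSTAT`; the TIME_WAIT row to the router and the UDP rows are deliberately in the sample so the filters can be seen ignoring them.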

Expert Comment

by:chicagoan
ID: 9785228
You might want to drop a sniffer on your WAN segment to look for outbound evidence of compromise.
Internal users can become compromised when someone brings their infected laptop in, visits a malicious web page, opens infected email attachments, etc.
Distributed denial-of-service installations will often use ICQ to get instructions; worms will do IP scans or start sending mail.


Nessus or a demo of ISS will create a report of the vulnerabilities.

Author Comment

by:twgonder
ID: 9801630
I know packets can get out via various malware.  What I'm looking for is a demonstrable way to get to a local address through NAT.

Scanning the DSL router shows port 80 open, and this is for administration.  The default password has been changed on the router and there isn't any evidence that someone has forwarded ports to an internal IP.

As to my "good" intent, most anyone on this site probably isn't looking for hack info, this can be found elsewhere.  If NAT can be defeated, then we are all better served on how to protect against such an intrusion.

Expert Comment

by:chicagoan
ID: 9801813
You'd have to investigate vulnerabilities of the device itself. From a strictly protocol standpoint, you can't establish a connection from the outside. My point was that NAT in and of itself does not provide a secure environment. To focus on it is to ignore 90% of the considerations in securing your network.

Expert Comment

by:nonsence
ID: 9802056
Tell the boss that programs like Kazaa can easily get past NAT devices, which basically breaks security because it's a gateway for illegal porn, applications, movies and music, and a drain on network bandwidth.

Also, services like this one (https://www.gotomypc.com) make it possible to do port forwarding through NAT devices.

Also, there are free dynamic DNS programs that, when installed on a host system, allow access through NAT.

But maybe, you never know, his "security model" may work. If nothing else, just leave it be. It may not be hacked or attacked by a virus for a while to come. But when it happens, just make sure you say "I told you so".

Expert Comment

by:chicagoan
ID: 9802609
nonsence
>also there are free dynamic dns programs that when installed on a host system allow access through nat.
If you mean that a vulnerability exists, do you have a citation?

Expert Comment

by:nonsence
ID: 9804611
It's not a "vulnerability". It's just how NAT is meant to work.
I don't know exactly how to set up a dynamic DNS host behind a NAT yet 'cause I haven't had time to experiment. But it works in the sense that the DNS client program scans and looks for the gateway or NAT external IP and sends that as the IP information to the service that the user has. It seems like a new idea and I think the closest thing I can give ya is GoToMyPC. But I did read in an article (wish I saved a link) that it is possible. I just don't know myself. But look for services that offer it; something might come up.

Also, another thing you should bring up is that with hardware-based firewall or NAT systems, when exploits are found it's harder in some cases to patch the system because a firmware upgrade is needed, as opposed to a software product like Symantec's, where all you do is go to their update servers.

Depending on how "ghetto" your NAT box is, try using a Unix or Linux system with some programs that spoof the source IP address. I think netcap, Juggernaut and hping can do it. And basically try to ping something behind the NAT. This is a very old NAT exploit that usually won't work, but it's worth a shot. It's basically a way of connecting directly through the NAT.

Expert Comment

by:chicagoan
ID: 9805240
Connections can be initiated from the inside, and do offer a vector of infection, which I was trying to point out.
Dynamic DNS 'clients' simply monitor the IP address of the router and update the DNS host's zone record; they do not listen on any port.
I've yet to see a NAT router with no ports open allow connections to internal targets to be initiated. How exactly would one address such a packet?

Other than denial of service issues, there's not much you can do from the outside.

Author Comment

by:twgonder
ID: 9808094
For the purpose of this article, I am focusing on just the NAT issue.  This is not the case for the network's security efforts though.  We have had virus/worm attacks that have exploited the null password in the administrator environment.

The boss says, "check their Norton stuff, I can't be bothered with passwords."  We all know that NAV is a dollar and a day short on stopping anything.  What I'd like to know is: is a private internal network sitting behind a NAT device (DSL router) really safe from pure external attacks?  I know the theory, now how about the reality?

Author Comment

by:twgonder
ID: 10045778
Please close this topic.  Doesn't seem to have been answered. Thanks.

Accepted Solution

by:chicagoan (earned 500 total points)
ID: 10046608
I think your question was:
"Are there any known vulnerabilities of NAT?"
and I think we've answered that. As far as addressing the public (NAT) address to gain entry: no, unless you're port forwarding to a machine with a vulnerability on that port, though there are numerous other avenues of attack.
 
0
 

Expert Comment

by:corbit
ID: 13232893
It is NOT TRUE that computers behind a device using NAT are inaccessible. Any hacker who uses source routing can gain access to the internal network. The risk of such an attack, though, is minimal because the hacker must know your weakness. Hackers normally just scan public addresses to find open ports, and as your NAT device is not using port forwarding, the hacker won't find the vulnerability of your network.