Recipe to bust through NAT-for a good purpose.

Posted on 2003-11-19
Medium Priority
Last Modified: 2013-12-04

For years I've been programming business apps, not hacking.  I can get around an NT but am not super learned on all the network internals.

I'm working at a company where the boss thinks NAT will protect all the internal clients/servers.  A DSL line, DSL modem, Linksys DSL router stand between the clients and the Internet.  DHCP is enabled on the Linksys.  Because he believes so much in NAT, we don't have passwords on any of the clients, and users often log on as administrator! I know, it's bad.

Without knowing anything about the network, besides the IP address of the cable modem, can someone provide a (simple?) recipe to get to an internal client (ex., and leave evidence of the intrusion.  I suspect several external hackers have done so already.

I don't want to do damage, but I want to PROVE that a half-way savvy hacker can poke through his "security" model.  Maybe then I can get him to see the wisdom of at least passwords.

The clients range from Win 98 to XP Pro.  All flavors.

I've read many of the posts about security here.  So there isn't a need to repeat NAT's ability to protect--I'll just assume it doesn't and wait for the proof.

Question by:twgonder

Expert Comment

ID: 9781447
Just do a port scan on his public ip, that will show all the vulnerabilities.

I don't know if much more can be discussed as your motive is good, but that's not saying that everyone that reads this will have the same motive.

A decent free scanner is nmap; this way you can find the open ports and create a report to show what you discovered. Post the open ports here and we will tell you what could be accessing those. The router does have minimal protection though.

If you go to a command prompt on one of the suspected hacked computers and type "netstat -a" and either research or paste the results, we can probably give you a better feel for what is on your machines.

Good luck, a little googling should provide most of the info you need.
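The "netstat -a" check above is easier to act on if the pasted listing is triaged mechanically against a baseline of what the machine is supposed to be listening on. The following is an added example and not code from the thread or from any tool mentioned in it. The listing it parses is constructed in the layout Windows prints (with numeric ports, as `netstat -an` shows them), and the EXPECTED_LISTENERS baseline is an assumption about a plain Windows client of the period; in practice the baseline should come from a known-clean host of the same build.

```python
"""Triage a pasted netstat listing for listeners not in a baseline and for
established sessions to other hosts.

Added example, not from the original thread. SAMPLE_NETSTAT is constructed;
EXPECTED_LISTENERS is an assumed baseline and must be replaced with one
taken from a known-clean machine of the same build.
"""
import re

# Constructed sample in the layout Windows prints; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.7:6667       ESTABLISHED
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# One socket line: protocol, local host:port, foreign host:port, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\d+)\s+"
    r"(?P<fhost>\S+):(?P<fport>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)

# Assumed baseline of (proto, port) pairs a stock Windows client of the era exposes.
EXPECTED_LISTENERS = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 137), ("UDP", 138), ("UDP", 445),
}


def parse_netstat(text):
    """Return one dict per socket line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["lport"] = int(entry["lport"])
        # Windows prints no State column for UDP; treat those sockets as listeners.
        if entry["state"] is None:
            entry["state"] = "LISTENING"
        entries.append(entry)
    return entries


def triage(entries, expected=EXPECTED_LISTENERS):
    """Split entries into listeners missing from the baseline and live
    sessions to other hosts: the two lists worth researching before
    deciding whether a machine is compromised."""
    unexpected, outbound = [], []
    for e in entries:
        key = (e["proto"], e["lport"])
        if e["state"] == "LISTENING" and key not in expected:
            unexpected.append(key)
        elif e["state"] == "ESTABLISHED" and e["fhost"] not in ("127.0.0.1", e["lhost"]):
            outbound.append((e["fhost"], e["fport"]))
    return {"unexpected_listeners": sorted(unexpected),
            "outbound_sessions": outbound}


if __name__ == "__main__":
    report = triage(parse_netstat(SAMPLE_NETSTAT))
    for proto, port in report["unexpected_listeners"]:
        print(f"listener not in baseline: {proto}/{port}")
    for host, port in report["outbound_sessions"]:
        print(f"established session to {host}:{port}")
```

On the constructed sample this flags TCP 1025 and TCP 31337 as listeners outside the baseline and one established session to 203.0.113.7 on port 6667. A high-numbered RPC listener such as 1025 is normal on many Windows builds, which is exactly why the baseline has to be taken from a clean host rather than assumed, while a long-lived session to an outside host on an IRC port is the kind of "outward bound evidence" the next comment describes.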

LVL 18

Expert Comment

ID: 9785228
you might want to drop a sniffer on your WAN segment to look for outward bound evidence of compromise
internal users can become compromised when someone brings their infected laptop in, visits a malicious web page, opens infected email attachments, etc.
Distributed denial of service installations will often use ICQ to get instructions, worms will do ip scans or start sending mail

Nessus or a demo of ISS will create a report of the vulnerabilities.

Author Comment

ID: 9801630
I know packets can get out via various malware.  What I'm looking for is a demonstrable way to get to a local address through NAT.

Scanning the DSL router shows port 80 open, and this is for administration.  The default password has been changed on the router and there isn't any evidence that someone has forwarded ports to an internal IP.

As to my "good" intent, most anyone on this site probably isn't looking for hack info, this can be found elsewhere.  If NAT can be defeated, then we are all better served on how to protect against such an intrusion.

LVL 18

Expert Comment

ID: 9801813
You'd have to investigate vulnerabilities of the device itself. From a strictly protocol standpoint, you can't establish a connection from the outside. My point was that NAT in and of itself does not provide a secure environment. To focus on it is to ignore 90% of the considerations in securing your network.

Expert Comment

ID: 9802056
tell the boss that programs like kazaa can easily get past nat devices which basically breaks security because it's a gateway for illegal porn, applications, movies, music and a drain on network bandwidth.

also services like this - https://www.gotomypc.com
make it possible to do port forwarding through nat devices

also there are free dynamic dns programs that when installed on a host system allow access through nat.

but maybe, you never know. his "security model" may work. if nothing else, just leave it be. may not be hacked or attacked by a virus for a while to come. but when it happens, just make sure you say "i told you so".
LVL 18

Expert Comment

ID: 9802609
>also there are free dynamic dns programs that when installed on a host system allow access through nat.
if you mean that a vulnerability exists, do you have a citation?

Expert Comment

ID: 9804611
it's not a "vulnerability". it's just how NAT is meant to work.
i don't know exactly how to setup a dynamic dns host behind a nat yet cus i haven't had time to experiment. but it works in the sense that the dns client program scans and looks for the gateway or nat external ip and sends that as the ip information to the service that the user has. it seems like a new idea and i think the closest thing i can give ya is go2mypc. but i did read in an article (wish i saved a link) that it is possible. i just don't know myself. but look for services that offer it, something might come up.

also, another thing you should bring up is that hardware based firewall or nat systems, when exploits are found it's harder in some cases to patch the system because a firmware upgrade is needed. as opposed to a software product that symantec has, all you do is go to their update servers.

depending on how "ghetto" your nat box is, try using a unix or linux system with some programs that spoof the source ip address. i think netcap, juggernaut and hping can do it. and basically try to ping something behind the nat. this is a very old nat exploit that usually won't work but it's worth a shot. it's basically a way of connecting directly through the nat.
LVL 18

Expert Comment

ID: 9805240
Connections can be initiated from the inside, and do offer a vector of infection, which I was trying to point out.
Dynamic DNS 'clients' simply monitor the IP address of the router and update the DNS host's zone record, they do not listen on any port.
I've yet to see a nat router with no ports open allow connections to internal targets to be initiated. How exactly would one address such a packet?

Other than denial of service issues, there's not much you can do from the outside.

Author Comment

ID: 9808094
For the purpose of this article, I am focusing on just the NAT issue.  This is not the case for the network's security efforts though.  We have had virus/worm attacks that have exploited the null password on administrator environment.

The boss says, "check their Norton stuff, I can't be bothered with passwords."  We all know that NAV is a dollar and a day short on stopping anything.  What I'd like to know is, is a private internal network sitting behind a NAT device (DSL router) really safe from pure external attacks?  I know the theory, now how about the reality?

Author Comment

ID: 10045778
Please close this topic.  Doesn't seem to have been answered. Thanks.
LVL 18

Accepted Solution

chicagoan earned 2000 total points
ID: 10046608
I think your question was:
Are there any known vulnerabilities of NAT?
and I think we've answered that,
as far as addressing the public (nat) address to gain entry:
 no, unless you're port forwarding to a machine with a vulnerability on that port
though there are numerous other avenues of attack.
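The accepted answer, and the earlier question "How exactly would one address such a packet?", come down to how a port-address-translating router decides where an inbound packet goes. The following toy model is an added example, not code from the thread or from any router vendor; all addresses, ports and the single port-forward rule are constructed, and the model keeps only the translation table, ignoring timeouts, TCP flag tracking and ICMP, which real routers handle on top of this. It walks through the cases the thread argues about: a reply to an inside-initiated flow, an unsolicited probe to an unmapped port, a packet to a port with a forward rule, and a different host trying to use an existing dynamic mapping.

```python
"""Toy model of a NAT (port-address-translation) router's state table.

Added example, not from the thread or any vendor firmware. Addresses, ports
and the forward rule are constructed; timeouts, TCP state tracking and ICMP
are omitted.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        # Static forwards set by the admin: (proto, public_port) -> (inside_ip, inside_port)
        self.forwards = dict(forwards or {})
        # Dynamic table built only by outbound traffic:
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}
        self._ports = itertools.count(49152)  # assumed ephemeral range for mapped ports

    def outbound(self, pkt):
        """Rewrite a LAN-to-Internet packet, recording the mapping it creates."""
        inside = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == inside:
                break  # an existing flow reuses its mapping
        else:
            pub_port = next(self._ports)
            self.table[(pkt.proto, pub_port)] = inside
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry is not None:
            in_ip, in_port, remote_ip, remote_port = entry
            # Only the peer the inside host contacted may use this mapping.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
            return None
        if key in self.forwards:
            in_ip, in_port = self.forwards[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None  # no mapping and no forward rule: no inside host to address


def demo():
    """Walk through the four cases discussed in the thread."""
    nat = NatRouter("198.51.100.5",
                    forwards={("TCP", 3389): ("192.168.1.20", 3389)})
    # An inside client opens a web session; the server's reply is translated back.
    out = nat.outbound(Packet("TCP", "192.168.1.10", 1034, "203.0.113.80", 80))
    reply = nat.inbound(Packet("TCP", "203.0.113.80", 80, nat.public_ip, out.src_port))
    # An unsolicited packet to a port with no mapping is dropped.
    probe = nat.inbound(Packet("TCP", "203.0.113.99", 40000, nat.public_ip, 445))
    # An unsolicited packet to the forwarded port reaches the inside host.
    forwarded = nat.inbound(Packet("TCP", "203.0.113.99", 40001, nat.public_ip, 3389))
    # A different host aiming at the dynamic mapping's port is not the recorded peer.
    other_peer = nat.inbound(Packet("TCP", "203.0.113.99", 40002, nat.public_ip, out.src_port))
    return out, reply, probe, forwarded, other_peer


if __name__ == "__main__":
    names = ("out", "reply", "probe", "forwarded", "other_peer")
    for name, result in zip(names, demo()):
        print(f"{name}: {'dropped' if result is None else result}")
```

The model is deliberately strict in checking the remote peer; many consumer routers are looser and let any outside host use a mapping once an inside host has created it, which is one reason outbound-initiated tools like the file-sharing and remote-access services mentioned above can end up exposing inside machines. Either way, the inbound decision is made from the table and the forward rules alone, which is the substance of the accepted answer.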

Expert Comment

ID: 13232893
It is NOT TRUE that computers behind a device using NAT are inaccessible. Any hacker who uses source routing can gain access to the internal network. The risk of such attack is though minimal because the hacker must know your weakness. Hackers normally just scan public addresses to find open ports and as your NAT device is not using port forwarding, the hacker won't find the vulnerability of your network.
