Recipe to bust through NAT - for a good purpose.


For years I've been programming business apps, not hacking.  I can get around a NT but am not super learned on all the network internals.

I'm working at a company where the boss thinks NAT will protect all the internal clients/servers.  A DSL line, DSL modem, Linksys DSL router stand between the clients and the Internet.  DHCP is enabled on the Linksys.  Because he believes so much in NAT, we don't have passwords on any of the clients, and users often log on as administrator! I know, it's bad.

Without knowing anything about the network, besides the IP address of the cable modem, can someone provide a (simple?) recipe to get to an internal client (ex., and leave evidence of the intrusion.  I suspect several external hackers have done so already.

I don't want to do damage, but I want to PROVE that a half-way savvy hacker can poke through his "security" model.  Maybe then I can get him to see the wisdom of at least passwords.

The clients range from Win 98 to XP Pro.  All flavors.

I've read many of the posts about security here.  So there isn't a need to repeat NAT's ability to protect--I'll just assume it doesn't and wait for the proof.


Just do a port scan on his public ip, that will show all the vulnerabilities.

I don't know if much more can be discussed, as your motive is good, but that's not saying that everyone that reads this will have the same motive.

A decent free scanner is nmap; this way you can either find the open ports and create a report to show what you discovered. Post the open ports here and we will tell you what could be accessing those. The router does have minimal protection though.

If you go to a command prompt on one of the suspected hacked computers and type "netstat -a" and either research or paste the results, we can probably give you a better feel for what is on your machines.

Good luck, a little googling should provide most of the info you need.

you might want to drop a sniffer on your wan segment to look for outward bound evidence of compromise
internal users can become compromised when someone brings their infected laptop in, visits a malicious web page, opens infected email attachments, etc.
Distributed denial of service installations will often use ICQ to get instructions, worms will do ip scans or start sending mail

Nessus or a demo of ISS will create a report of the vulnerabilities.
twgonder (Author) commented:
I know packets can get out via various malware.  What I'm looking for is a demonstrable way to get to a local address through NAT.

Scanning the DSL router shows port 80 open, and this is for administration.  The default password has been changed on the router and there isn't any evidence that someone has forwarded ports to an internal IP.

As to my "good" intent, most anyone on this site probably isn't looking for hack info, this can be found elsewhere.  If NAT can be defeated, then we are all better served on how to protect against such an intrusion.

You'd have to investigate vulnerabilities of the device itself. From a strictly protocol standpoint, you can't establish a connection from the outside. My point was that NAT in and of itself does not provide a secure environment. To focus on it is to ignore 90% of the considerations in securing your network.
tell the boss that programs like kazaa can easily get past nat devices which basically breaks security because it's a gateway for illegal porn, applications, movies, music and a drain on network bandwidth.

also services like this -
make it possible to do port forwarding through nat devices

also there are free dynamic dns programs that when installed on a host system allow access through nat.

but maybe, you never know. his "security model" may work. if nothing else, just leave it be. may not be hacked or attacked by a virus for a while to come. but when it happens, just make sure you say "i told you so".
>also there are free dynamic dns programs that when installed on a host system allow access through nat.
if you mean that a vulnerability exists, do you have a citation?
it's not a "vulnerability". it's just how NAT is meant to work.
i don't know exactly how to set up a dynamic dns host behind a nat yet cus i haven't had time to experiment. but it works in the sense that the dns client program scans and looks for the gateway or nat external ip and sends that as the ip information to the service that the user has. it seems like a new idea and i think the closest thing i can give ya is go2mypc. but i did read in an article (wish i saved a link) that it is possible. i just don't know myself. but look for services that offer it, something might come up.

also, another thing you should bring up is that hardware based firewall or nat systems, when exploits are found it's harder in some cases to patch the system because a firmware upgrade is needed. as opposed to a software product that symantec has, all you do is go to their update servers.

depending on how "ghetto" your nat box is, try using a unix or linux system with some programs that spoof the source ip address. i think netcap, juggernaut and hping can do it. and basically try to ping something behind the nat. this is a very old nat exploit that usually won't work but it's worth a shot. it's basically a way of connecting directly through the nat.
Connections can be initiated from the inside, and do offer a vector of infection, which I was trying to point out.
Dynamic DNS 'clients' simply monitor the IP address of the router and update the DNS host's zone record, they do not listen on any port.
I've yet to see a nat router with no ports open allow connections to internal targets to be initiated. How exactly would one address such a packet?

Other than denial of service issues, there's not much you can do from the outside.
twgonder (Author) commented:
For the purpose of this article, I am focusing on just the NAT issue.  This is not the case for the network's security efforts though.  We have had virus/worm attacks that have exploited the null password on administrator environment.

The boss says, "check their Norton stuff, I can't be bothered with passwords."  We all know that NAV is a dollar and day short on stopping anything.  What I'd like to know, is a private internal network sitting behind a NAT device (DSL router) really safe from pure external attacks?  I know the theory, now how about the reality?
twgonder (Author) commented:
Please close this topic.  Doesn't seem to have been answered. Thanks.
I think your question was:
Are there any known vulnerabilities of NAT?
and I think we've answered that,
as far as addressing the public (nat) address to gain entry:
 no, unless you're port forwarding to a machine with a vulnerability on that port
though there are numerous other avenues of attack.
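
The point made in the answers above (a packet from outside is only delivered to a LAN host if a session started from inside or a configured port forward says where it goes), modelled as an added example that is not part of the original thread. The addresses are constructed, and matching replies on the exact remote endpoint is an assumption; consumer routers differ in how strictly they filter.

```python
# Added illustration: a minimal model of a port-translating NAT (NAPT) table.
# All addresses are constructed (documentation / private ranges).
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed WAN address of the router


@dataclass
class Nat:
    forwards: dict = field(default_factory=dict)  # public port -> (lan ip, lan port)
    sessions: dict = field(default_factory=dict)  # (public port, remote ip, remote port) -> lan endpoint
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router allocates a public port."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) a WAN packet is delivered to, or None if dropped."""
        # 1. Reply traffic belonging to a session that a LAN host started.
        hit = self.sessions.get((public_port, remote_ip, remote_port))
        if hit:
            return hit
        # 2. Static port forward set up by the administrator.
        return self.forwards.get(public_port)  # None: no mapping, packet is dropped


def demo():
    nat = Nat()
    results = {}
    # Unsolicited packet to the public address: nothing says which LAN host it is for.
    results["unsolicited"] = nat.inbound("198.51.100.7", 51000, 445)
    # A LAN client connects out; only that remote endpoint can answer on the new port.
    port = nat.outbound("192.168.1.23", 1055, "198.51.100.7", 80)
    results["reply"] = nat.inbound("198.51.100.7", 80, port)
    results["other_remote"] = nat.inbound("198.51.100.99", 80, port)
    # A port forward exposes whatever service listens on that LAN host and port.
    nat.forwards[3389] = ("192.168.1.23", 3389)
    results["forwarded"] = nat.inbound("198.51.100.99", 51000, 3389)
    return results


if __name__ == "__main__":
    for case, dest in demo().items():
        print(f"{case:13} -> {dest}")
```

The "reply" case is also why an outbound connection made by malware on a client works through the router: the session entry is created from the inside, which is the reason the missing passwords and egress monitoring matter regardless of NAT.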

It is NOT TRUE that computers behind a device using NAT are inaccessible. Any hacker who uses source routing can gain access to the internal network. The risk of such an attack is minimal, though, because the hacker must know your weakness. Hackers normally just scan public addresses to find open ports and as your NAT device is not using port forwarding, the hacker won't find the vulnerability of your network.