Recipe to bust through NAT - for a good purpose.

Posted on 2003-11-19
Last Modified: 2013-12-04

For years I've been programming business apps, not hacking.  I can get around NT but am not super learned on all the network internals.

I'm working at a company where the boss thinks NAT will protect all the internal clients/servers.  A DSL line, DSL modem, and Linksys DSL router stand between the clients and the Internet.  DHCP is enabled on the Linksys.  Because he believes so much in NAT, we don't have passwords on any of the clients, and users often log on as administrator! I know, it's bad.

Without knowing anything about the network, besides the IP address of the cable modem, can someone provide a (simple?) recipe to get to an internal client (ex., and leave evidence of the intrusion.  I suspect several external hackers have done so already.

I don't want to do damage, but I want to PROVE that a half-way savvy hacker can poke through his "security" model.  Maybe then I can get him to see the wisdom of at least passwords.

The clients range from Win 98 to XP Pro.  All flavors.

I've read many of the posts about security here.  So there isn't a need to repeat NAT's ability to protect--I'll just assume it doesn't and wait for the proof.

Question by:twgonder

Expert Comment

ID: 9781447
Just do a port scan on his public IP; that will show all the vulnerabilities.

I don't know if much more can be discussed, as your motive is good, but that's not saying that everyone that reads this will have the same motive.

A decent free scanner is nmap; this way you can find the open ports and create a report to show what you discovered. Post the open ports here and we will tell you what could be accessing those. The router does have minimal protection though.

If you go to a command prompt on one of the suspected hacked computers and type "netstat -a" and either research or paste the results, we can probably give you a better feel for what is on your machines.

Good luck, a little googling should provide most of the info you need.

LVL 18

Expert Comment

ID: 9785228
You might want to drop a sniffer on your WAN segment to look for outbound evidence of compromise.
Internal users can become compromised when someone brings their infected laptop in, visits a malicious web page, opens infected email attachments, etc.
Distributed denial of service installations will often use ICQ to get instructions; worms will do IP scans or start sending mail.

Nessus or a demo of ISS will create a report of the vulnerabilities.

Author Comment

ID: 9801630
I know packets can get out via various malware.  What I'm looking for is a demonstrable way to get to a local address through NAT.

Scanning the DSL router shows port 80 open, and this is for administration.  The default password has been changed on the router and there isn't any evidence that someone has forwarded ports to an internal IP.

As to my "good" intent, most anyone on this site probably isn't looking for hack info; this can be found elsewhere.  If NAT can be defeated, then we are all better served on how to protect against such an intrusion.

LVL 18

Expert Comment

ID: 9801813
You'd have to investigate vulnerabilities of the device itself. From a strictly protocol standpoint, you can't establish a connection from the outside. My point was that NAT in and of itself does not provide a secure environment. To focus on it is to ignore 90% of the considerations in securing your network.

Expert Comment

ID: 9802056
Tell the boss that programs like Kazaa can easily get past NAT devices, which basically breaks security because it's a gateway for illegal porn, applications, movies, music, and a drain on network bandwidth.

Also, services like this -
make it possible to do port forwarding through NAT devices.

Also, there are free dynamic DNS programs that, when installed on a host system, allow access through NAT.

But maybe, you never know, his "security model" may work. If nothing else, just leave it be. It may not be hacked or attacked by a virus for a while to come. But when it happens, just make sure you say "I told you so".
LVL 18

Expert Comment

ID: 9802609
>Also, there are free dynamic DNS programs that, when installed on a host system, allow access through NAT.
If you mean that a vulnerability exists, do you have a citation?

Expert Comment

ID: 9804611
It's not a "vulnerability". It's just how NAT is meant to work.
I don't know exactly how to set up a dynamic DNS host behind a NAT yet because I haven't had time to experiment. But it works in the sense that the DNS client program scans and looks for the gateway or NAT external IP and sends that as the IP information to the service that the user has. It seems like a new idea and I think the closest thing I can give you is go2mypc. But I did read in an article (wish I saved a link) that it is possible. I just don't know myself. But look for services that offer it; something might come up.

Also, another thing you should bring up is that with hardware-based firewall or NAT systems, when exploits are found it's harder in some cases to patch the system because a firmware upgrade is needed. As opposed to a software product that Symantec has, where all you do is go to their update servers.

Depending on how "ghetto" your NAT box is, try using a Unix or Linux system with some programs that spoof the source IP address. I think netcap, juggaurnut and hping can do it. And basically try to ping something behind the NAT. This is a very old NAT exploit that usually won't work, but it's worth a shot. It's basically a way of connecting directly through the NAT.
LVL 18

Expert Comment

ID: 9805240
Connections can be initiated from the inside, and do offer a vector of infection, which I was trying to point out.
Dynamic DNS 'clients' simply monitor the IP address of the router and update the DNS host's zone record; they do not listen on any port.
I've yet to see a NAT router with no ports open allow connections to internal targets to be initiated. How exactly would one address such a packet?

Other than denial of service issues, there's not much you can do from the outside.

Author Comment

ID: 9808094
For the purpose of this article, I am focusing on just the NAT issue.  This is not the case for the network's security efforts though.  We have had virus/worm attacks that have exploited the null password on the administrator environment.

The boss says, "check their Norton stuff, I can't be bothered with passwords."  We all know that NAV is a dollar and a day short on stopping anything.  What I'd like to know is: is a private internal network sitting behind a NAT device (DSL router) really safe from pure external attacks?  I know the theory, now how about the reality?

Author Comment

ID: 10045778
Please close this topic.  Doesn't seem to have been answered. Thanks.
LVL 18

Accepted Solution

chicagoan earned 500 total points
ID: 10046608
I think your question was:
Are there any known vulnerabilities of NAT?
and I think we've answered that.
As far as addressing the public (NAT) address to gain entry:
no, unless you're port forwarding to a machine with a vulnerability on that port,
though there are numerous other avenues of attack.
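The accepted answer, and the earlier question "how exactly would one address such a packet?", come down to the state table a port-overloading NAT keeps. The following added example (not code from this thread or from any router vendor) is a deliberately small Python model of that table, with behaviour that is an assumption of the example rather than a description of the Linksys firmware: an outbound packet creates a mapping, a reply that matches the mapping is delivered to the LAN host, an unsolicited inbound packet with no mapping and no static forward is dropped, and a configured port forward hands a public port straight to one internal machine. All addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the fields a NAT looks at: addresses, ports and protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


Key = Tuple[str, int]  # (proto, port on the public side)


class NatRouter:
    """Simplified model (assumption) of a PAT router with an optional static forward table."""

    def __init__(self, public_ip: str,
                 port_forwards: Optional[Dict[Key, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.next_port = 40000  # first dynamic public port handed out
        # Dynamic entries created by outbound traffic:
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table: Dict[Key, Tuple[str, int, str, int]] = {}
        # Static entries an administrator configured ("port forwarding"):
        # (proto, public_port) -> (inside_ip, inside_port)
        self.port_forwards: Dict[Key, Tuple[str, int]] = dict(port_forwards or {})

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN and remember how to route the reply."""
        for (proto, pub_port), (iip, iport, rip, rport) in self.table.items():
            if (proto, iip, iport, rip, rport) == (pkt.proto, pkt.src_ip, pkt.src_port,
                                                  pkt.dst_ip, pkt.dst_port):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        public_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port,
                                                pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet arriving from the Internet, or return None when it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None                      # nothing else is routable from outside
        key = (pkt.proto, pkt.dst_port)
        if key in self.port_forwards:        # static forward: the host is exposed
            iip, iport = self.port_forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, iip, iport, pkt.proto)
        entry = self.table.get(key)
        if entry is None:
            return None                      # no mapping: the packet has no inside address
        iip, iport, rip, rport = entry
        if (pkt.src_ip, pkt.src_port) != (rip, rport):
            return None                      # mapping belongs to a different remote peer
        return Packet(pkt.src_ip, pkt.src_port, iip, iport, pkt.proto)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.10")
    probe = Packet("198.51.100.1", 4444, "203.0.113.10", 445)
    print("unsolicited probe to 445:", nat.inbound(probe))          # None
    out = nat.outbound(Packet("192.168.1.20", 1040, "198.51.100.9", 80))
    print("translated outbound:", out)
    print("reply:", nat.inbound(Packet("198.51.100.9", 80, "203.0.113.10", out.src_port)))
    fwd = NatRouter("203.0.113.10", {("TCP", 80): ("192.168.1.5", 80)})
    print("forwarded port 80:", fwd.inbound(Packet("198.51.100.1", 4444, "203.0.113.10", 80)))
```

The model makes the thread's two points concrete: with an empty table and no forwards, `inbound()` has nowhere to send a packet, so scanning the public address finds nothing behind it; the moment a forward entry exists, whatever listens on that internal host is reachable, and the thread's other concerns (malware that connects outward, infected laptops carried inside) all enter through `outbound()`, which NAT never blocks.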

Expert Comment

ID: 13232893
It is NOT TRUE that computers behind a device using NAT are inaccessible. Any hacker who uses source routing can gain access to the internal network. The risk of such an attack is though minimal because the hacker must know your weakness. Hackers normally just scan public addresses to find open ports, and as your NAT device is not using port forwarding, the hacker won't find the vulnerability of your network.
