Solved

NAT and port scanning

Posted on 2012-04-02
811 Views
Last Modified: 2012-04-10
Can you still scan a server (portscan) remotely if NAT seems to be in operation. For example we were given a list of 8 external IP addresses, when you ping them you get a response from another IP (not the one we tried to ping). Would that prevent us being able to port scan these systems? Or would it just affect the ping response? How can you port scan these systems if NAT is in use?
Question by:pma111
18 Comments
 
LVL 17

Accepted Solution

by: Anuroopsundd (earned 100 total points)
If the 8 external IPs are behind the NAT, you cannot scan them, as you will be scanning the NAT gateway. You cannot scan these machines, but you can scan the ports of the NAT gateway.
 
LVL 2

Assisted Solution

by: 4drahil (earned 100 total points)
It all depends on the type of NAT in use.

With basic NAT that does 1-to-many, the results may be skewed, as there may be open ports that are forwarded to different remote hosts.

Static 1-1 NAT would most likely result in a true approximation of the open ports on the system.

NAPT, or many-to-1, would most likely result in a true approximation of the open ports on the system, depending on how it is implemented.

IP masquerading will probably result in a true approximation also, but the response may come from a different host.
 
LVL 3

Author Comment

by:pma111
So there's no way to port scan the systems from the outside? How would you do a remote vulnerability assessment of the systems under the context of an outsider if you can't portscan them? Could this still be done?
 
LVL 2

Expert Comment

by:4drahil
See my comment above; it is most likely that the system has some kind of IP masquerading going on where all 8 addresses resolve to 1 physical machine.

If you ping each address, do the responses all come from the same address? If so, try using something like nmap on all 8 addresses; if they all resolve to the same machine you should get the same result 8 times.

To judge correctly you really need to know what kind of NATing is going on.
 
LVL 90

Assisted Solution

by: John Hurst (earned 100 total points)
If NAT is in use, and let us say the NAT range is 192.168.1.x, then that range is in use all over the world. So the short answer is: no, you cannot directly ping an internal NAT address.

You can do it if you have a VPN tunnel set up. I do this all the time.

.... Thinkpads_User
 
LVL 3

Author Comment

by:pma111
>>If you ping each address do the responses all come from the same address?

Interestingly, no, not all do.
 
LVL 17

Expert Comment

by:Anuroopsundd
They can have multiple NAT IPs also.
 
LVL 3

Author Comment

by:pma111
I am struggling to see how remote security guys can run vulnerability scanners against their public IP range with this kind of thing in place. It's often a requirement that a security team run a vuln scanner/tool against the public IP simulating the rights an outsider has, but if they can't query the systems, how can they do this?
 
LVL 17

Expert Comment

by:Anuroopsundd
It depends upon the type of scanning and the agreement made. If their network is not reachable, you can scan from the outer network to see what ports are open and what else you can detect. The company can provide you access to their network on premises or by VPN connection, or they may want to check whether they are vulnerable from the outside world.

 
LVL 27

Assisted Solution

by: Jason Watkins (earned 100 total points)
Make one of the hosts behind the NAT a DMZ host. In that context, it operates as if it were in front of the NAT.
 
LVL 3

Author Comment

by:pma111
>>scan from outer network

What's the definition of an outer network?
 
LVL 17

Expert Comment

by:Anuroopsundd
By outer network I mean scanning the network accessible through the Internet for vulnerabilities.
 
LVL 51

Assisted Solution

by: Keith Alabaster (earned 100 total points)
The position of NAT/no NAT is not relevant. The port scan is run against the public IP/IPs and each of the ports. If a port is found to be open or listening, then it is reported as such. If nothing is found, then it is shown as clean.

From an external checking perspective, that is the main reason for running a scan. The results are then compared against your security policy. If they match - great.... if they don't then corrective measures are put forward.

If you have eight IP addresses, only a portion of these will be usable once you have assigned a broadcast address and an IP for the router/firewall itself. There are only a couple of ways these addresses can be used:

1-1 NAT directly to an internal device, multiple IPs on the router/firewall external interface which reply to ARP requests, and so on.
 
LVL 3

Author Comment

by:pma111
Thanks Keith, makes a little more sense.

Can I ask though (you'll have to speak to me in layman's management terms): when you say that if you have a list of 8 public IP addresses, "only a portion of these will be useable once you have assigned a broadcast address and an ip for the router/firewall itself" - how can you then scan the other 6 systems? Or can't you? Or how do you know what you are scanning?

Say you have 8 systems, all with their own IP. How can you scan all 8 if, say, you only have 2 left after "you have assigned a broadcast address and an ip for the router/firewall itself", and what will those 2 represent?

Excuse my ignorance :)
 
LVL 51

Expert Comment

by:Keith Alabaster
Nothing to do with ignorance - we have all been where you are now.

This depends on the tool you have used to front those addresses. For example, using an ISA Server or Forefront TMG, these devices allow a single IP address to front up multiple web sites because they can read the web host header in the packet, but this digresses from the question - and the point.

Each IP address - whether it be a real IP address assigned to a NIC or a 'virtual' IP that the router/firewall holds and just ARPs responses back for - is still a tangible entity. To take this up a level, let's say you have a block from 217.155.82.112 - 217.155.82.119. The .119 is your broadcast address and the .112 is the network ID - neither of which can be assigned - so this leaves you with 6 IP addresses.

I assign the .116 to the external interface of my external firewall along with the .117 and the .118 giving three addresses. I also create a 1:1 NAT to one of my DMZ boxes and use the .115 address. I don't bother assigning the .113 and the .114 address to anything - I just ignore them for the moment.

I tell my firewall to listen for SMTP traffic on port 25 on the .116 address and then to forward any interesting traffic that matches this scenario to my internal mail server. I tell it to listen for HTTP & HTTPS traffic on .117 and to forward this to my internal web server, RDP on port 3389 using the .118 address, etc. I also tell it to 'pass through' any VPN traffic directly to the .115 address.

Running a port scan externally against each of the IP addresses - individually - will only return the open ports that my config has permitted (not necessarily the same as my security policy intended......). A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything.

As I mentioned above, whether an address is NATted or just forwarded does not come into the equation at all.

Probably rambled a bit here but I am also on the phone.......
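To make Keith's walk-through concrete, here is an added example (not code from the thread) that models his /29 block and the forwarding rules he describes, then compares a constructed external scan result against the exposure the policy intends, which is exactly the check he says the scan exists for. The 443 entry for the .115 VPN pass-through and the scan results are assumptions.

```python
# Added example: model the 217.155.82.112/29 block from the comment, the
# per-address forwarding rules, and compare a scan result with intent.
import ipaddress

BLOCK = ipaddress.ip_network("217.155.82.112/29")

# Public IP -> TCP ports the firewall is told to listen on / forward.
# .115 is the 1:1 NAT to the DMZ box with VPN passed through; port 443
# for it is an assumption, the rest are as stated in the comment.
INTENDED_EXPOSURE = {
    "217.155.82.115": {443},
    "217.155.82.116": {25},
    "217.155.82.117": {80, 443},
    "217.155.82.118": {3389},
}

def usable_hosts(block):
    """Network ID and broadcast cannot be assigned; everything else can."""
    return [str(h) for h in block.hosts()]

def expected_open(ip):
    """Unassigned addresses (.113, .114) should come back clean."""
    return INTENDED_EXPOSURE.get(ip, set())

def compare_scan(scan_result):
    """scan_result: {ip: set(open ports)} as reported by the external scan.
    Returns {ip: (unexpected_open, missing)} for every usable address in
    the block where what was observed differs from what was intended."""
    findings = {}
    for ip in usable_hosts(BLOCK):
        observed = set(scan_result.get(ip, set()))
        intended = expected_open(ip)
        unexpected, missing = observed - intended, intended - observed
        if unexpected or missing:
            findings[ip] = (unexpected, missing)
    return findings

# Constructed scan output: .118 also exposes 445 and the supposedly
# unassigned .114 answers on 22, both of which the policy did not intend.
SAMPLE_SCAN = {
    "217.155.82.115": {443},
    "217.155.82.116": {25},
    "217.155.82.117": {80, 443},
    "217.155.82.118": {3389, 445},
    "217.155.82.114": {22},
}

if __name__ == "__main__":
    for ip, (extra, missing) in compare_scan(SAMPLE_SCAN).items():
        print(ip, "unexpected:", sorted(extra), "missing:", sorted(missing))
```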
 
LVL 3

Author Comment

by:pma111
OK thanks, I think I have some reading to do!
 
LVL 3

Author Comment

by:pma111
Can you just confirm what a clean report means?

"A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything."
 
LVL 51

Expert Comment

by:Keith Alabaster
It would mean that nothing would be found against those addresses. As they will not have been assigned to an interface (NAT or not), there will be nothing to respond. Picture it as being your telephone number - the telephone number is yours, but until you plug a telephone handset into the socket, nothing can ring should anyone ever try to dial it, i.e. NO RESPONSE. The same is the case with assigned IP addresses - they are yours to use but are not really in physical existence until you apply them to interfaces.

As above, we have all been where you are so don't worry about asking what may sound silly/naive questions. The only difference between us is that I was asking these questions 30+ years ago when I started with IBM :)