Solved

NAT and port scanning

Posted on 2012-04-02
962 Views
Last Modified: 2012-04-10
Can you still scan a server (port scan) remotely if NAT seems to be in operation? For example, we were given a list of 8 external IP addresses; when you ping them you get a response from another IP (not the one we tried to ping). Would that prevent us from being able to port scan these systems? Or would it just affect the ping response? How can you port scan these systems if NAT is in use?
Question by:pma111
18 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 400 total points
ID: 37795953
If the 8 external IPs are behind the NAT you cannot scan them, as you will be scanning the NAT gateway. You cannot scan these machines, but you can scan the ports of the NAT gateway.
 
LVL 2

Assisted Solution

by:4drahil
4drahil earned 400 total points
ID: 37795960
It all depends on the type of NAT in use.

With basic NAT that does 1-to-many, the results may be skewed, as there may be ports open that are forwarded to different remote hosts.

Static 1-to-1 NAT would most likely result in a true approximation of the open ports on the system.

NAPT or many-to-1 would most likely result in a true approximation of the open ports on the system, depending on how it is implemented.

IP masquerading will probably result in a true approximation also, but the response may come from a different host.
 
LVL 3

Author Comment

by:pma111
ID: 37795961
So there's no way to port scan the systems from the outside? How would you do a remote vulnerability assessment of the systems in the context of an outsider if you can't port scan them? Could this still be done?
 
LVL 2

Expert Comment

by:4drahil
ID: 37795977
See my comment above: it is most likely that the system has some kind of IP masquerading going on, where all 8 addresses resolve to 1 physical machine.

If you ping each address, do the responses all come from the same address? If so, try using something like nmap on all 8 addresses; if they all resolve to the same machine you should get the same result 8 times.

To judge correctly you really need to know what kind of NATing is going on.
 
LVL 98

Assisted Solution

by:John Hurst
John Hurst earned 400 total points
ID: 37795983
If NAT is in use, and let us say the NAT range is 192.168.1.x, then that range is in use all over the world. So the short answer is: no, you cannot directly ping an internal NAT address.

You can do it if you have a VPN tunnel set up. I do this all the time.

.... Thinkpads_User
 
LVL 3

Author Comment

by:pma111
ID: 37795998
>> If you ping each address do the responses all come from the same address?

Interestingly, no, not all of them do.
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796014
They can have multiple NAT IPs as well.
 
LVL 3

Author Comment

by:pma111
ID: 37796039
I am struggling to see how remote security guys can run vulnerability scanners against their public IP range with this kind of thing in place. It's often a requirement that a security team run a vulnerability scanner/tool against the public IPs, simulating the rights an outsider has, but if they can't query the systems, how can they do this?
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796057
It depends upon the type of scanning and the agreement made. If their network is not reachable, you can scan from the outer network to see what ports are open and what else you can detect. The company can provide you access to their network on premises or by VPN connection, or they may want to check whether they are vulnerable from the outside world.
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 400 total points
ID: 37796070
Make one of the hosts behind the NAT a DMZ host. In that context, it operates as if it were in front of the NAT.
 
LVL 3

Author Comment

by:pma111
ID: 37796143
>> scan from outer network

What's the definition of an outer network?
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796293
By outer network I mean scanning the network accessible through the Internet for vulnerabilities.
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 400 total points
ID: 37799760
The position of NAT/no NAT is not relevant. The port scan is run against the public IP(s) and each of the ports. If a port is found to be open or listening then it is reported as such. If nothing is found then it is shown as clean.

From an external checking perspective, that is the main reason for running a scan. The results are then compared against your security policy. If they match, great; if they don't, then corrective measures are put forward.

If you have eight IP addresses, only a portion of these will be usable once you have assigned a broadcast address and an IP for the router/firewall itself. There are only a couple of ways these addresses can be used:

1-to-1 NAT directly to an internal device, multiple IPs on the router/firewall external interface which reply to ARP requests, and so on.
 
LVL 3

Author Comment

by:pma111
ID: 37800478
Thanks Keith, that makes a little more sense.

Can I ask though (you'll have to speak to me in layman's management terms): when you say that if you have a list of 8 public IP addresses, "only a portion of these will be useable once you have assigned a broadcast address and an ip for the router/firewall itself", how can you then scan the other 6 systems? Or can't you? Or how do you know what you are scanning?

Say you have 8 systems, all with their own IP; how can you scan all 8 if, say, you only have 2 left after "you have assigned a broadcast address and an ip for the router/firewall itself", and what will those 2 represent?

Excuse my ignorance :)
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37802084
Nothing to do with ignorance; we have all been where you are now.

This depends on the tool you have used to 'front' those addresses. For example, using an ISA Server or Forefront TMG, these devices allow a single IP address to front up multiple web sites because they can read the web host header in the packet, but this digresses from the question and the point.

Each IP address, whether it is a real IP address assigned to a NIC or a 'virtual' IP that the router/firewall holds and just ARPs responses back for, is still a tangible entity. To take this up a level, let's say you have a block from 217.155.82.112 to 217.155.82.119. The .119 is your broadcast address and the .112 is the network ID, neither of which can be assigned, so this leaves you with 6 IP addresses.

I assign the .116 to the external interface of my external firewall along with the .117 and the .118, giving three addresses. I also create a 1:1 NAT to one of my DMZ boxes and use the .115 address. I don't bother assigning the .113 and the .114 addresses to anything; I just ignore them for the moment.

I tell my firewall to listen for SMTP traffic on port 25 on the .116 address and then to forward any interesting traffic that matches this scenario to my internal mail server. I tell it to listen for HTTP & HTTPS traffic on .117 and to forward this to my internal web server, RDP on port 3389 using the .118 address, etc. I also tell it to 'pass through' any VPN traffic directly to the .115 address.

Running a port scan externally against each of the IP addresses, individually, will only return the open ports that my config has permitted (not necessarily the same as my security policy intended......). A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything.

As I mentioned above, whether an address is NATted or just forwarded does not come into the equation at all.

Probably rambled a bit here, but I am also on the phone.......
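A worked model of Keith's scenario above, added here as an example (not code from the thread or any product): it derives the assignable addresses of the /29 block, simulates what an external port scan reports per address under his forwarding configuration, and diffs that against a security policy, the way the earlier comment describes comparing scan results to policy. The VPN ports, the scanned port list and the policy itself are constructed assumptions.

```python
import ipaddress

# Public block from Keith Alabaster's example: .112 is the network ID and
# .119 the broadcast, leaving six assignable addresses (.113 to .118).
BLOCK = ipaddress.ip_network("217.155.82.112/29")

# What the firewall has been told to front, per public address
# (address -> {port: what it forwards to}). Addresses absent from this map
# (.113 and .114) are assigned to nothing and never answer. Modelling the
# .115 VPN pass-through as IPsec (UDP 500/4500) is an assumption.
FIREWALL_EXPOSURE = {
    "217.155.82.115": {500: "VPN pass-through (1:1 NAT) to DMZ host",
                       4500: "VPN pass-through (1:1 NAT) to DMZ host"},
    "217.155.82.116": {25: "SMTP forwarded to internal mail server"},
    "217.155.82.117": {80: "HTTP forwarded to internal web server",
                       443: "HTTPS forwarded to internal web server"},
    "217.155.82.118": {3389: "RDP forwarded to an internal host"},
}

# Constructed security policy: what is intended to be reachable from the
# Internet. RDP on .118 is deliberately absent, so the config permits more
# than the policy intended, which is what the external scan should reveal.
SECURITY_POLICY = {
    "217.155.82.115": {500, 4500},
    "217.155.82.116": {25},
    "217.155.82.117": {80, 443},
}


def usable_addresses(block):
    """Assignable addresses: the network ID and broadcast are excluded."""
    return [str(host) for host in block.hosts()]


def simulate_external_scan(block, exposure, ports=(22, 25, 80, 443, 500, 3389, 4500)):
    """Model what an outside scan of each address reports: a port is open only
    if the firewall fronts it there (NAT vs. forwarding makes no difference);
    an unassigned address has nothing listening and comes back clean."""
    return {addr: {p for p in ports if p in exposure.get(addr, {})}
            for addr in usable_addresses(block)}


def compare_to_policy(scan, policy):
    """Diff scan results against the policy; every mismatch is a finding."""
    findings = []
    for addr, open_ports in scan.items():
        allowed = policy.get(addr, set())
        for port in sorted(open_ports - allowed):
            findings.append((addr, port, "open but not permitted by policy"))
        for port in sorted(allowed - open_ports):
            findings.append((addr, port, "permitted by policy but not open"))
    return findings
```

Running `compare_to_policy(simulate_external_scan(BLOCK, FIREWALL_EXPOSURE), SECURITY_POLICY)` returns a single finding for RDP on .118, while .113 and .114 come back with no open ports at all.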
 
LVL 3

Author Comment

by:pma111
ID: 37805274
OK thanks, I think I have some reading to do!
 
LVL 3

Author Comment

by:pma111
ID: 37805276
Can you just confirm what a clean report means:

"A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything."
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37806006
It would mean that nothing would be found against those addresses. As they will not have been assigned to an interface (NAT or not), there will be nothing to respond. Picture it as being your telephone number: the telephone number is yours, but until you plug a telephone handset into the socket, nothing can ring should anyone ever try to dial it, i.e. NO RESPONSE. The same is the case with assigned IP addresses: they are yours to use, but they are not really in physical existence until you apply them to interfaces.

As above, we have all been where you are, so don't worry about asking what may sound like silly/naive questions. The only difference between us is that I was asking these questions 30+ years ago when I started with IBM :)