+ Reply to Thread
Results 1 to 10 of 10
  1. Senior Member /usr's Avatar
    Join Date
    Dec 2003
    Location
    West Virginia
    Posts
    1,776
    #1

    Default Question about port scans

    After all this studying, I'm feeling dumb. The whole CEH book assumes you can scan the pc, find out info, etc...but if the pc is behind a router which performs NAT (which almost all do now) then that whole concept goes out the window, right? So what do you do...?
    Reply With Quote Quote  

  2. SS -->
  3. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #2
    What you need to do is perform several recon "attacks" to discover the topology of the network behind the router. You first need to discover the IP addressing scheme and net mask of the segment(s). You can start by guessing they are using a scheme defined in RFC 1918, or even Microsoft's APIPA. Some people like to screw up the net mask by using classless addressing (e.g., 10.0.0.0/24), so consider that.

    Once you know the IP address ranges, you can perform ping, UDP, and TCP scans to identify all network hosts. Chances are the private network will also be using a firewall, so your scanning won't work unless there are some pretty careless holes in the ACLs. ICMP may be blocked, so ping sweeps won't work. The firewall should also block all packets with internal IP addresses that are inbound from the public network.

    If the firewall is setup properly, then sniff all in/outbound packets looking for unencrypted clues that can reveal info. You can get an idea of what ports are being used, and therefore what services are being run on the private network. Some of these services may have vulnerabilities that can be exploited.

    You also need to try and determine if the router/firewall can be managed from the outside (public) network. You might be able to telnet into the router, or sniff an SNMP or HTTP management session, and pick up topology info (and possibly gain control and disable the firewall). Use a sniffer to see if any NetBIOS, CDP, or routing protocol packets are leaking out on to the public network and revealing any useful private network topology info.

    I recommend the book Hacking Exposed, 4th ed., for some really good exercises and case studies on this subject.
    Reply With Quote Quote  

  4. Senior Member /usr's Avatar
    Join Date
    Dec 2003
    Location
    West Virginia
    Posts
    1,776
    #3
    Late reply...

    What I was meant was, it is not possible to scan hosts when a router is doing NAT, even if you know the address range behind the router.
    Reply With Quote Quote  

  5. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #4
    True, it is impossible to initiate a connection from the public side to the private side in a typical NAT config (public-private translation). If the hacker wouldn't give up because of that, he would try to hack the router first performing NAT first. Or, he would try to send Trojan Horses to implement malicious code on one of the internal clients that would initiate the connecting instead, allowing the hacker on the public side to 'reply'.

    I honestly don't know how much the situation has improved since security became a hot issue, but I've encountered several networks where the external (border-) router was easier to attack than the average internal Windows NT file server.
    Reply With Quote Quote  

  6. Senior Member /usr's Avatar
    Join Date
    Dec 2003
    Location
    West Virginia
    Posts
    1,776
    #5
    Then again, web servers are more commonly hacked than internal file servers anyway...and you could scan those.

    Usually any type of internal access will have to be done with some sort of social engineering. If you can port scan a companies internal machines, they are just asking for it.
    Reply With Quote Quote  

  7. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #6
    [quote="LostInSpace"]Then again, web servers are more commonly hacked than internal file servers anyway...and you could scan those./quote]Yes, and that's why companies really shouldn't attach webservers to their LAN or WAN unless they have a really good reason. Placing it at a decent host is often much safer.

    Usually any type of internal access will have to be done with some sort of social engineering. If you can port scan a companies internal machines, they are just asking for it.
    Yeah, with a decent firewall (i.e. PIX or Checkpoint) configured by a competent professional you have a lot less to worry about attackers using the front door to enter, by technical means.
    Reply With Quote Quote  

  8. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #7
    You can try spoofing packets with common, private IP address ranges and seeing if the gateway device will pass them through. If the device isn't using SPI--or any kind of packet inspection at all--then that might be your ticket. ACL rules will also reject packets with private IPs as source IPs.

    It's best to try discovering and compromising the border device and then work your way inward. Of course, even a little tickle on a router may trigger IDS alarms. Not knowning if the scanning is throwing alsrms that are noticed immediatly by a human is the part that always concerns me.
    Reply With Quote Quote  

  9. Senior Member
    Join Date
    Jun 2004
    Posts
    701

    Certifications
    A couple.
    #8

    Default Re: Question about port scans

    Quote Originally Posted by /usr
    After all this studying, I'm feeling dumb. The whole CEH book assumes you can scan the pc, find out info, etc...but if the pc is behind a router which performs NAT (which almost all do now) then that whole concept goes out the window, right? So what do you do...?
    you are correct that nat'd addresses are not routable over the internet...others are correct about scoping out the boarder devices to see what they tell you. Even though they are performing nat, there are usually ports open that can be used to forward you to inside devices...all you have to do is find one hole and start working it. A lot of devices now come with a ingress filter for internal addresses.......
    Reply With Quote Quote  

  10. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #9

    Default Re: Question about port scans

    Quote Originally Posted by Ten9t6
    A lot of devices now come with a ingress filter for internal addresses.......
    Yeah, it's simply too easy to construct ACLs in a firewall that do not permit packets that have internal addresses as source addresses to enter a private network.

    I would attempt to locate any DMZ hosts behind the firewall that may have a trust relationship with the private (protected) hosts and work from there. (You gotta love the default, two-way transitive trust relationship in W2K AD. It made things much easier for the admins, but also for the crackers... )
    Reply With Quote Quote  

  11. Senior Member
    Join Date
    Jun 2004
    Posts
    701

    Certifications
    A couple.
    #10
    yes...its always nice to find a domain controller out there...
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks