Difference between pages "NAT detection" and "Visualizing Web History"

From ForensicsWiki
'''NAT detection''' is the process of identifying hosts that run [[Network Address Translator | Network Address Translators]] (NATs).

== Approaches ==

=== Active detection ===

==== Port scanning ====

Some software [[Network Address Translator | NAT]] solutions (such as [http://www.kerio.com/kwf_firewall.html Kerio WinRoute Firewall]), as well as many hardware solutions, provide a control port through which users monitor and manage the device (e.g. using a web browser). These control ports can easily be detected by port scanning (see [[Nmap]]).

==== Routing test ====

Some improperly configured [[Network Address Translator | NATs]] also translate IP packets that arrive from the external network. A routing test can detect these translators by attempting to contact an external server (e.g. ''forensicswiki.org:80'') with the local routing table modified so that the packets are sent via the suspected host; if the connection succeeds, that host translated them.

=== Passive detection ===

==== IP TTL ====

[[Network Address Translator | Network Address Translators]] decrement the IP TTL of every packet they translate, so the TTL observed from a translated host is lower than its OS's initial TTL and hop distance alone would explain.

==== Leaked real IP address ====

Some network protocols leak the real IP address of a client. These protocols include:

* SMTP, HELO/EHLO commands:

<pre>
  These commands are used to identify the SMTP client to the SMTP
  server.  The argument field contains the fully-qualified domain name
  of the SMTP client if one is available.  In situations in which the
  SMTP client system does not have a meaningful domain name (e.g., when
  its address is dynamically allocated and no reverse mapping record is
  available), the client SHOULD send an address literal (see section
  4.1.3), optionally followed by information that will help to identify
  the client system.
</pre>

(see RFC 2821)

* DNS, reverse lookups to an external DNS server:

Reverse DNS lookups made to an external DNS server can leak information about hosts in an internal network.

* Oscar (ICQ), MSN, MRA (Mail.Ru Agent), direct connections.

==== Strict source port translation ====

Some network protocols always send from a fixed source port. These protocols include NTP and Valve.

Non-heuristic port translators (such as ICS in [[Windows]]) always rewrite source port numbers, so traffic from such a protocol that arrives with an unexpected source port has passed through a translator.

==== [[OS fingerprinting]] ====

[[Network Address Translator | Network Address Translators]] can be detected by passively fingerprinting all transferred IP packets.

Generally, a single host will not produce different OS fingerprints within a short period of time, so differing fingerprints seen from one address indicate several hosts behind it. The method can be extended to distinguishing hosts that run the same [[OS]] by tracking their IP IDs and [[TCP timestamps]].
 
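The TTL and TCP timestamp checks described under Passive detection, as an added Python illustration that is not part of this wiki page or of the tools listed below: it groups the packets seen from one external address by inferred initial TTL class and by TCP timestamp clock (a simplified form of the Phrack host-counting technique cited in the Links section). The capture, the candidate tick rates and the tolerance are constructed assumptions.

```python
# Constructed capture of packets seen from ONE external address, as
# (capture_time_s, ip_ttl, tcp_tsval); every value is made up for this example.
CAPTURE = [
    (0.0, 63, 1_000_000), (1.0, 63, 1_000_250), (2.0, 63, 1_000_500),     # host A: TTL 64 default, 250 Hz clock
    (0.5, 127, 5_000_125), (1.5, 127, 5_000_375), (2.5, 127, 5_000_625),  # host B: TTL 128 default, 250 Hz clock
    (3.0, 63, 1_000_750), (3.5, 127, 5_000_875),
]
INITIAL_TTLS = (32, 64, 128, 255)  # initial TTLs used by common operating systems

def ttl_classes(ttls):
    """Map observed TTLs to (likely initial TTL, hop distance) classes.
    One host keeps one class; several classes from one address mean hosts with
    different OS defaults share it, i.e. a translator sits in front of them."""
    classes = set()
    for ttl in ttls:
        initial = min(i for i in INITIAL_TTLS if i >= ttl)
        classes.add((initial, initial - ttl))
    return classes

def timestamp_clocks(samples, rates=(100, 250, 1000), tol=50):
    """Count distinct TCP timestamp clocks among (time_s, tsval) samples.
    A host's TSval grows linearly at its tick rate, so at the right rate all of
    its packets share one intercept tsval - rate*t. Assumes every host ticks at
    the same candidate rate and keeps the rate that needs the fewest intercepts.
    Returns (rate_hz, number_of_clocks)."""
    best = None
    for rate in rates:
        intercepts = []
        for t, tsval in samples:
            c = tsval - rate * t
            if not any(abs(c - known) <= tol for known in intercepts):
                intercepts.append(c)  # no known clock explains this packet
        if best is None or len(intercepts) < best[1]:
            best = (rate, len(intercepts))
    return best

def nat_indicators(capture):
    """Combine both passive checks for the packets of one external address."""
    classes = ttl_classes(ttl for _, ttl, _ in capture)
    rate, clocks = timestamp_clocks([(t, ts) for t, _, ts in capture])
    return {"ttl_classes": sorted(classes), "clock_rate_hz": rate,
            "clocks": clocks, "nat_suspected": len(classes) > 1 or clocks > 1}

if __name__ == "__main__":
    print(nat_indicators(CAPTURE))  # nat_suspected: True (2 TTL classes, 2 clocks at 250 Hz)
```

A single host whose packets all fall into one TTL class and onto one timestamp line yields no indicator; the sample capture mixes two hosts and trips both checks.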
== Tools ==

* [http://lcamtuf.coredump.cx/p0f.shtml p0f] can do NAT detection using passive [[OS fingerprinting]]. It combines several indicators into a confidence score that a device is performing NAT.

* [http://itdefence.ru/content/pages/antinat/ AntiNAT] (GPLv2): performs NAT detection based on:

** SMTP HELO/EHLO commands;
** Oscar direct connections;
** DNS reverse lookup requests;
** NTP time synchronization;
** Routing test.

== Links ==

* [http://phrack.org/issues.html?issue=63&id=3#article TCP Timestamp to count hosts behind NAT], Phrack

=== Non-English ===

* [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Detecting NAT and proxies] (''Обнаружение NAT и proxy''), ITDefence, 2007
* [http://www.xakep.ru/magazine/xa/111/150/1.asp Hunting network partisans] (''Охота на сетевых партизан''), Kris Kaspersky

[[Category:Network Forensics]]

Revision as of 13:24, 5 November 2008