ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "NAT detection" and "Visualizing Web History"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
m
 
Line 1: Line 1:
'''NAT detection''' is the process of determining hosts running [[Network Address Translator | Network Address Translators]] (NATs).
+
[[Category:Visualization Tools]]
 
+
== Approaches ==
+
 
+
=== Active detection ===
+
 
+
==== Port scanning ====
+
 
+
Some software [[Network Address Translator | NAT]] solutions (such as [http://www.kerio.com/kwf_firewall.html Kerio WinRoute Firewall]), as well as many hardware solutions, provide a control port, which allows users to monitor and control their server (e.g. using a web browser). These control ports can be easily detected by means of port scanning (see [[Nmap]]).
+
 
+
==== Routing test ====
+
 
+
Some improperly configured [[Network Address Translator | NATs]] allow IP packets to be translated from an external network. Routing test can detect these translators by trying to contact external server (e.g. ''forensicswiki.org:80'') with modified routing tables.
+
 
+
=== Passive detection ===
+
 
+
==== IP TTL ====
+
 
+
[[Network Address Translator | Network Address Translators]] decrement IP TTL values of all translated packets.
+
 
+
==== Leaked real IP address ====
+
 
+
Some network protocols leak real IP address of a client. These protocols include:
+
 
+
* SMTP, HELO/EHLO commands:
+
 
+
<pre>
+
  These commands are used to identify the SMTP client to the SMTP
+
  server.  The argument field contains the fully-qualified domain name
+
  of the SMTP client if one is available.  In situations in which the
+
  SMTP client system does not have a meaningful domain name (e.g., when
+
  its address is dynamically allocated and no reverse mapping record is
+
  available), the client SHOULD send an address literal (see section
+
  4.1.3), optionally followed by information that will help to identify
+
  the client system.
+
</pre>
+
 
+
(see RFC 2821)
+
 
+
* DNS, reverse lookups to an external DNS server:
+
 
+
Reverse DNS lookups made to an external DNS server can leak information about hosts in an internal network.
+
 
+
* Oscar (ICQ), MSN, MRA (Mail.Ru Agent), direct connections.
+
 
+
==== Strict source port translation ====
+
 
+
Some network protocols use strict source ports for communication. These protocols include: NTP, Valve.
+
 
+
Non-heuristic port translators (such as ICS in [[Windows]]) always translate source port numbers.
+
 
+
==== [[OS fingerprinting]] ====
+
 
+
[[Network Address Translator | Network Address Translators]] can be detected by passively fingerprinting all transferred IP packets.
+
 
+
Generally, single host will not produce different OS fingerprints in a short period of time. However, this method can be extended to fingerprinting different hosts running the same [[OS]] by using IP IDs and [[TCP timestamps]].
+
 
+
== Tools ==
+
 
+
* [http://lcamtuf.coredump.cx/p0f.shtml p0f] can do NAT detection using passive [[OS fingerprinting]]. It uses a variety of identifiers to create a score on the confidence level of device doing NAT.
+
 
+
* [http://itdefence.ru/content/pages/antinat/ AntiNAT] (GPLv2): performs NAT detection based on:
+
 
+
** SMTP HELO/EHLO commands;
+
** Oscar direct connections;
+
** DNS reverse lookup requests;
+
** NTP time synchronization;
+
** Routing test.
+
 
+
== Links ==
+
 
+
* [http://phrack.org/issues.html?issue=63&id=3#article TCP Timestamp to count hosts behind NAT], Phrack
+
 
+
=== Non-English ===
+
 
+
* [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Обнаружение NAT и proxy], ITDefence, 2007
+
* [http://www.xakep.ru/magazine/xa/111/150/1.asp Охота на сетевых партизан], Kris Kaspersky
+
 
+
 
+
[[Category:Network Forensics]]
+

Revision as of 18:24, 5 November 2008