|
|
| Line 1: |
Line 1: |
| − | '''NAT detection''' is the process of determining hosts running [[Network Address Translator | Network Address Translators]] (NATs).
| + | [[Category:Visualization Tools]] |
| − | | + | |
| − | == Approaches ==
| + | |
| − | | + | |
| − | === Active detection ===
| + | |
| − | | + | |
| − | ==== Port scanning ====
| + | |
| − | | + | |
| − | Some software [[Network Address Translator | NAT]] solutions (such as [http://www.kerio.com/kwf_firewall.html Kerio WinRoute Firewall]), as well as many hardware solutions, provide a control port, which allows users to monitor and control their server (e.g. using a web browser). These control ports can be easily detected by means of port scanning (see [[Nmap]]).
| + | |
| − | | + | |
| − | ==== Routing test ====
| + | |
| − | | + | |
| − | Some improperly configured [[Network Address Translator | NATs]] allow IP packets to be translated from an external network. Routing test can detect these translators by trying to contact external server (e.g. ''forensicswiki.org:80'') with modified routing tables.
| + | |
| − | | + | |
| − | === Passive detection ===
| + | |
| − | | + | |
| − | ==== IP TTL ====
| + | |
| − | | + | |
| − | [[Network Address Translator | Network Address Translators]] decrement IP TTL values of all translated packets.
| + | |
| − | | + | |
| − | ==== Leaked real IP address ====
| + | |
| − | | + | |
| − | Some network protocols leak real IP address of a client. These protocols include:
| + | |
| − | | + | |
| − | * SMTP, HELO/EHLO commands:
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | These commands are used to identify the SMTP client to the SMTP
| + | |
| − | server. The argument field contains the fully-qualified domain name
| + | |
| − | of the SMTP client if one is available. In situations in which the
| + | |
| − | SMTP client system does not have a meaningful domain name (e.g., when
| + | |
| − | its address is dynamically allocated and no reverse mapping record is
| + | |
| − | available), the client SHOULD send an address literal (see section
| + | |
| − | 4.1.3), optionally followed by information that will help to identify
| + | |
| − | the client system.
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | (see RFC 2821)
| + | |
| − | | + | |
| − | * DNS, reverse lookups to an external DNS server:
| + | |
| − | | + | |
| − | Reverse DNS lookups made to an external DNS server can leak information about hosts in an internal network.
| + | |
| − | | + | |
| − | * Oscar (ICQ), MSN, MRA (Mail.Ru Agent), direct connections.
| + | |
| − | | + | |
| − | ==== Strict source port translation ====
| + | |
| − | | + | |
| − | Some network protocols use strict source ports for communication. These protocols include: NTP, Valve.
| + | |
| − | | + | |
| − | Non-heuristic port translators (such as ICS in [[Windows]]) always translate source port numbers.
| + | |
| − | | + | |
| − | ==== [[OS fingerprinting]] ====
| + | |
| − | | + | |
| − | [[Network Address Translator | Network Address Translators]] can be detected by passively fingerprinting all transferred IP packets.
| + | |
| − | | + | |
| − | Generally, single host will not produce different OS fingerprints in a short period of time. However, this method can be extended to fingerprinting different hosts running the same [[OS]] by using IP IDs and [[TCP timestamps]].
| + | |
| − | | + | |
| − | == Tools ==
| + | |
| − | | + | |
| − | * [http://lcamtuf.coredump.cx/p0f.shtml p0f] can do NAT detection using passive [[OS fingerprinting]]. It uses a variety of identifiers to create a score on the confidence level of device doing NAT.
| + | |
| − | | + | |
| − | * [http://itdefence.ru/content/pages/antinat/ AntiNAT] (GPLv2): performs NAT detection based on:
| + | |
| − | | + | |
| − | ** SMTP HELO/EHLO commands;
| + | |
| − | ** Oscar direct connections;
| + | |
| − | ** DNS reverse lookup requests;
| + | |
| − | ** NTP time synchronization;
| + | |
| − | ** Routing test.
| + | |
| − | | + | |
| − | == Links ==
| + | |
| − | | + | |
| − | * [http://phrack.org/issues.html?issue=63&id=3#article TCP Timestamp to count hosts behind NAT], Phrack
| + | |
| − | | + | |
| − | === Non-English ===
| + | |
| − | | + | |
| − | * [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Обнаружение NAT и proxy], ITDefence, 2007
| + | |
| − | * [http://www.xakep.ru/magazine/xa/111/150/1.asp Охота на сетевых партизан], Kris Kaspersky
| + | |
| − | | + | |
| − | | + | |
| − | [[Category:Network Forensics]]
| + | |
