| Line 1: |
| − | '''NAT detection''' is the process of determining hosts running [[Network Address Translator | Network Address Translators]] (NATs). | + | <div style="border:1px solid #aaaaaa; color:#000000; background-color:#ffeeff; text-align:center;"> |
| | + | <table border="0" align="center"><tr><td> |
| | + | [[Image:40px-Ambox warning pn.png]] |
| | + | </td><td> |
| | + | '''This tool is deprecated.''' |
| | + | <br> |
| | + | The tool that this page describes is deprecated and is no longer under active development.<br> |
| | + | Further information might be found on the [[{{TALKPAGENAME}}|discussion page]]. |
| | + | </td></tr></table></div> |
| | | | |
| − | == Approaches ==
| + | [[Category:Deprecated tools]] |
| − | | + | |
| − | === Active detection ===
| + | |
| − | | + | |
| − | * Port scanning
| + | |
| − | | + | |
| − | Some software [[Network Address Translator | NAT]] solutions (such as [http://www.kerio.com/kwf_firewall.html Kerio WinRoute Firewall]), as well as many hardware solutions, provide a control port, which allows users to monitor and control their server (e.g. using a web browser). These control ports can be easily detected by means of port scanning (see [[Nmap]]).
| + | |
| − | | + | |
| − | * Routing test
| + | |
| − | | + | |
| − | Some improperly configured [[Network Address Translator | NATs]] allow IP packets to be translated from an external network. Routing test can detect these translators by trying to contact external server (e.g. ''forensicswiki.org:80'') with modified routing tables.
| + | |
| − | | + | |
| − | === Passive detection ===
| + | |
| − | | + | |
| − | ==== IP TTL ====
| + | |
| − | | + | |
| − | [[Network Address Translator | Network Address Translators]] decrement IP TTL values of all translated packets.
| + | |
| − | | + | |
| − | ==== Leaked real IP address ====
| + | |
| − | | + | |
| − | Some network protocols leak real IP address of a client. These protocols include:
| + | |
| − | | + | |
| − | * SMTP, HELO/EHLO commands:
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | These commands are used to identify the SMTP client to the SMTP
| + | |
| − | server. The argument field contains the fully-qualified domain name
| + | |
| − | of the SMTP client if one is available. In situations in which the
| + | |
| − | SMTP client system does not have a meaningful domain name (e.g., when
| + | |
| − | its address is dynamically allocated and no reverse mapping record is
| + | |
| − | available), the client SHOULD send an address literal (see section
| + | |
| − | 4.1.3), optionally followed by information that will help to identify
| + | |
| − | the client system.
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | (see RFC 2821)
| + | |
| − | | + | |
| − | * DNS, reverse lookups to an external DNS server:
| + | |
| − | | + | |
| − | Reverse DNS lookups made to an external DNS server can leak information about hosts in an internal network.
| + | |
| − | | + | |
| − | * Oscar (ICQ), MSN, MRA (Mail.Ru Agent), direct connections.
| + | |
| − | | + | |
| − | ==== Strict source port translation ====
| + | |
| − | | + | |
| − | Some network protocols use strict source ports for communication. These protocols include: NTP, Valve.
| + | |
| − | | + | |
| − | Non-heuristic port translators (such as ICS in [[Windows]]) always translate source port numbers.
| + | |
| − | | + | |
| − | ==== [[OS fingerprinting]] ====
| + | |
| − | | + | |
| − | [[Network Address Translator | Network Address Translators]] can be detected by passively fingerprinting all transferred IP packets.
| + | |
| − | | + | |
| − | Generally, single host will not produce different OS fingerprints in a short period of time. However, this method can be extended to fingerprinting different hosts running the same [[OS]] by using IP IDs and [[TCP timestamps]].
| + | |
| − | | + | |
| − | == Links ==
| + | |
| − | | + | |
| − | === Non-English ===
| + | |
| − | | + | |
| − | * [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Обнаружение NAT и proxy], ITDefence, 2007
| + | |
| − | * [http://itdefence.ru/content/pages/antinat/ AntiNAT], PoC tool, ITDefence, 2006-2007
| + | |
| − | | + | |
| − | | + | |
| − | [[Category:Network Forensics]] | + | |
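Review bot: the deprecation box replaces the whole article body rather than being placed above it, so the Approaches section (active detection by port scanning and routing tests; passive detection via IP TTL, real IP addresses leaked by SMTP HELO/EHLO, reverse DNS lookups and messenger direct connections, strict source port translation, and OS fingerprinting) and the Links section are dropped, and [[Category:Network Forensics]] is removed in favour of [[Category:Deprecated tools]] only; suggest keeping the notice at the top while retaining those sections and the original category, or stating in the notice where that material now lives. The notice wording is also a mismatch: it says "This tool is deprecated", but the text it replaces defines NAT detection as "the process of determining hosts running Network Address Translators", not a tool, so either the wording should be adjusted or a template intended for deprecated articles rather than deprecated tools should be used.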