Difference between pages "File:BBDM 1.JPG" and "NAT detection"

From Forensics Wiki
'''NAT detection''' is the process of determining which hosts are running [[Network Address Translator | Network Address Translators]] (NATs).

== Approaches ==

=== Active detection ===

* Port scanning

Some software [[Network Address Translator | NAT]] solutions (such as [http://www.kerio.com/kwf_firewall.html Kerio WinRoute Firewall]), as well as many hardware solutions, provide a control port that allows users to monitor and control the NAT device (e.g. using a web browser). These control ports can be easily detected by port scanning (see [[Nmap]]).

* Routing test

Some improperly configured [[Network Address Translator | NATs]] also translate IP packets that arrive from the external network. A routing test can detect these translators by trying to contact an external server (e.g. ''forensicswiki.org:80'') with modified routing tables.
=== Passive detection ===

==== IP TTL ====

[[Network Address Translator | Network Address Translators]] decrement the IP TTL value of every translated packet.

==== Leaked real IP address ====

Some network protocols leak the real IP address of a client. These protocols include:

* SMTP, HELO/EHLO commands:

<pre>
  These commands are used to identify the SMTP client to the SMTP
  server.  The argument field contains the fully-qualified domain name
  of the SMTP client if one is available.  In situations in which the
  SMTP client system does not have a meaningful domain name (e.g., when
  its address is dynamically allocated and no reverse mapping record is
  available), the client SHOULD send an address literal (see section
  4.1.3), optionally followed by information that will help to identify
  the client system.
</pre>

(see RFC 2821)

* DNS, reverse lookups to an external DNS server:

Reverse DNS lookups made to an external DNS server can leak information about hosts in an internal network.

* Oscar (ICQ), MSN, MRA (Mail.Ru Agent): direct connections.
==== Strict source port translation ====

Some network protocols use strict (fixed) source ports for communication. These protocols include NTP and Valve.

Non-heuristic port translators (such as ICS in [[Windows]]) always translate source port numbers.

==== [[OS fingerprinting]] ====

[[Network Address Translator | Network Address Translators]] can be detected by passively fingerprinting all transferred IP packets.

Generally, a single host will not produce different OS fingerprints in a short period of time. However, this method can be extended to distinguish different hosts running the same [[OS]] by using IP IDs and [[TCP timestamps]].
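The passive indicators from the IP TTL, strict source port and OS fingerprinting subsections above, as an added example that is not from the wiki article: it groups flow records by external source address and reports which indicators fire (mixed TTLs, a rewritten NTP source port, more than one TCP timestamp clock). Records and addresses are constructed; the initial-TTL and port conventions (Windows 128, Linux 64, NTP source port 123) are common defaults assumed here.

```python
from collections import defaultdict
# Added example (not from the wiki): passive NAT indicators over constructed records.
STRICT_SOURCE_PORTS = {123: "NTP"}  # protocols expected to keep a fixed source port

def timestamp_clocks(ts_values):
    """Greedily split TCP timestamp values (capture order) into non-decreasing
    chains; each chain approximates one host clock behind the address."""
    chains = []
    for ts in ts_values:
        fits = [c for c in chains if c[-1] <= ts]
        if fits:
            max(fits, key=lambda c: c[-1]).append(ts)  # chain closest below ts
        else:
            chains.append([ts])
    return len(chains)

def nat_indicators(records):
    """Return {src_ip: [reason, ...]}; a record is dict(src, ttl, sport, dport, ts)
    with ts the TCP timestamp option value or None."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        reasons = []
        # One host keeps one TTL; a NAT fronting a Windows (128) and a Linux (64)
        # host shows both values, each already decremented by the translator.
        ttls = sorted({r["ttl"] for r in recs})
        if len(ttls) > 1:
            reasons.append(f"mixed TTLs {ttls}")
        # Strict-port protocols keep their well-known source port unless a translator rewrites it.
        rewritten = sorted({STRICT_SOURCE_PORTS[r["dport"]] for r in recs
                            if r["dport"] in STRICT_SOURCE_PORTS and r["sport"] != r["dport"]})
        reasons += [f"{name} source port rewritten" for name in rewritten]
        clocks = timestamp_clocks([r["ts"] for r in recs if r["ts"] is not None])
        if clocks > 1:
            reasons.append(f"{clocks} distinct TCP timestamp clocks")
        if reasons:
            findings[src] = reasons
    return findings

# Constructed capture: 203.0.113.5 fronts two hosts; 198.51.100.9 is a single host.
SAMPLE = [
    dict(src="203.0.113.5", ttl=127, sport=51234, dport=80, ts=1000),
    dict(src="203.0.113.5", ttl=63, sport=40001, dport=443, ts=500000),
    dict(src="203.0.113.5", ttl=127, sport=51235, dport=80, ts=1010),
    dict(src="203.0.113.5", ttl=127, sport=60123, dport=123, ts=None),
    dict(src="198.51.100.9", ttl=63, sport=33000, dport=80, ts=7000),
]
```

Each indicator alone is only a hint (TTL varies with routing changes, timestamps with clock resets); the value lies in several firing for the same address.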
== Links ==

=== Non-English ===

* [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Обнаружение NAT и proxy] (NAT and proxy detection), ITDefence, 2007
* [http://itdefence.ru/content/pages/antinat/ AntiNAT], PoC tool, ITDefence, 2006-2007

[[Category:Network Forensics]]

Revision as of 16:11, 4 November 2008
