From: Evrim ULU (evrim@envy.com.tr)
Date: Sun Apr 21 2002 - 10:41:19 EDT
hi,
first message to pen-test =:/
i was trying to get behind my NAT but i've got some problems and people
here might know the reason.
schematic view of net is something like:
A (outsider) --- interface C of NAT ---- interface D of NAT ------ B
(unroutable client)
------ E (another unroutable client)
i've enabled source routing via echo 1 >
proc/sys/net/ipv4/conf/all/accept_source_route on both NAT machine.
Client B is win98 SE so, it answers source routed packets. Btw, i've no
idea where to toggle this option in the registry.
Some useful info about NAT machine:
[root@evrim /root]# uname -a
Linux evrim 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
[root@evrim /root]# ipchains -L -n
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ all ------ net_at_the_inside/24 0.0.0.0/0 n/a
Then from outside i've sent some source routed ICMP echo request packets
using SING utility. Also, i've sniffed both interfaces of
NAT seperately.
here are attemps:
1.
./sing ip_of_C@ip_of_B
** ip_of_C@ip_of_B is the sing format which means first go to C and dst
is B.
I've seen that client B get requests having source addr of A and dst
address B . But then, i've seen that client B responded with replies
having destination ip addr of D which is the inner int of NAT machine.
So, no replies reached to the outsider A.
2.
./sing ip_of_C@ip_of_B -S ip_of_E
In this case, i've spoofed source addres using -S parameter and set the
source addr to E which is another client inside the nat. At the end, NAT
machine has converted the source ip to D which is the internal IP of NAT.
I thought it was due to mismatch of MAC addresses and spoofed the source
MAC address using -MAC parameter but the result didn't change.
and now the questions:
1. Why client B responds with a packet having destination ip of D?
(client B has default gw D but i mustn't be related with it it think)
2. why nat machine changed the spoofed source addr to its own internal ip?
Thnx.
-- Evrim ULU evrim@envy.com.tr / evrim@core.gen.tr sysadm http://www.core.gen.tr ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT