Thanks for the feedback and NAT-hide question

From: Erin Carroll (amoeba@amoebazone.com)
Date: Sun Aug 06 2006 - 21:23:58 EDT


All,

Thank you to everyone who emailed me with suggestion or thoughts on my
moderation of this list. There were some excellent suggestions and I'll do
my best to meet your expectations.

One of the most requested changes or suggestions was along the lines of
Tim's post last week "Let's exploit this" where a scenario was presented and
members contributed various methods to tackle the problem. The nuts n bolts
of pen-testing with real world examples and methods to solve issues is one
thing that I think we can all contribute to and learn from and I would love
to see more posts along those lines. That being said here's my
scenario/question:

You are performing an external pen-test on a weblogic webserver cluster. The
route to the host from the outside is Firewall->IPS->DMZ router->load
balancer->webservers. The router is doing a NAT-hide translation to an
internal subnet that the load balancers sit on with a VIP for the
webservers. How do you get around those obstacles in order to get valid
responses/results and possible find an exploitable hole in Weblogic?

For this scenario I'll let's assume the IP's are:

FW: 256.12.1.11 (yes I know it's not valid)
IPS: none (inline, possible management interface on 10.1.1.0/24)
DMZ router: 256.12.1.15 (ACL for allow 80/443. 256.12.1.15 public IP nats to
various internal IP's. 80/443 traffic routed to LB VIP)
LB: 10.2.1.12 VIP
Webservers: 10.2.2.0/24

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 
-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/410 - Release Date: 8/5/2006
 
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:35 EDT