From: Gabriel Alexandros (agabriel@otenet.gr)
Date: Thu Mar 25 2004 - 16:09:19 EST
hope my idea works,
this is quite interesting, firstly you need to identify which ports are open
in
the NAT server by using nmap -sS NAT(ip) , as you mentioned it has 113 port
open
which is the time protocol, knowing that we have at least one port accepting
traffic
from systems outside the NAT server, we can gain a better prospective of
what is
happening behind the NAT and in order to accomplish this we will use the
idle scan technique
and by using nmap ( you can use hping too ) Nmap -sI NAT(ip):113 LOCAL(ip)
or even better Nmap -sI NAT(ip):NAT(port) LOCAL(ip)
,the problem here would be the local ip but you can try and guess some, the
most comon are 192.168.0.* 192.168.254.* 10.0.0.* and you will get a good
idea what is behind in there.
----- Original Message -----
From: "BillyBobKnob" <billybobknob@hotmail.com>
To: <pen-test@lists.securityfocus.com>
Sent: Thursday, March 25, 2004 4:57 AM
Subject: nmap shows open UDP port 113
> My friend asked me to see if I could scan or penetrate his firewall. He =
> only told me that it was a Linux box setup as a firewall running NAT to =
> hide internal IPs.
>
> - I did a nmap -O and a nmap -O --fuzzy but it said "too many =
> fingerprints match for accurate OS guess"
> but it did tell me that TCP port 113 was in the closed state
> - so I tried a TCP reverse inet scan (nmap -sT -I) and it still gave me =
> same info as this port was closed
> - so I tried nmap -sU and no results
> - then I tried nmap -sU -p 113 and it said that UDP port 113 was open !!
>
> I was then able to netcat to it (nc -u ipaddress 113) and I verified =
> that I was connected with a netstat.
>
> While connected via netcat I tried sending it commands like (ls, cd .., =
> help, echo) but got nothing.
>
>
> Is there anything that can be done with this connection ??
> Or is there anyway to find out what internal IPs are behind it ?
>
>
> Thanks,
> Bill
>
>
> --------------------------------------------------------------------------
-
> You're a pen tester, but is google.com still your R&D team?
> Now you can get trustworthy commercial-grade exploits and the latest
> techniques from a world-class research group.
> www.coresecurity.com/promos/sf_ept1
> --------------------------------------------------------------------------
-- > > --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT