Re: Enumeration of NAT'ed computer names

From: Byron Sonne (blsonne@rogers.com)
Date: Tue Jan 17 2006 - 18:23:32 EST


> I have a need to enumerate computer names i.e. \\elvis and \\winbox
> in a SOHO NAT'ed network. The basic idea here is that \\elvis was
> used to commit a crime, but in order to tie \\elvis to the offender,
> I have to prove that \\elvis exists on the network.
> I have to do it legally, and I can't actively penetrate the network
> to enumerate the names.
> Any ideas would be greatly appreciated.

Well, you're really kinda hamstrung here if you can't actively penetrate
the network. Sounds like your best bet is going to be passively sniffing
the outgoing traffic looking for anything containing those names.

I'm gonna go out on a limb here and guess that you're not law
enforcement, so good luck getting the target's provider to give you a
span port or otherwise let you get your mitts on their traffic. If
'legal' wasn't a requirement, I'd say you might be able to tap their wire.

Since you prepended '\\' to the hosts I'm guessing you're working in the
windows world, which will complicate matters, as the netbios protocol
doesn't make it out of the current subnet by design (unless you've
piggybacked it on TCP/IP or netware or something). So, as you're outside
the nat'd network, you're probably gonna be stuck looking at just IP
addresses, which probably doesn't help, since I'm guessing you're after
hostnames. Of course, it could be a *nix box running Samba...

Those papers and ideas about counting nat'd hosts via timestamps or
clock skew are neat, but not particularly accurate or useful in the real
world, even less so since you're not gonna be able to map them to
hostnames on the target network. Best you'll get is an idea of the
number of hosts behind the nat.

The only other thing I can think of is to run a wireless sniffer (kismet
or netstumbler, etc.) near the target's physical location and see if
they're leaking anything that way. Even if \\elvis isn't wireless, you
might get lucky and stumble across another computer in the target
network that *is* wireless and is attempting communications to \\elvis.

Make sure you keep track of MAC addresses whatever your approach;
that's a better indicator of unique identities than IP addresses or
hostnames are for correlation purposes. If you can associate a MAC to
\\elvis, then just look for that MAC elsewhere; it's probably gonna be
the same host.

I don't think you're going to have much luck at all, but please let me
(us?) know if you make any headway. You're in an interesting situation
that I'd like to hear more about.
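The reply above suggests sniffing for traffic that carries the NetBIOS names and tying each name to a MAC address. The following is an added example, not code from the poster: it decodes the first-level NetBIOS name encoding used in NetBIOS Name Service (UDP/137) packets and builds a name-to-MAC table from captured frames. The frames, MACs and NBNS payloads are constructed here for illustration; a real capture would have to be taken inside the subnet, since NetBIOS does not cross the NAT.

```python
import struct
from collections import defaultdict
from typing import Iterable, Optional, Tuple

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 sec. 14.1): 15 chars padded
    with spaces plus a suffix byte, each nibble mapped to 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"   # length byte, 32-char label, terminator

def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Reverse the encoding: 32-char label -> (name without padding, suffix)."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS label")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_nbns_question(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return the first question name of an NBNS packet, or None if the payload
    is not shaped like one (12-byte header, then a 34-byte encoded name)."""
    if len(payload) < 46:
        return None
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount == 0 or payload[12] != 0x20 or payload[45] != 0x00:
        return None
    try:
        return decode_netbios_name(payload[13:45])
    except ValueError:
        return None

def correlate_names_to_macs(frames: Iterable[Tuple[str, bytes]]) -> dict:
    """frames: (source MAC, UDP payload) pairs from a capture. Returns
    {NetBIOS name: sorted list of MACs that asked for or registered it}."""
    seen = defaultdict(set)
    for mac, payload in frames:
        parsed = parse_nbns_question(payload)
        if parsed is not None:
            seen[parsed[0]].add(mac.lower())
    return {name: sorted(macs) for name, macs in seen.items()}

def nbns_query(name: str) -> bytes:
    """Constructed NBNS name query (flags 0x0110, type NB 0x20, class IN) for the sample."""
    return struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0) + encode_netbios_name(name) + struct.pack("!HH", 0x20, 1)

# Constructed sample: two hosts plus one non-NBNS datagram that must be ignored.
SAMPLE_FRAMES = [("00:11:22:33:44:55", nbns_query("ELVIS")),
                 ("00:11:22:33:44:55", nbns_query("ELVIS")),
                 ("66:77:88:99:AA:BB", nbns_query("WINBOX")),
                 ("66:77:88:99:AA:BB", b"\x00" * 20)]
```

Running `correlate_names_to_macs(SAMPLE_FRAMES)` gives one MAC per name; on a real capture the same table shows which MAC consistently carries \\elvis, which is the correlation the reply recommends.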
