Re: Natted IP

From: Jim Nugent (
Date: 02/23/05

Date: Wed, 23 Feb 2005 15:03:10 GMT

"winged" <> wrote in message

> While it is not desirable to advertise the local IP (if one knows the
> local IP and can guess other protocols that might be allowed through the
> firewall, knowing the natted IP (even if the IP is un-routable)is very
> useful if one trys to tunnel an exploit of one protocol inside a second
> protocol.

Just how would that work? How would you guess? Lots of protocols are
"allowed though the router" if the connection is initiated from the inside,
but the router "firewall" will block all unsolicited packets unles they are
addressed to a port that you have forwarded to a machine inside. And then,
there has to be a program (server) listening on the socket connected to that
port or the port will appear closed (return "Connection Refused"). If all
these conditions are met, you can try to start a converstation with a server
WITHOUT knowing or caring about the LAN address.

The only way to reach an IP on the inside if if the router forwards it, and
that's transparent. The remote end has to address the packet to
<WAN_IP>:<Port#>. The remote doesn't know which LAN IP it's forwarded to,
and can't find out unless (e.g. with mobile code is
downloaded and allowed to retreive it.

If you send some kind of tunneled packet wrapped inside, what's going to be
there on the other end to unwrap it? Remember, a packet is not on the LAN
until the router forwards it, and it forwards it to a SPECIFIC IP.

> Knowing the internal IP assists in the footprinting effort
> against a target and required for firewall protocol tunneling exploits.

Again I asked, where is the tunnel endpoint? What knows how to "unwrap" it?

> Firewalls (especially stateful ones) are very rude when one tries to
> guess the internal address with multiple attempts often shunning the
> attacker for a preset time before another attack can be attempted.

My router's WAN side would never see a packet addressed to, say, because it can't get there over the internet. If it's wrapped
in another packet addressed to my WAN address, how does it magically get
unwrapped so the router can decide to "be rude" to it.

> Part
> of the footprinting process should determine how many attempts can be
> made before the firewall shuns the attacker and how long the trigger
> lasts. Firewalls do impede attacks but should only be considered the
> first line of defense not the only line of defense. They are devices
> with their own peculiarities, but can not be relied on to keep all the
> bad guys out.

I'd be curious to see an explanation (or a reference to one) that describes
how such an attack is carried out. The only thing I can guess is VPN, and I
have to set that up on my end as well as the remote end before it will work.

> When Java (applets) are enabled and JS enabled site does what is
> described. When either is disabled the function breaks. Typically I
> run only with JS enabled with Java applets disabled. Java applets can
> break out of the sandbox. I have found Java script to be far less
> dangerous to the local machine. I try to restrict Java applets or
> programs from trusted sources like any other executable program.

I could be wrong but i don't think an applet has to break out of the Sandbox
to get the machine's IP. I've never seen a vulnerability related to this.

> While I have seen issues with the MS implementation of Java, Sun's
> flavor has overall been much more respectful of my computer space. Sun
> has had a few vulnerabilities, but I have had few problems from their
> implementation. But I am sure some one else's mileage may vary.

FWIW I'm running Sun Java 1.5.

BTW my questions are genuine. I'm willing to learn.

"Be right back... Godot"

Relevant Pages

  • Re: Wich protocol numbers?
    ... what I want to do is to drop any other protocol packet (packet with ... The firewall is Tiny/Kerio WinRoute Pro 4.2. ... > handling the TCP/IP protocol, then what other protocols are you talking ...
  • [fw-wiz] UNSUBSCRIBE
    ... (Paul D. Robertson) ... > fixup protocol icmp error ... >> isn't about the security properties of the control, ... errors in the firewall, configuration errors, and it then takes physical ...
  • Re: [fw-wiz] Secure Computing Sidewinder?
    ... We are moving off Sidewinder G2 solely because of the price. ... There are many different approaches to designing a firewall, ... thorough than most other "application proxy" firewalls, ... packet, tear it apart, inspects it, and then depending on the protocol it ...
  • Re: Problem with the NDIS MUX IM driver (decapsulation not working)
    ... If the higher-level protocol and the lower-level miniport have enabled some TCP task offload contract, then the decapsulated packet you are indicating may not provide the necessary task offload information. ... then temporarily disabling the NDIS task offload features of the adapter using the adapter's NCPA advanced property tab should make the behavior "better". ... I slap on my own ethernet header infront of the real ...
  • Re: Serial port read latency (SERIOUS - NEED HELP FAST!)
    ... In regular Windows XP, expecting a 5ms interval would normally encounter geers and cat-calls from the news group. ... Is the 5ms "window" the only termination, or are you using a protocol that defines end of text or message? ... ReadFile will complete when there is 5 ms interval between received bytes. ... > The protocol requires our embedded device to respond to a packet> within ...