NAT Firewall

Mir96TA

Golden Member
Oct 21, 2002
How good and secure are they?
I've been told by my friend that they are easy to crack.
He can break it real easy.
 

Matthias99

Diamond Member
Oct 7, 2003
Considering that there is *no way* to initiate a connection from outside a properly configured NAT box to the interior network (unless you have opened specific ports for incoming traffic or you have a system in the DMZ), tell him to try his best. Should keep him busy for a while. :)
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
On Firewalls.

All entry-level Cable/DSL Routers are NAT-Firewalls by default. Some have additional protection like Stateful Packet Inspection (SPI).

When you use a few computers to share one Internet connection, the information that comes from the Internet needs to know which computer it belongs to. The main function of a Cable/DSL Router is to route the Internet signal to the requesting computer.

This function is called Network Address Translation (NAT).

As a result of the NAT, information that comes from the Internet and was not requested by one of your LAN's computers (e.g. hacking attempts) does not know where to go, and it is blocked, hence NAT Firewall.

The NAT-Firewall does not do anything active concerning the content and the nature of the information. It is a "Dumb" Doorman that does not know what to do with the uninvited Guest, so it blocks it (A Good Thing).

Additional methods employed by more sophisticated Firewalls (like using SPI) actually inspect the content of the packets and can block it according to a set of given rules.

When you are connected to a Website or downloading files, a lot of junk can get to your Hard Drive. Since you requested the pages from the site, the NAT Firewall will not block what comes in from these pages. If the "Site Keeper" loaded the pages with "Junk", it will get to your computer.

So you have a NAT-Firewall, but you can end up with Viruses, Zombies, Trojans, Leeches, Hijackers, etc. "Dished" to you by sites that you visited of your own volition (this is a normal situation, just part of the technology).

Since the NAT-Firewall blocks only Incoming, any communication initiated from any of your LAN's computers will go out to the Internet and will be answered. As a result, programs calling home, OCXs and DLLs, spyware, "zombies" etc. can communicate freely in spite of the NAT Firewall. You will not be aware of these activities unless you monitor the communication locally with a software Firewall or similar software.

Most decent software Firewalls will alert you to the existence of this communication, and will allow you to control it in various ways.

In addition, using programs like Ad-ware and Trojan Blocker will further secure the Network.

How much safety do you need? It is a matter of Surfing habits and personal preference.

Link to: Basic Protection for Broadband Internet Installation.

Link to: What is the Best Firewall?
 

buleyb

Golden Member
Aug 12, 2002
Regardless of the facts, let your friend go for it; $5 says he's full of sh*t and couldn't find his way into your network in a year.

BTW, if he does make it in, tell him to stop trying with you, as gaining entry into a network without permission is illegal; do it across state lines, and here comes the FBI with the Patriot Act and a pair of cuffs.
 

Mir96TA

Golden Member
Oct 21, 2002
I have to give him it in writing,
"Like I want him to do".
He thinks it's a piece of cake,
A little walk in the park!
 

Mir96TA

Golden Member
Oct 21, 2002
Here is what he is telling me:
If I give him my external IP, he can sniff the packets. Somehow he can mask himself as a computer inside my NAT network, so he would fool my router as an inside computer!
Is that even possible????
 

RhythmAddict

Member
Sep 15, 2003
If he sniffed the packets, he still wouldn't know what IPs you were using internally. Even if he did figure that out, it still wouldn't do anything, because those are LAN-side IPs. The only way that IP would work is if he was internal to your network....

If he knows what IPs you're using internally, that doesn't mean the NAT router is going to be like "hey, it's the same IP coming from the OUTSIDE, let's let him in!" That would just be asinine. Tell your friend to stop smoking crack.
 

RhythmAddict

Member
Sep 15, 2003
Just as an addendum, the reason he would not know your internal IPs if he sniffed them from an external source is that the device doing the NAT actually changes the IP header in the IP packet. Sniffing your internal IPs from INSIDE the network would give you the NAT'd addresses... but then you're local anyway.
 

Matthias99

Diamond Member
Oct 7, 2003
He could sniff packets and spoof an IP (possibly via DNS cache poisoning) in order to get one of your computers to connect to his computer instead of some other system out on the Internet. At that point (if you're not running antivirus software on the system in question) he might be able to exploit some security vulnerability on your machine. But he can't just "break into" your network through a NAT box, or fool it into thinking he's a local host.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Hmmm? Your friend knows how to perform such Magic.

Combined with the idea that the proper authorities are monitoring the major network BBSs...
Hmmm?..
 

skyking

Lifer
Nov 21, 2001
Routers are designed to ignore any traffic on the outside interface that is coming from an RFC 1918 network, e.g. 10.0.0.x or 192.168.x.x.
Cracking machines on the inside via forwarded ports is the most likely method. If the machines at those forwarded ports are secure and up-to-date, it is unlikely an outside attack will be successful.
 

buleyb

Golden Member
Aug 12, 2002
whoa guys, don't forget that this friend is a computer genius, he's probably already in...


;)
 

RhythmAddict

Member
Sep 15, 2003
Originally posted by: buleyb
whoa guys, don't forget that this friend is a computer genius, he's probably already in...


;)

Good Point. Maybe he is that kid from Antitrust! BOY! he sure was smart :D
 

spidey07

No Lifer
Aug 4, 2000
The only way to circumvent NAT (provided you are doing any port forwarding and are truly doing outbound NAT/PAT) is to hijack an existing connection. And it's extremely difficult to do, where you play "man in the middle" and intercept/modify the connection/socket.

Not for the amateur hacker at all. Very difficult.

Now, I can still find out what your internal IP addresses are, depending on what application you are using, if I were to sniff the packets.
 

exx1976

Member
Nov 13, 2003
NAT (Network Address Translation) works like this:

Computer A (MAC 00:00:00:00:00:01 IP 10.1.1.1) opens a connection to www.msn.com with source port TCP/4000, destination port TCP/80.

A DNS request is sent out to whatever the configured DNS server is, with a source port of UDP/4000, and a destination port of UDP/53.

The request is sent to the default gateway (MAC 00:00:00:00:00:02 IP 10.1.1.254) since it's destined for a host outside the local subnet (255.255.255.0).

The default gateway (NAT box) receives the request, and opens the Connection State Table. It remembers the combination of 10.1.1.1/UDP/4000. It then strips the IP and MAC from the packet, replaces it with its own information, and makes the request to the DNS server for the address for www.msn.com with the source being 24.48.34.68/UDP/4001 to the DNS server. When the request comes back, the state table identifies the traffic coming back to port 4001, and forwards it back to 10.1.1.1.

Then the same thing happens with the HTTP request. Traffic is sent to the DG, the IP and MAC are stripped, and then replaced with the information from the external interface on the NAT box.

It IS entirely possible to get around NAT machines, and it isn't terribly difficult. The fact of the matter is that not many people are interested in doing it, and it isn't common-knowledge.

Stateful Packet Inspection is a wonderful way of going about firewalling, as it actually evaluates each packet. For instance, if a telnet request came in to port 25 (SMTP), the firewall would look at it and say "Wait a minute, telnet traffic doesn't belong on this port", and drops it. If a malformed or fragmented packet comes in, even if it is on the correct port and has valid addressing, it is dropped because it's not correct/complete.

The best way to stop spyware and zombies and such is to firewall in BOTH directions. ONLY let out traffic on the ports that you want (TCP 21,23,25,80,110, UDP 53), and then only allow responses to traffic initiated from the inside.

It is entirely possible to sniff traffic, spoof a source IP, and then hijack a session to gain access.

Trying to spoof an internal address to get in from the outside won't work, because (I think someone mentioned this already) RFC 1918 prevents certain address ranges from being publicly routable (10.x.x.x -- Class A, 172.x.x.x -- Class B, and 192.168.x.x -- Class C), so the traffic would never get to your NAT box to begin with because it couldn't be routed there.

However, if someone was able to compromise the NAT box itself, and root it, then they could simply get into that box via the external interface, install a root kit, and then use that as a launching pad for attacks against the internal network.

HTH,
Jeff
 
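The DNS-then-HTTP sequence walked through above, as an added example that is not part of the original thread: a toy NAPT gateway in Python with the connection-state table exx1976 describes, the RFC 1918 check skyking mentions for the outside interface, and the "firewall in BOTH directions" egress allow-list from the same post. All addresses, the DNS server and the attacker host are constructed. The peer check in `inbound` (a reply is delivered only if it comes from the host the LAN machine actually contacted) is an assumption about a "properly configured" box; many cheap routers of the era did not enforce it, which is exactly the gap a "hijack an existing connection" attack relies on.

```python
"""Toy NAPT gateway: state table keyed on (protocol, WAN port), bogon check on the
outside interface, optional egress allow-list. Added illustration, addresses constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "24.48.34.68"                  # the thread's example public address
LAN_NET = ip_network("10.1.1.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Egress allow-list from the post: FTP, telnet, SMTP, HTTP, POP3 over TCP and DNS over UDP.
ALLOWED_OUT = {("tcp", 21), ("tcp", 23), ("tcp", 25), ("tcp", 80), ("tcp", 110), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, egress_filter=False):
        self.egress_filter = egress_filter
        self.next_port = 4001
        # Connection state: (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.state = {}
        # Static port forwards / DMZ / UPnP mappings: (proto, wan_port) -> (lan_ip, lan_port)
        self.forwards = {}

    def outbound(self, pkt):
        """LAN -> Internet. Returns the rewritten packet, or None if policy drops it."""
        if ip_address(pkt.src) not in LAN_NET:
            return None
        if self.egress_filter and (pkt.proto, pkt.dport) not in ALLOWED_OUT:
            return None
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, wan_port), known in self.state.items():
            if proto == pkt.proto and known == flow:
                break                       # existing mapping: keep the same WAN port
        else:
            wan_port = self.next_port       # allocate a fresh WAN port and record the flow
            self.next_port += 1
            self.state[(pkt.proto, wan_port)] = flow
        return Packet(pkt.proto, WAN_IP, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN. Returns the packet as delivered to the LAN host, or None if dropped."""
        if any(ip_address(pkt.src) in net for net in RFC1918):
            return None                     # private source on the outside interface: bogon
        if pkt.dst != WAN_IP:
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.state:
            lan_ip, lan_port, remote_ip, remote_port = self.state[key]
            if (pkt.src, pkt.sport) != (remote_ip, remote_port):
                return None                 # state exists, but this is not the peer we talked to
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        if key in self.forwards:            # an explicitly opened hole
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        return None                         # unsolicited: no state, no forward, nowhere to go


def walkthrough():
    """Replays the DNS-then-HTTP sequence from the post plus a few attacker packets.
    Returns a dict of outcomes so they can be inspected or asserted on."""
    gw = NatGateway()
    dns_srv, web, attacker = "198.51.100.53", "192.0.2.80", "203.0.113.9"   # constructed peers
    out = {}
    out["dns_out"] = gw.outbound(Packet("udp", "10.1.1.1", 4000, dns_srv, 53))
    out["dns_reply"] = gw.inbound(Packet("udp", dns_srv, 53, WAN_IP, out["dns_out"].sport))
    out["http_out"] = gw.outbound(Packet("tcp", "10.1.1.1", 4000, web, 80))
    out["http_reply"] = gw.inbound(Packet("tcp", web, 80, WAN_IP, out["http_out"].sport))
    # attacker aims at the live WAN port but is not the remote end of that flow
    out["wrong_peer"] = gw.inbound(Packet("tcp", attacker, 80, WAN_IP, out["http_out"].sport))
    # attacker spoofs a LAN address as the source on the outside interface
    out["spoofed_lan"] = gw.inbound(Packet("tcp", "10.1.1.1", 4000, WAN_IP, 80))
    # plain unsolicited connection attempt with no state and no forward
    out["unsolicited"] = gw.inbound(Packet("tcp", attacker, 40000, WAN_IP, 3389))
    return out


if __name__ == "__main__":
    for label, result in walkthrough().items():
        print(f"{label:12s} -> {result}")
```

Adding an entry to `gw.forwards` is the "port forward / DMZ" case: it admits exactly the unsolicited traffic that the state table would otherwise drop, which is why the thread keeps coming back to the hosts behind forwarded ports as the realistic target.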

Matthias99

Diamond Member
Oct 7, 2003
It IS entirely possible to get around NAT machines, and it isn't terribly difficult. The fact of the matter is that not many people are interested in doing it, and it isn't common-knowledge.

AFAIK, all new NAT boxes have had the known vulnerabilities that existed at some point in the past (such as overwriting packet fragments in flight to get around address restrictions) fixed. A properly functioning NAT box will not allow any traffic from the outside in unless it's in direct response to a connection initiated by one of the local hosts.

Spoofing an IP and hijacking a session *does* work, but it's complicated, and a properly configured DNS/routing setup outside your firewall shouldn't let it happen. And even if you do hijack a session, ideally the machine you're connected to should be secure enough that you can't do anything harmful to it via a remote HTTP session.

And obviously, if you have physical access to the network, you can do all sorts of things. A general assumption to be made here is that the attacker is not going to break into your house -- at that point they may as well just grab your PC (or make a copy of the hard disk) and walk out with it, then sift through your data at their leisure.
 

Mir96TA

Golden Member
Oct 21, 2002
I am not running any DMZ or Port FWD!
I usually leave my Computer off.
DMZ is off.
No Network services running (Print or File Sharing).
 

chsh1ca

Golden Member
Feb 17, 2003
Whether you know it or not, you could still have open ports. Any UPnP-capable NAT device + MSN Messenger running on a client could be a way in, if the messenger were vulnerable (and I believe it's been proven to be a couple of times in the past, though I could be mistaken).
 
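The mechanism behind the point above, as an added example that is not part of the original thread: the UPnP Internet Gateway Device `AddPortMapping` SOAP request a LAN program sends to a router's control URL, and a minimal gateway-side handler that parses it and installs a forward. The service name, action and argument names are the standard IGD v1 ones; the control URL, the messenger-style program, the LAN subnet and the `strict` hardening (refuse mappings that point at a host other than the requester) are assumptions, not a description of any particular router's firmware. IGD v1 carries no authentication, so whatever the user has disabled on the router's own pages, a program on a LAN host can still open a port this way.

```python
"""UPnP IGD AddPortMapping: what a LAN program sends, and what a gateway does with it.
Added example; control URL, requesting program and LAN subnet are assumed."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN_NET = ip_network("10.1.1.0/24")   # constructed, matches the subnet used earlier in the thread


def build_add_port_mapping(ext_port, proto, int_port, int_client, desc, lease=0):
    """Client side: the SOAP body a program POSTs to the IGD control URL.
    No credentials are involved; reachability of the control URL is the only requirement."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{IGD_SERVICE}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{int(ext_port)}</NewExternalPort>
      <NewProtocol>{escape(proto)}</NewProtocol>
      <NewInternalPort>{int(int_port)}</NewInternalPort>
      <NewInternalClient>{escape(int_client)}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{escape(desc)}</NewPortMappingDescription>
      <NewLeaseDuration>{int(lease)}</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def soap_headers():
    """HTTP headers that accompany the body above on the POST."""
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{IGD_SERVICE}#AddPortMapping"'}


def handle_add_port_mapping(body, requester_ip, forwards, strict=False):
    """Gateway side. On success installs (proto, ext_port) -> (lan_ip, lan_port) into `forwards`
    and returns (True, mapping); otherwise (False, reason). strict=True refuses mappings that
    target a host other than the requester; the permissive default is the common behaviour."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed SOAP: {exc}"
    action = root.find(f"{{{SOAP_NS}}}Body/{{{IGD_SERVICE}}}AddPortMapping")
    if action is None:
        return False, "not an AddPortMapping request"
    args = {child.tag: (child.text or "").strip() for child in action}
    try:
        proto = args["NewProtocol"].upper()
        ext_port = int(args["NewExternalPort"])
        int_port = int(args["NewInternalPort"])
        client = ip_address(args["NewInternalClient"])
    except (KeyError, ValueError) as exc:
        return False, f"bad argument: {exc}"
    if proto not in ("TCP", "UDP") or not (1 <= ext_port <= 65535 and 1 <= int_port <= 65535):
        return False, "invalid protocol or port"
    if client not in LAN_NET:
        return False, "internal client is not on the LAN"
    if strict and client != ip_address(requester_ip):
        return False, "mapping may only target the requesting host"
    forwards[(proto.lower(), ext_port)] = (str(client), int_port)
    return True, (proto.lower(), ext_port, str(client), int_port)


def demo():
    """A messenger-style program on 10.1.1.1 opens TCP 6891 to itself (accepted either way);
    the same host then asks for a mapping to a different LAN machine, which the permissive
    gateway accepts and the strict one refuses. Returns the outcomes and the installed table."""
    permissive, hardened = {}, {}
    own = build_add_port_mapping(6891, "TCP", 6891, "10.1.1.1", "messenger file transfer")
    ok_self, _ = handle_add_port_mapping(own, "10.1.1.1", permissive)
    other = build_add_port_mapping(3389, "TCP", 3389, "10.1.1.50", "looks harmless")
    ok_permissive, _ = handle_add_port_mapping(other, "10.1.1.1", permissive)
    ok_strict, why = handle_add_port_mapping(other, "10.1.1.1", hardened, strict=True)
    return {"self": ok_self, "other_permissive": ok_permissive,
            "other_strict": ok_strict, "strict_reason": why, "forwards": permissive}


if __name__ == "__main__":
    print(soap_headers())
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check a practitioner wants here is simply whether the router exposes the IGD service at all: if it does, the forwards table on the gateway is writable by every process on every LAN host, and "I am not running any port forwards" is only true until some program decides otherwise.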

Genx87

Lifer
Apr 8, 2002
Even if you were able to get on the NAT box how would you get to an internal box?

 

chsh1ca

Golden Member
Feb 17, 2003
Umm, the class of your IP doesn't really matter.

Genx87, who is that question directed at?
 

skyking

Lifer
Nov 21, 2001
Originally posted by: Genx87
Even if you were able to get on the NAT box how would you get to an internal box?
I believe this is referring to an actual computer, not just a firmware device router. If you can break in and get root access to the gateway, then you can open a shell session in that box and hammer on anything you want inside the LAN.

My router has ssh disabled via the outside interface, so I am not too worried about it getting rooted or cracked.
 

chsh1ca

Golden Member
Feb 17, 2003
Originally posted by: skyking
I believe this is referring to an actual computer, not just a firmware device router. If you can break in and get root access to the gateway, then you can open a shell session in that box and hammer on anything you want inside the LAN.

My router has ssh disabled via the outside interface, so I am not too worried about it getting rooted or cracked.
Actually, that's fairly accurate. In some larger routers/NAT boxes you will find they actually run a complete OS, with shells. Some smaller home routers run a copy of linux, and have shells installed, so it's just a matter of getting it to dump you to a shell, if that is possible. If Genx87's post was in response to mine, I was talking about passing through the NAT device and back to the client, attempting to exploit the client. I was simply making the point that while you may have EVERYTHING disabled, certain apps open connections whether you like it or not.
 

mboy

Diamond Member
Jul 29, 2001
Couldn't you FIREWALK through the NAT box and basically spoof a session? (Not that it is easy, but it can be done.)