Discriminating hosts behind a NAT

[amikoAce]

Hi All,

I am new to this forum - I decided to join after being highly impressed with some hak5 videos I saw on youtube.

My current (new) job is conducting security research in industry.

My question is: - if (and how) would it be possible to assess the number of users "behind" a given NAT server?

Let's assume I can record all IP traffic at the internet side of the router -- Is there any clever way to de-mulpitlex it?

What would be the correct level to look at? packet? session?

(There is some work on this in the literature, but I wanted to get an opinion from IT experts...)

Thanks in Advance :)

Edited January 2, 2014 by amikoAce

[Mr-Protocol]

The NAT is what protects visibility of users behind the device. At this time, I don't think it's possible to do what you want.

[digip]

The only way I can see you getting info, is if you can find the encapsulated ethernet frame containing the mac address of the original node requesting something which you'd really need to be on the same subnet though as the device doing the request, since the flag set after it leaves, is going to change the IP and MAC address to that of the router's external interface IP and MAC address until it receives data back and then knows which node to send it to based on its own arp table and sessions in use unless its multi-cast which would send to everyone behind the router and that helps even less to know who requested the data. All clients behind NAT share the same IP externally, so the IP will always be the same but the router knows which nodes to send data back to based on their MAC address and its arp table. Without being on the lan, to do an arp sweep or nmap scan for nodes, I don't see an easy way to count each device unless you know how to do deep packet inspection and can identify the flags set for different nodes after it comes out of the NAT'd gateway, which the router sending should send unique identifiers for each node, but no way to tell if every packet is one machine or 20 unless the router has some known flaw that uses the same identifier per node, which could potentially be counted I guess.

If you had access to the clients router itself, you would be able to list known nodes in its arp table but I have to agree with Mr-Protocol, if its behind NAT, you need to defeat NAT first and intercept the traffic before its encapsulated and sent out of the external interface. High end routers though, you'd be able to share routing tables and possibly query another router for its list of nodes, but you'd have to be in control of the routers and be able to authenticate to them in most cases unless something is severely mis-configured. Especially if this is trying to be done remotely and after it hits a home router goes to a modem and then an ISP's CMTS, you'd need to be on the ISP side to see that traffic really. Corporate LAN, if you're on the same subnet, then its a matter of getting at the routers arp table or scanning for nodes on your subnet/vlan.

If you're aware of some other way, please share, since it would make a great topic for discussion and people to try setting up in a lab to work on and try themselves.

[Dec100]

You could maybe look at the source ports to determine the number of separate connections (e.g. for PAT), but that isn't going to tell you if it's from a different source or another connection from the same source.

[digip]

Only thing I can see, other than maybe IPv6 attacks, since they don't use NAT, but I did find an article on slashdot about how ISP's do it, although the link is dead and no longer available to read the article - http://beta.slashdot.org/story/32193

[amikoAce]

Thanks for the advice :)

I'm looking for a more "fingerprint" like way of separating the hosts, wihout obtaining specific information about the subnet behind the router.

For example, if there was some way of determining that two TCP/IP streams originate from different machines

From what I saw in the literature (e.g. the article sent by digip), there are several possibilities for inspection:

1) TTL and/or IP ID within IP Headers

2) Time information (timestamp?) within TCP Headers

3) Port numbers to see whether the source port number in TCP/UDP packets from a source reaches a high number quickly

For IP-ID it's possible, for example, to plot the values received on a graph, and see how they group together - assuming consecutively-received values sent from the same host are closer to one another that values sent from different hosts

What do you think about this?

Edited January 5, 2014 by amikoAce

[digip]

I think if you can intercept the traffic, the easier way, would maybe be to redirect or insert an iframe. If you have control of the traffic flowing back to the NAT'd router, if you can create a session to log the traffic via a web server, you may be able to identify things with user agents. If everyone used the same OS and browser, this might make things a bit harder if all the agents we're the same, but if you can correlate things to specific sites as well, like, one person visits a specific site continually like their facebook page, while another sits on a different site simultanenously, or another facebook account, thats 2 right there.

There may be some other ways like you were saying as well, since the tcp/ip stack between different devices will be different depending on the OS in use, which could help with TTL's and such, since each browser fragments packets differently and uses different protocols too, like Googles Quic protocol for instance, might help identify more than one machine, although I'm using multiple browsers on one machine all the time for different reasons including VM's for my work, I could generate all sorts of random traffic from one node so that comes into play.

If people in the house used different OS's too, like windows vs an iPad, the timing and fragmentation of packets will be different, and also NIC's window and jumbo frames if someone had only a 10/100 nic vs a 10/100/1000 or 10/100/10,000 nic, timing and packet windows and such will be different(even on the same host window timing will change and adjust under tcp/ip to some extent, latency, etc) but there's been research done to fingerprint users based on browsers in the past which may be useful if the user agent and requests can be seen in a packet capture, or injecting your own web bug/iframe to log vists on another host, you could start querying the hosts for more data like the OS, screen resolution, etc, which can help count machines. It would be come much harder if everyone had the same equipment across every node in the house which then comes down to browsing habits and browser choices.

There are probably other ways to check as well.

[yabasoya]

The NAT is what protects visibility of users behind the device. At this time, I don't think it's possible to do what you want.

My cable company was able to tell me on the phone that I had 4 devices connected to my router. I didn't think that was possible either.

[Mr-Protocol]

My cable company was able to tell me on the phone that I had 4 devices connected to my router. I didn't think that was possible either.

If they own the router/modem then of course they can. All my ISP can see is my NAT router because they don't own it, only the modem.

[digip]

My cable company was able to tell me on the phone that I had 4 devices connected to my router. I didn't think that was possible either.

If its an all in one modem/router, they can see all the devices, because ISP's should be able to tell whats on the network if they can remote into the modem. I have over like 10 devices and two different subnets/routers on my home network. I doubt they can differentiate every device other than whats directly on the modem, even though I own my own modem, since all ISP's can flash modems and remote into them from the ISP side, they can see the routing table of the modem for the first hop.

Read your ISP's TOS. Comcast, Fios, and many DSL providers, have access to your network and can updated and even remote into the gateways, as well as flash them and change configurations on them, owned on rented(which I hate because my ISP has actually bricked 2 of my modems in the past that I own, and never rent a modem).

Want to check yourself what you can see(although ISP's can see more) go to 192.168.100.1, default for most home modems and gateways to the ISP, regardless of what you make your home network subnet set to. My modem by default did not come with a lot of things that are now installed on it, like dropbear and ssh, that my ISP installed onto it, which lets them remote into my modem, even though I own it. If they want, they can even flash your cable cards for your PC and your televisions at will, if its seen via their end.

[amikoAce]

Thanks for the info.

Where would be a good place to start getting some hands-on experience with pen testing?

I have programming experience in C and Python, and some knowledge of TCP-IP

is this book reccomended? :

BackTrack 5 Wireless Penetration Testing Beginner’s Guide

Edited January 13, 2014 by amikoAce

[yabasoya]

Thanks for the info.

Where would be a good place to start getting some hands-on experience with pen testing?

I have programming experience in C and Python, and some knowledge of TCP-IP

is this book reccomended? :

BackTrack 5 Wireless Penetration Testing Beginner’s Guide

I watched the entire set and I loved it. It got me started with many of the utilities in Back-Track/Kali

http://www.cbtnuggets.com/it-training-videos/course/backtrack-kali-linux

[no42]

Also these links are interesting; do you know all the software that may be installed on your ISPs router? food for thought

http://www.cs.arizona.edu/~bzhang/nat/nattt.htm

http://samy.pl/chownat/

http://samy.pl/pwnat/