LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-28-2005, 03:47 AM   #1
arpanet1969
LQ Newbie
 
Registered: Dec 2004
Location: On your SQL server.
Distribution: Mandrivia Linux 10.1
Posts: 25

Rep: Reputation: 15
Scan behind Router With nMap?


Hi,

I recently had a system comprimise. This kinda baffled me because my logs definately show typical nMap scanning techniques, but all the computers on the network (192.168.0.2, 192.168.0.3 and so on...) are behind a router on 192.168.0.1 (which uses an external IP address to communicate with the internet). I tried to scan myself (using the external IP address), only to find my scan results returned my router with ONLY port 5190/tcp (aol) open.

-Is it possible to use nMap to scan behind a router??
-Is there another method (such as traceroute) which is used to locate 'network computers' (ones connecting to the internet via a router)?
-Am I right in assuming that when on the internet, for example on the computer 192.168.0.5, this has a new IP address assigned to it even though it's going through a router which uses an external IP address?
-How are computers identified on the internet, when using the same external IP address on the router?

Please, please help me with the above questions.

Any help would be much appreciated.

Thanks

Arpanet
[a not-so-good sysadmin ]
 
Old 01-28-2005, 05:38 AM   #2
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Ok, let's take it from the beginning.
theorically, when a LAN uses internet services behind a NAT, it works with the same external IP address (or address, with nat pools, but it's not your case). It is the router's job to translate addresses and no one would ever know if it's a siingle workstation or an entire LAN.
If you add a static NAT translation you allow a person to contact a PC in your LAN from the outside but, again, it shouldn't be your case.
But this is theory. There are malicious techniques to force not-so-well-configured or not-so-great-quality routers to give out informations reguarding the LAN. Moreover, there are malicious techniques to contact LAN members directly.
The main dubt in this case is that your firewall seems to be blocking almost everything except one port. AOL can be an entrance point, but, man... these guy must be very angry. If I were you, I'd first try to search the problem elsewhere, like unknown mail messages etc.
Reguarding NMAP... as I always say, NAT doesn't mean security. NMAPping a router with NO firewall can end up with different responses, depending on the router. Does your router have a firewall?
For istance, there are vendors (their name will no be told) whose routers... if they don't have NAT infos, nor firewall rules, they just forward to all the cilents!!
That's mad

Last edited by TheIrish; 01-28-2005 at 05:47 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Cant scan with nmap or nessus saltas Linux - Networking 2 09-29-2004 03:34 PM
scan my network with nmap. amer_58 Linux - Networking 3 06-17-2004 12:11 AM
Port Scan (nmap -st) TroelsSmit Linux - Newbie 2 05-22-2004 03:13 PM
How can I scan *every* port with nmap? davee Linux - Security 6 12-11-2003 04:44 PM
nmap scan loganwva Linux - Security 5 02-25-2003 07:16 PM


All times are GMT -5. The time now is 03:23 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration