Difference between revisions of "NAT detection"

From ForensicsWiki
Jump to: navigation, search
Line 69: Line 69:
== Links ==
== Links ==
* [http://phrack.org/issues.html?issue=63&id=3#article TCP Timestamp to count hosts behind NAT], Phrack
=== Non-English ===
=== Non-English ===
* [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Обнаружение NAT и proxy], ITDefence, 2007
* [http://itdefence.ru/content/articles/obnaruzhenie_nat_i_proxy/ Обнаружение NAT и proxy], ITDefence, 2007
* [http://www.xakep.ru/magazine/xa/111/150/1.asp Охота на сетевых партизан], Kris Kaspersky
[[Category:Network Forensics]]
[[Category:Network Forensics]]

Latest revision as of 22:13, 25 November 2008

NAT detection is the process of determining hosts running Network Address Translators (NATs).


Active detection

Port scanning

Some software NAT solutions (such as Kerio WinRoute Firewall), as well as many hardware solutions, provide a control port, which allows users to monitor and control their server (e.g. using a web browser). These control ports can be easily detected by means of port scanning (see Nmap).

Routing test

Some improperly configured NATs allow IP packets to be translated from an external network. Routing test can detect these translators by trying to contact external server (e.g. forensicswiki.org:80) with modified routing tables.

Passive detection


Network Address Translators decrement IP TTL values of all translated packets.

Leaked real IP address

Some network protocols leak real IP address of a client. These protocols include:

  • SMTP, HELO/EHLO commands:
   These commands are used to identify the SMTP client to the SMTP
   server.  The argument field contains the fully-qualified domain name
   of the SMTP client if one is available.  In situations in which the
   SMTP client system does not have a meaningful domain name (e.g., when
   its address is dynamically allocated and no reverse mapping record is
   available), the client SHOULD send an address literal (see section
   4.1.3), optionally followed by information that will help to identify
   the client system.

(see RFC 2821)

  • DNS, reverse lookups to an external DNS server:

Reverse DNS lookups made to an external DNS server can leak information about hosts in an internal network.

  • Oscar (ICQ), MSN, MRA (Mail.Ru Agent), direct connections.

Strict source port translation

Some network protocols use strict source ports for communication. These protocols include: NTP, Valve.

Non-heuristic port translators (such as ICS in Windows) always translate source port numbers.

OS fingerprinting

Network Address Translators can be detected by passively fingerprinting all transferred IP packets.

Generally, single host will not produce different OS fingerprints in a short period of time. However, this method can be extended to fingerprinting different hosts running the same OS by using IP IDs and TCP timestamps.


  • p0f can do NAT detection using passive OS fingerprinting. It uses a variety of identifiers to create a score on the confidence level of device doing NAT.
  • AntiNAT (GPLv2): performs NAT detection based on:
    • SMTP HELO/EHLO commands;
    • Oscar direct connections;
    • DNS reverse lookup requests;
    • NTP time synchronization;
    • Routing test.