Reverse NAT Detection With Nessus

Nessus plugin #31422 named "Reverse NAT/Intercepting Proxy Detection" enables Nessus users to scan remote IP addresses and determine if they are forwarding multiple ports to different internal systems. This is sometimes also known as an Intercepting Proxy Server.

For example, if a user has configured a firewall or router to send SSH traffic to a hardened FreeBSD server, while sending RDP traffic to a Windows 2003 server, a remote Nessus scanner would be able to identify this.

The plugin can accomplish this sort of audit by comparing the OS fingerprinting results for each targeted port. If they are different enough, the plugin concludes that there is a reverse NAT involved. When using this plugin, use a port scan range which will hit ports that are being forwarded. Also keep in mind if there are multiple reverse NAT rules all going to the same host (i.e., a firewall that has forwarded both port 22 and port 443 to a Linux server), there won't be enough difference in the fingerprints of the ports to detect the reverse NAT.

Below are screen shots of performing this sort of audit with the Nessus scanner and Security Center:

The plugin is currently available to both the registered and Direct Feeds and is a member of the Firewalls Nessus plugin family.

Why is this sort of Audit Important

If offering services such as this is against your corporate policy, then being able to find a reverse NAT with this technique can help you enforce such a policy. This could mean that a user has bought and installed a cheap firewall or wireless access point.

When auditing a smaller company that may not have a DMZ, being able to identify ports being forwarded this way might be identifying target machines in the middle of he office LAN. Smaller organizations that have not invested in a layered infrastructure could be using reverse NATing to offer services such as RDP, HTTPS, and Windows file sharing directly to a server on the local network.

Knowing which services are offered behind a firewall or router allows for better understanding of the network and the impact of the discovered vulnerabilities.

For More Information

A key part to making this sort of technology work is how Nessus performs its operating system fingerprinting. Specifically, the os_fingerprint_sinfp.nasl script implements the SinFP operating system finger printing  on a per-port basis. Tenable and the SinFP project share operating system fingerprints.

If you are passively monitoring your network, Tenable's Passive Vulnerability Scanner also uses a different technique to find NAT devices in general.

And lastly, we've blogged before in general about using Nessus to perform audits of hosts located behind a firewall.