Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Reverse NAT Detection With Nessus

Nessus plugin #31422 named "Reverse NAT/Intercepting Proxy Detection" enables Nessus users to scan remote IP addresses and determine if they are forwarding multiple ports to different internal systems. This is sometimes also known as an Intercepting Proxy Server.

For example, if a user has configured a firewall or router to send SSH traffic to a hardened FreeBSD server, while sending RDP traffic to a Windows 2003 server, a remote Nessus scanner would be able to identify this.

The plugin can accomplish this sort of audit by comparing the OS fingerprinting results for each targeted port. If they are different enough, the plugin concludes that there is a reverse NAT involved. When using this plugin, use a port scan range which will hit ports that are being forwarded. Also keep in mind if there are multiple reverse NAT rules all going to the same host (i.e., a firewall that has forwarded both port 22 and port 443 to a Linux server), there won't be enough difference in the fingerprints of the ports to detect the reverse NAT.

Below are screen shots of performing this sort of audit with the Nessus scanner and Security Center:

Nessusexample Tenable_network_securitys_security_

The plugin is currently available to both the registered and Direct Feeds and is a member of the Firewalls Nessus plugin family.

Why is this sort of Audit Important

If offering services such as this is against your corporate policy, then being able to find a reverse NAT with this technique can help you enforce such a policy. This could mean that a user has bought and installed a cheap firewall or wireless access point.

When auditing a smaller company that may not have a DMZ, being able to identify ports being forwarded this way might be identifying target machines in the middle of he office LAN. Smaller organizations that have not invested in a layered infrastructure could be using reverse NATing to offer services such as RDP, HTTPS, and Windows file sharing directly to a server on the local network.

Knowing which services are offered behind a firewall or router allows for better understanding of the network and the impact of the discovered vulnerabilities.

For More Information

A key part to making this sort of technology work is how Nessus performs its operating system fingerprinting. Specifically, the os_fingerprint_sinfp.nasl script implements the SinFP operating system finger printing  on a per-port basis. Tenable and the SinFP project share operating system fingerprints.

If you are passively monitoring your network, Tenable's Passive Vulnerability Scanner also uses a different technique to find NAT devices in general.

And lastly, we've blogged before in general about using Nessus to perform audits of hosts located behind a firewall.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.