Have you ever wanted to be able to tell whether a host is port forwarding a service to another machine behind it? In this post we will set up a test scenario and you will learn how.
Setting up our lab
For this experiment we will need 3 hosts; in my case I have 2 Linux VMs and a Windows box. One of the Linux VMs will be used for scanning with nmap and sending packets with hping, the second Linux VM is going to be our NAT/firewall device, and the Windows machine will host the real service.
In case you need a refresher on iptables, take a look at this link. We will need 2 rules for port forwarding: the first rewrites the destination IP and port of the incoming packet (DNAT in the PREROUTING chain), and the second rewrites the source IP (MASQUERADE in the POSTROUTING chain) so that, from the backend's point of view, the connection appears to come from the firewall rather than from the client. The NAT mapping is recorded in the connection-tracking (conntrack) table, so when the reply comes back it is translated in reverse and routed to the client. Note that only the addresses and ports are rewritten: the backend's own TTL, IP ID and TCP window survive the translation, which is exactly what we will exploit later.
iptables -t nat -A PREROUTING -p tcp --dport -j DNAT --to
iptables -t nat -A POSTROUTING -o -j MASQUERADE
In addition we have to enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now we can test whether the rules work from our scanning machine: we scan the port that is being forwarded and check whether the rule counters have increased with the following command (-n skips the DNS lookups):
iptables -t nat -L -v -n
If the "pkts" column of the DNAT rule has increased after the scan, then the rules are probably working correctly. Keep in mind that the counter only proves the rule matched the packet; whether the backend actually answered is what the nmap scan in the next step tells us.
Putting things together
At this point the only thing left is running some service on the destination host and testing with nmap that the forwarded port shows up as open on the firewall. Then we can proceed to see how we can tell the forwarded port from a local service. For this we will use hping with the --syn option to send a packet with the SYN bit set and -p to indicate our target port (in our case this will be an open port on the firewall itself, e.g. its own SSH port). We will observe the header values we get in the SYN/ACK response (TTL, IP ID and TCP window size); these will give away the forwarded port.
Finally we launch another hping against the firewall, but this time against the port that we suspect is being forwarded. Note how all three values (TTL, IP ID and window size) have changed. This tells us that the host responding to this connection attempt is a different one: the packet travelled one extra hop (the forwarding host decrements the TTL by one), and the backend's OS starts from its own initial TTL (commonly 64 on Linux, 128 on Windows), picks its own IP ID behaviour and advertises its own window. In addition, we can use these values for passive OS recon of the backend. A caveat when comparing: the IP ID naturally changes from packet to packet on hosts that use an incrementing counter, so compare its pattern (zero versus non-zero, or the increment over several probes) rather than the raw value, and remember that the TTL is the strongest signal, since two replies from the same IP over the same path should never differ in TTL.
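The comparison described above, written out as an added example (this is not code from the original post): it parses the IPv4/TCP headers of two SYN/ACK replies from the firewall, one for a local service and one for the suspected forwarded port, and reports which of TTL, IP ID and window differ. The packets are constructed inline with zeroed checksums instead of being captured from hping, and the addresses, ports and header values are assumptions chosen to mimic a Linux firewall at 192.0.2.1 forwarding port 3389 to a Windows host one hop behind it.

```python
"""Compare the SYN/ACK a firewall returns for a local service against the
SYN/ACK it returns for a suspected forwarded port (added example; the packets
are constructed inline rather than captured with hping, checksums are zero)."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SynAck:
    src: str
    sport: int
    ttl: int
    ip_id: int
    window: int


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_syn_ack(src, sport, ttl, ip_id, window, dst="192.0.2.100", dport=40000) -> bytes:
    """Construct a minimal IPv4 + TCP SYN/ACK (no options, zero checksums).
    Only used to fabricate test input; a real capture would come off the wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0, _ip(src), _ip(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | 0x12, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_syn_ack(pkt: bytes) -> SynAck:
    """Pull the fields hping prints (ttl, id, win) out of a raw IPv4/TCP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ip_id, _ff, ttl, proto, _csum, src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, _dport, _seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp)
    if (off_flags & 0x12) != 0x12:  # SYN and ACK bits must both be set
        raise ValueError("not a SYN/ACK")
    return SynAck(".".join(str(b) for b in src), sport, ttl, ip_id, window)


def guess_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (64, 128, 255)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def compare(baseline: SynAck, suspect: SynAck) -> dict:
    """Return the header fields that differ between the two replies. The IP ID is
    compared as zero/non-zero, because a host with an incrementing ID counter
    changes it on every packet even when the same host answers both probes."""
    diffs = {}
    if baseline.ttl != suspect.ttl:
        diffs["ttl"] = (baseline.ttl, suspect.ttl)
    if (baseline.ip_id == 0) != (suspect.ip_id == 0):
        diffs["ip_id"] = (baseline.ip_id, suspect.ip_id)
    if baseline.window != suspect.window:
        diffs["window"] = (baseline.window, suspect.window)
    return diffs


def looks_forwarded(baseline: SynAck, suspect: SynAck) -> bool:
    """Same source IP and same path, yet a different TTL, means another host is
    answering behind the firewall. Window or IP ID alone are weaker evidence
    (a single host can advertise different windows per socket), so require two."""
    diffs = compare(baseline, suspect)
    if "ttl" in diffs:
        return True
    return len(diffs) >= 2


if __name__ == "__main__":
    # Constructed replies: SSH answered by the Linux firewall itself, RDP answered
    # by a Windows host one hop behind it (initial TTL 128, decremented once).
    local = parse_syn_ack(build_syn_ack("192.0.2.1", 22, 64, 0, 29200))
    forwarded = parse_syn_ack(build_syn_ack("192.0.2.1", 3389, 127, 0x1A2B, 8192))
    print("differences:", compare(local, forwarded))
    init = guess_initial_ttl(forwarded.ttl)
    print("backend initial TTL", init, "-> hops behind scanner:", init - forwarded.ttl)
    print("forwarded?", looks_forwarded(local, forwarded))
```

To use this against real traffic, feed parse_syn_ack the raw bytes of the SYN/ACK that come back for each hping probe (a pcap of the scanning host is enough) and compare every open port against the reply from a port you know is served locally by the firewall.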
That's it for now! We have seen how to set up port forwarding with iptables and how we can learn about the target network by comparing packet header fields with tools like hping.