Agreed. Every time something security related is supposed to be *impossible* I get nervous...
You might be able to put the scanner directly outside the router and set the router as your default route, then try to scan the 192 range. Not sure if you would see anything, but it wouldn't take long to try it.

Otherwise, I would suggest:

1) do recon/scan from the outside of anything you can find (address ranges, guessed names/services, etc. etc.) This is to replicate basically what most "opportunistic" scanners might be able to find.

2) do scan from the outside *knowing* the internal layout and the configuration of routers/firewalls/servers. This should be a more targeted scan than a normal bad-guy is "likely" to have the information to perform.

3) perform internal scans from places that might be publicly (or easily) accessible to a bad-guy (especially if there are open areas with live ports or if wireless is offered anywhere at any of your sites). Again, this should be a general scan that looks for opportunities for easy targets.

If you have "high-level permission" (it absolutely must be written!!) these first three can be done with no real "knowledge" of your IT department. One of the things you are testing is would this sort of activity be noticed, or would it come in "under the radar".

4) perform internal scans that are specifically targeted at machines/networks/services given full internal knowledge of the systems. These *must* be done with full cooperation of your IT department since they almost certainly will cause some sort of problems and you need the admins available to reboot/reset/restart services if/as they fail.

Luck!

Jim

> -----Original Message-----
> From: Richard P. Koett [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 3:13 AM
> To: [EMAIL PROTECTED]
> Subject: Re: How to scan Private Network through Public Gateway
>
> >> Naveen Pareek wrote:
> >> I want to scan my company's private network. This will be an external
> >> scan. There is one router with one public IP. Through that IP I want
> >> to scan the private network of my company. Is it possible, and if so, how?
> >> If I put the target as 192.168.0.0/24 then it will not scan because this
> >> IP range is invalid. If I put 202.145.16.0/29 then it will scan only the
> >> subnet of 202.145.16.0, but I want to scan 192.168.0.0 through this
> >> router IP address. (IP addresses are changed for security reasons.)
> >> Please help me out in this issue.
>
> > Carl Houseman wrote:
> > It's not possible. That is the nature of NAT. If you want to know
> > the security vulnerabilities of the internal network _as seen by the
> > outside world_, you scan the single public IP with a wide range of
> > ports and all possible ping methods.
>
> Actually it *may* be possible to scan the internal IPs from outside
> the gateway. If the machine you scan from is plugged in to the same
> subnet as the external interface of the router and is configured with a
> static route to the internal network that uses the router as its gateway,
> then the router *might* pass the packets through to the internal
> network. It depends on how the router is configured. Even though
> nobody is supposed to route RFC1918 addresses it is possible to
> do so. I don't really see what the point of all this would
> be, however.
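As an added illustration that is not part of the thread, here is a small model of the forwarding decision Richard describes: a host on the router's external segment sends packets for 192.168.0.0/24, and plain longest-prefix routing passes them inward unless an ingress filter on the public interface drops RFC1918 destinations. The `Router` class, interface names and route table are assumptions for the example, and the addresses are the thread's (already altered) ones.

```python
"""Does a NAT router forward packets arriving on its public interface
toward RFC1918 destinations? Constructed model; nothing here is real."""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Router:
    routes: dict                    # prefix -> egress interface (assumed)
    external_iface: str
    drop_private_on_external: bool  # the ingress filter a defender wants

    def forward(self, ingress_iface: str, dst: str):
        """Return the egress interface, or None if the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        # Ingress ACL: packets from the public side must not be routed to
        # private space, however the routing table happens to look.
        if (ingress_iface == self.external_iface
                and self.drop_private_on_external
                and any(addr in net for net in RFC1918)):
            return None
        best = None  # longest-prefix match over the routing table
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def audit_private_ingress(router: Router) -> list:
    """Defender's check: one probe per RFC1918 block from the external
    interface; list the probes the router would forward inward."""
    leaked = []
    for net in RFC1918:
        probe = str(net[1])
        egress = router.forward(router.external_iface, probe)
        if egress is not None and egress != router.external_iface:
            leaked.append((probe, egress))
    return leaked


# Constructed topology: public /29 on eth0, 192.168.0.0/24 on eth1.
TABLE = {"202.145.16.0/29": "eth0", "192.168.0.0/24": "eth1", "0.0.0.0/0": "eth0"}
LEAKY = Router(TABLE, "eth0", drop_private_on_external=False)
FIXED = Router(TABLE, "eth0", drop_private_on_external=True)

if __name__ == "__main__":
    print("leaky:", audit_private_ingress(LEAKY), "fixed:", audit_private_ingress(FIXED))
```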
