Network Exploration???

[Nikolai]

Hi guys Iam new in the forum.This is my first message. but i am using linux for a long time.

Now My big question is about a network exploration.suppose that someone attacked me and i got his ip adress but i dont know if he is using nat.or let me ask different way this guy has a x.x.x.x ip and one more 192.168.x.x which is local ip so what i dont know is his network adres or how many computer exist in that network and each of ip adress or that guy may not be using any network or nat.

[sickness]

Well first of all your question does not make much sense, you should write just one question and be explicit in it so that all can see what you actually want to achieve.

By this question if I understand correctly you want to see if that someone who attacked you with an "external ip" found in your logs is behind a nat ( I hope this is what you want ).

I will give you a short answer: If someone attacks you and you find his IP in logs, phone your ISP company and report this incident, they will take care of it.

[Nikolai]

sorry about scenario.i made it up my point is computer using nat has two ip one of is local another is global so i am curious about how it works.how do we understand that if somebody using local network to connect internet.

[andurin]

erm... are you really asking: "How am I able to detect if some other using a nat device between his system and my own?"

If so: IMHO you aren't able to

Code:

|CLIENT| ----> |NAT Device| ----> {INTERNET} ----> |Your System|

In that scenario the client don't know he's a nat'ed client. It's the job of the NAT Device to change the source addresses while sending and re-change the destination addresses while the answer comes back. TCP don't have a field for s.th. like "natted for 192.168.x.y" like it might be supplied by some http proxy f.e..

But maybe I just don't understand your question.

-
Andurin

[iproute]

As I see it the only way to even come close to determining this would be to perform illegal scans against his IP, which of course you do not want to do. Reporting this to your ISP is the correct action, and if possible provide all records and logs of the attack to your ISP. I do understand that this is a scenario and not a real situation, but I myself work for an ISP and can tell you we have a Network Operations Center department or division that deals solely with law enforcement related issues. I have had to perform IP address to Physical address traces for CALEA requests myself as part of my duties.

Communications Assistance for Law Enforcement Act - Wikipedia, the free encyclopedia

[dec1bel]

You won't be able to get much information with the user behind a NATed address. If the address is NATed by the ISP port scanning will also prove futile.

Hypothetically you could get info by pwning the user and then setting up pivoting to get info about his system and network, but it's not a very viable option with all the variables involved. You will need him to connect to you to do so via some social engineering, a lot of luck, and/or more. That's if there's even a vulnerability you could exploit.

Again, you're not likely to glean much about 'em.

[gunrunr]

you can also tell something about the IP by its class, class c addresses starting with 172. or 192 are usually behind NAT and are local addresses. compared to addresses that are in the a and b classes, if you are interested check up on arin for data pertaining to classes and blocks of ip's leased by isp's