God damn my browser and touchpad.. I had just written a very long and detailed reply...

Oh well, I will write some of it again and exclude other parts that pseud0 covered.
There are multiple ways to scan an internal network from the outside, but it isn't always easy. This is what I'd call breaking the perimeter defense.
Imagine a router with a webserver in a DMZ, which is the only host allowed to reach the internal network where a SQL database is hosted. The webserver has an Internet IP-address, where the SQL database has an internal LAN IP-address.
The router has SSH, HTTP and SNMP services open and these are not firewalled in this case, even though they are in most cases by default nowadays.
The router itself has NAT enabled and is handling this, and it also forwards any FTP connections to port 21 externally to another host internally.
A firewall could be enabled in this case, but let's say it is misconfigured.
From this case study, I'd say we have a good chance of breaking into the internal network. I will quote sections of what I've just written, to make each possible way of attack easier to distinguish.
Before I begin, I should mention that in this case, the external IP-address of the router is 60.70.80.90, and that the internal IP-address space is 192.168.0.0/24 (CIDR), and the router is handling NAT.
Case 1:
"The router itself has NAT enabled and is handling this, and it also forwards any FTP connections to port 21 externally to another host internally."
So, if you make a connection to port 21 on 60.70.80.90, it will be forwarded by the router to 192.168.0.2 (port 21). From here, you can try to hack the FTP service, with e.g., a buffer overflow, and gain high enough privileges to install perhaps NMAP on this host, and scan the rest of the internal network.
Somewhat irrelevant to this case study, is also the FTP Bounce Scan that may interest you:
http://nmap.org/nmap_doc.html
Case 2:
"The router has SSH, HTTP and SNMP services open and these are not firewalled in this case, even though they are in most cases by default nowadays."
So, we've identified these three services on the target router. What good could come out from hacking them? Well, on some routers we could use port forwarding to scan the individual hosts, or try to put them in DMZs, where the last option is not really a good idea if it's a real pentest. If the router supports VPN, you could potentially set up a VPN connection to the internal network if you've compromised the network, or for that sake do Man-in-the-Middle attacks in some cases too.
The easiest service to compromise in most cases is the HTTP service. Many routers implementing HTTP servers are often vulnerable to known attacks, or they're misconfigured so they use default credentials that are easily guessable. (Most manuals include the default passwords too.) You could therefore try buffer overflow attacks, password attacks, and other attacks related to web application security. If you compromise the HTTP service, you could reconfigure the router to, as previously said, create a VPN tunnel which would allow you to connect to the internal network.
About the SSH service, you could try default credentials too, password (bruteforce) attacks, and even overflow attacks too.
If the SNMP service is available, you could try a very interesting attack, which I think everyone should read about if they don't know about it already:
http://www.symantec.com/connect/articles/cisco-snmp-configuration-attack-gre-tunnel
It's probably one of the coolest attacks I've seen and played with, and it does actually work.
This type of attack can reconfigure the router and, I think, will even allow you to upload new firmware too, which you should be extremely careful with, but it could potentially allow you to use other features not allowed by default in the router.
Case 3:
"Imagine a router with a webserver in a DMZ, which is the only host allowed to reach the internal network where a SQL database is hosted. The webserver has an Internet IP-address, where the SQL database has an internal LAN IP-address."
In this case, which is actually quite common, you would compromise the webserver, perhaps with SQL injection, and then you would compromise the SQL server, let's say it's an MSSQL server that allows xp_cmdshell, which in turn allows you to run commands such as downloading and executing a meterpreter executable, perhaps via the tftp client in Windows. (xp_cmdshell reference: http://msdn.microsoft.com/en-us/library/ms175046.aspx)
Case 4:
Let's say the router has a wireless interface, and that it's on a different network (192.168.1.0/24), but that it is able to reach 192.168.0.0/24. The encryption method used is WEP, so you use one of the common attacks, break into the wireless network, associate yourself with the Access Point, and start scanning the other network.
Case 5:
Okay, everything is secure on the router and hosts in DMZ in this case, you've tried everything, nothing works. What do you do? Social Engineering of course!
The easiest example being sending an e-mail to a user, who downloads and executes a trojan, which gives you access to the internal network. You could also try to exploit the e-mail server in case it is behind the router, the actual e-mail client of the server, or make the user run a Java applet that functions like a trojan.
You could also try to port scan the internal network with some smart JavaScript and HTML, which then relays the results to you. References:
http://blog.andlabs.org/2010/12/port-scanning-with-html5-and-js-recon.html and
http://www.andlabs.org/tools/jsrecon.html
Of course, the last type of attack would most likely have to be customized to work, but since JavaScript runs locally, it should be possible theoretically if the browser allows this.
That's pretty much all of the best advice I can give you. I've written pretty much all of the ways I can think of right now that will make you able to scan the internal network.
(I think the "cool smiley" is deserved to be used in this case after using more than half an hour or more writing this reply hehe)
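
From the defending side, the case study in the post above can be written down as allow-rules and checked for rule chains that lead from an outside starting point to the LAN, and for what remains exposed after individual rules are removed. This is an added example, not part of the original post; the node labels, the rule list and the MSSQL port are constructed assumptions.

```python
from collections import deque

# Constructed allow-rules for the case study: (source, destination, service).
# Node names are hypothetical labels; the MSSQL port is the assumed default.
ALLOWED_FLOWS = [
    ("internet", "router-60.70.80.90", "ssh"),    # management open on WAN
    ("internet", "router-60.70.80.90", "http"),
    ("internet", "router-60.70.80.90", "snmp"),
    ("internet", "ftp-192.168.0.2", "ftp/21"),    # port forward on the router
    ("internet", "dmz-web", "http"),
    ("dmz-web", "sql-lan", "mssql/1433"),         # only host allowed to the DB
    ("radio-range", "wlan-192.168.1.0/24", "wep"),
    ("wlan-192.168.1.0/24", "lan-192.168.0.0/24", "any"),
    # A foothold on these reaches the rest of the LAN (no internal filtering):
    ("router-60.70.80.90", "lan-192.168.0.0/24", "routing/VPN config"),
    ("ftp-192.168.0.2", "lan-192.168.0.0/24", "any"),
    ("sql-lan", "lan-192.168.0.0/24", "any"),
]
INTERNAL = {"ftp-192.168.0.2", "sql-lan", "lan-192.168.0.0/24"}


def exposure_paths(flows, start):
    """BFS over allow-rules: {node: [(src, dst, service), ...]} shortest chains."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, svc in flows:
            if src == node and dst not in paths:
                paths[dst] = paths[node] + [(src, dst, svc)]
                queue.append(dst)
    return paths


def internal_exposure(flows, start="internet"):
    """Internal assets reachable from `start`, mapped to the hop count."""
    found = exposure_paths(flows, start)
    return {n: len(p) for n, p in found.items() if n in INTERNAL}


def residual_exposure(flows, removed, start="internet"):
    """Exposure left after deleting the rules in `removed` (what a fix buys)."""
    return internal_exposure([f for f in flows if f not in removed], start)


if __name__ == "__main__":
    for node, chain in exposure_paths(ALLOWED_FLOWS, "internet").items():
        if node in INTERNAL:
            print(node, "via", " -> ".join(f"{d} [{s}]" for _, d, s in chain))
```

Closing the router's WAN services and the FTP forward still leaves the DMZ webserver to SQL rule as a three-hop chain to the LAN, which is why each rule is evaluated against the whole graph rather than on its own.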