
openbsdportscan.txt

Posted Jun 29, 2003
Authored by STE Jones | Site networkpenetration.com

By using the OpenBSD packet filter pf, one can utilize the NAT address pools added into OpenBSD 3.3 to aid in distributed port scanning.

tags | tool, scanner
systems | unix, openbsd
SHA-256 | 8a31bcc028af2e38e08d090044b50741b4a83069781ec6191a41a5c751b115ab

Network Penetration
networkpenetration.com
Copyright (c) 2003 Ste Jones
root@networkpenetration.com

Distributed port scanning using OpenBSD's packet filter (Another good reason to use OpenBSD)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


By using OpenBSD's packet filter, pf, one can use the NAT address pools added in OpenBSD 3.3 to aid in distributed port scanning.

How it works
::::::::::::

http://www.openbsd.org/faq/pf/pools.html#nat - NAT Address Pool

As the text explains, NAT can be used in a large network to split outgoing connections over multiple source IP addresses. NAT is normally used to hide an
internal network behind a single external public IP address. By using multiple external IP addresses, a host on the internal network can port scan with
multiple source IPs.


Technical Breakdown
:::::::::::::::::::

1. Port scan from internal network: a SYN packet is sent to a target to initiate a connection. The packet's source IP address is, for example, 192.168.0.1.

2. Packet passes through NAT gateway: the packet's source IP address is now changed to an external IP assigned to the NAT gateway. Each new connection passing
through the gateway has its source IP address translated to one of the one or many IP addresses assigned to the NAT gateway, for example 1.1.1.*

3. The packet reaches the host and a reply is returned to the NAT gateway. The returned packet has a destination IP address of the external interface on the
NAT gateway, so in this example 1.1.1.1

4. The NAT gateway translates this packet's destination IP address back to 192.168.0.1 and the packet is sent to the source.
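
Seen from the target, the behaviour in steps 1-4 means one scan arrives spread over every address in the pool, so a per-source-IP threshold undercounts it. The following is an added example, not part of the original document: it counts distinct destination ports per source network and target, over constructed SYN records. The record format, the threshold of 15, the target 10.0.0.5 and the assumption that the pool sits in one /24 (as with 1.1.1.* above) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, destination IP, destination port) of inbound SYNs.
# Sources 1.1.1.1-1.1.1.3 mimic the round-robin NAT pool in the text;
# 203.0.113.9 is an ordinary client. All values are made up for the example.
POOL = ["1.1.1.1", "1.1.1.2", "1.1.1.3"]
SAMPLE_SYNS = [(POOL[i % 3], "10.0.0.5", port) for i, port in enumerate(range(20, 50))]
SAMPLE_SYNS += [("203.0.113.9", "10.0.0.5", 80), ("203.0.113.9", "10.0.0.5", 443)]


def ports_per_key(syns, prefix_len):
    """Map (source network, target) -> set of distinct destination ports."""
    seen = defaultdict(set)
    for src, dst, dport in syns:
        # Collapse the source address to its covering network of prefix_len bits.
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        seen[(str(net), dst)].add(dport)
    return seen


def flag_scanners(syns, prefix_len, threshold):
    """Return sorted (source network, target, port count) at or above threshold."""
    hits = [(net, dst, len(ports))
            for (net, dst), ports in ports_per_key(syns, prefix_len).items()
            if len(ports) >= threshold]
    return sorted(hits)


if __name__ == "__main__":
    # Per-host view (/32): each pool address touches only 10 ports, below 15.
    print("per host :", flag_scanners(SAMPLE_SYNS, 32, 15))
    # Per-subnet view (/24): the pool's 30 ports are counted together.
    print("per /24  :", flag_scanners(SAMPLE_SYNS, 24, 15))
```

Grouping by /24 trades precision for coverage: unrelated clients behind the same prefix are counted together, so the threshold needs tuning against normal traffic.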


OpenBSD 3.3 Pf setup
::::::::::::::::::::

Replace your existing NAT rule with the one below. This enables PF to perform NAT over multiple source IP addresses. It has its problems with things
such as web page connection tracking. Check the OpenBSD FAQ for more info.

nat on $ext_if inet from any to any -> { x.x.x.a, x.x.x.b, x.x.x.c }


You will probably have to tweak some of your other rules to get it working correctly.


You will also need to edit your /etc/hostname.interface file:

inet x.x.x.a 255.255.255.0 NONE
inet alias x.x.x.b 255.255.255.0 NONE
inet alias x.x.x.c 255.255.255.0 NONE


This is all performed by PF's stateful connection tracking.... thanks guys
Note: I presume this would also work on a single machine running pf :)

Thanks to HacK of LuB for letting me abuse his firewall


Original Document can be found at http://www.networkpenetration.com/pfdistnatscan.html

