Network Penetration
networkpenetration.com
Copyright (c) 2003 Ste Jones
root@networkpenetration.com

Distributed port scanning using OpenBSD's packet filter
(Another good reason to use OpenBSD)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

By using OpenBSD's packet filter, pf, one can use the NAT address pools added in OpenBSD 3.3 to aid in distributed port scanning.

How it works
::::::::::::

http://www.openbsd.org/faq/pf/pools.html#nat - NAT Address Pool

As that text explains, NAT can be used in a large network to split outgoing connections over multiple source IP addresses. Under normal circumstances NAT is used to hide an internal network behind a single external public IP address. By using multiple external IP addresses, a host on the internal network can port scan with multiple source IPs.

Technical Breakdown
:::::::::::::::::::

1. Port scan from the internal network: a SYN packet is sent to a target to initiate a connection. The packet's source IP address is, for example, 192.168.0.1.

2. The packet passes through the NAT gateway: the packet's source IP address is changed to an external IP assigned to the NAT gateway. Each new connection passing through the gateway has its source IP address translated to one of the (one or many) IP addresses assigned to the NAT gateway, for example 1.1.1.*.

3. The packet reaches the host and the reply is returned to the NAT gateway. The returned packet has as its destination IP address the external interface of the NAT gateway, in this example 1.1.1.1.

4. The NAT gateway translates this packet's destination IP address back to 192.168.0.1 and the packet is sent to the source.

OpenBSD 3.3 Pf setup
::::::::::::::::::::

Replace your existing NAT rule with the one below. This enables PF to do NAT translation over multiple source IP addresses. It has its problems with things such as web page connection tracking. Check the OpenBSD FAQ for more info.
nat on $ext_if inet from any to any -> { x.x.x.a, x.x.x.b, x.x.x.c }

You will probably have to tweak some of your other rules to get it working correctly.

You will also need to edit your /etc/hostname.interface file:

inet x.x.x.a 255.255.255.0 NONE
inet alias x.x.x.b 255.255.255.0 NONE
inet alias x.x.x.c 255.255.255.0 NONE

This is all performed by PF's stateful connection tracking.... thanks guys

Note: I presume this would also work on a single machine running pf :)

Thanks to HacK of LuB for letting me abuse his firewall

Original Document can be found at http://www.networkpenetration.com/pfdistnatscan.html
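The breakdown above means the target sees the probes arriving from several addresses in the gateway's pool, so a detector that counts distinct ports per single source IP can stay under its threshold. The following is an added example, not code from the original document: it aggregates SYN flow records by source /24 as well as by source address, and the record format, addresses and thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of SYN-only flow records ("src dst dport"); not taken
# from the original page. Three addresses from one /24 NAT pool each probe
# four ports on the same target, plus one unrelated benign connection.
SAMPLE_RECORDS = """
198.51.100.10 203.0.113.5 21
198.51.100.10 203.0.113.5 22
198.51.100.10 203.0.113.5 23
198.51.100.10 203.0.113.5 25
198.51.100.11 203.0.113.5 53
198.51.100.11 203.0.113.5 80
198.51.100.11 203.0.113.5 110
198.51.100.11 203.0.113.5 143
198.51.100.12 203.0.113.5 443
198.51.100.12 203.0.113.5 445
198.51.100.12 203.0.113.5 3306
198.51.100.12 203.0.113.5 3389
192.0.2.7 203.0.113.9 443
"""

def parse_records(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        rows.append((src, dst, int(dport)))
    return rows

def ports_by_key(rows, key_fn):
    """Map (key_fn(src), dst) -> set of distinct destination ports seen."""
    seen = defaultdict(set)
    for src, dst, dport in rows:
        seen[(key_fn(src), dst)].add(dport)
    return seen

def per_source_alerts(rows, threshold=8):
    """Classic detector: distinct ports counted per single source IP."""
    seen = ports_by_key(rows, lambda src: src)
    return sorted(k for k, ports in seen.items() if len(ports) >= threshold)

def per_prefix_alerts(rows, prefixlen=24, threshold=8):
    """Aggregate by source prefix so a pool-spread scan is counted once."""
    def prefix(src):
        return str(ipaddress.ip_network(f"{src}/{prefixlen}", strict=False))
    seen = ports_by_key(rows, prefix)
    return sorted(k for k, ports in seen.items() if len(ports) >= threshold)
```

With the sample data, per_source_alerts() returns nothing because no single pool address touches more than four ports, while per_prefix_alerts() flags the 198.51.100.0/24 to 203.0.113.5 pair with twelve distinct ports.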