Legal limits when given an IP address (theoretical discussion)

LoLth

Just a theoretical question here, not a problem I am working on.

first, two interesting links:

http://www.dataprotection.ie/docs/PrivStatements/290.htm

section on Privacy Statements from the Dataprotection Commission. relevant bit:

If your site does any of the following, a Privacy Statement is required

Collects personal data (vis itors filling in web forms, feedback forms, etc).
Uses cookies or web beacons.
Covertly collects personal data (IP addresses, e- mail addresses.)

second link is a post on TJ McIntyre's page (for those not familiar, TJ is a solicitor specialising in IT Law in particular privacy - its a very interesting site to read, especially for non-legalese as he explains legal issues in an almost technical way)

http://www.tjmcintyre.com/2010/01/why-ip-addresses-are-no-longer-enough.html

this is from 2010 but it basically describes the issues with NAT. Which leads me to a point.


What can you legally do to identify the machine behind a public IP ?

We all know companies can have an external facing router with a large network on a private IP address space behind, possibly a DMZ with servers and an internal LAN with the worker-bees and maybe even a secure LAN alongside with system critical servers.

But the thing is, houses can potentially have this too.

I'm on UPC. I have a forward facing router that gives me access from my home to the internet through UPC's systems.

you, on the internet see my public IP address when I interact with you.

I, on my home computer, see a private IP. I have several machines here that connect to the internet, my housemates/spouse/kids would also have machines.

So, if I were to hire you to perform a pentest on my shiney new stealth android application that I'm using to rob banks - possibly - and I give you my public IP address and say "go for it do anything you want, BUT the scope of the pentest is my phone and my phone only"

how would you go about it? what approach can you take that is legal, what is grey and what would be outright wrong ?

given NAT and the fact that IPs are considered personal information,
given that your letter of marque / pentest get out of jail free card only extends to actions taken in testing one specific piece of equipment which has been identified

how do you legally determine which machine behind the router is the correct machine to be tested?

Just to clarify, I'm just curious here and interested in the views of the other users. What tools become illegal because they would negatively infringe on the privacy of those not covered by the indemnity clause? (who would have a reasonable expectation of privacy seeing as they are sitting on a private lan)

please feel free to point out if this is stupidly simplistic and by all means embellish the scenario to increase the challenge or make other options more or less viable.

syklops

So, if I were to hire you to perform a pentest on my shiney new stealth android application that I'm using to rob banks - possibly - and I give you my public IP address and say "go for it do anything you want, BUT the scope of the pentest is my phone and my phone only"

how would you go about it? what approach can you take that is legal, what is grey and what would be outright wrong ?

given NAT and the fact that IPs are considered personal information,
given that your letter of marque / pentest get out of jail free card only extends to actions taken in testing one specific piece of equipment which has been identified

how do you legally determine which machine behind the router is the correct machine to be tested?

If it was me I would ask for VPN credentials so I can be on the same local segment of the network as the phone running the application, or that the phone be put into a DMZ or the phone be put on my own test network.

jmcc

LoLth wrote: »

section on Privacy Statements from the Dataprotection Commission. relevant bit:

All websites serving Google Adsense adverts have to have a privacy statement on their websites. The cookie thing from the morons in Brussels has also caused issues.

What can you legally do to identify the machine behind a public IP ?

The situation is far more complex when it comes to the web as opposed to identifying a box behind a user NAT. The number of sites on a shared hosting IP where the hoster is using a load balancer can be in the thousands or hundreds of thousands. A few /24 ranges of the larger hosters have millions of sites pointing at the IP. (One of Godaddy's /24s has 13,529,469 websites.) Identifying the physical box (beyond the simple website account) would require the help of the hoster. I ran a full com/net/org/biz/info/mobi/asia/us/etc website>ip survey recently and it resulted in the IP data for approximately 147 million sites. There are even private IP ranges and false IPs included in that dataset.

how would you go about it? what approach can you take that is legal, what is grey and what would be outright wrong ?

Obviously the phone would have to be identified but moving beyond a simple identification on a box could be a problem.

how do you legally determine which machine behind the router is the correct machine to be tested?

Get you to identify it? The key element would be a well written contract that defines the limitations and activities. The contract would also cover information gathered in the process. This would not be quite the same as a user visiting a website as there is an agreement between you and the pentester. It may be more of a legal question than a one of simple data protection concerning private IPs.

Regards...jmcc

LoLth

edit: sorry, this is in response to skylops , jmcc posted while I was typing

good point.

If that weren't an option? Is there a way to pinpoint the device in question if its behind a NAT setup ?

jmcc

LoLth wrote: »

If that weren't an option? Is there a way to pinpoint the device in question if its behind a NAT setup ?

MAC address? But it would require getting something running that could help with that.

Regards...jmcc

LoLth

found this just now:

http://www.auditmypc.com/internal-ip-address.asp

gets internal IP address from the web browser. I was reading up on a method I learned but never practised, firewalking - pinging one step beyond the firewall to map the range of private ip addresses in use, though I was always dubious about how this could be done without prior knowledge of the private address range in use and the fact that many firewalls allow this ping to be dropped as invalid in the first place.

syklops

LoLth wrote: »

edit: sorry, this is in response to skylops , jmcc posted while I was typing

good point.

If that weren't an option? Is there a way to pinpoint the device in question if its behind a NAT setup ?

Is there a way to pinpoint the device behind NAT? Not really. MAC as jmcc has said, but then I would still need to be on the same local network segment using some kind of VPN.

If that weren't an option then depending how desperate i was for the contract, I would be cautious. Permission to do a Pen test must come from the owner of the network, if VPN cant be set up and the phone can't be put into a DMZ, and I cant get the physical phone for testing I would be starting to wonder if you the client have the authority to grant me permission to do the Pen Test.

syklops

LoLth wrote: »

found this just now:

http://www.auditmypc.com/internal-ip-address.asp

gets internal IP address from the web browser. I was reading up on a method I learned but never practised, firewalking - pinging one step beyond the firewall to map the range of private ip addresses in use, though I was always dubious about how this could be done without prior knowledge of the private address range in use and the fact that many firewalls allow this ping to be dropped as invalid in the first place.

Firewalking is a cool concept. I even wrote a firewalker in python, but I have found its real world applications to be limited. It really is only useful for seeing if there is a firewall between you and the IP you are scanning. It can't be used for scanning private IP addresses through NAT.

LoLth

syklops wrote: »

Firewalking is a cool concept. I even wrote a firewalker in python, but I have found its real world applications to be limited. It really is only useful for seeing if there is a firewall between you and the IP you are scanning. It can't be used for scanning private IP addresses through NAT.

perhaps a crossed wire there. In the ECSA firewalking is taught as a method of enumerating the clients behind a firewall. However, ECSA/CEH do have some quirks in terminology. (cross site scripting is referred to as CSS for example).

you're right that the more common firewalking definition is poking ports to see how a firewall responds, I was referring to the ECSA practise of setting the number hops of a ping to 1 or 2 beyond the firewall itself. to be honest, I never really understood how it worked as I never tried it out in practise. (the dangers of theory based certification!)

syklops

LoLth wrote: »

perhaps a crossed wire there. In the ECSA firewalking is taught as a method of enumerating the clients behind a firewall. However, ECSA/CEH do have some quirks in terminology. (cross site scripting is referred to as CSS for example).

you're right that the more common firewalking definition is poking ports to see how a firewall responds, I was referring to the ECSA practise of setting the number hops of a ping to 1 or 2 beyond the firewall itself. to be honest, I never really understood how it worked as I never tried it out in practise. (the dangers of theory based certification!)

I am also ECSA certified but I wouldn't take everything that is taught as gospel. I also disagree with their definition of a 0-day.

Here you can find the white paper written by the creators of the original firewalk tool and discussing its use. From the introduction:

Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker’s host to a destination host through a packet-filtering device. This technique can be used to map ‘open’ or ‘pass through’
ports on a gateway.

LoLth

LoLth wrote: »

edit: sorry, this is in response to skylops , jmcc posted while I was typing

good point.

If that weren't an option? Is there a way to pinpoint the device in question if its behind a NAT setup ?

I'd probably try find if you're forwarding a port to it, surely as you said if it's running some kind of app for 'robbing banks' or what ever then you will probably have some port forwarded to it. So if I can figure that out or find you're running a service on a port then I'll try to fingerprint the device behind it. I don't think anything so far would be breaking the law. However that does depend on many variables.

oscarBravo

LoLth wrote: »

In the ECSA firewalking is taught as a method of enumerating the clients behind a firewall.

This has piqued my curiosity: I have no theoretical training on security issues (although I plan to address that at some point); just practical experience

Does this enumeration process rely on vulnerabilities in particular firewall implementations, or is it something that's inherent in NAT? In other words, is it something that can be done to any firewall, or just a means of exploiting broken ones?

LoLth

assuming the firewall doesn't have a rule that kills ICMP with hops that would carry it past the perimeter then the theory was:


external attacker:
|
|
Firewall (2 hops for example) attacker can tell this from either experimentation or by examining the returned ping of an accurate ping to the public IP.
|
private LAN = hops to firewall +1 (or 2 or 3 but usually 1).

from the course, we were told that an attacker could systematically ping the firewall with the hops set to FW+1 and enumerate the private IP address range beyond the firewall itself.....

as I said, never tried it but I always thought it a bit fishy... you'd need to know the private IP address range first to have a target beyond the firewall and even then, how do you ping a private IP across a public network without establishing a VPN. If its the public IP of the firewall you use and then add a hop to it, which one of multiple devices does the ping packet get sent to , if any seeing as none of them are at the Public IP, the firewall is.

sorry, a little off topic, to answer, no, it is not firewall specific but the firewall rule to block this behaviour is increasingly becoming default and I wouldn't be surprised if it was preconfigured on a firewall when you first plug it in.

I'll see if I can dig up the ECSA notes and find the bit with the example.

syklops

oscarBravo wrote: »

This has piqued my curiosity: I have no theoretical training on security issues (although I plan to address that at some point); just practical experience

Does this enumeration process rely on vulnerabilities in particular firewall implementations, or is it something that's inherent in NAT? In other words, is it something that can be done to any firewall, or just a means of exploiting broken ones?

See my link above.

Firewalking involves monitoring the TTL(Time to Live) of packets sent to a host. If a firewall has port 22 open, the firewall will allow the connection but it will also decrement the TTL by one. Thats the secret. It is used for finding holes in a firewall. It isn't some magical way to bypass firewalls, and scan private IP ranges, like the EC council would have you believe.

syklops

LoLth wrote: »

assuming the firewall doesn't have a rule that kills ICMP with hops that would carry it past the perimeter then the theory was:


external attacker:
|
|
Firewall (2 hops for example) attacker can tell this from either experimentation or by examining the returned ping of an accurate ping to the public IP.
|
private LAN = hops to firewall +1 (or 2 or 3 but usually 1).

from the course, we were told that an attacker could systematically ping the firewall with the hops set to FW+1 and enumerate the private IP address range beyond the firewall itself.....

as I said, never tried it but I always thought it a bit fishy... you'd need to know the private IP address range first to have a target beyond the firewall and even then, how do you ping a private IP across a public network without establishing a VPN. If its the public IP of the firewall you use and then add a hop to it, which one of multiple devices does the ping packet get sent to , if any seeing as none of them are at the Public IP, the firewall is.

sorry, a little off topic, to answer, no, it is not firewall specific but the firewall rule to block this behaviour is increasingly becoming default and I wouldn't be surprised if it was preconfigured on a firewall when you first plug it in.

I'll see if I can dig up the ECSA notes and find the bit with the example.

Genuinely, no offence meant to you, but either you didnt understand what they were teaching, or the teacher didnt understand what they were teaching, or the source material is fuqqed up. Private IP addresses are not included in the equation. The Target must be routable.


Attacker -> Target

oscarBravo

LoLth wrote: »

I'll see if I can dig up the ECSA notes and find the bit with the example.

That would be cool, cheers.

syklops wrote: »

Firewalking involves monitoring the TTL(Time to Live) of packets sent to a host. If a firewall has port 22 open, the firewall will allow the connection but it will also decrement the TTL by one.

Just to clarify the terminology: when you say port 22 is "open", do you mean that it is using destination NAT to forward the port to an internal host?

LoLth

syklops wrote: »

Genuinely, no offence meant to you, but either you didnt understand what they were teaching, or the teacher didnt understand what they were teaching, or the source material is fuqqed up. Private IP addresses are not included in the equation. The Target must be routable.


Attacker -> Target

none taken I admit I pretty much dismissed it when it was taught but that was because they were talking about enumerating a private ip range and at the time I was busier getting to grips with snort rules However, one of the students asked for the teacher to go through it again and he, very detailed, went through how it enumerate the IPs of the network behind the firewall (his words) and even included diagrams on a whiteboard.

It should be pointed out that I listened to the ECSA Snort material for over an hour and I practised what was in the book... in the end a fellow student taught me all I needed to know for the exam in less than five minutes. (I'm not a snort expert by any means but it was enough for that exam).

LoLth

which bring me back to the topic....

what is the best way to , legally, distinguish between devices behind a public facing router/firewall.

infodox

Obviously would be a very "grey area" (or just plain ole illegal, depending on what is in-scope) but pop the router/firewall and work from there is the obvious solution here.

Anyone who has ever gone looking at routers firmware (I have) will tell you its like a wonderful pile of 0day waiting to be discovered and exploited. Most home routers are little cute Linux boxes sitting between a persons internal net and the big bad internet, with horrendously buggy web interfaces full of CGI-BIN scripts riddled with command injection holes. Welcome back to the 1990's kind of awful.

oscarBravo

So, if I were to hire you to perform a pentest on my shiney new stealth android application that I'm using to rob banks - possibly - and I give you my public IP address and say "go for it do anything you want, BUT the scope of the pentest is my phone and my phone only"

I think the scope statement is internally inconsistent, if there's a NAT router involved. If the phone is behind a NAT device, then that device (at least) has to form part of the pentest. Without accessing the router you don't have enough access to identify the phone, never mind test it. It would be a bit like asking someone to test the security of an internal door in their building from the street outside, but telling them that the external doors are off-limits.

LoLth

oscarBravo wrote: »

I think the scope statement is internally inconsistent, if there's a NAT router involved. If the phone is behind a NAT device, then that device (at least) has to form part of the pentest. Without accessing the router you don't have enough access to identify the phone, never mind test it. It would be a bit like asking someone to test the security of an internal door in their building from the street outside, but telling them that the external doors are off-limits.

I didnt consider whether or not the router would have to be in scope when i was thinking of the scenario...

so, lets say it is in scope (the current minimum requirements have gone from IP address + device description to (public)IP address + device description (mobile phone) + router access)

what can be done to identify the actual target device without infringing on the privacy of the other devices that may be on the internal network. ?

it doesnt have to be a pentest, it could be a garda tracking down a cybercrime and the warrant only covers a single suspect device. Doesnt have to be a mobile phone either, I was just using that as a way to differentiate.

even if you had permission to subvert the router, would that not expose the traffic and identity of the other devices behind the router which would unnecessarily infringe on their expectation of privacy and could breach the pentest agreement / render the search/intercept warrant void or violated?

But, for argument's sake, lets say you cant hack the router or perform any other action that would render the retrieved evidence inadmissable.

I know, I'm moving the goalposts a bit here but only to facilitate discussion and I dont have an exact example or scenario in mind, its just one of those idle thoughts that popped up and I thought it might be interesting to see what others have to say on the matter - or maybe someone knows of a utility I havent heard of before.

Manach

Leaving aside a tech point of view and taking a legalish point of view. AFAIR, when the state (perhaps Guards or other organs thereof) obtain a warrant, they are allowed a degree of leeway. In that the document, all other issues being above board, in the non-IT world can be fairly broad and the judges can support this broadness so long as it does not directly infringe on constitutional rights. So if the terminology the state uses covers a generic network of devices, then they could hunt through that network without worrying too much the niceties of where the IP does/does not reside (within jurisdictional limits).