drwxr-xr-x 14 elceef 4.0K Jan 24 15:20 ..
-rw-r--r-- 1 elceef 2.1K Feb 18 2007 FAQ
-rw-r--r-- 1 elceef 99 Dec 28 2010 Platforms
-rw-r--r-- 1 elceef 3.6K Feb 13 2011 README
-rw-r--r-- 1 elceef 25K May 17 2005 natdet-1.0.5.tar.gz
-rw-r--r-- 1 elceef 28K Apr 15 2010 natdet-1.0.6.1.tar.gz
-rw-r--r-- 1 elceef 28K Feb 22 2007 natdet-1.0.6.tar.gz
-rw-r--r-- 1 elceef 28K Mar 11 2011 natdet-1.0.7.tar.gz
-rw-r--r-- 1 elceef 29K May 11 2011 natdet-devel.tar.gz
lrwxrwxrwx 1 elceef 19 Mar 10 2011 natdet-latest.tar.gz -> natdet-1.0.7.tar.gz
-rw-r--r-- 1 elceef 368K Feb 14 2011 natdet-screenshot-1.png
-rw-r--r-- 1 elceef 336 Jan 22 2006 natdet_secured.png
-rw-r--r-- 1 elceef 4.0K Feb 13 2011 signatures
-------------------------------------------------------------------------------
NATDet - README
(c) Marcin Ulikowski <elceef@itsec.pl>
-------------------------------------------------------------------------------
Okay, so what's that?
-------------------------------------------------------------------------------
NATDet is a quite small but very useful tool (especially for network administrators).
By using it, you're able to detect guys who share their internet connection
illegally, without your authorization and of course without payment.
As you see, with NATDet you can save some money and time otherwise spent catching
packets and hand-parsing them (grep, awk, etc.). If you're some b0fh, NATDet is for you.
It's too beautiful to be real, don't you think?
-------------------------------------------------------------------------------
No, I don't. Many other guys and I (thanks for testing) use it in our networks,
and NATDet does a very effective job. It also detects smart dudes who play with
the TTL (increasing it by 1, setting it to a static value, etc.) on a Linux router
which shares its connection with another Windows box. Of course it works with other
combinations, but that's the most popular example (also Windows sharing for Windows).
Show me!
-------------------------------------------------------------------------------
No problem. NATDet is easy to use. You need to select a device to listen on,
or you can use the first available one, as detected by NATDet. You should take a
look at the verbose output option (-v switch), which prints some useful
information about the factors used.
Here you have a short demo:
[*] 20:22:57 19-08-2004: NAT at 192.168.0.69 for 3 system(s) [100%]
Used factors: OSGENRE TSTAMP TTL      |          |             |
                 |       |    |       |          |             |
OS difference ---'       |    |       |          |             |
TCP timestamp difference '    |       |          |             |
TTL difference ---------------'       |          |             |
(illegal) router address -------------'          |             |
Number of used systems behind masquerade --------'             |
Probability ---------------------------------------------------'
In most cases the probability is 100%. By default, NATDet reports a masquerade only
if the probability is more than 50%, so you have a solid basis to talk with
some bad user. If you need to write some logs, the -l <file> switch is for you.
But if you don't like reading logs, use natstat.c, which is a pretty good NATDet
log parser. With one command you can create nice statistics.
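A toy implementation of the three factors the demo lists, as an added example (not NATDet's own code): it groups SYN observations per source address, counts distinct OS genres, TTLs and TCP timestamp clocks, and scores a probability the way the demo output suggests. The record layout, the clock-jump threshold and the equal weighting of the factors are assumptions.

```python
"""Toy NAT detector modelled on the NATDet factors (OSGENRE, TSTAMP, TTL).
Added example, not NATDet's own code; record layout and thresholds are assumptions."""
from collections import defaultdict

# Constructed SYN observations: (src_ip, ttl, tcp_timestamp, os_genre).
# os_genre stands in for what a SYN-fingerprint lookup would return.
SYNS = [
    ("192.168.0.69", 64, 100100, "Linux"),
    ("192.168.0.69", 63, 5000, "Windows"),      # one hop further: behind the router
    ("192.168.0.69", 64, 100300, "Linux"),
    ("192.168.0.69", 63, 9000000, "Windows"),   # second Windows clock, far ahead
    ("192.168.0.69", 63, 5200, "Windows"),      # first Windows clock again
    ("192.168.0.10", 128, 7000, "Windows"),
    ("192.168.0.10", 128, 7100, "Windows"),
]

TS_JUMP = 60_000  # ticks; a delta outside [0, TS_JUMP) means another clock (assumption)

def analyse(syns):
    """Return {src_ip: (systems, probability_percent, factors_fired)}."""
    ttls, genres, clocks = defaultdict(set), defaultdict(set), defaultdict(list)
    for ip, ttl, ts, genre in syns:
        ttls[ip].add(ttl)
        genres[ip].add(genre)
        # A RFC 1323 timestamp advances monotonically per host; attach the packet to
        # the first known clock it continues, otherwise it reveals a new host.
        for i, last in enumerate(clocks[ip]):
            if 0 <= ts - last < TS_JUMP:
                clocks[ip][i] = ts
                break
        else:
            clocks[ip].append(ts)
    report = {}
    for ip in ttls:
        factors = [name for name, hit in (("OSGENRE", len(genres[ip]) > 1),
                                          ("TSTAMP", len(clocks[ip]) > 1),
                                          ("TTL", len(ttls[ip]) > 1)) if hit]
        systems = max(len(genres[ip]), len(clocks[ip]), len(ttls[ip]))
        report[ip] = (systems, round(100 * len(factors) / 3), factors)
    return report

def suspects(report, threshold=50):
    """Addresses NATDet's default policy would report: probability above threshold."""
    return sorted(ip for ip, (_, prob, _) in report.items() if prob > threshold)

if __name__ == "__main__":
    for ip, (systems, prob, factors) in analyse(SYNS).items():
        print(f"NAT at {ip} for {systems} system(s) [{prob}%] factors: {' '.join(factors)}")
```

Note that a router rewriting the TTL to hide the hop only silences the TTL factor; the OS and timestamp factors still fire, which is why the demo reaches 100% on three factors.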
Any suggestions on how to use it more effectively?
-------------------------------------------------------------------------------
Yes, setting a BPF (tcpdump-like) filter expression is a very good idea.
You can tell NATDet to read packets only from a selected network/host. Try this:
# natdet -v -i eth0 'src host 192.168.0.69'
# natdet -v 'src net 192.168.0.0 mask 255.255.255.0'
Read more about filter rules in the tcpdump man page.
Damn, it doesn't work...
-------------------------------------------------------------------------------
Oops, sorry. NATDet requires the pcap library (minimum 0.6.x). You can download it
from http://www.tcpdump.org/ or install it from a package if available (there must be one).
Download the latest available version. Still nothing? Please contact me with the full
specification of the platform you're running on.
Helping out
-------------------------------------------------------------------------------
OS fingerprints are needed (just send dumps of some SYN packets). Also send
comments/suggestions or compilation/running problems. Bug reports are
welcome. Contact me via e-mail with detailed information about the platform you're
running on.