Last month, while haphazardly scrolling through a networking book, I came across something known as the shared address space. Shared addresses are what ISPs use to implement CGNAT (carrier-grade NAT), which is just like regular old NAT but performed on the ISP's router. ISPs do this so that they don't have to assign each one of you a public address (IPv4 address space is running out, or has already run out, remember?). So CGNAT is basically the ISP NATing a bunch of customers behind a single public address in order to conserve IPv4 address space.
According to IANA, 100.64.0.0/10 is reserved for CGNAT purposes (RFC 6598 calls it the shared address space).
Note: some ISPs, naively, use private (RFC 1918) ranges for CGNAT purposes, which will certainly cause problems for customers who use the same address range on their LANs.
Let's compare regular NAT and CGNAT setups.
Regular NAT: all devices in this setup use one public address (188.8.131.52) to communicate with the internet.
CGNAT: multiple customers of the ISP share the same public address (184.108.40.206) in order to conserve IPv4 address space.
Note the 100.xx.xx.xx shared address being used on the WAN side.
Now you might ask, why exactly are we interested in this shared address space? Well, everybody scans LANs and Shodan scans the internet; don't you think WANs deserve fair treatment as well?
Here are a few reasons why ISP WANs should be explored:
WANs are special because they contain a lot of devices which are otherwise not reachable from the internet due to CGNAT; these might include poorly configured routers, the ISP's router firmware upgrade servers, etc.
WANs of mobile network providers are especially interesting, as many embedded devices use them; examples of such devices include street light systems, traffic controllers, customer modems, etc.
WANs present an unexplored landscape where you are more likely to discover something exciting.
Tools of the trade: I've been a long-time admirer of masscan; it's a stable scanning solution, but my recent experience with rustscan has also been very good, and I find it faster than masscan. Choose whatever suits you.
Finding the right range to scan: mobile ISPs tend to use the shared address space 100.64.0.0/10, while broadband ISPs are more likely to use private ranges such as 172.16.0.0/12 or 10.0.0.0/8. In either case these are very large ranges to scan, so start from your own WAN address. On a broadband ISP you can visit your router's status page to find its WAN address; on a mobile ISP you can look in your phone's 'About' section in settings to find your IP/WAN address; if you're using a modem, ifconfig should do the trick.
Note: not all ISPs employ CGNAT; don't be surprised if you see a public address in place of your WAN address.
Scanning smartly: as I mentioned, the IP ranges used for WANs are large. Instead of wasting time scanning the entire range you can use the following trick. Say your WAN address is 10.27.27.123; you could scan the subnet 10.27.0.0/16, since you were assigned an address in this range and it is likely that other devices exist in the same range. You could also scan subsequent ranges such as 10.28.0.0/16, 10.29.0.0/16 and so forth, as it is very likely that the ISP uses these too (masscan accepts several ranges on one command line). Another neat trick in the case of mobile ISPs is to repeatedly connect to and disconnect from the network while noting down your WAN address each time; this should give you a good idea of the subnets your ISP hands out.
Note: it's likely that devices you find on WANs will change their addresses from time to time, especially on mobile networks; it is thus advisable to scan smaller IP blocks and analyze the results immediately.
Note: in a few cases you might be able to reach some not-so-obvious private ranges which your ISP may be using. For example, say your WAN address is 100.90.1.27; you would assume that your ISP only uses the shared address space 100.64.0.0/10, but this is not always the case, and you may be able to reach devices in 172.16.0.0/12 or 10.0.0.0/8. A random scan of these address spaces might reveal interesting targets, and performing a traceroute to an internet address (say 220.127.116.11) can also reveal the use of such alternate WAN address spaces, since the addresses of the ISP's intermediate hops show up in the output.
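The range-picking steps above (classify your WAN address, scan the /16 you sit in plus the following ones, collapse the addresses noted across reconnects into subnets, and read alternate WAN ranges off a traceroute) are easy to get wrong by hand, so here is the same logic as an added example. This is not code from the original post; it uses only the Python standard library, and the traceroute text at the bottom is constructed, not a real capture.

```python
"""Added example (not from the original post): given the WAN address you read
off your router/phone/ifconfig, classify it, derive the /16 blocks worth
scanning first, collapse addresses noted across reconnects into subnets, and
flag traceroute hops that sit in shared or private space. Standard library only."""
import ipaddress
import re

SHARED = ipaddress.ip_network("100.64.0.0/10")          # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n) for n in             # RFC 1918 private ranges
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'shared', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "shared"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def candidate_ranges(addr, count=3, prefix=16):
    """The /16 that contains addr plus the next (count - 1) /16s, as strings.
    Clipped to the enclosing shared/private block so the list never runs
    into public space (e.g. 100.127.x.x is the last /16 of 100.64.0.0/10).
    A public WAN address means no CGNAT, so there is nothing WAN-side to scan."""
    kind = classify(addr)
    if kind == "public":
        return []
    ip = ipaddress.ip_address(addr)
    enclosing = SHARED if kind == "shared" else next(n for n in PRIVATE if ip in n)
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    ranges = []
    while len(ranges) < count and net.subnet_of(enclosing):
        ranges.append(str(net))
        following = int(net.network_address) + net.num_addresses   # next /16
        if following >= 2 ** 32:
            break
        net = ipaddress.ip_network(f"{ipaddress.ip_address(following)}/{prefix}")
    return ranges


def subnets_seen(addrs, prefix=16):
    """Collapse WAN addresses noted down across reconnects into the /16s they
    fall in, so you know which blocks the ISP actually hands out."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}
    return [str(n) for n in sorted(nets)]


# traceroute prints one hop per line: "<hop>  <host> (<ip>)  <rtt> ms ..."
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d+\.\d+\.\d+\.\d+)")


def hidden_hops(traceroute_text):
    """(hop, address, kind) for every hop whose address is in shared or
    private space; those hops reveal WAN ranges the ISP routes internally."""
    found = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:            # header line and "* * *" timeouts carry no address
            continue
        kind = classify(m.group(2))
        if kind != "public":
            found.append((int(m.group(1)), m.group(2), kind))
    return found


# Constructed traceroute output for illustration, not a real capture.
SAMPLE_TRACEROUTE = """\
traceroute to 220.127.116.11 (220.127.116.11), 30 hops max, 60 byte packets
 1  100.90.0.1 (100.90.0.1)  28.1 ms  27.9 ms  28.3 ms
 2  10.255.14.9 (10.255.14.9)  30.2 ms  30.0 ms  31.1 ms
 3  * * *
 4  203.0.113.17 (203.0.113.17)  35.6 ms  35.2 ms  35.9 ms
"""

if __name__ == "__main__":
    print(classify("100.90.1.27"), candidate_ranges("10.27.27.123"))
    print(subnets_seen(["100.90.1.27", "100.72.5.1", "100.90.200.3"]))
    print(hidden_hops(SAMPLE_TRACEROUTE))
```

Feed the output of `candidate_ranges` straight to masscan as its target list, and pipe a real `traceroute` into `hidden_hops` to see whether a 100.64/10 customer can also see 10/8 or 172.16/12 hops, which is the hint the note above describes.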
Scanning and analyzing devices:
- Scanning with masscan:
sudo masscan -p80 100.99.0.0/16 2> /dev/null | tee results.txt
Note: piping masscan's error stream to /dev/null hides its status messages so that you get a clean output file. Although masscan does support an '-oL' option like nmap for output, the approach above shows you IPs as they are discovered and also saves them to the results file, whereas with '-oL' you would wait until the whole scan is complete to view the results.
Note: if you are using a modem and masscan times out with an ARP resolution error, specify the MAC address of your modem using the --router-mac=aa:bb:cc:dd:ee:ff option.
Note: you can save time by increasing masscan's packet rate with the --rate option; --rate=300 is a good rate for 4G mobile networks, and broadband users can raise it even higher, but be mindful of the packet rate: a very high rate causes drops and reduces the probability of discovering devices.
Analyzing results: since we scanned for port 80, we can use httpx to look for interesting targets.
Picking the IPs out of the results file (field 6 of each 'Discovered open port ... on <ip>' line; sort -u drops duplicates):
cut -d' ' -f6 results.txt | sort -u > ip.txt
Probing the targets with httpx:
httpx -status-code -title -l ip.txt
Note: while I have chosen to target web-based services (port 80) here, you can modify your scan to include the ssh and telnet ports, which will perhaps yield more interesting results.
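The cut/httpx step above works for a single port, but once you scan several ports (web, ssh, telnet) you want the hosts split by service rather than one flat list. The following added example (not from the original post) parses masscan output in both forms, the stdout lines captured with tee and the '-oL' list format, dedupes hosts and groups them by port; the input lines are constructed, and status lines that masscan really prints on stderr are included only to show they are ignored.

```python
"""Added example (not part of the original post): parse masscan output,
whether captured from stdout (the tee approach above) or written with -oL,
dedupe the hosts and group them by port so web hosts go to httpx and
ssh/telnet hosts go to a different tool. Sample input is constructed."""
import re
from collections import defaultdict

# stdout form:  Discovered open port 80/tcp on 100.99.12.34
STDOUT_RE = re.compile(r"Discovered open port (\d+)/(\w+) on (\d+\.\d+\.\d+\.\d+)")
# -oL list form (as masscan documents it):  open tcp 80 100.99.12.34 1700000000
LIST_RE = re.compile(r"^open (\w+) (\d+) (\d+\.\d+\.\d+\.\d+) \d+")


def ip_key(ip):
    """Sort IPv4 strings numerically by octet instead of lexically."""
    return tuple(int(o) for o in ip.split("."))


def parse_masscan(text):
    """Return {port: sorted unique IPs} from either masscan output format.
    Lines matching neither (status messages, '#masscan' header, '# end')
    are ignored; only TCP results are kept."""
    by_port = defaultdict(set)
    for line in text.splitlines():
        m = STDOUT_RE.search(line)
        if m:
            port, proto, ip = int(m.group(1)), m.group(2), m.group(3)
        else:
            m = LIST_RE.match(line.strip())
            if not m:
                continue
            proto, port, ip = m.group(1), int(m.group(2)), m.group(3)
        if proto == "tcp":
            by_port[port].add(ip)
    return {p: sorted(ips, key=ip_key) for p, ips in by_port.items()}


def hosts_for(by_port, ports):
    """Unique hosts with any of the given ports open, ready for 'httpx -l'."""
    hosts = set()
    for p in ports:
        hosts.update(by_port.get(p, []))
    return sorted(hosts, key=ip_key)


def write_targets(by_port, path, ports):
    """Write one host per line, the format httpx -l (and most tools) expect."""
    with open(path, "w") as f:
        for h in hosts_for(by_port, ports):
            f.write(h + "\n")


# Constructed sample mixing both formats plus noise; not a real scan.
SAMPLE = """\
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-01-01 10:00:00 GMT
Discovered open port 80/tcp on 100.99.12.34
Discovered open port 23/tcp on 100.99.12.34
Discovered open port 80/tcp on 100.99.3.7
Discovered open port 80/tcp on 100.99.12.34
#masscan
open tcp 22 100.99.40.2 1700000000
open tcp 8080 100.99.3.7 1700000001
rate:  0.30-kpps, 100.00% done, waiting 10-secs, found=4
# end
"""

if __name__ == "__main__":
    results = parse_masscan(SAMPLE)
    print("web hosts:", hosts_for(results, (80, 8080)))
    print("ssh/telnet hosts:", hosts_for(results, (22, 23)))
```

In practice read `results.txt` (or the -oL file) instead of `SAMPLE`, write the web hosts with `write_targets(results, "ip.txt", (80, 8080))` and hand that file to `httpx -l ip.txt`; the 22/23 list goes to whatever you use for ssh and telnet.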
Recommended ports for scanning :
Persistent access / device rediscovery: devices on WANs can change their IP address unpredictably, for example after a power outage or a network disconnection, and this is more widespread on mobile networks. It's a pain to re-scan an entire network range to find a particular device you are interested in. In such cases you can leverage the DDNS settings which many devices offer: create a free account on No-IP (up to 3 devices), set up the DDNS service on the device, and every time the device changes its WAN address it will update the corresponding DDNS hostname accordingly; you then just have to resolve your DDNS hostname to find its WAN address.
Note: if you are confused as to why a DDNS client would report its WAN address instead of its public address to the DDNS server: a DDNS client of this kind works by reading the WAN interface's IP address; it does not attempt to determine its actual public IP address, and from its point of view the address assigned to the WAN interface is globally routable. (A client that instead discovers its public address through an external 'what is my IP' service would report the ISP's shared public address, which is useless for rediscovering the device.)
Results: let's take a look at what we managed to find.
Strange routers that I have never seen before:
Note: 'TCCC' stands for 'The Coca-Cola Company' (no, I'm not kidding).
- Firstly, we notice a variety of routers whose administration panels are accessible from the WAN network. This is often the result of misconfiguring the HTTP service to listen on all interfaces. The absence of routers from popular vendors in our results suggests that such a misconfiguration is rather a trait of uncommon and shady vendors; if one finds routers from such vendors in large numbers, it is likely that the ISP is distributing them, as they are cheaper than regular routers.
IoT devices: we come across the administrative interface of a very interesting device which seems to be an electricity meter (how do I know? I checked the vendor's website); the other screenshot is of a controller for Modbus devices. The nature of such devices requires them to use mobile networks for connectivity, in which case there is obviously no router or other intermediate device between such an IoT device and the ISP's router. This, combined with the fact that it exposes an administrative interface (most likely by default), yet again confirms the infamous security posture of IoT devices. As a good friend of mine once said, "the 'S' in IoT stands for Security". WANs in the near future (if not already) will be gold mines of IoT devices which depend on mobile networks.
Subscriber modems are the devices you are most likely to run into when scanning mobile ISP WANs; it does not always have to be those old-fashioned data cards, there are also devices such as these (a travel modem).
Only devices such as these and data cards (the ones with Wi-Fi) have web-based administrative interfaces. These devices are fascinating because of their capability to send and receive SMS messages: many services on the internet require SMS verification (example: hunter.io) to prevent fraud, and these services can also detect disposable phone numbers and VoIP numbers, which leaves attackers without much choice; in such cases these modems become lucrative targets.
Note: one can determine a modem's phone number by running an operator-specific USSD code; some operators have an SMS-based service wherein they send back the phone number when you send an SMS to a specific service number; in other cases one can check the SMS archive of the modem, as some messages from the operator might contain the phone number.
- Discovering firewalls on broadband ISP WANs is pretty common, but I also found a few on a mobile ISP's network. After some research I found that many enterprise-grade firewalls have a so-called 'fail-safe' mode wherein you connect a modem to the firewall, which keeps it reachable even when all wired internet connections fail.
As I have previously mentioned, not all ISPs have CGNAT; in such cases there is not much you can do.
A WAN network usually contains the users of a particular area or city, so sometimes there may not be too many devices.
Some ISPs prevent communication between devices in a WAN (i’m not sure how effective this actually is)
Interacting with devices on a WAN (especially on mobile networks) is sometimes extremely slow.