When running Backtrack 5 from a VM, is it recommended to use the bridged networking option instead of the NAT networking option? How does it affect the usage of Backtrack - port scanning, vulnerability scanning, wireless packet injection?
1 Answer
When in NAT mode, the network subsystem of the hypervisor operates by modifying the packets as they leave the host. Assuming TCP/IP over Ethernet, the components definitely changed are:
- source address
- source MAC
- usually the TTL
- often the source port
Sometimes other TCP flags will get modified as well such as DF, Window size, etc.
In a well-behaved network, where all of those flags and options are set in a way that makes sense according to the RFCs, that stuff can be, and is expected to be, modified appropriately. A vulnerability assessment tool, however, operates by doing things in non-compliant and misbehaved ways. So those normally acceptable header and protocol modifications can actually cause the software to misinterpret the results.
Let's take OS detection as an example. The system will throw a combination of normal and abnormal packets at a system. The network stacks used in most OSes are well known enough that their responses should be predictable in both success and failure situations. So the assessment tool will take the responses, look them up in the OS detection table, and make some guesses about what it thinks the remote host is running based on those responses. Since the NAT device works by munging all of the packets coming in and out, you taint your data.
Now, in the vast majority of cases the data may still be totally fine. However, since the packets are modified externally from the assessment tool, the tool won't necessarily know what changes were made. As a result you run the risk of the tool performing analysis on incorrect data which may invalidate your results.
On a related note, it has historically been the recommendation not to run host firewalls on vulnerability assessment systems, for much the same reason. Since they, by design, spew out abnormal traffic, and since firewalls are designed to protect you from abnormal traffic, it's entirely possible your firewall may drop something in a way unexpected by the assessment tool. Much like the NAT example, this can also invalidate your results.
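To make the answer's OS-detection point concrete, here is a small constructed simulation (added here; it is not code from the question, the answer, or Backtrack/any real scanner). It models a scanning VM behind a hypervisor NAT that rewrites the source address and port and decrements the TTL on both legs, and can optionally clear DF and rewrite the window, exactly the fields the answer lists. The fingerprint table is deliberately naive, keyed on the exact header values received, so that a single externally modified field turns a confident match into "unknown". All addresses, ports, table entries and OS labels are constructed; `fields_changed` is a hypothetical diagnostic that shows which fields the NAT path altered by comparing against a bridged (direct) run.

```python
"""Constructed model of hypervisor NAT tainting OS-fingerprint data.
Not real scanner or Backtrack code; every value below is made up."""
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int
    df: bool      # IP "don't fragment" flag
    window: int   # TCP window size


# Constructed fingerprint table: (TTL as received, DF, window) -> label.
# A naive tool assumes the values it receives are the values the target sent.
FINGERPRINTS = {
    (64, True, 5840): "Linux-like (constructed entry)",
    (128, True, 8192): "Windows-like (constructed entry)",
}


def target_respond(probe: Packet, initial_ttl: int = 64, window: int = 5840) -> Packet:
    """Constructed target stack: answer a probe with its own TTL/DF/window defaults."""
    return Packet(src_ip=probe.dst_ip, dst_ip=probe.src_ip,
                  src_port=probe.dst_port, dst_port=probe.src_port,
                  ttl=initial_ttl, df=True, window=window)


class HypervisorNat:
    """Models the rewriting the answer describes: source IP and port are
    rewritten outbound, TTL is decremented on both legs, and optionally the
    DF flag is cleared and the window rewritten on the way back in."""

    def __init__(self, host_ip: str, clear_df: bool = False, rewrite_window=None):
        self.host_ip = host_ip
        self.clear_df = clear_df
        self.rewrite_window = rewrite_window
        self.next_port = 40000
        self.table = {}  # public source port -> (guest ip, guest port)

    def outbound(self, pkt: Packet) -> Packet:
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.host_ip, src_port=pub, ttl=pkt.ttl - 1)

    def inbound(self, pkt: Packet) -> Packet:
        guest_ip, guest_port = self.table[pkt.dst_port]
        out = replace(pkt, dst_ip=guest_ip, dst_port=guest_port, ttl=pkt.ttl - 1)
        if self.clear_df:
            out = replace(out, df=False)
        if self.rewrite_window is not None:
            out = replace(out, window=self.rewrite_window)
        return out


def fingerprint(resp: Packet) -> str:
    """Naive exact-match lookup, unaware of any modification in transit."""
    return FINGERPRINTS.get((resp.ttl, resp.df, resp.window), "unknown")


def scan(nat: HypervisorNat = None):
    """Send one probe to the constructed target, directly (bridged) or via NAT.
    Returns (fingerprint label, response as the tool received it)."""
    probe = Packet("192.168.56.10", "203.0.113.5", 45000, 80, 64, True, 1024)
    if nat is None:
        resp = target_respond(probe)
    else:
        resp = nat.inbound(target_respond(nat.outbound(probe)))
    return fingerprint(resp), resp


def fields_changed(direct: Packet, natted: Packet):
    """Hypothetical diagnostic: which response fields differ between a bridged
    run and a NAT run, i.e. what the NAT silently changed."""
    return sorted(f.name for f in fields(Packet)
                  if getattr(direct, f.name) != getattr(natted, f.name))


if __name__ == "__main__":
    direct_label, direct_resp = scan()
    nat_label, nat_resp = scan(HypervisorNat("10.0.2.2"))
    print("bridged:", direct_label)
    print("NAT:    ", nat_label, "changed fields:", fields_changed(direct_resp, nat_resp))
    _, nat_resp2 = scan(HypervisorNat("10.0.2.2", clear_df=True))
    print("NAT+DF cleared, changed fields:", fields_changed(direct_resp, nat_resp2))
```

The bridged run matches its table entry; the same probe through the NAT comes back with TTL 63 instead of 64 and no longer matches, even though nothing about the target changed. Real tools are less naive than this table (they normalise TTL into initial-TTL buckets, for example), but the diagnostic comparison is the practical takeaway: if you must assess from a NAT-mode VM, run the same probe via a bridged path once and diff the responses, so you know which fields the hypervisor is rewriting before trusting the results.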