If there are 3 machines A, B and C, and A communicates directly with B (A -> B), but B is executing port forwarding with the following command:

socat TCP4-LISTEN:443,fork TCP4:<ip machine C>:443

So in fact the communication is A -> B -> C. Is there any way that A could know it is really communicating with C?

Paula
  • Are you asking about the specific command or the port forwarding concept? – allo May 05 '22 at 14:17
  • Both xd. I mean, I need the command but I do not really know if this is possible at a conceptual level – Paula May 05 '22 at 14:21
  • For the concept the receiver doesn't have any hints about whether the data is generated by a program like a webserver or forwarded from another network connection by a program like socat. On the other hand, socat may have specific characteristics from which one might be able to detect that socat is used. Still I would doubt if you can detect if it forwards data over a network or, e.g., using a pipe. – allo May 05 '22 at 14:30
  • Ok. I've been focusing more on the network level and I tried traceroute to see if this way I could show the B machine is only a redirector but it doesn't work so maybe you are right. – Paula May 05 '22 at 14:34
  • Traceroute won't help you, because with socat there is a "non-network" hop in your connection and traceroute cannot trace the forwarding through the program. The best you can hope for is determining that socat is listening on the port and forwarding something (e.g. by characteristic use of TCP-flags, latency, etc.) but you cannot trace the further path. – allo May 05 '22 at 14:36
  • It makes sense, thank you. – Paula May 05 '22 at 14:38
  • You may look at NAT detection of IPsec, which basically determines if a NAT or PAT is used in communication on both sides – Batuhan May 05 '22 at 23:20
  • Port 443 is _conventionally_ used for HTTPS i.e. HTTP over SSL/TLS. SSL/TLS stacks sometimes have minor quirks, and if A knows what OS and/or software runs on B (or is authorized to) it may be able to detect that the SSL/TLS behavior is inconsistent with that. Similarly HTTP responses sometimes directly identify the software used, and even if not, may have quirks that make it incompatible with the software known/expected to be on B. But the more alike B and C are, the less chance of detecting an inconsistency. For a quick start on this approach, I would try nmap's 'fingerprinting'. – dave_thompson_085 May 07 '22 at 00:30

1 Answer

No, it's not possible for A to know if B is forwarding packets to C or not.

As soon as the packets reach B, A does not have any visibility on them. B will send the packet data to C, not the packets themselves. When a packet reaches B coming from C, B will read the packet, get its data, and send the data to A.

ThoriumBR
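The behaviour described in the answer can be reproduced on loopback. The following is an added example, not part of the original question or answer: a small Python relay stands in for the socat command, and it records what each endpoint can observe about the connection. The names `serve_c`, `pump`, `relay_b` and `demo` and the use of 127.0.0.1 with ephemeral ports are assumptions made for the illustration.

```python
import socket
import threading

def serve_c(listener):
    """C: reply with the source address of the connection C actually received."""
    conn, peer = listener.accept()
    with conn:
        conn.recv(1024)
        conn.sendall(("%s:%d" % peer).encode())

def pump(src, dst):
    """Copy payload bytes one way, then pass end-of-stream on to dst."""
    while data := src.recv(4096):
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)

def relay_b(listener, c_addr, seen):
    """B: accept A, open a separate TCP connection to C, copy bytes both ways."""
    a_side, _ = listener.accept()
    c_side = socket.create_connection(c_addr)
    with a_side, c_side:
        seen["b_outbound"] = "%s:%d" % c_side.getsockname()  # B's own source address
        up = threading.Thread(target=pump, args=(a_side, c_side))
        up.start()
        pump(c_side, a_side)
        up.join()

def demo():
    """Run A -> B -> C on loopback (constructed setup) and return each view."""
    with socket.create_server(("127.0.0.1", 0)) as c_listener, \
         socket.create_server(("127.0.0.1", 0)) as b_listener:
        seen = {"b_addr": b_listener.getsockname(), "c_addr": c_listener.getsockname()}
        workers = [threading.Thread(target=serve_c, args=(c_listener,)),
                   threading.Thread(target=relay_b, args=(b_listener, seen["c_addr"], seen))]
        for w in workers:
            w.start()
        with socket.create_connection(seen["b_addr"]) as a:
            seen["a_local"], seen["a_peer"] = a.getsockname(), a.getpeername()
            a.sendall(b"hello")
            a.shutdown(socket.SHUT_WR)
            seen["peer_seen_by_c"] = b"".join(iter(lambda: a.recv(1024), b"")).decode()
        for w in workers:
            w.join()
        return seen

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

A's socket reports B's listening address as its peer, and C reports B's outbound socket as its peer: two independent TCP connections with only the payload bytes in common, which is why traceroute and other packet-level checks from A stop at B.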