Can NetworkAdmin detect machine is being used behind the windows ICS?

Question

Our laptops are authorized to connect to the company's network while they don't allow users to connect personal computers to the network. I did and got warned.

I've got a wireless router with a sim card and connect my Macbook to the router for internet browsing. I also connect my company laptop to my personal router and the company's network through the wire simultaneously so that I can rsync my code to Windows.

If I turn on the company's laptop(win10) internet sharing feature and point my Macbook's gateway and DNS to the company's laptop's IP address ess (the one provided by my router), I could access the company's website、 servers, and etc.

and to my limited knowledge ics works pretty much like NAT, but I'm not sure if the network admin will be able to detect it.

Answer 1

It's literally NAT – enabling ICS makes your system work as an actual router, complete with standard IPv4 packet forwarding (routing), NAT (including DNAT for "port forwarding"), and even DHCP service.

One way to detect connection sharing of this kind is to look at packet TTLs. If the network admin inspects packets going through e.g. the company's external gateway, then all packets from the subnet you're in will have the same TTLs as they've all started with the same 2-3 standard values and gone through the same number of routers – except for your Macbook, which is connected through an additional router (your Windows ICS machine) and its packets will have a TTL that's one lower than the rest.

Proxies cannot be detected this way (and probably would be less of a security risk too), e.g. a SOCKS or HTTP proxy, or more commonly an ssh -D connection emulating a SOCKS proxy could be used to give certain apps on your Macbook access to the corporate network through an SSH or proxy server running on your other laptop.