BNAT Hijacking: Repairing Broken Communication Channels
Presentation Transcript

  • BNAT Hijacking
    Repairing Broken Communication Channels
    Jonathan Claudius
    Rio Hotel and Casino August 5th, 2011
    Defcon Skytalk 2011
    Security Begins with Trust
  • Quick Story
    “Easier Said Than Done…”
  • AGENDA
    Introduction
    What & How of BNAT
    BNAT Handshake/Hijack
    Demo of BNAT-Suite
    Finding BNAT (Active Identification)
    Attacking BNAT (Hijack BNAT Session)
    Conclusions
  • BNAT: The What?
    Diagram: the Client sends its packet to DST: 1.1.2.1, but the reply that comes back out of the “Cloud” carries SRC: 1.1.2.2, a different address from the one the Client connected to
  • BNAT: The How?
    “On a Stick”
    Diagram: one Firewall in front of the Server does both translations: DNAT of the inbound connection to 1.1.2.1 toward the Server, and SNAT of the Server’s reply back out to the Client as 1.1.2.2
  • BNAT: The How?
    “A Loop”
    Diagram: the Firewall DNATs the Client’s packets for 1.1.2.1 to the Server, but the Server’s reply leaves through a separate Router that SNATs it as 1.1.2.2 (asymmetric path in and out)
  • The Bottom Line
    Outside view is the same…
    BNAT Loop ~= BNAT on a Stick
    …but both are still broken
  • BNAT Handshake Idea
    What if I could complete the TCP Handshake?
  • BNAT Handshake Idea
    What would it take?
    Stop “RST” Packet
    Accept “SYN/ACK”
    Send “ACK”
  • Tools
    Ruby PacketFu Gem
    Created by Tod Beardsley (@todb)
    Used by Metasploit Framework
    IPTables
    Program to configure the Linux Kernel Firewall
  • #1: Stop the “RST”
    IPTables can do this quite easily…
    iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
    No more RST
    (Caveat: the kernel still generates the RST for the SYN/ACK that arrives from 1.1.2.2 with no matching socket; this rule only drops it on the way out, and as written it drops every outbound TCP RST the host would send, not just the one headed for 1.1.2.2)
  • #2: Accept “SYN/ACK”
    Capture “SYN/ACK” Code
    require 'packetfu'
    # Sniff the interface given as ARGV[0]; the BPF filter keeps only TCP from the
    # (wrong) reply address 1.1.2.2 back to our client address 1.1.2.3
    cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true, :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
    loop {
      cap.stream.each { |pkt|
        packet = PacketFu::Packet.parse(pkt)
        # Only the SYN/ACK matters; step #3 reuses its ports and sequence numbers
        if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
          puts "got the syn/ack"
          synackpkt = packet
        end
      }
    }
  • #3: Send “ACK”
    Build and Send “ACK” Code
    # synackpkt is the parsed SYN/ACK captured in step #2
    ackpkt = PacketFu::TCPPacket.new
    ackpkt.ip_saddr = synackpkt.ip_daddr      # answer as the address the SYN/ACK was sent to (1.1.2.3)
    ackpkt.ip_daddr = "1.1.2.2"               # but send it where the SYN/ACK came from, not to 1.1.2.1
    ackpkt.eth_saddr = "00:0c:29:af:cc:63"    # lab values: our NIC and the next-hop MAC
    ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
    ackpkt.tcp_sport = synackpkt.tcp_dport
    ackpkt.tcp_dport = synackpkt.tcp_sport
    ackpkt.tcp_flags.syn = 0
    ackpkt.tcp_flags.ack = 1
    ackpkt.tcp_ack = synackpkt.tcp_seq + 1    # acknowledge the server's ISN
    ackpkt.tcp_seq = synackpkt.tcp_ack        # our ISN + 1, which the server already acknowledged
    ackpkt.tcp_win = 183
    ackpkt.recalc                             # recompute lengths and checksums
    injack = PacketFu::Inject.new(:iface => ARGV[0])
    injack.a2w(:array => [ackpkt.to_s])
    puts "sent the ack"
  • End Result
    Diagram (OUTSIDE / INSIDE): the Client’s SYN goes to 1.1.2.1 and is DNATed by the Firewall to the Server; the Server’s SYN/ACK leaves via the Router, SNATed to 1.1.2.2; with the RST suppressed the Client answers that SYN/ACK with an ACK to 1.1.2.2, the ACK reaches the Server, and the handshake completes
  • BNAT Hijacking Idea
    What if I could weaponize this to do more?
  • BNAT-Suite
    I built some tools to help…
    BNAT-PCAP (Offline PCAP Analysis Tool)
    BNAT-SCAN (Active Scanning Tool)
    BNAT-ROUTER (Hijacking Router)
  • DEMO #1: Find BNAT
    bnat-scan.rb
    Perspective:
    External Penetration Test
    Discover the hidden service
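    The pattern from the “What/How” slides, a SYN sent to one address and the SYN/ACK arriving from another, is exactly what an outside scan has to pick out of its own traffic. As an added example (mine, not code from BNAT-Suite or bnat-scan.rb), the following pure-Ruby classifier pairs each SYN with the reply that acknowledges it and reports which probed addresses answered from somewhere else. It needs no gem; the trace is constructed, and the client address 1.1.2.3, the host 1.1.2.9 and every port and sequence number are assumptions.

```ruby
# Added example, not code from BNAT-Suite: an offline BNAT classifier over a
# constructed trace. Packet records stand in for parsed pcap data and the
# field names are this example's own.
Pkt = Struct.new(:src, :dst, :sport, :dport, :flags, :seq, :ack)

# Constructed trace. Our client is 1.1.2.3. It probes 1.1.2.1:80 and
# 1.1.2.1:443 (the BNAT target from the slides) and 1.1.2.9:22 (a healthy host).
SAMPLE_TRACE = [
  Pkt.new("1.1.2.3", "1.1.2.1", 40001, 80,    "S",  1000, 0),
  Pkt.new("1.1.2.2", "1.1.2.3", 80,    40001, "SA", 5000, 9999),  # right ports, wrong ack: not ours
  Pkt.new("1.1.2.2", "1.1.2.3", 80,    40001, "SA", 5000, 1001),  # answers our SYN, from 1.1.2.2 not 1.1.2.1
  Pkt.new("1.1.2.3", "1.1.2.1", 40002, 443,   "S",  2000, 0),     # never answered
  Pkt.new("1.1.2.3", "1.1.2.9", 40003, 22,    "S",  3000, 0),
  Pkt.new("1.1.2.9", "1.1.2.3", 22,    40003, "SA", 7000, 3001),  # normal: reply from the probed address
]

# Classify every SYN sent by client_ip as :bnat, :normal or :unanswered.
# The match key is only our port pair plus ack == our ISN + 1; the responder
# address is deliberately left out of it, because in BNAT it is the wrong one.
def find_bnat(trace, client_ip)
  pending = {}                       # [our sport, their dport] => SYN we sent
  result  = { bnat: [], normal: [], unanswered: [] }
  trace.each do |p|
    if p.flags == "S" && p.src == client_ip
      pending[[p.sport, p.dport]] = p
    elsif p.flags == "SA" && p.dst == client_ip
      syn = pending[[p.dport, p.sport]]
      next unless syn && p.ack == syn.seq + 1   # must acknowledge our ISN
      pending.delete([p.dport, p.sport])
      if p.src == syn.dst
        result[:normal] << { probed: syn.dst, port: syn.dport }
      else
        result[:bnat] << { probed: syn.dst, replied_from: p.src, port: syn.dport }
      end
    end
  end
  pending.each_value { |syn| result[:unanswered] << { probed: syn.dst, port: syn.dport } }
  result
end

if __FILE__ == $0
  find_bnat(SAMPLE_TRACE, "1.1.2.3").each { |kind, list| puts "#{kind}: #{list.inspect}" }
end
```

    Matching on the acknowledgement of our ISN rather than on the port pair alone is what keeps a scan of many hosts honest: ports get reused across probes, and a stray SYN/ACK with the right ports but the wrong ack (second packet above) would otherwise be credited to the wrong probe. This is the “IP + Seq” flavour of matching listed on the “What’s Next?” slide.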
  • DEMO #2: Attack BNAT
    bnat-router.rb
    Perspective:
    External Penetration Test
    Use the newly discovered service
  • End Result
    Diagram (OUTSIDE / INSIDE): the B-Router sits between the Client and the target; it sends the SYN to 1.1.2.1 (DNATed by the Firewall to the Server), accepts the SYN/ACK that comes back from 1.1.2.2 via the Router’s SNAT, and completes the handshake with the ACK, so the unmodified Client gets a working session
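    The B-Router in this diagram is what makes an unmodified client usable against a BNAT target: the client’s own TCP stack would RST the mismatched SYN/ACK, so the router has to learn the real reply address and hide the mismatch. As an added example (mine, not bnat-router.rb), the following pure-Ruby model shows the translation table such a router keeps and the check it should apply before trusting a SYN/ACK. The front address 10.0.0.1, the outside address 198.51.100.7, the client 10.0.0.5 and all ports and sequence numbers are assumed lab values.

```ruby
# Added example, not bnat-router.rb: a model of a BNAT hijacking router.
# Packets are plain records; addresses and numbers are assumed lab values.
Pkt = Struct.new(:src, :dst, :sport, :dport, :flags, :seq, :ack)

class BnatRouter
  # front:   address the client connects to
  # outside: address the router uses toward the target
  # target:  advertised (DNAT) address of the service, e.g. 1.1.2.1
  def initialize(front:, outside:, target:)
    @front, @outside, @target = front, outside, target
    @next_port  = 40000
    @by_client  = {}   # [client_ip, client_port] => flow
    @by_outside = {}   # router-side source port   => flow
  end

  # Packet from the client heading to the service.
  def from_client(p)
    return nil unless p.dst == @front
    key = [p.src, p.sport]
    if p.flags == "S" && !@by_client[key]
      flow = { client: p.src, cport: p.sport, rport: @next_port,
               isn: p.seq, reply_ip: @target, bnat: false }
      @next_port += 1
      @by_client[key] = flow
      @by_outside[flow[:rport]] = flow
    end
    flow = @by_client[key]
    return nil unless flow                     # unknown flow: drop
    # Send toward whatever address the service last answered from.
    Pkt.new(@outside, flow[:reply_ip], flow[:rport], p.dport, p.flags, p.seq, p.ack)
  end

  # Packet arriving from the Internet side.
  def from_outside(p)
    return nil unless p.dst == @outside
    flow = @by_outside[p.dport]
    return nil unless flow
    if p.flags == "SA"
      # Only a SYN/ACK that acknowledges the client's ISN belongs to this flow;
      # otherwise anyone guessing the port pair could redirect its replies.
      return nil unless p.ack == flow[:isn] + 1
      if p.src != flow[:reply_ip]
        flow[:reply_ip] = p.src   # the broken NAT answered from elsewhere: remember it
        flow[:bnat] = true
      end
    end
    # Rewrite the source back to the front address so the client's stack sees
    # the peer it connected to and completes the handshake instead of RSTing.
    Pkt.new(@front, flow[:client], p.sport, flow[:cport], p.flags, p.seq, p.ack)
  end

  def bnat?(client_ip, client_port)
    flow = @by_client[[client_ip, client_port]]
    flow ? flow[:bnat] : false
  end
end

# Constructed exchange: the client connects to the front address, the service
# advertised at 1.1.2.1 answers from 1.1.2.2, and the client's ACK is steered there.
def handshake_through_router
  r   = BnatRouter.new(front: "10.0.0.1", outside: "198.51.100.7", target: "1.1.2.1")
  syn = r.from_client(Pkt.new("10.0.0.5", "10.0.0.1", 51000, 80, "S", 1000, 0))
  sa  = r.from_outside(Pkt.new("1.1.2.2", syn.src, 80, syn.sport, "SA", 5000, 1001))
  ack = r.from_client(Pkt.new("10.0.0.5", "10.0.0.1", 51000, 80, "A", 1001, 5001))
  [syn, sa, ack, r]
end

if __FILE__ == $0
  syn, sa, ack, r = handshake_through_router
  puts "SYN out to #{syn.dst}, SYN/ACK shown to client as from #{sa.src}, ACK sent to #{ack.dst}"
  puts "flow flagged as BNAT: #{r.bnat?("10.0.0.5", 51000)}"
end
```

    The reply address is learned per flow from the SYN/ACK, not configured, which is why the same router works for both the “on a stick” and the “loop” deployments: from the outside they look identical. The ISN check in from_outside is the part a quick proof of concept tends to skip and a practitioner should not, since the router is by design accepting packets from an address it did not send to.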
  • Conclusions
    Understand the Gaps…
    Port/Vulnerability Scanners
    Dynamic Routing
    Vendor Limitations/Recommendations
    Incomplete NAT/SPI Implementations
    Security vs. Networking 
    Order & Flow Matter!!!
  • What's Next?
    Add support for…
    IPv6 BNAT
    UDP BNAT
    IP + Port TCP BNAT
    IP + Seq TCP BNAT
    IP + Port + Seq TCP BNAT
  • Questions?
  • Some Info/Ref…
    Where to get this code?
    https://github.com/claudijd/BNAT-Suite
    How to find me?
    Name: Jonathan Claudius
    City: Chicago, IL
    Email: jclaudius@trustwave.com
    Twitter: @claudijd
    References
    http://code.google.com/p/packetfu/
    http://www.netfilter.org/
    http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
    http://en.wikipedia.org/wiki/Iptables
    http://en.wikipedia.org/wiki/Network_address_translation
    http://en.wikipedia.org/wiki/Transmission_Control_Protocol
    https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg