BNAT Hijacking: Repairing Broken Communication Channels
  1. BNAT Hijacking
     Repairing Broken Communication Channels
     Jonathan Claudius
     Rio Hotel and Casino, August 5th, 2011
     Defcon Skytalk 2011
     Security Begins with Trust

  2. Quick Story
     “Easier Said Than Done…”

  3. AGENDA
     Introduction
     What & How of BNAT
     BNAT Handshake/Hijack
     Demo of BNAT-Suite
     Finding BNAT (Active Identification)
     Attacking BNAT (Hijack BNAT Session)
     Conclusions

  4. BNAT: The What?
     [Diagram: Client, “Cloud”; packet out with DST: 1.1.2.1, reply back with SRC: 1.1.2.2]

  5. BNAT: The How? “On a Stick”
     [Diagram: Client, Firewall doing DNAT (1.1.2.1) and SNAT (1.1.2.2), Server]

  6. BNAT: The How? “A Loop”
     [Diagram: Client, Firewall doing DNAT (1.1.2.1), Server, Router doing SNAT (1.1.2.2)]

  7. The Bottom Line
     Outside view is the same…
     BNAT Loop ~= BNAT on a Stick
     …but both are still broken

  8. BNAT Handshake Idea
     What if I could complete the TCP Handshake?

  9. BNAT Handshake Idea
     What would it take?
     Stop “RST” Packet
     Accept “SYN/ACK”
     Send “ACK”

  10. Tools
      Ruby PacketFu Gem
      Created by Tod Beardsley (@todb)
      Used by Metasploit Framework
      IPTables
      Program to configure Linux Kernel Firewall

  11. #1: Stop the “RST”
      IPTables can do this quite easily…
          iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
      No more RST
  12. #2: Accept “SYN/ACK”
      Capture “SYN/ACK” Code
          require 'packetfu'

          # Sniff the chosen interface for the SYN/ACK that comes back from the
          # unexpected source address (1.1.2.2) to the client (1.1.2.3)
          cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true,
                                      :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
          synackpkt = nil
          loop {
            cap.stream.each { |pkt|
              packet = PacketFu::Packet.parse(pkt)
              next unless packet.is_a?(PacketFu::TCPPacket)
              if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
                puts "got the syn/ack"
                synackpkt = packet   # kept for the ACK built on the next slide
              end
            }
          }

  13. #3: Send “ACK”
      Build and Send “ACK” Code
          ackpkt = PacketFu::TCPPacket.new
          ackpkt.ip_saddr = synackpkt.ip_daddr        # reply as the original client...
          ackpkt.ip_daddr = "1.1.2.2"                 # ...to where the SYN/ACK came from
          ackpkt.eth_saddr = "00:0c:29:af:cc:63"
          ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
          ackpkt.tcp_sport = synackpkt.tcp_dport
          ackpkt.tcp_dport = synackpkt.tcp_sport
          ackpkt.tcp_flags.syn = 0
          ackpkt.tcp_flags.ack = 1
          ackpkt.tcp_ack = synackpkt.tcp_seq + 1      # acknowledge the server's ISN
          ackpkt.tcp_seq = synackpkt.tcp_ack          # our next sequence number
          ackpkt.tcp_win = 183
          ackpkt.recalc                               # fix lengths and checksums
          injack = PacketFu::Inject.new(:iface => ARGV[0])
          injack.a2w(:array => [ackpkt.to_s])
          puts "sent the ack"
  14. End Result
      [Diagram: OUTSIDE Client <-> Firewall DNAT 1.1.2.1 <-> INSIDE Server <-> Router SNAT 1.1.2.2;
       SYN, SYN/ACK and ACK each shown on both sides of the firewall]

  15. BNAT Hijacking Idea
      What if I could weaponize this to do more?

  16. BNAT-Suite
      I built some tools to help…
      BNAT-PCAP (Offline PCAP Analysis Tool)
      BNAT-SCAN (Active Scanning Tool)
      BNAT-ROUTER (Hijacking Router)

  17. DEMO #1: Find BNAT
      bnat-scan.rb
      Perspective: External Penetration Test
      Discover the hidden service
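The correlation an offline check like BNAT-PCAP has to do, written here as an added example in plain Ruby (this is not BNAT-Suite code; the packet records, addresses, ports and sequence numbers are constructed for the illustration). It pairs each SYN/ACK with the SYN it answers by client address, ports and ack number, flags the pairs where the SYN/ACK came from an address other than the one the SYN went to, and records the client RST that a BNAT reply provokes:

```ruby
# Added example (not BNAT-Suite code): the kind of offline check BNAT-PCAP does,
# over constructed packet records instead of a real pcap. The addresses, ports
# and sequence numbers below are made up for the illustration.

# A BNAT flow: a SYN goes to one address but the SYN/ACK that answers it (same
# ports, ack == client ISN + 1) comes back from a different one. The client
# kernel has no socket for that 4-tuple, so it answers with a RST and the
# service looks closed to a port scanner even though the server is listening.
PACKETS = [
  { src: "1.1.2.3", dst: "1.1.2.1", sport: 40001, dport: 80,    flags: "S",  seq: 1000, ack: 0    },
  { src: "1.1.2.2", dst: "1.1.2.3", sport: 80,    dport: 40001, flags: "SA", seq: 5000, ack: 1001 },
  { src: "1.1.2.3", dst: "1.1.2.2", sport: 40001, dport: 80,    flags: "R",  seq: 1001, ack: 0    },
  # healthy handshake for comparison: SYN/ACK from the address the SYN went to
  { src: "1.1.2.3", dst: "1.1.2.9", sport: 40002, dport: 22,    flags: "S",  seq: 2000, ack: 0    },
  { src: "1.1.2.9", dst: "1.1.2.3", sport: 22,    dport: 40002, flags: "SA", seq: 7000, ack: 2001 },
  { src: "1.1.2.3", dst: "1.1.2.9", sport: 40002, dport: 22,    flags: "A",  seq: 2001, ack: 7001 },
  # stray SYN/ACK with no matching SYN in the capture: ignored
  { src: "1.1.2.7", dst: "1.1.2.3", sport: 443,   dport: 40003, flags: "SA", seq: 9000, ack: 1    },
]

# Correlate each SYN/ACK with the SYN it answers. The match key is the client
# address and port, the service port, and the ack number (client ISN + 1); the
# responder's address is deliberately left out of the key so a reply from the
# "wrong" address still pairs up with its SYN.
def find_bnat(packets)
  pending = {}      # key => SYN record
  findings = []
  packets.each do |p|
    case p[:flags]
    when "S"
      pending[[p[:src], p[:sport], p[:dport], p[:seq] + 1]] = p
    when "SA"
      syn = pending.delete([p[:dst], p[:dport], p[:sport], p[:ack]])
      next if syn.nil?
      next if syn[:dst] == p[:src]          # normal handshake, nothing to report
      findings << { client: syn[:src], syn_to: syn[:dst], synack_from: p[:src],
                    port: syn[:dport], client_rst: false }
    when "R"
      # the client's RST to the unexpected responder confirms the broken handshake
      f = findings.find do |x|
        x[:client] == p[:src] && x[:synack_from] == p[:dst] && x[:port] == p[:dport]
      end
      f[:client_rst] = true if f
    end
  end
  findings
end

# One human-readable line per finding
def report(findings)
  findings.map do |f|
    "BNAT: #{f[:client]} sent SYN to #{f[:syn_to]}:#{f[:port]}, " \
      "SYN/ACK came from #{f[:synack_from]}" + (f[:client_rst] ? " (client reset it)" : "")
  end
end

puts report(find_bnat(PACKETS))
```

Keying the lookup on the ack number as well as the ports is what separates a genuine BNAT reply from an unrelated SYN/ACK that happens to hit the same client port; a scanner that only checks "did a SYN/ACK come back from the address I probed" never sees these flows at all, which is the scanner gap the Conclusions slide refers to.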
  18. DEMO #2: Attack BNAT
      bnat-router.rb
      Perspective: External Penetration Test
      Use the newly discovered service

  19. End Result
      [Diagram: OUTSIDE Client <-> B-Router <-> Firewall DNAT 1.1.2.1 <-> INSIDE Server <-> Router SNAT 1.1.2.2;
       SYN, SYN/ACK and ACK each shown on both sides of the firewall]

  20. Conclusions
      Understand the Gaps…
      Port/Vulnerability Scanners
      Dynamic Routing
      Vendor Limitations/Recommendations
      Incomplete NAT/SPI Implementations
      Security vs. Networking
      Order & Flow Matter!!!

  21. What's Next?
      Add support for…
      IPv6 BNAT
      UDP BNAT
      IP + Port TCP BNAT
      IP + Seq TCP BNAT
      IP + Port + Seq TCP BNAT

  22. Questions?

  23. Some Info/Ref…
      Where to get this code?
      https://github.com/claudijd/BNAT-Suite
      How to find me?
      Name: Jonathan Claudius
      City: Chicago, IL
      Email: jclaudius@trustwave.com
      Twitter: @claudijd
      References
      http://code.google.com/p/packetfu/
      http://www.netfilter.org/
      http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
      http://en.wikipedia.org/wiki/Iptables
      http://en.wikipedia.org/wiki/Network_address_translation
      http://en.wikipedia.org/wiki/Transmission_Control_Protocol
      https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg