BNAT Hijacking: Repairing Broken Communication Channels
Transcript

  • 1. BNAT Hijacking
    Repairing Broken Communication Channels
    Jonathan Claudius
    Rio Hotel and Casino, August 5th, 2011
    DefCon Skytalk 2011
    Security Begins with Trust
  • 2. Quick Story
    "Easier Said Than Done..."
  • 3. AGENDA
    Introduction
    What & How of BNAT
    BNAT Handshake/Hijack
    Demo of BNAT-Suite
    Finding BNAT (Active Identification)
    Attacking BNAT (Hijack BNAT Session)
    Conclusions
  • 4. BNAT (Broken NAT): The What?
    [Diagram: the Client sends to DST 1.1.2.1; the answer comes back out of the "Cloud" with SRC 1.1.2.2, a different address from the one the client spoke to.]
  • 5. BNAT: The How? "On a Stick"
    [Diagram: a single Firewall in front of the Server holds both translations: DNAT on 1.1.2.1 for traffic going in to the Server, SNAT to 1.1.2.2 for traffic coming out of it. The Client therefore sees its replies arrive from 1.1.2.2.]
  • 6. BNAT: The How? "A Loop"
    [Diagram: the Firewall DNATs 1.1.2.1 to the Server, but the Server's reply path runs through a separate Router that SNATs it to 1.1.2.2 before it reaches the Client.]
  • 7. The Bottom Line
    Outside view is the same...
    BNAT Loop ~= BNAT on a Stick
    ...but both are still broken
  • 8. BNAT Handshake Idea
    What if I could complete the TCP Handshake?
    (The client's kernel sent its SYN to 1.1.2.1, so the SYN/ACK arriving from 1.1.2.2 matches no socket; the kernel answers it with a RST and the server's half-open connection is torn down.)
  • 9. BNAT Handshake Idea
    What would it take?
    Stop the "RST" packet
    Accept the "SYN/ACK"
    Send the "ACK"
  • 10. Tools
    Ruby PacketFu Gem
    Created by Tod Beardsley (@todb)
    Used by the Metasploit Framework
    IPTables
    Program to configure the Linux kernel firewall
  • 11. #1: Stop the "RST"
    IPTables can do this quite easily...
    iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
    No more RST
    (As written, this silences every outbound RST the host would send, not just the one for the probe; on anything other than a dedicated test box, restrict the rule to the target address and the probe's source port, and remove it once the test is done.)
  • 12. #2: Accept "SYN/ACK"
    Capture "SYN/ACK" Code
    require 'packetfu'

    # Listen on the interface given as ARGV[0] for anything from the SNAT
    # address (1.1.2.2) back to the probing host (1.1.2.3). The SYN/ACK for a
    # SYN sent to 1.1.2.1 shows up here, from the "wrong" source address.
    cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true,
                                :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
    loop {
      cap.stream.each { |pkt|
        packet = PacketFu::Packet.parse(pkt)
        if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
          puts "got the syn/ack"
        end
      }
    }
  • 13. #3: Send "ACK"
    Build and Send "ACK" Code
    # synackpkt is the packet parsed in step #2
    synackpkt = packet

    ackpkt = PacketFu::TCPPacket.new
    ackpkt.ip_saddr = synackpkt.ip_daddr          # us, 1.1.2.3
    ackpkt.ip_daddr = "1.1.2.2"                   # the address that replied, not 1.1.2.1
    ackpkt.eth_saddr = "00:0c:29:af:cc:63"
    ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
    ackpkt.tcp_sport = synackpkt.tcp_dport
    ackpkt.tcp_dport = synackpkt.tcp_sport
    ackpkt.tcp_flags.syn = 0
    ackpkt.tcp_flags.ack = 1
    ackpkt.tcp_ack = synackpkt.tcp_seq + 1        # acknowledge the server's ISN
    ackpkt.tcp_seq = synackpkt.tcp_ack            # our ISN + 1, as the server expects
    ackpkt.tcp_win = 183
    ackpkt.recalc                                 # lengths and checksums

    injack = PacketFu::Inject.new(:iface => ARGV[0])
    injack.a2w(:array => [ackpkt.to_s])
    puts "sent the ack"
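The three steps above (silence the RST, match the SYN/ACK, answer it) in one self-contained script. This is an added example, not code from the talk or from BNAT-Suite, and it uses no PacketFu: it parses a SYN/ACK from raw bytes, checks that the packet answers our probe even though it arrives from a different IP than the one we sent the SYN to, and builds the raw IPv4/TCP ACK (checksums included) addressed to the IP that actually replied. The addresses, ports, ISNs and the "captured" SYN/ACK are all constructed here; step #1 (the iptables rule) is assumed to be in place on the probing host.

```ruby
# Added example (not from the talk or BNAT-Suite): completing the BNAT
# handshake in plain Ruby. All addresses, ports and sequence numbers are
# constructed for the demonstration.

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_PROTO = 6

def ip_to_bytes(dotted)
  dotted.split('.').map(&:to_i).pack('C4')
end

# RFC 1071 ones-complement checksum, used by both the IPv4 and the TCP header
def inet_checksum(bytes)
  bytes += "\x00".b if bytes.bytesize.odd?
  sum = bytes.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

def pseudo_header(src_ip, dst_ip, tcp_len)
  ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + [0, TCP_PROTO, tcp_len].pack('CCn')
end

# Minimal TCP header (no options, no payload) with its checksum filled in
def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, win)
  hdr = [sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0].pack('nnNNnnnn')
  csum = inet_checksum(pseudo_header(src_ip, dst_ip, hdr.bytesize) + hdr)
  hdr.byteslice(0, 16) + [csum].pack('n') + hdr.byteslice(18, 2)
end

# Minimal IPv4 header (no options) around a TCP segment
def build_ipv4(src_ip, dst_ip, payload, ttl: 64, id: 0)
  hdr = [0x45, 0, 20 + payload.bytesize, id, 0x4000, ttl, TCP_PROTO, 0].pack('CCnnnCCn') +
        ip_to_bytes(src_ip) + ip_to_bytes(dst_ip)
  hdr = hdr.byteslice(0, 10) + [inet_checksum(hdr)].pack('n') + hdr.byteslice(12, 8)
  hdr + payload
end

# Decode the fields we care about from a raw IPv4/TCP packet
def parse_ipv4_tcp(raw)
  raw = raw.b
  ihl = (raw.getbyte(0) & 0x0f) * 4
  raise ArgumentError, 'not TCP' unless raw.getbyte(9) == TCP_PROTO
  tcp = raw.byteslice(ihl..-1)
  sport, dport, seq, ack, off_flags, win = tcp.unpack('nnNNnn')
  { src: raw.byteslice(12, 4).unpack('C4').join('.'),
    dst: raw.byteslice(16, 4).unpack('C4').join('.'),
    sport: sport, dport: dport, seq: seq, ack: ack,
    flags: off_flags & 0x1ff, win: win, tcp: tcp }
end

# Checksum verification: the ones-complement sum over the stored checksum folds to zero
def tcp_checksum_ok?(raw)
  p = parse_ipv4_tcp(raw)
  inet_checksum(pseudo_header(p[:src], p[:dst], p[:tcp].bytesize) + p[:tcp]).zero?
end

def ipv4_checksum_ok?(raw)
  raw = raw.b
  inet_checksum(raw.byteslice(0, (raw.getbyte(0) & 0x0f) * 4)).zero?
end

# The SYN we sent (constructed): 1.1.2.3:40000 -> 1.1.2.1:80 with ISN 1000
PROBE = { src: '1.1.2.3', dst: '1.1.2.1', sport: 40000, dport: 80, seq: 1000 }

# Is pkt the SYN/ACK answering probe? The kernel would not match it, because
# its source is not probe[:dst]; we match on the ports and on ack == ISN + 1.
def bnat_synack?(pkt, probe)
  (pkt[:flags] & (SYN | ACK)) == (SYN | ACK) && (pkt[:flags] & RST).zero? &&
    pkt[:dst] == probe[:src] && pkt[:dport] == probe[:sport] &&
    pkt[:sport] == probe[:dport] && pkt[:ack] == ((probe[:seq] + 1) & 0xffffffff)
end

# Build the raw ACK that finishes the handshake. Note the destination: the IP
# that replied (the SNAT address), not the IP the SYN was sent to.
def build_bnat_ack(synack, probe, win: 183)
  raise ArgumentError, 'not the SYN/ACK for our probe' unless bnat_synack?(synack, probe)
  tcp = build_tcp(probe[:src], synack[:src], probe[:sport], synack[:sport],
                  synack[:ack], (synack[:seq] + 1) & 0xffffffff, ACK, win)
  build_ipv4(probe[:src], synack[:src], tcp, id: 1)
end

# Constructed capture: the SYN/ACK comes back from 1.1.2.2, not from 1.1.2.1
CAPTURED_SYNACK = build_ipv4('1.1.2.2', '1.1.2.3',
                             build_tcp('1.1.2.2', '1.1.2.3', 80, 40000, 5000, 1001, SYN | ACK, 65535))

if __FILE__ == $PROGRAM_NAME
  synack = parse_ipv4_tcp(CAPTURED_SYNACK)
  ack = parse_ipv4_tcp(build_bnat_ack(synack, PROBE))
  puts "SYN/ACK from #{synack[:src]} (we probed #{PROBE[:dst]}); " \
       "ACK #{ack[:src]}:#{ack[:sport]} -> #{ack[:dst]}:#{ack[:dport]} seq=#{ack[:seq]} ack=#{ack[:ack]}"
end
```

To put the ACK on the wire you would hand the bytes from build_bnat_ack to a raw socket or an injector such as PacketFu::Inject, exactly as slide 13 does; what the script adds is the explicit matching rule (ports plus ack == ISN + 1, source address deliberately ignored) and the checksum arithmetic that PacketFu's recalc hides.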
  • 14. End Result
    [Diagram, OUTSIDE vs. INSIDE: the Client's SYN goes to 1.1.2.1 and the Firewall DNATs it to the Server; the Server's SYN/ACK leaves through the Router, which SNATs it to 1.1.2.2; the crafted ACK is sent to 1.1.2.2, is translated back to the Server, and the handshake completes.]
  • 15. BNAT Hijacking Idea
    What if I could weaponize this to do more?
  • 16. BNAT-Suite
    I built some tools to help...
    BNAT-PCAP (Offline PCAP Analysis Tool)
    BNAT-SCAN (Active Scanning Tool)
    BNAT-ROUTER (Hijacking Router)
  • 17. DEMO #1: Find BNAT
    bnat-scan.rb
    Perspective: External Penetration Test
    Discover the hidden service
  • 18. DEMO #2: Attack BNAT
    bnat-router.rb
    Perspective: External Penetration Test
    Use the newly discovered service
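What "find BNAT" amounts to, as an added example rather than the bnat-pcap.rb or bnat-scan.rb code from BNAT-Suite: a probe is a SYN the scanner sent, its answer is the SYN/ACK that mirrors the ports and acknowledges ISN + 1, and the target is BNAT when that answer comes from an IP other than the one probed. The scanner kernel's own RST to the replying IP is recorded as corroborating evidence of the broken channel. Packets are plain hashes of the kind a pcap decoder would emit (an assumption of this example; there is no capture parsing here), and every address, port and sequence number in the sample is constructed.

```ruby
# Added example (not BNAT-Suite code): offline BNAT identification over decoded
# packets. The SAMPLE capture below is constructed for the demonstration.

SYN, RST, ACK = 0x02, 0x04, 0x10

SCANNER = '1.1.2.3'

SAMPLE = [
  # probe of 1.1.2.1:80 answered from 1.1.2.2 -> BNAT; the scanner's kernel then resets it
  { t: 0.000, src: SCANNER,   dst: '1.1.2.1', sport: 40000, dport: 80,    flags: SYN,       seq: 1000, ack: 0 },
  { t: 0.010, src: '1.1.2.2', dst: SCANNER,   sport: 80,    dport: 40000, flags: SYN | ACK, seq: 5000, ack: 1001 },
  { t: 0.011, src: SCANNER,   dst: '1.1.2.2', sport: 40000, dport: 80,    flags: RST,       seq: 1001, ack: 0 },
  # probe of 1.1.2.1:443 answered from 1.1.2.1 -> an ordinary open port
  { t: 0.020, src: SCANNER,   dst: '1.1.2.1', sport: 40001, dport: 443,   flags: SYN,       seq: 2000, ack: 0 },
  { t: 0.030, src: '1.1.2.1', dst: SCANNER,   sport: 443,   dport: 40001, flags: SYN | ACK, seq: 6000, ack: 2001 },
  # probe of 1.1.2.1:22 with no real answer: the SYN/ACK from 1.1.2.9 mirrors the
  # ports but acknowledges the wrong number, so it is not a reply to our SYN
  { t: 0.040, src: SCANNER,   dst: '1.1.2.1', sport: 40002, dport: 22,    flags: SYN,       seq: 3000, ack: 0 },
  { t: 0.050, src: '1.1.2.9', dst: SCANNER,   sport: 22,    dport: 40002, flags: SYN | ACK, seq: 7000, ack: 9999 },
]

# The SYN/ACK answering `probe`: ports mirrored, SYN+ACK set, RST clear, and
# ack == our ISN + 1. Deliberately does NOT require src == probe[:dst].
def answer_for(probe, packets, scanner_ip)
  packets.find { |p|
    p[:dst] == scanner_ip && p[:dport] == probe[:sport] && p[:sport] == probe[:dport] &&
      (p[:flags] & (SYN | ACK)) == (SYN | ACK) && (p[:flags] & RST).zero? &&
      p[:ack] == ((probe[:seq] + 1) & 0xffffffff)
  }
end

# Did the scanner's kernel reset the answer? That RST is the "broken channel".
def kernel_reset?(probe, answer, packets, scanner_ip)
  packets.any? { |p|
    p[:src] == scanner_ip && p[:dst] == answer[:src] && p[:sport] == probe[:sport] &&
      p[:dport] == answer[:sport] && (p[:flags] & RST) != 0 && p[:t] >= answer[:t]
  }
end

# One record per probe: :open (answered from the probed IP), :bnat (answered
# from some other IP), or :no_reply.
def classify_probes(packets, scanner_ip)
  probes = packets.select { |p| p[:src] == scanner_ip && p[:flags] == SYN }
  probes.map { |probe|
    answer = answer_for(probe, packets, scanner_ip)
    status = if answer.nil? then :no_reply
             elsif answer[:src] == probe[:dst] then :open
             else :bnat
             end
    { probed: "#{probe[:dst]}:#{probe[:dport]}",
      replied_from: answer && "#{answer[:src]}:#{answer[:sport]}",
      status: status,
      kernel_reset: !answer.nil? && kernel_reset?(probe, answer, packets, scanner_ip) }
  }
end

if __FILE__ == $PROGRAM_NAME
  classify_probes(SAMPLE, SCANNER).each { |r| puts r.inspect }
end
```

The decoy SYN/ACK from 1.1.2.9 is there on purpose: matching on ports alone would report a phantom service, which is why the acknowledgement number, not the source address, is the field that ties a reply to a probe. An active scanner does the same bookkeeping in real time, with the probe ISNs it chose itself.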
  • 19. End Result
    [Diagram, OUTSIDE vs. INSIDE: the same exchange as on slide 14, with the B-Router (bnat-router.rb) placed between the Client and the outside. The B-Router sends the SYN to 1.1.2.1 (DNAT on the Firewall), accepts the SYN/ACK that comes back from 1.1.2.2 (SNAT on the Router) and returns the ACK to 1.1.2.2, so the Client gets a working session with the Server.]
  • 20. Conclusions
    Understand the gaps...
    Port/Vulnerability Scanners
    Dynamic Routing
    Vendor Limitations/Recommendations
    Incomplete NAT/SPI Implementations
    Security vs. Networking
    Order & Flow Matter!!!
  • 21. What's Next?
    Add support for...
    IPv6 BNAT
    UDP BNAT
    IP + Port TCP BNAT
    IP + Seq TCP BNAT
    IP + Port + Seq TCP BNAT
  • 22. Questions?
  • 23. Some Info/Ref...
    Where to get this code?
    https://github.com/claudijd/BNAT-Suite
    How to find me?
    Name: Jonathan Claudius
    City: Chicago, IL
    Email: jclaudius@trustwave.com
    Twitter: @claudijd
    References
    http://code.google.com/p/packetfu/
    http://www.netfilter.org/
    http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
    http://en.wikipedia.org/wiki/Iptables
    http://en.wikipedia.org/wiki/Network_address_translation
    http://en.wikipedia.org/wiki/Transmission_Control_Protocol
    https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg
