BNAT Hijacking: Repairing Broken Communication Channels

BNAT Hijacking
Repairing Broken Communication Channels
Jonathan Claudius
Rio Hotel and Casino August 5th, 2011
DefconSkytalk 2011
Security Begins with Trust

Quick Story
“Easier Said Than Done…”

AGENDA
Introduction
What & How of BNAT
BNAT Handshake/Hijack
Demo of BNAT-Suite
Finding BNAT (Active Identification)
Attacking BNAT (Hijack BNAT Session)
Conclusions

BNAT: The What?
DST: 1.1.2.1
SRC: 1.1.2.2
Client
“Cloud”

BNAT: The How?
“On a Stick”
Firewall
1.1.2.1
DNAT
SNAT
1.1.2.2
Server
Client

BNAT: The How?
“A Loop”
Firewall
DNAT
1.1.2.1
Server
Client
Router
1.1.2.2
SNAT

The Bottom Line
Outside view is the same…
BNAT Loop ~= BNAT on a Stick
…but both are still broken

BNAT Handshake Idea
What if I could complete the TCP Handshake?

BNAT Handshake Idea
What would it take?
Stop “RST” Packet
Accept “SYN/ACK”
Send “ACK”

Tools
Ruby Packetfu Gem
Created by TodBeardsley (@todb)
Used by MetasploitFramework
IPTables
Program to configure Linux Kernel Firewall

#1: Stop the “RST”
IPTables can do this quite easily…
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
No more RST 

#2: Accept “SYN/ACK”
Capture “SYN/ACK” Code
cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true, :filter => "tcp and src 1.1.2.2 and dst1.1.2.3")
loop {cap.stream.each{
|pkt| packet = PacketFu::Packet.parse(pkt)
if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
puts "got the syn/ack“
end
}
}

#3: Send“ACK”
Build and Send “ACK” Code
ackpkt = TCPPacket.new
ackpkt.ip_saddr=synackpkt.ip_daddr
ackpkt.ip_daddr="1.1.2.2“
ackpkt.eth_saddr="00:0c:29:af:cc:63“
ackpkt.eth_daddr="00:11:93:d0:e9:e0“
ackpkt.tcp_sport=synackpkt.tcp_dport
ackpkt.tcp_dport=synackpkt.tcp_sport
ackpkt.tcp_flags.syn=0
ackpkt.tcp_flags.ack=1
ackpkt.tcp_ack=synackpkt.tcp_seq+1
ackpkt.tcp_seq=synackpkt.tcp_ack
ackpkt.tcp_win=183
ackpkt.recalc
injack = PacketFu::Inject.new(:iface => ARGV[0])
injack.a2w(:array => [ackpkt.to_s])
puts "sent the ack"

End Result
OUTSIDE
INSIDE
Firewall
DNAT
1.1.2.1
SYN
SYN
SYN/ACK
SYN/ACK
Server
Client
ACK
ACK
1.1.2.2
SNAT
Router

BNAT Hijacking Idea
What if I could weaponize this to do more?

BNAT-Suite
I built some tools to help…
BNAT-PCAP (Offline PCAP Analysis Tool)
BNAT-SCAN (Active Scanning Tool)
BNAT-ROUTER (Hijacking Router)

DEMO #1: Find BNAT
bnat-scan.rb
Perspective:
External Penetration Test
Discover the hidden service

DEMO #2: Attack BNAT
bnat-router.rb
Perspective:
External Penetration Test
Use the newly discovered service

End Result
OUTSIDE
INSIDE
Firewall
DNAT
1.1.2.1
B-Router
SYN
SYN
SYN/ACK
SYN/ACK
Server
ACK
ACK
1.1.2.2
SNAT
Router
Client

Conclusions
Understand the Gaps…
Port/Vulnerability Scanners
Dynamic Routing
Vendor Limitations/Recommendations
Incomplete NAT/SPI Implementations
Security vs. Networking 
Order & Flow Matter!!!

What's Next?
Add support for…
IPv6 BNAT
UDP BNAT
IP + Port TCP BNAT
IP + Seq TCP BNAT
IP + Port + Seq TCP BNAT

Questions?

Some Info/Ref…
Where to get this code?
https://github.com/claudijd/BNAT-Suite
How to find me?
Name: Jonathan Claudius
City: Chicago, IL
Email: jclaudius@trustwave.com
Twitter: @claudijd
References
http://code.google.com/p/packetfu/
http://www.netfilter.org/
http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
http://en.wikipedia.org/wiki/Iptables
http://en.wikipedia.org/wiki/Network_address_translation
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg

http://twitter.com	9
http://tweetedtimes.com	7
https://twitter.com	5
http://www.linkedin.com	3
http://fr.twitter.com	1

BNAT Hijacking: Repairing Broken Communication Channels

by claudijd

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 25

Statistics

BNAT Hijacking: Repairing Broken Communication Channels Presentation Transcript