Recommended
Recommended
More Related Content
Similar to BNAT Hijacking: Repairing Broken Communication Channels
Similar to BNAT Hijacking: Repairing Broken Communication Channels (20)
Recently uploaded
Recently uploaded (20)
BNAT Hijacking: Repairing Broken Communication Channels
- 1. BNAT Hijacking Repairing Broken Communication Channels Jonathan Claudius Rio Hotel and Casino August 5th, 2011 DefconSkytalk 2011 Security Begins with Trust
- 2. Quick Story “Easier Said Than Done…”
- 3. AGENDA Introduction What & How of BNAT BNAT Handshake/Hijack Demo of BNAT-Suite Finding BNAT (Active Identification) Attacking BNAT (Hijack BNAT Session) Conclusions
- 4. BNAT: The What? DST: 1.1.2.1 SRC: 1.1.2.2 Client “Cloud”
- 5. BNAT: The How? “On a Stick” Firewall 1.1.2.1 DNAT SNAT 1.1.2.2 Server Client
- 6. BNAT: The How? “A Loop” Firewall DNAT 1.1.2.1 Server Client Router 1.1.2.2 SNAT
- 7. The Bottom Line Outside view is the same… BNAT Loop ~= BNAT on a Stick …but both are still broken
- 8. BNAT Handshake Idea What if I could complete the TCP Handshake?
- 9. BNAT Handshake Idea What would it take? Stop “RST” Packet Accept “SYN/ACK” Send “ACK”
- 10. Tools Ruby Packetfu Gem Created by TodBeardsley (@todb) Used by MetasploitFramework IPTables Program to configure Linux Kernel Firewall
- 11. #1: Stop the “RST” IPTables can do this quite easily… iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP No more RST
- 12. #2: Accept “SYN/ACK” Capture “SYN/ACK” Code cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true, :filter => "tcp and src 1.1.2.2 and dst1.1.2.3") loop {cap.stream.each{ |pkt| packet = PacketFu::Packet.parse(pkt) if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1 puts "got the syn/ack“ end } }
- 13. #3: Send“ACK” Build and Send “ACK” Code ackpkt = TCPPacket.new ackpkt.ip_saddr=synackpkt.ip_daddr ackpkt.ip_daddr="1.1.2.2“ ackpkt.eth_saddr="00:0c:29:af:cc:63“ ackpkt.eth_daddr="00:11:93:d0:e9:e0“ ackpkt.tcp_sport=synackpkt.tcp_dport ackpkt.tcp_dport=synackpkt.tcp_sport ackpkt.tcp_flags.syn=0 ackpkt.tcp_flags.ack=1 ackpkt.tcp_ack=synackpkt.tcp_seq+1 ackpkt.tcp_seq=synackpkt.tcp_ack ackpkt.tcp_win=183 ackpkt.recalc injack = PacketFu::Inject.new(:iface => ARGV[0]) injack.a2w(:array => [ackpkt.to_s]) puts "sent the ack"
- 14. End Result OUTSIDE INSIDE Firewall DNAT 1.1.2.1 SYN SYN SYN/ACK SYN/ACK Server Client ACK ACK 1.1.2.2 SNAT Router
- 15. BNAT Hijacking Idea What if I could weaponize this to do more?
- 16. BNAT-Suite I built some tools to help… BNAT-PCAP (Offline PCAP Analysis Tool) BNAT-SCAN (Active Scanning Tool) BNAT-ROUTER (Hijacking Router)
- 17. DEMO #1: Find BNAT bnat-scan.rb Perspective: External Penetration Test Discover the hidden service
- 18. DEMO #2: Attack BNAT bnat-router.rb Perspective: External Penetration Test Use the newly discovered service
- 19. End Result OUTSIDE INSIDE Firewall DNAT 1.1.2.1 B-Router SYN SYN SYN/ACK SYN/ACK Server ACK ACK 1.1.2.2 SNAT Router Client
- 20. Conclusions Understand the Gaps… Port/Vulnerability Scanners Dynamic Routing Vendor Limitations/Recommendations Incomplete NAT/SPI Implementations Security vs. Networking Order & Flow Matter!!!
- 21. What's Next? Add support for… IPv6 BNAT UDP BNAT IP + Port TCP BNAT IP + Seq TCP BNAT IP + Port + Seq TCP BNAT
- 22. Questions?
- 23. Some Info/Ref… Where to get this code? https://github.com/claudijd/BNAT-Suite How to find me? Name: Jonathan Claudius City: Chicago, IL Email: jclaudius@trustwave.com Twitter: @claudijd References http://code.google.com/p/packetfu/ http://www.netfilter.org/ http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html http://en.wikipedia.org/wiki/Iptables http://en.wikipedia.org/wiki/Network_address_translation http://en.wikipedia.org/wiki/Transmission_Control_Protocol https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg