BNAT Hijacking - Repairing Broken Communication Channels

Transcript

1. Jonathan Claudius Rio Hotel and Casino August 4-7, 2011 Defcon

   Skytalk 2011 Repairing Broken Communication Channels Security Begins with Trust

2. •  Introduc)on   •  What  &  How  of  BNAT  

   •  BNAT  Handshake/Hijack   •  Demo  of  BNAT-­‐Suite   –  Finding  BNAT  (Ac)ve  Iden)fica)on)   –  AFacking  BNAT  (Hijack  BNAT  Session)   •  Conclusions  

3. “Easier  Said  Than  Done…”  

4. DST:  1.1.2.1   SRC:  1.1.2.2   Client   “Cloud”  

5. •  “On  a  S)ck”   DNAT   Firewall   1.1.2.1

     1.1.2.2   SNAT   Server   Client  

6. •  “A  Loop”   DNAT   SNAT   Firewall  

   Router   1.1.2.1   1.1.2.2   Server   Client  

7. Outside  view  is  the  same…     BNAT  Loop  ~=

    BNAT  on  a  S)ck     …but  both  are  s)ll  broken  

8. What  if  I  could  complete  the  TCP  Handshake?  

9. •  What  would  it  take?   1.  Stop  “RST”  Packet

     2.  Accept  “SYN/ACK”   3.  Send  “ACK”    

10. •  Ruby  Packe]u  Gem   – Created  by  Tod  Beardsley  (@todb)

      – Used  by  Metasploit  Framework   •  IPTables   – Program  to  configure  Linux  Kernel  Firewall    

11. •  IPTables  can  do  this  quite  easily…   iptables -A

    OUTPUT -p tcp --tcp-flags RST RST -j DROP •  No  more  RST  J  

12. •  Capture  “SYN/ACK”  Code   cap = PacketFu::Capture.new(:iface => ARGV[0],

    :start => true, :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3") loop {cap.stream.each { |pkt| packet = PacketFu::Packet.parse(pkt) if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1 puts "got the syn/ack“ end } }    

13. •  Build  and  Send  “ACK”  Code   ackpkt = TCPPacket.new

    ackpkt.ip_saddr=synackpkt.ip_daddr ackpkt.ip_daddr="1.1.2.2“ ackpkt.eth_saddr="00:0c:29:af:cc:63“ ackpkt.eth_daddr="00:11:93:d0:e9:e0“ ackpkt.tcp_sport=synackpkt.tcp_dport ackpkt.tcp_dport=synackpkt.tcp_sport ackpkt.tcp_flags.syn=0 ackpkt.tcp_flags.ack=1 ackpkt.tcp_ack=synackpkt.tcp_seq+1 ackpkt.tcp_seq=synackpkt.tcp_ack ackpkt.tcp_win=183 ackpkt.recalc injack = PacketFu::Inject.new(:iface => ARGV[0]) injack.a2w(:array => [ackpkt.to_s]) puts "sent the ack"  

14. DNAT   SNAT   Firewall   Router   1.1.2.1  

    1.1.2.2   SYN   SYN   SYN/ACK   SYN/ACK   ACK   ACK   Server   Client   OUTSIDE   INSIDE  

15. What  if  I  could  weaponize  this  to  do  more?  

16. •  I  built  some  tools  to  help…   – BNAT-­‐PCAP  (Offline

     PCAP  Analysis  Tool)   – BNAT-­‐SCAN  (Ac)ve  Scanning  Tool)   – BNAT-­‐ROUTER  (Hijacking  Router)  

17. •  bnat-­‐scan.rb   •  Perspec)ve:   – External  Penetra)on  Test  

    – Discover  the  hidden  service  

18. •  bnat-­‐router.rb     •  Perspec)ve:   – External  Penetra)on  Test

      – Use  the  newly  discovered  service  

19. •  Understand  the  Gaps…   – Port/Vulnerability  Scanners   – Dynamic  Rou)ng

      – Vendor  Limita)ons/Recommenda)ons   – Incomplete  NAT/SPI  Implementa)ons   – Security  vs.  Networking  L   •  Order  &  Flow  MaFer!!!  

20. •  Add  support  for…   – IPv6  BNAT   – UDP  BNAT

      – IP  +  Port  TCP  BNAT   – IP  +  Seq  TCP  BNAT   – IP  +  Port  +  Seq  TCP  BNAT  

21. Ques)ons?  

22. •  Where  to  get  this  code?   –  hFps://github.com/claudijd/BNAT-­‐Suite  

    •  How  to  find  me?   –  Name:  Jonathan  Claudius   –  City:  Chicago,  IL   –  Email:  [email protected]   –  TwiFer:  @claudijd   •  References   –  hFp://code.google.com/p/packe]u/   –  hFp://www.ne]ilter.org/   –  hFp://blog.thc.org/index.php?/archives/2-­‐Port-­‐Scanning-­‐the-­‐Internet.html   –  hFp://en.wikipedia.org/wiki/Iptables   –  hFp://en.wikipedia.org/wiki/Network_address_transla)on   –  hFp://en.wikipedia.org/wiki/Transmission_Control_Protocol   –  hFps://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg