
BNAT Hijacking - Repairing Broken Communication Channels


This talk was presented at the DEFCON 19 Skytalks track. I talked about a new technique I discovered for turning closed ports into open ports using some TCP tomfoolery.

Video of Updated Presentation: http://www.irongeek.com/i.php?page=videos/aide2012/bnat-hijacking-repairing-broken-communication-channels-jonathan-claudius


Jonathan Claudius

August 06, 2011

Transcript

  1. Jonathan Claudius, Rio Hotel and Casino, August 4-7, 2011, Defcon Skytalk 2011
     Repairing Broken Communication Channels
     Security Begins with Trust
  2. • Introduction
     • What & How of BNAT
     • BNAT Handshake/Hijack
     • Demo of BNAT-Suite
       – Finding BNAT (Active Identification)
       – Attacking BNAT (Hijack BNAT Session)
     • Conclusions
  3. "Easier Said Than Done…"
  4. [Diagram labels: Client, "Cloud", DST: 1.1.2.1, SRC: 1.1.2.2]
  5. • "On a Stick"
     [Diagram labels: DNAT, Firewall, 1.1.2.1, 1.1.2.2, SNAT, Server, Client]
  6. • "A Loop"
     [Diagram labels: DNAT, SNAT, Firewall, Router, 1.1.2.1, 1.1.2.2, Server, Client]
  7. Outside view is the same…
     BNAT Loop ~= BNAT on a Stick
     …but both are still broken
  8. What if I could complete the TCP Handshake?
  9. • What would it take?
       1. Stop "RST" Packet
       2. Accept "SYN/ACK"
       3. Send "ACK"
  10. • Ruby PacketFu Gem
        – Created by Tod Beardsley (@todb)
        – Used by Metasploit Framework
      • IPTables
        – Program to configure Linux Kernel Firewall
  11. • IPTables can do this quite easily…
        iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
      • No more RST :)
  12. • Capture "SYN/ACK" Code
      require 'packetfu'

      # Sniff the interface given as the first argument, keeping only TCP
      # from the responder (1.1.2.2) back to the client (1.1.2.3).
      cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true,
                                  :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
      loop {
        cap.stream.each { |pkt|
          packet = PacketFu::Packet.parse(pkt)
          # Second handshake step: SYN and ACK both set
          if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
            puts "got the syn/ack"
          end
        }
      }
  13. • Build and Send "ACK" Code
      # synackpkt is the parsed SYN/ACK captured on the previous slide.
      ackpkt = PacketFu::TCPPacket.new
      # Mirror the SYN/ACK's addresses and ports; the ACK goes to 1.1.2.2,
      # the address the SYN/ACK actually came from, not the one the SYN went to.
      ackpkt.ip_saddr = synackpkt.ip_daddr
      ackpkt.ip_daddr = "1.1.2.2"
      ackpkt.eth_saddr = "00:0c:29:af:cc:63"
      ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
      ackpkt.tcp_sport = synackpkt.tcp_dport
      ackpkt.tcp_dport = synackpkt.tcp_sport
      ackpkt.tcp_flags.syn = 0
      ackpkt.tcp_flags.ack = 1
      # Third handshake step: acknowledge the server's ISN + 1, continue our own sequence
      ackpkt.tcp_ack = synackpkt.tcp_seq + 1
      ackpkt.tcp_seq = synackpkt.tcp_ack
      ackpkt.tcp_win = 183
      ackpkt.recalc   # recompute lengths and checksums
      injack = PacketFu::Inject.new(:iface => ARGV[0])
      injack.a2w(:array => [ackpkt.to_s])
      puts "sent the ack"
  14. DNAT   SNAT   Firewall   Router   1.1.2.1  

    1.1.2.2   SYN   SYN   SYN/ACK   SYN/ACK   ACK   ACK   Server   Client   OUTSIDE   INSIDE  
  15. What  if  I  could  weaponize  this  to  do  more?  

  16. •  I  built  some  tools  to  help…   – BNAT-­‐PCAP  (Offline

     PCAP  Analysis  Tool)   – BNAT-­‐SCAN  (Ac)ve  Scanning  Tool)   – BNAT-­‐ROUTER  (Hijacking  Router)  
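Slide 16 names BNAT-PCAP as an offline capture-analysis tool. The following is an added example, not the BNAT-Suite code, showing the core check such a tool needs: pairing each outbound SYN with the SYN/ACK that answers it (the handshake of slides 4 to 8 and 14) and flagging the response when it arrives from a different address than the one probed. The Pkt struct, find_bnat and the sample trace are all constructed for this example; a real tool would fill the same fields from a pcap.

```ruby
# Added example: minimal offline BNAT detector over packet summaries.
# Packets are constructed inline as Structs (no pcap parsing, no PacketFu),
# so the script runs stand-alone. Fields mirror what a capture would yield:
# addresses, ports, TCP flags, sequence and ack numbers.
Pkt = Struct.new(:src, :dst, :sport, :dport, :flags, :seq, :ack, keyword_init: true)

# Returns one finding per SYN/ACK that answers one of our own SYNs
# (ports swapped, ack == seq + 1). A finding is marked broken when the
# SYN/ACK comes from a different IP than the SYN was sent to, which is the
# BNAT signature; rst_seen records whether the local stack then replied
# with RST, the normal behaviour that makes the port look closed.
def find_bnat(packets, local_ip)
  pending  = {}   # [local port, remote port, seq] => IP the SYN was sent to
  findings = []
  packets.each do |p|
    if p.src == local_ip && p.flags == [:syn]
      pending[[p.sport, p.dport, p.seq]] = p.dst
    elsif p.dst == local_ip && p.flags.sort == [:ack, :syn]
      probed = pending[[p.dport, p.sport, p.ack - 1]]
      next unless probed
      findings << { probed: probed, responder: p.src, port: p.sport,
                    local_port: p.dport, broken: p.src != probed, rst_seen: false }
    elsif p.src == local_ip && p.flags == [:rst]
      f = findings.find { |x| x[:responder] == p.dst && x[:port] == p.dport && x[:local_port] == p.sport }
      f[:rst_seen] = true if f
    end
  end
  findings
end

# Constructed trace: 1.1.2.3 probes 1.1.2.1:80 and the SYN/ACK comes back
# from 1.1.2.2 (the case on the slides), followed by a healthy probe of 1.1.2.5:22.
SAMPLE_TRACE = [
  Pkt.new(src: "1.1.2.3", dst: "1.1.2.1", sport: 40000, dport: 80, flags: [:syn], seq: 1000, ack: 0),
  Pkt.new(src: "1.1.2.2", dst: "1.1.2.3", sport: 80, dport: 40000, flags: [:syn, :ack], seq: 5000, ack: 1001),
  Pkt.new(src: "1.1.2.3", dst: "1.1.2.2", sport: 40000, dport: 80, flags: [:rst], seq: 1001, ack: 0),
  Pkt.new(src: "1.1.2.3", dst: "1.1.2.5", sport: 40001, dport: 22, flags: [:syn], seq: 2000, ack: 0),
  Pkt.new(src: "1.1.2.5", dst: "1.1.2.3", sport: 22, dport: 40001, flags: [:syn, :ack], seq: 7000, ack: 2001),
]

if __FILE__ == $0
  find_bnat(SAMPLE_TRACE, "1.1.2.3").each do |f|
    state = f[:broken] ? "BNAT: SYN to #{f[:probed]} answered by #{f[:responder]}" : "ok"
    puts "port #{f[:port]}: #{state}#{' (local stack sent RST)' if f[:rst_seen]}"
  end
end
```

Run over a trace from a firewall's outside interface, a broken finding with rst_seen points at a DNAT/SNAT pair that rewrites the destination but not the reply source, which is the misconfiguration to fix on the gateway.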
  17. • bnat-scan.rb
      • Perspective:
        – External Penetration Test
        – Discover the hidden service
  18. • bnat-router.rb
      • Perspective:
        – External Penetration Test
        – Use the newly discovered service
  19. • Understand the Gaps…
        – Port/Vulnerability Scanners
        – Dynamic Routing
        – Vendor Limitations/Recommendations
        – Incomplete NAT/SPI Implementations
        – Security vs. Networking :(
      • Order & Flow Matter!!!
  20. • Add support for…
        – IPv6 BNAT
        – UDP BNAT
        – IP + Port TCP BNAT
        – IP + Seq TCP BNAT
        – IP + Port + Seq TCP BNAT
  21. Questions?
  22. • Where to get this code?
        – https://github.com/claudijd/BNAT-Suite
      • How to find me?
        – Name: Jonathan Claudius
        – City: Chicago, IL
        – Email: jclaudius@trustwave.com
        – Twitter: @claudijd
      • References
        – http://code.google.com/p/packetfu/
        – http://www.netfilter.org/
        – http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
        – http://en.wikipedia.org/wiki/Iptables
        – http://en.wikipedia.org/wiki/Network_address_translation
        – http://en.wikipedia.org/wiki/Transmission_Control_Protocol
        – https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg