BNAT Hijacking

Jonathan ClaudiusRio Hotel and Casino August 5th, 2011

Defcon Skytalk 2011

Repairing Broken Communication Channels

Security Begins with Trust

Quick Story

“Easier Said Than Done…”

AGENDA

• Introduction• What & How of BNAT• BNAT Handshake/Hijack

• Demo of BNAT-Suite– Finding BNAT (Active Identification)– Attacking BNAT (Hijack BNAT Session)

• Conclusions

BNAT: The What?

DST: 1.1.2.1

SRC: 1.1.2.2Client “Cloud”

BNAT: The How?

• “On a Stick”

DNAT

Firewall1.1.2.1

1.1.2.2 SNAT

ServerClient

BNAT: The How?

• “A Loop”

DNAT

SNAT

Firewall

Router

1.1.2.1

1.1.2.2

ServerClient

The Bottom Line

Outside view is the same…

BNAT Loop ~= BNAT on a Stick

…but both are still broken

BNAT Handshake Idea

What if I could complete the TCP Handshake?

BNAT Handshake Idea

• What would it take?

1. Stop “RST” Packet2. Accept “SYN/ACK”3. Send “ACK”

Tools

• Ruby Packetfu Gem– Created by Tod Beardsley (@todb)– Used by Metasploit Framework

• IPTables– Program to configure Linux Kernel Firewall

#1: Stop the “RST”

• IPTables can do this quite easily…iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

• No more RST

#2: Accept “SYN/ACK”

• Capture “SYN/ACK” Codecap = PacketFu::Capture.new(:iface => ARGV[0], :start => true, :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")loop {cap.stream.each { |pkt| packet = PacketFu::Packet.parse(pkt) if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1 puts "got the syn/ack“ end }}

#3: Send “ACK”

• Build and Send “ACK” Codeackpkt = TCPPacket.newackpkt.ip_saddr=synackpkt.ip_daddr ackpkt.ip_daddr="1.1.2.2“ackpkt.eth_saddr="00:0c:29:af:cc:63“ackpkt.eth_daddr="00:11:93:d0:e9:e0“ackpkt.tcp_sport=synackpkt.tcp_dportackpkt.tcp_dport=synackpkt.tcp_sportackpkt.tcp_flags.syn=0 ackpkt.tcp_flags.ack=1ackpkt.tcp_ack=synackpkt.tcp_seq+1ackpkt.tcp_seq=synackpkt.tcp_ackackpkt.tcp_win=183ackpkt.recalcinjack = PacketFu::Inject.new(:iface => ARGV[0])injack.a2w(:array => [ackpkt.to_s])puts "sent the ack"

End Result

DNAT

SNAT

Firewall

Router

1.1.2.1

1.1.2.2

SYN SYN

SYN/ACKSYN/ACK

ACK ACKServerClient

OUTSIDE INSIDE

BNAT Hijacking Idea

What if I could weaponize this to do more?

BNAT-Suite

• I built some tools to help…

– BNAT-PCAP (Offline PCAP Analysis Tool)– BNAT-SCAN (Active Scanning Tool)– BNAT-ROUTER (Hijacking Router)

DEMO #1: Find BNAT

• bnat-scan.rb

• Perspective:– External Penetration Test– Discover the hidden service

DEMO #2: Attack BNAT

• bnat-router.rb

• Perspective:– External Penetration Test– Use the newly discovered service

End Result

DNAT

SNAT

Firewall

Router

1.1.2.1

1.1.2.2

SYN SYN

SYN/ACKSYN/ACK

ACK ACKServer

B-Router

OUTSIDE INSIDE

Client

Conclusions

• Understand the Gaps…– Port/Vulnerability Scanners– Dynamic Routing– Vendor Limitations/Recommendations– Incomplete NAT/SPI Implementations– Security vs. Networking

• Order & Flow Matter!!!

What's Next?

• Add support for…– IPv6 BNAT– UDP BNAT– IP + Port TCP BNAT– IP + Seq TCP BNAT– IP + Port + Seq TCP BNAT

Questions?

Some Info/Ref…• Where to get this code?

– https://github.com/claudijd/BNAT-Suite

• How to find me?– Name: Jonathan Claudius– City: Chicago, IL– Email: jclaudius@trustwave.com– Twitter: @claudijd

• References– http://code.google.com/p/packetfu/– http://www.netfilter.org/– http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html– http://en.wikipedia.org/wiki/Iptables– http://en.wikipedia.org/wiki/Network_address_translation– http://en.wikipedia.org/wiki/Transmission_Control_Protocol– https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg