Posted: 26-Jun-2015 | Uploaded by: claudijd
BNAT Hijacking
Jonathan Claudius, Rio Hotel and Casino, August 5th, 2011
Defcon Skytalk 2011
Repairing Broken Communication Channels
Security Begins with Trust
Quick Story
“Easier Said Than Done…”
AGENDA
• Introduction
• What & How of BNAT
• BNAT Handshake/Hijack
• Demo of BNAT-Suite
  – Finding BNAT (Active Identification)
  – Attacking BNAT (Hijack BNAT Session)
• Conclusions
BNAT: The What?
[Diagram: Client and “Cloud”; the SYN goes to DST: 1.1.2.1, the reply comes back with SRC: 1.1.2.2]
BNAT: The How?
• “On a Stick”
[Diagram: Client, Firewall (DNAT and SNAT on the same device), Server; addresses 1.1.2.1 and 1.1.2.2]
BNAT: The How?
• “A Loop”
[Diagram: Client, Firewall, Router, Server; DNAT on one device, SNAT on the other; addresses 1.1.2.1 and 1.1.2.2]
The Bottom Line
Outside view is the same…
BNAT Loop ~= BNAT on a Stick
…but both are still broken
BNAT Handshake Idea
What if I could complete the TCP Handshake?
BNAT Handshake Idea
• What would it take?
1. Stop the “RST” Packet
2. Accept the “SYN/ACK”
3. Send the “ACK”
Tools
• Ruby PacketFu Gem
  – Created by Tod Beardsley (@todb)
  – Used by Metasploit Framework
• IPTables
  – Program to configure the Linux Kernel Firewall
#1: Stop the “RST”
• IPTables can do this quite easily…
    iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
• No more RST
#2: Accept “SYN/ACK”
• Capture “SYN/ACK” Code
    require 'packetfu'

    # Listen on the interface given as the first argument; the BPF filter
    # keeps only TCP from the SNAT address (1.1.2.2) to our client (1.1.2.3)
    cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true,
                                :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
    loop {
      cap.stream.each { |pkt|
        packet = PacketFu::Packet.parse(pkt)
        next unless packet.is_tcp?          # only TCP packets carry tcp_flags
        if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
          puts "got the syn/ack"
        end
      }
    }
#3: Send “ACK”
• Build and Send “ACK” Code
    # synackpkt is the SYN/ACK captured in step #2
    ackpkt = PacketFu::TCPPacket.new
    ackpkt.ip_saddr  = synackpkt.ip_daddr       # we are the client
    ackpkt.ip_daddr  = "1.1.2.2"                # answer the SNAT address, not 1.1.2.1
    ackpkt.eth_saddr = "00:0c:29:af:cc:63"
    ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
    ackpkt.tcp_sport = synackpkt.tcp_dport
    ackpkt.tcp_dport = synackpkt.tcp_sport
    ackpkt.tcp_flags.syn = 0
    ackpkt.tcp_flags.ack = 1
    ackpkt.tcp_ack = synackpkt.tcp_seq + 1      # acknowledge the server's ISN
    ackpkt.tcp_seq = synackpkt.tcp_ack          # continue our own sequence
    ackpkt.tcp_win = 183
    ackpkt.recalc                               # recompute lengths and checksums
    injack = PacketFu::Inject.new(:iface => ARGV[0])
    injack.a2w(:array => [ackpkt.to_s])
    puts "sent the ack"
End Result
[Diagram: the BNAT loop (Firewall with DNAT, Router with SNAT, addresses 1.1.2.1 and 1.1.2.2) with the handshake now completed: SYN, SYN/ACK and ACK pass between Client (OUTSIDE) and Server (INSIDE)]
BNAT Hijacking Idea
What if I could weaponize this to do more?
BNAT-Suite
• I built some tools to help…
  – BNAT-PCAP (Offline PCAP Analysis Tool)
  – BNAT-SCAN (Active Scanning Tool)
  – BNAT-ROUTER (Hijacking Router)
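As an added example (not BNAT-Suite's own code), the core check an offline analysis tool like BNAT-PCAP needs: pair each outbound SYN with its SYN/ACK and flag any reply that arrives from a different address than the one the SYN was sent to. The packet records and addresses are constructed sample data rather than a real capture.

```ruby
# Added example: find BNAT in a list of parsed TCP packet records.
# A BNAT candidate is a SYN sent to host A whose matching SYN/ACK comes
# back from a different host B (ports swapped, ack == syn.seq + 1).
# Records are plain hashes (constructed sample data), not PacketFu objects.

def bnat_candidates(packets)
  # Index outbound SYNs by (client ip, client port, server port, seq)
  syns = {}
  packets.each do |p|
    next unless p[:flags] == :syn
    syns[[p[:src], p[:sport], p[:dport], p[:seq]]] = p
  end

  candidates = []
  packets.each do |p|
    next unless p[:flags] == :synack
    key = [p[:dst], p[:dport], p[:sport], p[:ack] - 1]
    syn = syns[key]
    next unless syn                  # SYN/ACK with no matching SYN: ignore
    next if syn[:dst] == p[:src]     # normal reply from the host we dialled
    candidates << { dialled: syn[:dst], replied_from: p[:src], port: syn[:dport] }
  end
  candidates
end

# Constructed capture from the client's point of view (1.1.2.3), mirroring
# the deck's addresses: SYN to 1.1.2.1, SYN/ACK back from 1.1.2.2.
SAMPLE = [
  { src: "1.1.2.3", dst: "1.1.2.1", sport: 40000, dport: 80, seq: 1000, ack: 0, flags: :syn },
  { src: "1.1.2.2", dst: "1.1.2.3", sport: 80, dport: 40000, seq: 5000, ack: 1001, flags: :synack },
  # a healthy handshake (documentation address) for comparison
  { src: "1.1.2.3", dst: "192.0.2.10", sport: 40001, dport: 443, seq: 2000, ack: 0, flags: :syn },
  { src: "192.0.2.10", dst: "1.1.2.3", sport: 443, dport: 40001, seq: 7000, ack: 2001, flags: :synack },
]

if __FILE__ == $0
  bnat_candidates(SAMPLE).each do |c|
    puts "BNAT: dialled #{c[:dialled]}:#{c[:port]}, SYN/ACK from #{c[:replied_from]}"
  end
end
```

Only the first handshake is reported; the SYN/ACK from 192.0.2.10 matches the address it was dialled on and is left alone.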
DEMO #1: Find BNAT
• bnat-scan.rb
• Perspective:
  – External Penetration Test
  – Discover the hidden service
DEMO #2: Attack BNAT
• bnat-router.rb
• Perspective:
  – External Penetration Test
  – Use the newly discovered service
End Result
[Diagram: the same BNAT loop (Firewall with DNAT, Router with SNAT, addresses 1.1.2.1 and 1.1.2.2), with the B-Router sitting OUTSIDE between the Client and the network and relaying the completed SYN, SYN/ACK, ACK exchange to the Server INSIDE]
Conclusions
• Understand the Gaps…
  – Port/Vulnerability Scanners
  – Dynamic Routing
  – Vendor Limitations/Recommendations
  – Incomplete NAT/SPI Implementations
  – Security vs. Networking
• Order & Flow Matter!!!
What's Next?
• Add support for…
  – IPv6 BNAT
  – UDP BNAT
  – IP + Port TCP BNAT
  – IP + Seq TCP BNAT
  – IP + Port + Seq TCP BNAT
Questions?
Some Info/Ref…
• Where to get this code?
  – https://github.com/claudijd/BNAT-Suite
• How to find me?
  – Name: Jonathan Claudius
  – City: Chicago, IL
  – Email: [email protected]
  – Twitter: @claudijd
• References
  – http://code.google.com/p/packetfu/
  – http://www.netfilter.org/
  – http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
  – http://en.wikipedia.org/wiki/Iptables
  – http://en.wikipedia.org/wiki/Network_address_translation
  – http://en.wikipedia.org/wiki/Transmission_Control_Protocol
  – https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg