BNAT Hijacking
Jonathan Claudius, Rio Hotel and Casino, August 5th, 2011
Defcon Skytalk 2011
Repairing Broken Communication Channels
Security Begins with Trust
Quick Story
“Easier Said Than Done…”
AGENDA
• Introduction
• What & How of BNAT
• BNAT Handshake/Hijack
• Demo of BNAT-Suite
  – Finding BNAT (Active Identification)
  – Attacking BNAT (Hijack BNAT Session)
• Conclusions
BNAT: The What?
[Diagram: the client sends into the "Cloud" with DST 1.1.2.1, and the reply comes back with SRC 1.1.2.2, an address the client never sent to.]
BNAT: The How?
• "On a Stick"
[Diagram: one firewall holds both addresses. Traffic from the client to 1.1.2.1 is DNATed to the server, and the server's replies are SNATed back out to the client as 1.1.2.2.]
BNAT: The How?
• "A Loop"
[Diagram: the DNAT to the server is done on the firewall (1.1.2.1), while the replies leave through a separate router that SNATs them as 1.1.2.2, so request and reply take different paths.]
The Bottom Line
Outside view is the same…
BNAT Loop ~= BNAT on a Stick
…but both are still broken
BNAT Handshake Idea
What if I could complete the TCP Handshake?
BNAT Handshake Idea
• What would it take?
  1. Stop "RST" Packet
  2. Accept "SYN/ACK"
  3. Send "ACK"
Tools
• Ruby PacketFu Gem
  – Created by Tod Beardsley (@todb)
  – Used by Metasploit Framework
• IPTables
  – Program to configure the Linux kernel firewall
#1: Stop the “RST”
• IPTables can do this quite easily…
  iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
  (This drops every outbound RST the host would send, not just the one for the BNAT reply; add -d 1.1.2.2 to limit it to the target address.)
• No more RST
#2: Accept “SYN/ACK”
• Capture "SYN/ACK" Code
  require 'packetfu'

  # Sniff for the SYN/ACK that the BNAT device (1.1.2.2) sends back to us (1.1.2.3)
  cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true,
                              :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
  loop {
    cap.stream.each { |pkt|
      packet = PacketFu::Packet.parse(pkt)
      if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
        puts "got the syn/ack"
        synackpkt = packet   # kept for step #3, which builds the ACK from it
      end
    }
  }
#3: Send “ACK”
• Build and Send "ACK" Code
  # synackpkt is the SYN/ACK captured in step #2
  ackpkt = PacketFu::TCPPacket.new
  ackpkt.ip_saddr  = synackpkt.ip_daddr
  ackpkt.ip_daddr  = "1.1.2.2"              # answer the address that replied, not 1.1.2.1
  ackpkt.eth_saddr = "00:0c:29:af:cc:63"
  ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
  ackpkt.tcp_sport = synackpkt.tcp_dport
  ackpkt.tcp_dport = synackpkt.tcp_sport
  ackpkt.tcp_flags.syn = 0
  ackpkt.tcp_flags.ack = 1
  ackpkt.tcp_ack   = synackpkt.tcp_seq + 1  # acknowledge their ISN
  ackpkt.tcp_seq   = synackpkt.tcp_ack      # continue our sequence where they expect it
  ackpkt.tcp_win   = 183
  ackpkt.recalc
  injack = PacketFu::Inject.new(:iface => ARGV[0])
  injack.a2w(:array => [ackpkt.to_s])
  puts "sent the ack"
End Result
[Diagram, OUTSIDE to INSIDE: the SYN goes to 1.1.2.1 and is DNATed by the firewall to the server; the SYN/ACK leaves via the router SNATed as 1.1.2.2; with the RST suppressed, the handcrafted ACK reaches the server and the handshake completes.]
BNAT Hijacking Idea
What if I could weaponize this to do more?
BNAT-Suite
• I built some tools to help…
  – BNAT-PCAP (Offline PCAP Analysis Tool)
  – BNAT-SCAN (Active Scanning Tool)
  – BNAT-ROUTER (Hijacking Router)
DEMO #1: Find BNAT
• bnat-scan.rb
• Perspective:
  – External Penetration Test
  – Discover the hidden service
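Offline identification of BNAT, as an added example in plain Ruby and not bnat-scan.rb, bnat-pcap.rb or any other BNAT-Suite code (it deliberately avoids PacketFu so it runs without the gem). The packet records are constructed here to stand in for what a real tool would parse from a pcap: the scanner at 1.1.2.3 (the address the slides' capture filter uses) probes 1.1.2.1, and the SYN/ACK for port 80 comes back from 1.1.2.2. A SYN/ACK is matched to the SYN it answers by the SYN's source port and by acknowledging the SYN's sequence number plus one; a match whose source address differs from the probed address is BNAT. This is also why an ordinary port scanner misses the service: its kernel never sent a SYN to 1.1.2.2, so it RSTs the reply and the scanner sees no answer.

```ruby
# Added example, not part of the slides or BNAT-Suite: offline BNAT
# identification over packet records, in the spirit of BNAT-PCAP.
# Records are constructed here; a real tool would parse them from a pcap.
Pkt = Struct.new(:src, :dst, :sport, :dport, :seq, :ack, :flags)

SCANNER = "1.1.2.3"   # assumed scanner address, as in the slides' capture filter

# Constructed sample capture: one BNAT service, one normal service,
# and one unsolicited SYN/ACK that must be ignored.
SAMPLE = [
  Pkt.new(SCANNER, "1.1.2.1", 40001, 80, 1000, 0, [:syn]),
  Pkt.new("1.1.2.2", SCANNER, 80, 40001, 5000, 1001, [:syn, :ack]),  # answered by a different address
  Pkt.new(SCANNER, "1.1.2.1", 40002, 22, 2000, 0, [:syn]),
  Pkt.new("1.1.2.1", SCANNER, 22, 40002, 6000, 2001, [:syn, :ack]),  # normal reply
  Pkt.new("1.1.2.9", SCANNER, 443, 40003, 7000, 9999, [:syn, :ack]), # no SYN was sent for this
]

# Pair every SYN from the scanner with the SYN/ACK that answers it.
# A SYN/ACK answers a SYN when it arrives at the SYN's source port and
# acknowledges the SYN's sequence number plus one. If the answering
# address is not the address that was probed, the service is BNAT.
def find_bnat(packets, scanner)
  pending = {}   # [scanner port, expected ack] => SYN record
  findings = []
  packets.each do |pkt|
    if pkt.src == scanner && pkt.flags == [:syn]
      pending[[pkt.sport, pkt.seq + 1]] = pkt
    elsif pkt.dst == scanner && pkt.flags == [:syn, :ack]
      syn = pending.delete([pkt.dport, pkt.ack])
      next if syn.nil?   # unsolicited; the host kernel would RST it anyway
      findings << { port: syn.dport, probed: syn.dst, replied: pkt.src,
                    bnat: syn.dst != pkt.src }
    end
  end
  findings
end

if __FILE__ == $0
  find_bnat(SAMPLE, SCANNER).each do |f|
    puts "#{f[:probed]}:#{f[:port]} answered by #{f[:replied]}#{f[:bnat] ? '  <-- BNAT' : ''}"
  end
end
```

The same pairing rule is what an active scanner has to apply: with the RST rule from step #1 in place, it sends the SYNs itself and feeds the replies it sniffs to find_bnat.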
DEMO #2: Attack BNAT
• bnat-router.rb
• Perspective:
  – External Penetration Test
  – Use the newly discovered service
End Result
[Diagram, OUTSIDE to INSIDE: the same SYN / SYN/ACK / ACK exchange through the firewall (DNAT, 1.1.2.1) and router (SNAT, 1.1.2.2), but now the B-Router sits between the client and the outside and handles the mismatched SYN/ACK on the client's behalf, so an unmodified client can use the service.]
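A stateful model of the hijacking router, as an added example in plain Ruby; it is not code from bnat-router.rb. It assumes, following the slides' ACK code (which addresses the ACK to 1.1.2.2), that once a SYN/ACK has revealed the replying address, the client's later packets for that flow are sent to that address, while replies are rewritten so the client sees them come from the address it connected to (1.1.2.1) and never sends a RST. The client address, ports and packets are constructed for the example. The RST suppression from step #1 is still needed on the host running this in front of a real client.

```ruby
# Added example, not code from bnat-router.rb: a stateful model of the
# hijacking router. Addresses and packets are constructed for the example.
Pkt = Struct.new(:src, :dst, :sport, :dport, :flags)

class BnatRouter
  # advertised: the address the client connects to (1.1.2.1 in the slides)
  def initialize(advertised)
    @advertised  = advertised
    @syn_sent    = {}   # [client addr, client port] => true once a SYN went out
    @answered_by = {}   # [client addr, client port] => address that sent the SYN/ACK
  end

  # Client -> outside. The SYN must go to the advertised address (that is
  # where the DNAT lives). Once the flow has been answered from elsewhere,
  # everything after the SYN goes to the address that answered, which is
  # what the slides' handcrafted ACK does (ip_daddr = 1.1.2.2).
  def outbound(pkt)
    return pkt if pkt.dst != @advertised
    key = [pkt.src, pkt.sport]
    if pkt.flags == [:syn]
      @syn_sent[key] = true
      return pkt
    end
    real = @answered_by[key]
    real ? Pkt.new(pkt.src, real, pkt.sport, pkt.dport, pkt.flags) : pkt
  end

  # Outside -> client. Learn the answering address from a SYN/ACK that
  # answers one of our SYNs from a source other than the advertised
  # address, then rewrite that flow's replies so the client's stack sees
  # them come from the address it connected to and does not RST them.
  def inbound(pkt)
    key = [pkt.dst, pkt.dport]
    if pkt.flags == [:syn, :ack] && pkt.src != @advertised && @syn_sent[key]
      @answered_by[key] = pkt.src
    end
    return pkt unless @answered_by[key] == pkt.src
    Pkt.new(@advertised, pkt.dst, pkt.sport, pkt.dport, pkt.flags)
  end
end

# Walk the three-way handshake of the "End Result" diagram through the
# router and return what each side actually sees.
def handshake_trace(router, client = "10.0.0.5")
  syn     = router.outbound(Pkt.new(client, "1.1.2.1", 40001, 80, [:syn]))
  syn_ack = router.inbound(Pkt.new("1.1.2.2", client, 80, 40001, [:syn, :ack]))
  ack     = router.outbound(Pkt.new(client, "1.1.2.1", 40001, 80, [:ack]))
  [syn, syn_ack, ack]
end

if __FILE__ == $0
  handshake_trace(BnatRouter.new("1.1.2.1")).each do |p|
    puts "#{p.flags.join('/')}: #{p.src}:#{p.sport} -> #{p.dst}:#{p.dport}"
  end
end
```

Flows that are answered from the advertised address pass through untouched, and a SYN/ACK for which no SYN went out is not learned, so the router only rewrites the sessions it actually hijacked.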
Conclusions
• Understand the Gaps…
  – Port/Vulnerability Scanners
  – Dynamic Routing
  – Vendor Limitations/Recommendations
  – Incomplete NAT/SPI Implementations
  – Security vs. Networking
• Order & Flow Matter!!!
What's Next?
• Add support for…
  – IPv6 BNAT
  – UDP BNAT
  – IP + Port TCP BNAT
  – IP + Seq TCP BNAT
  – IP + Port + Seq TCP BNAT
Questions?
Some Info/Ref…
• Where to get this code?
  – https://github.com/claudijd/BNAT-Suite
• How to find me?
  – Name: Jonathan Claudius
  – City: Chicago, IL
  – Email: [email protected]
  – Twitter: @claudijd
• References
  – http://code.google.com/p/packetfu/
  – http://www.netfilter.org/
  – http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
  – http://en.wikipedia.org/wiki/Iptables
  – http://en.wikipedia.org/wiki/Network_address_translation
  – http://en.wikipedia.org/wiki/Transmission_Control_Protocol
  – https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg