BNAT Hijacking: Repairing Broken Communication Channels
Transcript of BNAT Hijacking: Repairing Broken Communication Channels
Page 1
BNAT Hijacking: Repairing Broken Communication Channels
Jonathan Claudius
Defcon Skytalk 2011, Rio Hotel and Casino, August 5th, 2011
Security Begins with Trust
Page 2
Quick Story
“Easier Said Than Done…”
Page 3
AGENDA
• Introduction
• What & How of BNAT
• BNAT Handshake/Hijack
• Demo of BNAT-Suite
  – Finding BNAT (Active Identification)
  – Attacking BNAT (Hijack BNAT Session)
• Conclusions
Page 4
BNAT: The What?
[Diagram: Client → “Cloud” with DST: 1.1.2.1; the reply comes back with SRC: 1.1.2.2]
Page 5
BNAT: The How?
• “On a Stick”
[Diagram: Client → Firewall → Server; the same Firewall does DNAT (1.1.2.1) and SNAT (1.1.2.2)]
Page 6
BNAT: The How?
• “A Loop”
[Diagram: Client, Firewall (DNAT, 1.1.2.1), Router (SNAT, 1.1.2.2), Server]
Page 7
The Bottom Line
Outside view is the same…
BNAT Loop ~= BNAT on a Stick
…but both are still broken
Page 8
BNAT Handshake Idea
What if I could complete the TCP Handshake?
Page 9
BNAT Handshake Idea
• What would it take?
  1. Stop “RST” Packet
  2. Accept “SYN/ACK”
  3. Send “ACK”
Page 10
Tools
• Ruby PacketFu Gem
  – Created by Tod Beardsley (@todb)
  – Used by Metasploit Framework
• IPTables
  – Program to configure the Linux kernel firewall
Page 11
#1: Stop the “RST”
• IPTables can do this quite easily…
  iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
• No more RST
Page 12
#2: Accept “SYN/ACK”
• Capture “SYN/ACK” Code

```ruby
require 'packetfu'

# Sniff on the interface named in ARGV[0] for traffic coming back from the
# "other" address (1.1.2.2) to the client (1.1.2.3)
cap = PacketFu::Capture.new(:iface => ARGV[0], :start => true,
                            :filter => "tcp and src 1.1.2.2 and dst 1.1.2.3")
loop {
  cap.stream.each { |pkt|
    packet = PacketFu::Packet.parse(pkt)
    next unless packet.is_tcp?
    # A SYN/ACK is the server's half of the handshake
    if packet.tcp_flags.syn == 1 and packet.tcp_flags.ack == 1
      puts "got the syn/ack"
    end
  }
}
```
Page 13
#3: Send “ACK”
• Build and Send “ACK” Code

```ruby
require 'packetfu'

# synackpkt is the SYN/ACK captured in step #2; build the ACK that answers it
ackpkt = PacketFu::TCPPacket.new
ackpkt.ip_saddr = synackpkt.ip_daddr
ackpkt.ip_daddr = "1.1.2.2"
ackpkt.eth_saddr = "00:0c:29:af:cc:63"
ackpkt.eth_daddr = "00:11:93:d0:e9:e0"
ackpkt.tcp_sport = synackpkt.tcp_dport
ackpkt.tcp_dport = synackpkt.tcp_sport
ackpkt.tcp_flags.syn = 0
ackpkt.tcp_flags.ack = 1
ackpkt.tcp_ack = synackpkt.tcp_seq + 1   # acknowledge the server's ISN
ackpkt.tcp_seq = synackpkt.tcp_ack       # pick up our own sequence number
ackpkt.tcp_win = 183
ackpkt.recalc                            # recompute lengths and checksums

injack = PacketFu::Inject.new(:iface => ARGV[0])
injack.a2w(:array => [ackpkt.to_s])
puts "sent the ack"
```
Page 14
End Result
[Diagram: Client (OUTSIDE) ↔ Firewall (DNAT) / Router (SNAT), 1.1.2.1 / 1.1.2.2 ↔ Server (INSIDE); SYN, SYN/ACK and ACK are shown crossing on both sides]
Page 15
BNAT Hijacking Idea
What if I could weaponize this to do more?
Page 16
BNAT-Suite
• I built some tools to help…
  – BNAT-PCAP (Offline PCAP Analysis Tool)
  – BNAT-SCAN (Active Scanning Tool)
  – BNAT-ROUTER (Hijacking Router)
Page 17
DEMO #1: Find BNAT
• bnat-scan.rb
• Perspective:
  – External Penetration Test
  – Discover the hidden service
Page 18
DEMO #2: Attack BNAT
• bnat-router.rb
• Perspective:
  – External Penetration Test
  – Use the newly discovered service
Page 19
End Result
[Diagram: Client (OUTSIDE) ↔ B-Router ↔ Firewall (DNAT) / Router (SNAT), 1.1.2.1 / 1.1.2.2 ↔ Server (INSIDE); SYN, SYN/ACK and ACK are shown crossing on both sides]
Page 20
Conclusions
• Understand the Gaps…
  – Port/Vulnerability Scanners
  – Dynamic Routing
  – Vendor Limitations/Recommendations
  – Incomplete NAT/SPI Implementations
  – Security vs. Networking
• Order & Flow Matter!!!
Page 21
What's Next?
• Add support for…
  – IPv6 BNAT
  – UDP BNAT
  – IP + Port TCP BNAT
  – IP + Seq TCP BNAT
  – IP + Port + Seq TCP BNAT
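As an added example (not code from the talk or from BNAT-Suite), here is the core of the offline check a tool like BNAT-PCAP performs when auditing a perimeter capture: pair each outbound SYN with the SYN/ACK that answers it and report what the reply changed. It goes beyond the IP-only case on the slides by also flagging the port and sequence variants listed above. The packet records, the `Pkt` struct and the sample traffic are constructed for the example; only the 1.1.2.x addresses follow the slides.

```ruby
# Minimal TCP header summary; a real analyser would fill this from a pcap.
Pkt = Struct.new(:src_ip, :src_port, :dst_ip, :dst_port, :seq, :ack, :syn, :ack_flag)

# Match each SYN/ACK to the SYN it answers using the client's ip:port, which
# a BNAT device does not rewrite, then compare the server side of the reply
# against what the client actually sent to.
def find_bnat(packets)
  pending  = {}   # [client_ip, client_port] => the SYN that went out
  findings = []
  packets.each do |p|
    if p.syn && !p.ack_flag
      pending[[p.src_ip, p.src_port]] = p
    elsif p.syn && p.ack_flag
      syn = pending.delete([p.dst_ip, p.dst_port]) or next
      changed = []
      changed << :ip   if p.src_ip   != syn.dst_ip     # reply from another address
      changed << :port if p.src_port != syn.dst_port   # reply from another port
      changed << :seq  if p.ack      != syn.seq + 1    # our ISN was rewritten in transit
      findings << { target: "#{syn.dst_ip}:#{syn.dst_port}",
                    reply_from: "#{p.src_ip}:#{p.src_port}",
                    changed: changed } unless changed.empty?
    end
  end
  findings
end

# Constructed sample: client 1.1.2.3 probes two hosts. The first handshake is
# clean; the second SYN went to 1.1.2.1 but is answered from 1.1.2.2, the
# IP-only BNAT case from the slides.
SAMPLE = [
  Pkt.new("1.1.2.3", 40000, "1.1.2.5", 80,    1000, 0,    true, false),
  Pkt.new("1.1.2.5", 80,    "1.1.2.3", 40000, 5000, 1001, true, true),
  Pkt.new("1.1.2.3", 40001, "1.1.2.1", 22,    2000, 0,    true, false),
  Pkt.new("1.1.2.2", 22,    "1.1.2.3", 40001, 7000, 2001, true, true),
]

if __FILE__ == $0
  find_bnat(SAMPLE).each do |f|
    puts "#{f[:target]} answered from #{f[:reply_from]} (changed: #{f[:changed].join(',')})"
  end
end
```

A host that never sees the SYN/ACK paired this way is exactly the client whose kernel answered it with a RST, which is why the slides drop RSTs before the capture.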
Page 22
Questions?
Page 23
Some Info/Ref…
• Where to get this code?
  – https://github.com/claudijd/BNAT-Suite
• How to find me?
  – Name: Jonathan Claudius
  – City: Chicago, IL
  – Email: [email protected]
  – Twitter: @claudijd
• References
  – http://code.google.com/p/packetfu/
  – http://www.netfilter.org/
  – http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html
  – http://en.wikipedia.org/wiki/Iptables
  – http://en.wikipedia.org/wiki/Network_address_translation
  – http://en.wikipedia.org/wiki/Transmission_Control_Protocol
  – https://cocktails365.files.wordpress.com/2010/04/barnapkin.jpg