Penetration Testing mailing list archives
Re: Inverse NAT?
From: Alexandre Bezroutchko <abb () gremwell com>
Date: Wed, 17 Aug 2011 12:11:16 +0200
Hi,NAT boxes tend to drop unexpected traffic coming from WAN, by design. Assuming there are no implementation flaws, I don't think you can penetrate into LAN without involving a user sitting there.
Apart from social engineering attacks mentioned, DNS rebinding might be relevant. The attack does not require any actions from the victim beyond opening a rogue page in their browser. It works against web admin interfaces and UPnP listeners. I played with both in the past, mileage varies depending on victims's browser and peculiarities of webadmin interface. I .had attack against UPnP service working for Firefox sitting behind NetGear router. You may find some more details here http://www.gremwell.com/dns-rebinding-checklist.
Best regards, Alex Bezroutchko Gremwell www.gremwell.com On 08/16/2011 08:09 PM, Todd Haverkos wrote:
"Turamarth"<admin () turamarth com> writes:There is any way to enter a lan interface through a wan interface ( in a normal router ) without a nat forwarding rule, or admin account of the router? maybe a variance of routing tables, o something like this, any idea or documentation about it ?Reading between the lines and given that we're in a penetration testing mailing list, would it be fair to assume that your goal is to penetrate a client that employs a nat router? Assuming it's part of the scope (and hopefuly it is since the attackers are certainly using it), client-side exploitation would be the easiest way to go here. One way or another (be it through a email phishing campaign or phone social engineering), provide your payload that does a call back on traffic from their LAN connected machine to your waiting web server. This leverages the "hiding in plain sight" approach of leveraging traffic that everyone needs to let out of their environment: outbound tcp/80 and tcp/44. The Social Engineering Toolkit (SET) makes pretty quick work of such. http://www.secmaniac.com/movies/ for demos of what that looks like. This may be something you already know, but as network perimeters have gotten pretty hard and crunchy, client side is the method that's making the most hay for the bad guys. If client side or SE is not in scope, you'd have go hunting for an overlooked nat forward rule or a VPN listening somehow. Wireless is another path of lower resistance if that's in scope to get behind that router. Also don't forget last year's gem from HD Moore about the UDP port that a frightening number of VxWorks based routers are listening on. http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html Best Regards, -- Todd Haverkos, LPT MsCompE http://haverkos.com/ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Inverse NAT? Turamarth (Aug 16)
- Re: Inverse NAT? John C Borkowski III (Aug 17)
- Re: Inverse NAT? Jerry (Aug 17)
- Re: Inverse NAT? Todd Haverkos (Aug 17)
- Re: Inverse NAT? Alexandre Bezroutchko (Aug 17)
- Re: Inverse NAT? Marcelo Soria (Aug 17)
- Re: Inverse NAT? John C Borkowski III (Aug 17)