Penetration Testing mailing list archives

Re: Inverse NAT?

From: Alexandre Bezroutchko <abb () gremwell com>
Date: Wed, 17 Aug 2011 12:11:16 +0200

Hi,

NAT boxes tend to drop unexpected traffic coming from WAN, by design.Assuming there are no implementation flaws, I don't think you canpenetrate into LAN without involving a user sitting there.

Apart from social engineering attacks mentioned, DNS rebinding might berelevant. The attack does not require any actions from the victim beyondopening a rogue page in their browser. It works against web admininterfaces and UPnP listeners. I played with both in the past, mileagevaries depending on victims's browser and peculiarities of webadmininterface. I .had attack against UPnP service working for Firefoxsitting behind NetGear router. You may find some more details herehttp://www.gremwell.com/dns-rebinding-checklist.


Best regards,
Alex Bezroutchko
Gremwell
www.gremwell.com

On 08/16/2011 08:09 PM, Todd Haverkos wrote:

"Turamarth"<admin () turamarth com>  writes:

There is any way to enter a lan interface through a wan interface ( in
a normal router ) without a nat forwarding rule, or admin account of
the router?

maybe a variance of routing tables, o something like this, any idea or
documentation about it ?

Reading between the lines and given that we're in a penetration
testing mailing list, would it be fair to assume that your goal is to
penetrate a client that employs a nat router?

Assuming it's part of the scope (and hopefuly it is since the
attackers are certainly using it), client-side exploitation would be
the easiest way to go here. One way or another (be it through a email
phishing campaign or phone social engineering), provide your payload
that does a call back on traffic from their LAN connected machine to
your waiting web server. This leverages the "hiding in plain sight"
approach of leveraging traffic that everyone needs to let out of their
environment: outbound tcp/80 and tcp/44. The Social Engineering
Toolkit (SET) makes pretty quick work of such.
http://www.secmaniac.com/movies/ for demos of what that looks like.

This may be something you already know, but as network perimeters have
gotten pretty hard and crunchy, client side is the method that's
making the most hay for the bad guys.

If client side or SE is not in scope, you'd have go hunting for an
overlooked nat forward rule or a VPN listening somehow. Wireless is
another path of lower resistance if that's in scope to get behind that
router. Also don't forget last year's gem from HD Moore about the UDP
port that a frightening number of VxWorks based routers are listening
on.
http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

Inverse NAT? Turamarth (Aug 16)
- Re: Inverse NAT? John C Borkowski III (Aug 17)
  - Re: Inverse NAT? Jerry (Aug 17)
- Re: Inverse NAT? Todd Haverkos (Aug 17)
  - Re: Inverse NAT? Alexandre Bezroutchko (Aug 17)
- Re: Inverse NAT? Marcelo Soria (Aug 17)