Re: [Full-Disclosure] NAT router inbound network traffic subversion
You should probably clarify exactly what type of NAT implementation you're speaking about. After all, it's perfectly common to leverage dedicated static NATs to support inbound connections for internal (and typically non-routed) hosts.

Thank you,

Darren Bounds
Intrusense, LLC.

On Jan 28, 2005, at 1:12 AM, Kristian Hermansen wrote:

> I have Googled around and asked a highly-respected Professor at my University whether it is possible to direct packets behind a NAT router without the internal 192.168.x.x clients first requesting a connection to the specific host outside. The answer I received is "not possible". I also asked if this can be thought of as a security feature, to which the reply was again "yes".
>
> Now, I wouldn't place all my bets on his answer and I am calling on someone out there to clear up my question. If NAT really does only allow inbound connections with a preliminary request as he suggests, it seems that the only way to get an "unauthorized" packet behind the router is by some flaw in the firmware of the device.
>
> How about if the client has requested a connection to Google.com from behind his Linksys home NAT router: would it be possible for an outside attacker to spoof packets from Google's IP to get packets into the network? Or do we need to know the sequence numbers as well? Or is there an even more devious way to get packets on the inside without a client's initiative?
>
> Has there been any research into this? Are there statistics on worm propagation and exploited network hosts in relation to those individuals that did not own routers (and instead connected directly to their modem)? If *all* home users on the Internet had NAT routers during the summer of 2003, would we have significantly slowed the spread of Blaster? I believe these all to be very important questions and the security aspects of the ability to route packets behind NAT really interest me...maybe some of you can elaborate :-)
> --
> Kristian Hermansen <[EMAIL PROTECTED]>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] NAT router inbound network traffic subversion
Actually...if you bothered to read the whole work, and did not just skim it, you would see that the team at Columbia very specifically states that their analytic techniques can be easily confused, and that there are basic steps for NAT use/configuration that render their techniques basically useless. Also, as intranet traffic fogs their results considerably, they state that this technique is not at all valid where such traffic occurs. There are more caveats, such as proximity to the source NAT device, etc...as well as the process missing multiple machines...in the paper, but enough...you get my point.

No offense, but their work does not say what you said it says.

Bart Lansing
Manager, Desktop Services/Lotus Notes
Kohl's IT

[EMAIL PROTECTED] wrote on 01/28/2005 10:26:40 AM:

> Check it here -> http://www1.cs.columbia.edu/~smb/papers/fnat.pdf
>
> This should help clarify why NAT can not be considered a security feature.
>
> On Thu, 27 Jan 2005 22:12:19 -0800 Kristian Hermansen <[EMAIL PROTECTED]> wrote:
> > I have Googled around and asked a highly-respected Professor at my University whether it is possible to direct packets behind a NAT router without the internal 192.168.x.x clients first requesting a connection to the specific host outside. The answer I received is "not possible". I also asked if this can be thought of as a security feature, to which the reply was again "yes".
> >
> > Now, I wouldn't place all my bets on his answer and I am calling on someone out there to clear up my question. If NAT really does only allow inbound connections with a preliminary request as he suggests, it seems that the only way to get an "unauthorized" packet behind the router is by some flaw in the firmware of the device.
> >
> > How about if the client has requested a connection to Google.com from behind his Linksys home NAT router: would it be possible for an outside attacker to spoof packets from Google's IP to get packets into the network? Or do we need to know the sequence numbers as well? Or is there an even more devious way to get packets on the inside without a client's initiative?
> >
> > Has there been any research into this? Are there statistics on worm propagation and exploited network hosts in relation to those individuals that did not own routers (and instead connected directly to their modem)? If *all* home users on the Internet had NAT routers during the summer of 2003, would we have significantly slowed the spread of Blaster? I believe these all to be very important questions and the security aspects of the ability to route packets behind NAT really interest me...maybe some of you can elaborate :-)
> > --
> > Kristian Hermansen <[EMAIL PROTECTED]>
RE: [Full-Disclosure] NAT router inbound network traffic subversion
See http://www.phrack.org/show.php?p=62&a=3
"The Impact of RFC Guidelines on DNS Spoofing Attacks" by have2Banonymous

The short version - Windows sends DNS queries from a consistent source port - 1026 in the author's tests, and with predictable request IDs - the first request after boot up is 1, then 2,3,4... (like an idiot's luggage combination)

You can predict what DNS server a home ISP user will query; it's the ISP's DNS server. Using source port 53, and destination port 1026, you have everything you need to get phoney DNS replies past the NAT router. If you brute-force the lower hundred or so request IDs, you're reasonably likely to hit a request ID the DNS client just sent, assuming the computer was booted recently.

And, here's the kicker - Windows doesn't check if the answer matches the question it asked - if you look up www.good.org, and an attacker manages to sneak in a phoney reply packet telling you that www.evil.com has address 6.6.6.6, that will be good enough. And your browser will be directed to the evil server, but show the good one's name in the address bar.

Cheers
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kristian Hermansen
Sent: January 27, 2005 23:12
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] NAT router inbound network traffic subversion

I have Googled around and asked a highly-respected Professor at my University whether it is possible to direct packets behind a NAT router without the internal 192.168.x.x clients first requesting a connection to the specific host outside. The answer I received is "not possible". I also asked if this can be thought of as a security feature, to which the reply was again "yes".

Now, I wouldn't place all my bets on his answer and I am calling on someone out there to clear up my question. If NAT really does only allow inbound connections with a preliminary request as he suggests, it seems that the only way to get an "unauthorized" packet behind the router is by some flaw in the firmware of the device.

How about if the client has requested a connection to Google.com from behind his Linksys home NAT router: would it be possible for an outside attacker to spoof packets from Google's IP to get packets into the network? Or do we need to know the sequence numbers as well? Or is there an even more devious way to get packets on the inside without a client's initiative?

Has there been any research into this? Are there statistics on worm propagation and exploited network hosts in relation to those individuals that did not own routers (and instead connected directly to their modem)? If *all* home users on the Internet had NAT routers during the summer of 2003, would we have significantly slowed the spread of Blaster? I believe these all to be very important questions and the security aspects of the ability to route packets behind NAT really interest me...maybe some of you can elaborate :-)
--
Kristian Hermansen <[EMAIL PROTECTED]>
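The acceptance checks whose absence the message above describes (fixed port 1026, sequential request IDs, answers not matched to the question), sketched as an added example that is not code from the post or the Phrack article. All function names are hypothetical, and the addresses and reply bytes are constructed sample data.

```python
import secrets
import struct

def encode_name(name):  # length-prefixed labels, no compression
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next_off)."""
    labels, end = [], None
    for _ in range(255):                          # bounded, so pointer loops cannot hang us
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def register_query(pending, server_ip, qname):
    """Record a query under an unpredictable local port and ID (not 1026 and 1, 2, 3...)."""
    key = (1024 + secrets.randbelow(64512), secrets.randbelow(65536))
    pending[key] = (server_ip, qname.lower())
    return key

def make_reply(txid, qname, owner, ip):
    """Constructed sample data: a reply with one question and one A record."""
    rr = encode_name(owner) + struct.pack("!HHIH4B", 1, 1, 60, 4, *map(int, ip.split(".")))
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1) + rr)

def check_reply(pending, src, dst_port, msg):
    """Return 'accept' or a reject reason for a UDP payload that reached the client."""
    try:
        txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
        if (dst_port, txid) not in pending:
            return "reject: no outstanding query on this port/ID"
        server_ip, expect = pending[(dst_port, txid)]
        if src != (server_ip, 53):                # spoofable, so not sufficient alone
            return "reject: not from the server that was asked"
        if not (flags & 0x8000) or qdcount != 1:
            return "reject: not a single-question response"
        echoed, off = read_name(msg, 12)
        if echoed != expect:
            return "reject: question section does not echo the query"
        off += 4                                  # skip QTYPE and QCLASS
        for _ in range(ancount):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if owner != expect:
                return "reject: answer is for a name that was not asked about"
            if rtype == 5:                        # CNAME: chain continues at its target
                expect = read_name(msg, off + 10)[0]
            off += 10 + rdlen
        return "accept"
    except (struct.error, IndexError, ValueError):
        return "reject: malformed"
```

The source address and port check passes for a forged packet, which is why the random port and ID and the question/answer matching carry the weight here.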
Re: [Full-Disclosure] NAT router inbound network traffic subversion
Check it here -> http://www1.cs.columbia.edu/~smb/papers/fnat.pdf

This should help clarify why NAT can not be considered a security feature.

On Thu, 27 Jan 2005 22:12:19 -0800 Kristian Hermansen <[EMAIL PROTECTED]> wrote:
> I have Googled around and asked a highly-respected Professor at my University whether it is possible to direct packets behind a NAT router without the internal 192.168.x.x clients first requesting a connection to the specific host outside. The answer I received is "not possible". I also asked if this can be thought of as a security feature, to which the reply was again "yes".
>
> Now, I wouldn't place all my bets on his answer and I am calling on someone out there to clear up my question. If NAT really does only allow inbound connections with a preliminary request as he suggests, it seems that the only way to get an "unauthorized" packet behind the router is by some flaw in the firmware of the device.
>
> How about if the client has requested a connection to Google.com from behind his Linksys home NAT router: would it be possible for an outside attacker to spoof packets from Google's IP to get packets into the network? Or do we need to know the sequence numbers as well? Or is there an even more devious way to get packets on the inside without a client's initiative?
>
> Has there been any research into this? Are there statistics on worm propagation and exploited network hosts in relation to those individuals that did not own routers (and instead connected directly to their modem)? If *all* home users on the Internet had NAT routers during the summer of 2003, would we have significantly slowed the spread of Blaster? I believe these all to be very important questions and the security aspects of the ability to route packets behind NAT really interest me...maybe some of you can elaborate :-)
> --
> Kristian Hermansen <[EMAIL PROTECTED]>
Re: [Full-Disclosure] NAT router inbound network traffic subversion
In message <[EMAIL PROTECTED]>, Kristian Hermansen <[EMAIL PROTECTED]> writes

> I have Googled around and asked a highly-respected Professor at my University whether it is possible to direct packets behind a NAT router without the internal 192.168.x.x clients first requesting a connection to the specific host outside. The answer I received is "not possible". I also asked if this can be thought of as a security feature, to which the reply was again "yes".

Yes. But see later.

> Now, I wouldn't place all my bets on his answer and I am calling on someone out there to clear up my question. If NAT really does only allow inbound connections with a preliminary request as he suggests, it seems that the only way to get an "unauthorized" packet behind the router is by some flaw in the firmware of the device.

If you are not offering any services to the Internet, yes. If you are, then you have ports open on the router, redirecting to real machines, which may be running software which can be exploited. This is how worms spread. The home user is unlikely to be hit by a worm, unless they are running a Windows NT-derived operating system, such as XP, without a firewall and/or NAT device. Commercial installations such as web servers are the main targets for worms.

> How about if the client has requested a connection to Google.com from behind his Linksys home NAT router: would it be possible for an outside attacker to spoof packets from Google's IP to get packets into the network? Or do we need to know the sequence numbers as well? Or is there an even more devious way to get packets on the inside without a client's initiative?

Google for "man in the middle" attack.

> Has there been any research into this? Are there statistics on worm propagation and exploited network hosts in relation to those individuals that did not own routers (and instead connected directly to their modem)? If *all* home users on the Internet had NAT routers during the summer of 2003, would we have significantly slowed the spread of Blaster? I believe these all to be very important questions and the security aspects of the ability to route packets behind NAT really interest me...maybe some of you can elaborate :-)

Worms are not usually an issue for home users, except when someone sells an operating system with ports open to the Internet by default. XP pre-service pack 2 is such an operating system. Its users were duly hammered by worms, and would not have been if they used the built-in firewall, which was not enabled by default. I'm not sure how much a NAT device would have helped on its own. Modern versions of Windows are extremely talkative, and it may well have invited the bad guys in of its own accord. But widespread use of the firewall would have stopped it.

More troublesome for home users are viruses spread by email, which initiate connections through the firewall, router or other device from the inside. The security device cannot generally tell whether the user or a virus has made the request, though third-party 'personal' firewalls, running on the user's workstation, are becoming quite good at this. I don't think Internet Explorer currently runs any code in an incoming email automatically, as it once did, but it's not hard to persuade many users to click on a button and run the virus themselves.

Most viruses are now also worms; they will attempt to spread both by email and by direct contact with unprotected machines.

--
Joe
Re: [Full-Disclosure] NAT router inbound network traffic subversion
scenario...

NAT client browses web...
NAT client initiates a HTTP request to do this...
ROUTER returns the request to NAT client... ( normal activity )

attacker website exploits client browser...
exploit drops and executes "badfile.exe"
"badfile.exe" hooks iexplore.exe...
"badfile.exe" is 'reverse connecting trojan'...
"badfile.exe" initiates a HTTP request to do this...
attacker's "badfile.exe" 'client' is waiting with a HTTP server...
the new hooked browser initiates a HTTP request to the attacker.

NAT client is now connected to the attacker through the ROUTER ( kinda like browsing the web huh? )

attacker now has unrestricted packet via the NAT client, that is where ??? BEHIND YOUR ROUTER

attacker now can do as he wishes to the rest of your network ( GAME OVER )

Cheers,
m.w
[Full-Disclosure] NAT router inbound network traffic subversion
I have Googled around and asked a highly-respected Professor at my University whether it is possible to direct packets behind a NAT router without the internal 192.168.x.x clients first requesting a connection to the specific host outside. The answer I received is "not possible". I also asked if this can be thought of as a security feature, to which the reply was again "yes".

Now, I wouldn't place all my bets on his answer and I am calling on someone out there to clear up my question. If NAT really does only allow inbound connections with a preliminary request as he suggests, it seems that the only way to get an "unauthorized" packet behind the router is by some flaw in the firmware of the device.

How about if the client has requested a connection to Google.com from behind his Linksys home NAT router: would it be possible for an outside attacker to spoof packets from Google's IP to get packets into the network? Or do we need to know the sequence numbers as well? Or is there an even more devious way to get packets on the inside without a client's initiative?

Has there been any research into this? Are there statistics on worm propagation and exploited network hosts in relation to those individuals that did not own routers (and instead connected directly to their modem)? If *all* home users on the Internet had NAT routers during the summer of 2003, would we have significantly slowed the spread of Blaster? I believe these all to be very important questions and the security aspects of the ability to route packets behind NAT really interest me...maybe some of you can elaborate :-)
--
Kristian Hermansen <[EMAIL PROTECTED]>