Penetration Testing mailing list archives
attack on a computer behind a nat.
From: "Michael Kitange" <michaelkitange () gmail com>
Date: Tue, 9 Sep 2008 23:43:36 +0300
Thanks for all the info. The router is the NAT box itself. The kind of packet crafting that I was talking about is sending a packet to the NAT and putting inside that packet another packet to the target, making the NAT strip off the outer packet and send my packet to the target. And here's the main question: is it possible to craft such a packet?

On 9/9/08, Mark Owen <mr.markowen () gmail com> wrote:
> On Tue, Sep 9, 2008 at 3:05 PM, Alex Eden <Alex.Eden () senet-int com> wrote:
>> Hypothetically it is possible, even though difficult in reality. Try to scan it with nmap first using the "-g" switch - let's say the firewall is not very good at maintaining sessions, and you can fool it into thinking that your traffic is a response to that desktop's DNS query, or a response to the desktop's HTTP request.... Once you are able to scan, think of a way to send your payload/exploit using the same approach. Eventually you will need a reverse shell.
>
> The only problem with that is the firewall/router/NAT won't be expecting a result from your IP address and will drop it, as it would have no idea what computer behind the NAT to forward it to. If there is no underlying session, there is no communication. You can circumvent this by hijacking an existing session: create a malicious packet with the source address spoofed to match the queried DNS server, but you would have to know what DNS server the victim machine is using, what site they are asking for, and when they are communicating with that server - a man-in-the-middle attack, essentially. Additionally, this will only 'easily' work for applications using UDP, as TCP is sequentially tracked. All of this to hopefully convince an application to redirect to your malicious site and download your content instead, something that is easily preventable with certified certificates on SSL. Then again, not everyone runs SSL.
>
> For the most part, it is a myth to be able to circumvent a properly configured NAT device to directly access a machine UNLESS that machine is configured by the NAT to receive such traffic (HTTP servers, mail servers, game servers). If the target is a single computer behind a factory-set Linksys router, MITM attacks or social engineering are the best angles for compromising it, as nothing is set to automatically forward to that machine without an existing session.
>
> -- Mark Owen
-- Sent from Gmail for mobile | mobile.google.com
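As an added example that is not part of the thread, the script below builds the "packet inside a packet" the original poster asks about (plain IP-in-IP, IP protocol 4, with a correct header checksum) and then runs it, together with the two UDP tricks from the replies (a reply spoofed from the queried DNS server, and an nmap -g 53 style probe), against a small simulated NAT mapping table. The addresses, ports, the single DNS-query mapping and the two NAT behaviours (strict = checks the remote endpoint as well as the mapped port; lenient = forwards anything that hits a mapped port) are all assumptions constructed for illustration, not the behaviour of any particular router.

```python
"""Crafting an IP-in-IP packet and checking it against a simulated stateful NAT.

Added example, not code from the thread. All addresses, ports and the NAT
mapping table below are constructed for illustration.
"""
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; a zero checksum is legal for IPv4 (means 'not computed')."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """The 'packet inside a packet' from the question: outer IP header, proto 4."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner_packet)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode a header the way a receiver would, rejecting a bad checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


class SimulatedNat:
    """Port-mapping NAT (assumed model). strict=True checks the remote endpoint
    as well as the mapped port; strict=False forwards anything arriving on a
    mapped port, i.e. a box that is 'not very good at maintaining sessions'."""

    def __init__(self, public_ip: str, strict: bool = True):
        self.public_ip, self.strict = public_ip, strict
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port, public_port=None):
        """Record the state an outbound UDP flow (e.g. a DNS query) creates."""
        public_port = public_port or inside_port
        self.table[(IPPROTO_UDP, public_port)] = (inside_ip, inside_port, remote_ip, remote_port)

    def inbound(self, pkt: bytes):
        """Return (inside_ip, inside_port) the packet is forwarded to, or None if dropped."""
        ip = parse_ipv4(pkt)
        if ip["dst"] != self.public_ip or ip["proto"] != IPPROTO_UDP:
            # Covers proto 4 too: a NAT that is not a tunnel endpoint never
            # decapsulates IP-in-IP; the inner header is just opaque payload.
            return None
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        entry = self.table.get((IPPROTO_UDP, dport))
        if entry is None:
            return None                      # no session -> no communication
        inside_ip, inside_port, remote_ip, remote_port = entry
        if self.strict and (ip["src"], sport) != (remote_ip, remote_port):
            return None                      # spoofed source must match the queried server
        return inside_ip, inside_port


def demo() -> dict:
    """Constructed scenario: victim 192.168.1.50 behind NAT 203.0.113.10 has just
    sent a DNS query from port 40000 to 198.51.100.53:53; the attacker is 192.0.2.7."""
    strict, lenient = SimulatedNat("203.0.113.10"), SimulatedNat("203.0.113.10", strict=False)
    for nat in (strict, lenient):
        nat.outbound("192.168.1.50", 40000, "198.51.100.53", 53)
    inner = build_ipv4("192.0.2.7", "192.168.1.50", IPPROTO_UDP, build_udp(4444, 4444, b"hi"))
    tunneled = encapsulate("192.0.2.7", "203.0.113.10", inner)

    def udp(src, sport, dport):
        return build_ipv4(src, "203.0.113.10", IPPROTO_UDP, build_udp(sport, dport, b"x"))

    return {
        "ipip_inner_dst": parse_ipv4(parse_ipv4(tunneled)["payload"])["dst"],  # crafted fine
        "ipip_forwarded": strict.inbound(tunneled),
        "spoofed_dns_reply": strict.inbound(udp("198.51.100.53", 53, 40000)),
        "nmap_g53_strict": strict.inbound(udp("192.0.2.7", 53, 40000)),
        "nmap_g53_lenient": lenient.inbound(udp("192.0.2.7", 53, 40000)),
        "unsolicited_port": strict.inbound(udp("192.0.2.7", 53, 22)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The crafting half answers the literal question: an IP-in-IP packet is trivial to build (any raw-socket tool can emit it), and the inner packet parses cleanly once the outer header is stripped. The NAT half shows why that does not help: a NAT that is not configured as a tunnel endpoint has no reason to decapsulate protocol 4, so the packet is dropped like any other unsolicited inbound traffic. The only packets that get through are those matching existing state, and whether a source-port-53 probe from the wrong address qualifies depends entirely on how strictly the box tracks the remote endpoint.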
Current thread:
- attack on a computer behind a nat. Michael Kitange (Sep 09)
- Re: attack on a computer behind a nat. fleetscribbler () socket net (Sep 09)
- RE: attack on a computer behind a nat. Alex Eden (Sep 09)
- Re: attack on a computer behind a nat. Mark Owen (Sep 09)
- attack on a computer behind a nat. Michael Kitange (Sep 09)
- Re: attack on a computer behind a nat. Krugger (Sep 10)
- Re: attack on a computer behind a nat. David Howe (Sep 10)
- Re: attack on a computer behind a nat. Shreyas Zare (Sep 12)
- Re: attack on a computer behind a nat. David Howe (Sep 12)
- Re: attack on a computer behind a nat. Mark Owen (Sep 09)
- <Possible follow-ups>
- Re: attack on a computer behind a nat. Christian Eric EDJENGUELE (Sep 09)
- Re: attack on a computer behind a nat. publists (Sep 12)