Penetration Testing mailing list archives
Re: Inverse NAT?
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 16 Aug 2011 13:09:49 -0500
"Turamarth" <admin () turamarth com> writes:
There is any way to enter a lan interface through a wan interface ( in a normal router ) without a nat forwarding rule, or admin account of the router? maybe a variance of routing tables, o something like this, any idea or documentation about it ?
Reading between the lines and given that we're in a penetration testing mailing list, would it be fair to assume that your goal is to penetrate a client that employs a nat router? Assuming it's part of the scope (and hopefuly it is since the attackers are certainly using it), client-side exploitation would be the easiest way to go here. One way or another (be it through a email phishing campaign or phone social engineering), provide your payload that does a call back on traffic from their LAN connected machine to your waiting web server. This leverages the "hiding in plain sight" approach of leveraging traffic that everyone needs to let out of their environment: outbound tcp/80 and tcp/44. The Social Engineering Toolkit (SET) makes pretty quick work of such. http://www.secmaniac.com/movies/ for demos of what that looks like. This may be something you already know, but as network perimeters have gotten pretty hard and crunchy, client side is the method that's making the most hay for the bad guys. If client side or SE is not in scope, you'd have go hunting for an overlooked nat forward rule or a VPN listening somehow. Wireless is another path of lower resistance if that's in scope to get behind that router. Also don't forget last year's gem from HD Moore about the UDP port that a frightening number of VxWorks based routers are listening on. http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html Best Regards, -- Todd Haverkos, LPT MsCompE http://haverkos.com/ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Inverse NAT? Turamarth (Aug 16)
- Re: Inverse NAT? John C Borkowski III (Aug 17)
- Re: Inverse NAT? Jerry (Aug 17)
- Re: Inverse NAT? Todd Haverkos (Aug 17)
- Re: Inverse NAT? Alexandre Bezroutchko (Aug 17)
- Re: Inverse NAT? Marcelo Soria (Aug 17)
- Re: Inverse NAT? John C Borkowski III (Aug 17)