Security Basics mailing list archives

Re: Inverse NAT?


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 16 Aug 2011 13:09:49 -0500

"Turamarth" <admin () turamarth com> writes:

> Is there any way to enter a LAN interface through a WAN interface (in
> a normal router) without a NAT forwarding rule, or an admin account on
> the router?
>
> Maybe a variant of routing tables, or something like this. Any idea or
> documentation about it?

Reading between the lines and given that we're in a penetration
testing mailing list, would it be fair to assume that your goal is to
penetrate a client that employs a nat router? 

Assuming it's part of the scope (and hopefully it is since the
attackers are certainly using it), client-side exploitation would be
the easiest way to go here.  One way or another (be it through an email
phishing campaign or phone social engineering), provide your payload
that does a call back on traffic from their LAN connected machine to
your waiting web server.  This leverages the "hiding in plain sight"
approach of leveraging traffic that everyone needs to let out of their
environment: outbound tcp/80 and tcp/44.  The Social Engineering
Toolkit (SET) makes pretty quick work of such.
http://www.secmaniac.com/movies/ for demos of what that looks like.

This may be something you already know, but as network perimeters have
gotten pretty hard and crunchy, client side is the method that's
making the most hay for the bad guys.

If client side or SE is not in scope, you'd have to go hunting for an
overlooked NAT forward rule or a VPN listening somehow.  Wireless is
another path of lower resistance if that's in scope to get behind that
router. Also don't forget last year's gem from HD Moore about the UDP
port that a frightening number of VxWorks based routers are listening
on.
http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html


Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
