attack on a computer behind a nat.

["Michael Kitange" <michaelkitange () gmail com>]

thanks for all the info. the router is the nat box itself. the kind of
packet crafting that i was talking about is sending a packet to the
nat and put inside that packet another packet to the target and make
the nat strip off the outer packet and send my packet to the target.
and here's the main question. is it possible to craft such a packet?

On 9/9/08, Mark Owen <mr.markowen () gmail com> wrote:
> On Tue, Sep 9, 2008 at 3:05 PM, Alex Eden <Alex.Eden () senet-int com> wrote:
> > Hypothetically it is possible, even though difficult in reality.
> >
> > Try to scan it with nmap first using "-g" switch - let's say firewall is
> > not
> > very good at maintaining sessions, and you can fool it into thinking that
> > your traffic is response to that desktop's DNS query, or response to
> > desktop's http request....
> >
> > Once you able to scan, think of a way to send your payload/exploit using
> > same
> > approach.
> >
> > Eventually you will need a reverse shell.
>
> Only problem with that is the firewall/router/nat won't be expecting a
> result from your IP address and will drop it as it would have no idea
> what computer behind the nat to forward it to.  If there is no
> underlying session, there is no communication.  You can circumvent
> this by hijacking an existing session; create a malicious packet with
> the source address spoofed to match the queried DNS server, but you
> would have to know what DNS server the victim machine is using, what
> site they are asking for, and when they are communicating with that
> server - a man-in-the-middle attack essentially.  Additionally, this
> will only 'easily' work for applications using UDP as TCP is
> sequentially tracked.
>
> All of this to hopefully convince an application to redirect to your
> malicious site and download your content instead, something that is
> easily preventable with certified certificates on SSL.  Then again,
> not everyone runs SSL.
>
> For the most part, it is a myth to be able to circumvent a properly
> configured nat device to directly access a machine UNLESS that machine
> is configured by the nat to receive such traffic (HTTP servers, mail
> servers, game servers.) If the target is a single computer behind a
> factory set Linksys router, MITM attacks or social engineering is the
> best angle for compromising as nothing is set to automatically forward
> to that machine without an existing session.
>
> --
> Mark Owen

-- 
Sent from Gmail for mobile | mobile.google.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------