BNAT Hijacking: Repairing Broken Communication Channels Jonathan Claudius AIDE 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)


NAT “just works” – sometimes in ways we don’t expect. Thanks to broken vendor implementations and subtle configuration problems, it’s not uncommon to see a router leaking packets. As it turns out, these packets, even in mangled form, often represent a missed opportunity. In this presentation we are going to demonstrate how broken communication channels can be repaired to give an attacker an entirely different functional view of your public-facing infrastructure. If you’re planning on attending this talk, expect to check your understanding of an “open port” at the door and be ready to discover what your last penetration test probably missed. A suite of open source tools will also be released during this presentation that will allow you to identify, weaponize and exploit communications channels that “never existed”, but have been there all along!

Detailed description: A common example of Broken NAT (BNAT) is found in asymmetric routing. Asymmetric routing is basically the concept of creating a logical layer 3 loop in a TCP/IP session between a client and a server, so that the request and the response travel different paths. This is commonly found in complex routing scenarios or in situations where mistakes are "corrected" to make something work without understanding or caring about the actual flow of traffic.

In many cases, what can happen during asymmetric communication initiation is that the response traffic gets mangled/NAT'd by egress devices to the point where the connection becomes inoperable, but the traffic still makes it back to the initiator. What I'm doing is taking this inoperable communication channel and designing a fully usable connection that an attacker could leverage to gain access to the hidden service that responded, even though your client failed to understand the response.
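The mismatch described above can be made concrete by pairing each reply with the probe that elicited it. The following is an added example written for this page; it is not code from the talk or from BNAT-Suite. It models packets as simple records such as a pcap parser would produce, runs a constructed trace in which one SYN/ACK comes back from a different source address than the one probed while still acknowledging the probe's sequence number, and shows the one rewrite a "repair" needs: fix up the inbound source address so the local stack accepts the reply, while leaving outbound packets addressed to the host that actually answered. All addresses, ports and sequence numbers are made up.

```python
"""Detect Broken NAT (BNAT) replies in a packet trace and rewrite them.

Constructed example, not part of BNAT-Suite. A normal TCP stack drops (or
RSTs) a SYN/ACK whose source address does not match the connection it has
open, so a BNAT'd service looks closed to an ordinary scan even though a
reply arrived. Pairing replies with probes by (our port, their port, ISN+1)
exposes them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int
    ack: int


OUR_IP = "198.51.100.5"

# Constructed trace (assumed values): we probe 203.0.113.10 on 80, 443 and 22.
#  - :80  answers from the address we probed (normal).
#  - :443 answers from 203.0.113.77, a different egress NAT, yet the ACK
#         number is our ISN+1 - the service is there, the reply is BNAT'd.
#  - :22  never answers.
#  - a stray SYN/ACK acknowledges nothing we sent and must be ignored.
TRACE = [
    Pkt(OUR_IP, 40001, "203.0.113.10", 80, "S", 1000, 0),
    Pkt("203.0.113.10", 80, OUR_IP, 40001, "SA", 5000, 1001),
    Pkt(OUR_IP, 40002, "203.0.113.10", 443, "S", 2000, 0),
    Pkt("203.0.113.77", 443, OUR_IP, 40002, "SA", 7000, 2001),
    Pkt(OUR_IP, 40003, "203.0.113.10", 22, "S", 3000, 0),
    Pkt("203.0.113.99", 25, OUR_IP, 40004, "SA", 9000, 4001),
]


def find_bnat(trace, our_ip):
    """Return {(probed_host, port): replying_host} for every SYN/ACK that
    acknowledges one of our SYNs but arrives from a different address."""
    pending = {}  # (our sport, their dport, our ISN) -> host we probed
    bnat = {}
    for p in trace:
        if p.src == our_ip and p.flags == "S":
            pending[(p.sport, p.dport, p.seq)] = p.dst
        elif p.dst == our_ip and p.flags == "SA":
            key = (p.dport, p.sport, p.ack - 1)  # reply mirrors the ports
            probed = pending.pop(key, None)
            if probed is None:
                continue  # unsolicited; acknowledges nothing of ours
            if p.src != probed:
                bnat[(probed, p.sport)] = p.src
    return bnat


def repair_inbound(p, bnat_map):
    """Rewrite a BNAT'd reply so the local stack sees it as coming from the
    host it addressed. Outbound traffic keeps its original destination:
    the service is only reachable on the address we probed, it merely
    answers from another one."""
    for (probed, port), replier in bnat_map.items():
        if p.src == replier and p.sport == port:
            return Pkt(probed, p.sport, p.dst, p.dport, p.flags, p.seq, p.ack)
    return p


if __name__ == "__main__":
    found = find_bnat(TRACE, OUR_IP)
    for (host, port), replier in found.items():
        print(f"BNAT: probed {host}:{port}, reply came from {replier}")
    fixed = repair_inbound(TRACE[3], found)
    print(f"after repair the stack sees {fixed.src}:{fixed.sport} -> "
          f"{fixed.dst}:{fixed.dport} ack={fixed.ack}")
```

Feeding a real capture through this only requires replacing TRACE with records decoded from the pcap; the matching logic is the same. The point a scan misses is the second rule: the reply is not "noise from another host" if its ACK number is exactly our ISN+1.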



Bio:
Jonathan Claudius is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has ten years of experience in the IT industry, with the last eight years specializing in security. At Trustwave, Jonathan works in the SpiderLabs Research Division, where he focuses on vulnerability research and network exploitation, and is the creator of the BNAT-Suite. Before joining SpiderLabs, Jonathan ran Trustwave's Global Security Operations Center.

Before joining Trustwave, Jonathan was a Network Penetration Tester for a Top 10 Consulting and Accounting firm and worked for a US Department of Defense contractor in their Communications Electronics Warfare Division. Jonathan holds a Bachelor of Science in Applied Networking and System Administration from the Rochester Institute of Technology and is a Certified Information Systems Security Professional (CISSP).

Recorded at AIDE 2012

Download from:
http://archive.org/download/Aide2012/BnatHijackingRepairingBrokenCommunicationChannels-JonathanClaudius.avi


Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast