samy kamkar - NAT Slipstreaming v2.0
NAT Slipstreaming v2.0
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to any system behind a victim's NAT, bypassing the victim's NAT/firewall (remote arbitrary firewall pinhole control), just by the victim visiting a website.
v1 developed by : @samykamkar // https://sa.my
v2 developed by : samy kamkar && (Ben Seri && Gregory Vishnipolsky of Armis).
Read Ben & Gregory's excellent technical writeup on v2 here which goes deep into their updates of v2 with plenty of additional details.
v1 released : October 31 👻 2020
v2 released : January 26, 2021
Source code : https://github.com/samyk/slipstream
animation generated with my fork of draw.io, allowing exportable edge context flow & control in animations
--><br>Table of Contents
Summary
The deets
Network Address Translation (NAT)
Connection Tracking
Application Level Gateway
Router Investigation / Firmware Dumping
Reverse Engineering Firmware
Finding Interesting Files
Exploring Interesting Functions
Ports / Services to Investigate
Reversing the Kernel Object
Attempting SIP Packet in HTTP POST
Continue Reversing Kernel Object Further
Connection Tracking / Application Level Gateway Investigation
Linux Netfilter
Packet Boundary / Fragmentation Control
TCP Timing Attack / Internal Subnet & IP Discovery
Timing Attack
Browser Protocol Confusion
Live Browser Packet Alteration
Other Findings
Example / Download
Contact
Summary
NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.
This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010). Additionally, new techniques for local IP address discovery are included.
This attack requires the NAT/firewall to support ALG (Application Level Gateways), which are mandatory for protocols that can use multiple ports (control channel + data channel) such as SIP and H323 (VoIP protocols), FTP, IRC DCC, etc.
At a high level, NAT Slipstreaming works like so:
victim visits malicious site (or site with malicious advertisement)https://sa.my/slipstream/server-->
internal IP of victim first must be extracted by browser and sent to server
internal IP attempted to be extracted via WebRTC data channel over https
some browsers (Chrome) only divulge the local IP via WebRTC over HTTPS but some of our attacks require HTTP so we first redirect to the HTTPS version of the attack software to extract the local IP
we then redirect to the HTTP version with the local IP included in the URL if we were able to obtain it to bypass other cross-origin protection mechanisms (the .local mDNS/Bonjour address presented will not be useful for the attack)
if internal IP not divulged by WebRTC (Safari) or no WebRTC (<br>hidden img tags to all common gateways (eg 192.168.0.1) are loaded in background
onerror/onsuccess events attached to img tags
if any TCP RST (onerror) returned by gateway, or SYN + HTTP response (onsuccess), within a few seconds (before TCP timeout triggers onerror), we've detected valid subnet
re-perform timing attack across all IPs on detected subnets (/24), measuring time to onerror/onsuccess firing
fastest response is likely internal IP, though all responses are considered victim internal IP candidates and attacked
large TCP beacon sent via hidden form and automatic HTTP POST to attacker "HTTP server" bound to a non-standard port to force TCP segmentation and maximum MTU size discovery of the victim's IP stack
attacker TCP server sends Maximum Segment Size TCP Option to massage victim outbound packet sizes (RFC 793 x3.1), allowing control of how large browser TCP packets will be
large UDP beacon sent from browser via WebRTC TURN authentication mechanism to non-standard port to attacker's server to force IP fragmentation with TURN username field stuffed
we perform a similar attack as our TCP segmentation, but over UDP as IP fragmentation will occur and provide different values than TCP segmentation
victim MTU size, IP header size, IP packet size, TCP header size, TCP segment sizes detected by server and sent back to victim's browser, used later for packet stuffing
(v1) "SIP packet" in new hidden form generated, containing internal IP to trigger Application Level...