Nat Slipstreaming v2.0 allows an attacker to remotely access any TCP/UDP service

_____k2 pts1 comments

samy kamkar - NAT Slipstreaming v2.0

NAT Slipstreaming v2.0

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to any system behind a victim's NAT, bypassing the victim's NAT/firewall (remote arbitrary firewall pinhole control), just by the victim visiting a website.

v1 developed by : @samykamkar // https://sa.my

v2 developed by : samy kamkar && (Ben Seri && Gregory Vishnipolsky of Armis).

Read Ben & Gregory's excellent technical writeup on v2 here which goes deep into their updates of v2 with plenty of additional details.

v1 released : October 31 👻 2020

v2 released : January 26, 2021

Source code : https://github.com/samyk/slipstream

animation generated with my fork of draw.io, allowing exportable edge context flow & control in animations

--><br>Table of Contents

Summary

The deets

Network Address Translation (NAT)

Connection Tracking

Application Level Gateway

Router Investigation / Firmware Dumping

Reverse Engineering Firmware

Finding Interesting Files

Exploring Interesting Functions

Ports / Services to Investigate

Reversing the Kernel Object

Attempting SIP Packet in HTTP POST

Continue Reversing Kernel Object Further

Connection Tracking / Application Level Gateway Investigation

Linux Netfilter

Packet Boundary / Fragmentation Control

TCP Timing Attack / Internal Subnet & IP Discovery

Timing Attack

Browser Protocol Confusion

Live Browser Packet Alteration

Other Findings

Example / Download

Contact

Summary

NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.

This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010). Additionally, new techniques for local IP address discovery are included.

This attack requires the NAT/firewall to support ALG (Application Level Gateways), which are mandatory for protocols that can use multiple ports (control channel + data channel) such as SIP and H323 (VoIP protocols), FTP, IRC DCC, etc.

At a high level, NAT Slipstreaming works like so:

victim visits malicious site (or site with malicious advertisement)https://sa.my/slipstream/server-->

internal IP of victim first must be extracted by browser and sent to server

internal IP attempted to be extracted via WebRTC data channel over https

some browsers (Chrome) only divulge the local IP via WebRTC over HTTPS but some of our attacks require HTTP so we first redirect to the HTTPS version of the attack software to extract the local IP

we then redirect to the HTTP version with the local IP included in the URL if we were able to obtain it to bypass other cross-origin protection mechanisms (the .local mDNS/Bonjour address presented will not be useful for the attack)

if internal IP not divulged by WebRTC (Safari) or no WebRTC (<br>hidden img tags to all common gateways (eg 192.168.0.1) are loaded in background

onerror/onsuccess events attached to img tags

if any TCP RST (onerror) returned by gateway, or SYN + HTTP response (onsuccess), within a few seconds (before TCP timeout triggers onerror), we've detected valid subnet

re-perform timing attack across all IPs on detected subnets (/24), measuring time to onerror/onsuccess firing

fastest response is likely internal IP, though all responses are considered victim internal IP candidates and attacked

large TCP beacon sent via hidden form and automatic HTTP POST to attacker "HTTP server" bound to a non-standard port to force TCP segmentation and maximum MTU size discovery of the victim's IP stack

attacker TCP server sends Maximum Segment Size TCP Option to massage victim outbound packet sizes (RFC 793 x3.1), allowing control of how large browser TCP packets will be

large UDP beacon sent from browser via WebRTC TURN authentication mechanism to non-standard port to attacker's server to force IP fragmentation with TURN username field stuffed

we perform a similar attack as our TCP segmentation, but over UDP as IP fragmentation will occur and provide different values than TCP segmentation

victim MTU size, IP header size, IP packet size, TCP header size, TCP segment sizes detected by server and sent back to victim's browser, used later for packet stuffing

(v1) "SIP packet" in new hidden form generated, containing internal IP to trigger Application Level...

victim packet attack browser internal control

Related Articles