El Cheapo Router Challenge


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
reply to rgillis70
Re: NAT Challenge

Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.
--
dmiessler.com -- grep understanding knowledge


Gelroos
Mad Mage
Premium
join:2003-05-23
Wilmington, DE

Bahh, Daniel that's cheatin'

Seriously, while I would agree that some outbound traffic would be classified as "typical", this "mythical" NAT-transversal attack (sounds nice at least) should work whether someone is sending packets outbound (hence having at least "something" in the tables) or the connection is idle. I've "heard" that people can do this, I've never seen proof... I'd like to see some of the people who have said it is possible do this, and then explain to me HTH they did it.
--
The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. It is its natural manure. The "Tree of Liberty" letter From Thomas Jefferson to William Smith

B
Premium,MVM
join:2000-10-28


Well yeah, but the cool part of the challenge should be that the leet hackerz don't have to reveal how they did it -- all they have to do is... do it!

We don't want to give them any excuse not to demonstrate their leetitude.

-- B
--
In a realm outside causality and function


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Daniel
said by Daniel:

Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.
When do you want to do it and do you have a preference as to which NAT device? Would I be surfing to your site, or just surfing in general?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to B
said by B:

Well yeah, but the cool part of the challenge should be that the leet hackerz don't have to reveal how they did it -- all they have to do is... do it!
If requested, I would be happy to keep the attack technique confidential except for the fact that it worked. Whatever it takes to prove or disprove how safe NAT devices are, as that is the ultimate goal of this challenge.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Gelroos
Mad Mage
Premium
join:2003-05-23
Wilmington, DE
Well, if you are going to be so considerate LL, all you have to do is go to a specified URL running a specified browser and click on a specified link... Then click the run button


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

said by Gelroos:

Well, if you are going to be so considerate LL, all you have to do is go to a specified URL running a specified browser and click on a specified link... Then click the run button
Is that all you want me to do?? I'm at a client site right now (largest bank in the world), but I'd gladly do that for you right now, as I'm logged on to the top level domain server which has all the transfer accounts and such on it, so it shouldn't be a problem to do your quick test right away.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to Link Logger
said by Link Logger:

said by Daniel:

Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.
When do you want to do it and do you have a preference as to which NAT device? Would I be surfing to your site, or just surfing in general?
I'm not sure what the parameters would be, but no, it wouldn't be to a site I own. The idea would be to try and ride back through entries in your NAT table. I'm not saying I could do this, or that it can be done, but I don't see it as impossible.

As for whether or not someone could get packets into a modern SOHO router that doesn't have anything in the NAT table -- that I'd rate as highly unlikely.

But yeah, I think we should explore this for real this time. Many of us here have wanted to for a while now; we should just go ahead and do it. Let's set up a time to meet in #ATU or something.
--
dmiessler.com -- grep understanding knowledge

B
Premium,MVM
join:2000-10-28


A variation to a site you own would probably be good too -- the attack could involve an HTML e-mail message with links back to an image at your site -- the image retrieval would alert you to the target's presence (and presumably NAT table state).

Stretching the definition of "unsolicited" I realize, but...

-- B
--
In a realm outside causality and function


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Daniel
That sounds fair. Try scanning the 'El Cheapo NAT Router' and see if you can determine what ports are being used and if that doesn't work I'll tell you what ports are being used so we don't waste too much time on detection and can focus on exploitation.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


ntguru911

join:2001-03-26
Powell, OH

reply to Link Logger
I'm not sure if you're serious about working for a very large bank or not, but if you are, shouldn't we be using the correct terminology -- PAT (port address translation), which is what all these devices are, at least in default out-of-the-box configuration?
© 1999-2009 dslreports.com