Opening closed ports on NAT device and bypassing stateful firewalls with BeEF

EncryptedBytes · #1 July 14th, 2012, 09:45 PM

-http://blog.beefproject.com/2012/07/opening-closed-ports-on-nat-device-and.html-

Quote:

In 2010 Samy Kamkar discovered a method that he called "NAT Pinning." The idea was, an attacker lures a victim to a web page and that web page forces the victim's router or firewall to forward any port number back to the user's machine.

#2 July 15th, 2012, 12:54 AM

Eww, nasty. I cannot wait until malicious sites start using remote exploits, instead of tired old drive-by downloads.

Anyway... How would UFW's default configuration for iptables fair against such an attack? And what about Windows software firewalls? Would I be wrong in suspecting an interactive firewall might be safer in this case?

Hungry Man · #3 July 15th, 2012, 01:27 AM

Quote:

Originally Posted by Gullible Jones

Eww, nasty. I cannot wait until malicious sites start using remote exploits, instead of tired old drive-by downloads.

Anyway... How would UFW's default configuration for iptables fair against such an attack? And what about Windows software firewalls? Would I be wrong in suspecting an interactive firewall might be safer in this case?

AppArmor can limit your program and resitrct them from being able to use protocols like IRC, which are necessary for protocol spoofing (haven't read it yet, assuming that's what this is.)

An outbound Firewall would prevent this as well by locking the program to specific ports.

JRViejo · #4 July 15th, 2012, 03:24 AM

Merged Threads, Eliminating Redundant Posts.

#5 July 15th, 2012, 07:19 PM

Quote:

If the user had FTP/ssh/etc open but it was blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world.

So the key there is that the user has some kind of server (FTP, ssh, etc) running. If you don't there's nothing to forward.

http://samy.pl/natpin/

xxJackxx · #6 July 16th, 2012, 09:07 AM

Quote:

Originally Posted by BrandiCandi

So the key there is that the user has some kind of server (FTP, ssh, etc) running. If you don't there's nothing to forward.

http://samy.pl/natpin/

I'd probably want to make sure 135-139 and 445 were closed as well. I've found internet accessible shares that were meant to be private because those ports were open.

#7 July 16th, 2012, 12:16 PM

Quote:

Originally Posted by BrandiCandi

So the key there is that the user has some kind of server (FTP, ssh, etc) running. If you don't there's nothing to forward.

http://samy.pl/natpin/

Doesn't Windows, by default, keep ports open beneath its firewall though?

Hungry Man · #8 July 16th, 2012, 12:37 PM

There are at least 3 open ports on Windows by default for the NetBIOS or something else.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search