
Thread: Weakness in routers

  1. #1 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    Weakness in routers

    There is a vulnerability in Level One and DSE wireless routers that allows a remote attacker to bypass NAT, opening up the computers behind it to attack. The only variable for this to work is that the computers on the target network have visited a site that you can guess. A minimum of one packet can achieve this, but more likely a for loop would need to be run.

    target computer ------- BB router (theirs) -------- internet --------- BB router (mine) ----- router(a) ----- router(b) ---- your computer

    command:
    nemesis tcp -x 80 -y <any port, 139> -s 4 -fA -S google.co.nz -D <their bb router> -H <router(b) mac> -M <router(a) mac, or any on path>


    Send the above packet until wireshark receives a syn,ack to port 139. All packets that you send with your source ip and mac will get forwarded to the computer that was browsing google.co.nz, up until about a minute. With a source port of 80 it should all go through the firewall.

  2. #2 Virchanza (Very good friend of the forum, joined Jan 2010, 863 posts)

    OK let me see if I've got this straight:

    Let's say the NAT-enabled router receives a packet on the WAN side, and let's say that the destination port is 139. The NAT-enabled router will do the following:
    1) Check its list of "inward pinholes" to see if the packet should be forwarded to a specified IP address on the LAN.
    2) Check its list of "currently open sockets" to see if the packet should be forwarded to a particular IP address on the LAN.

    So let's say, out of the blue, we randomly send a packet destined for port 139 to the WAN side of a NAT-enabled router. The router will check its "inward pinhole" list and then check its "currently open socket" list, and having found no match for port 139, it won't forward the packet onto the LAN. The packet will never reach the "victim computer".

    What you're saying, if I understand you correctly, is as follows:
    1) From the victim computer, you send a packet with source port 139 to the "malicious computer". When the NAT-enabled router sees this packet arrive on its LAN side, it will add an entry to its "currently open socket" list.
    2) Now that there's an entry in the "currently open socket" list, we can communicate with port 139 on the victim computer.

    Do I understand correctly?

    One thing I just want to add, and I don't know whether you've considered this yet:
    When the NAT-enabled router receives the packet on its LAN side with a source address of 139, it might forward on the packet giving it a different source address. For instance, it might receive a packet with source port of 139, and then forward it on as a packet with source port 1027. Then your malicious computer will have to send a packet to port 1027 on the WAN side of the NAT-enabled router, and this packet will be forwarded on to port 139 of the victim computer. This shouldn't be a problem so long as your malicious computer knows to respond on the same port number.

  3. #3 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    This is what I believe happens.
    As the victim searches a site like google.co.nz, the router records the MAC and IP of google.co.nz for the reply. The MAC and IP are both used to allow access, but they are set individually from each other, meaning that if, say, google.co.nz changes to a backup server, the IP should stay the same but the MAC will be different, so the router needs to let the traffic through.
    You send an update to the router saying google.co.nz has a MAC (my MAC), so for any packet you send, the router will think that you are Google, even though your IP is different.

    Quote Originally Posted by Virchanza
    will add an entry to its "currently open socket" list.

    , so the router will think that all communication you send will already be authorized by the computer behind the NAT. NAT normally changes the port; like if you send a packet out with a source of 50, NAT might change that to 51 (don't know whether that has any part in this thought). It worked with nmap, and that didn't have a source port of 80, meaning that the router completely lost its mind.
    The forwarding shouldn't be a problem as it's just passing it down the chain, and back (but you wouldn't know what IP behind the router the computer uses, unless you got into the computer (ifconfig eth0)). If you had two routers one after the other, it should get by both (if both are exploitable), but not tested (I only have two LAN routers to test with).

    If the packet has a destination port of 50, you can send packets to any destination port.

  4. #4 Virchanza (Very good friend of the forum, joined Jan 2010, 863 posts)

    Quote Originally Posted by compaq
    This is what I believe happens.
    As the victim searches a site like google.co.nz, the router records the MAC and IP of google.co.nz for the reply.

    Let's say the public IP address of the "malicious machine" is 15.16.17.18

    Let's say that the WAN IP address of the NAT-enabled router is 22.23.24.25

    Let's say that the private IP address of the "victim machine" is 10.10.10.5 (this victim machine is hidden behind the NAT-enabled router)

    We'll start off with a packet originating from the victim machine, and it will be sent to the LAN MAC address of the NAT-enabled router. The packet will be as follows:
    Source = 10.10.10.5 via port 139
    Destination = 15.16.17.18 via port 80

    When the NAT-enabled router receives this packet on its LAN side, it will change the source address (and perhaps the source port also), so that the packet that goes out on the internet is:
    Source = 22.23.24.25 via port 139 (this could be port 1027, who knows)
    Destination = 15.16.17.18 via port 80

    Before the NAT-enabled router sends this packet out over the internet, it will make a new entry in its "currently open socket" list as follows:
    Packets coming from the internet with a destination port of 1027 will get forwarded on to port 139 of 10.10.10.5

    After that, all the malicious machine has to do is open up Windows Explorer and type in "\\22.23.24.25:1027\". This will result in the following packet being sent out to the internet:
    Source = 15.16.17.18 via port 1065 (this can be anything you like)
    Destination = 22.23.24.25 via port 1027

    When the NAT-enabled router receives this packet from the internet, it will consult its "currently open socket" table to see that traffic for port 1027 should be forwarded on to port 139 of 10.10.10.5, so the packet will be changed as follows:
    Source = 15.16.17.18 via port 1065
    Destination = 10.10.10.5 via port 139

    So there you go, when you type "\\22.23.24.25:1027\" into Windows Explorer, you'll be able to access file shares (or whatever is shared over port 139).

    The only problem you need to address is how you're going to get the victim computer to send out a packet with source port of 139. Also you might have some NAT-enabled routers that don't play fair with port numbers less than 1024.

    Looks like you're on to a winner though. Have you tried it out?
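    To make the table logic in this post concrete, here is a small Python model (an added example, not code from the thread) of the two inbound filtering behaviours a NAT can have. The addresses are the post's constructed values plus an assumed address 203.0.113.10 for the web server the victim visited; the MAC-layer behaviour discussed in the thread is outside the model. It shows that a NAT which forwards any inbound packet whose destination port has a mapping delivers a third party's packet with a forged source port 80 to the LAN host, while a NAT that also checks the recorded remote IP:port drops it.

```python
from dataclasses import dataclass

# Constructed addresses: the post's values plus an assumed IP for the web
# server the victim visited (added example, not code from the thread).
VICTIM, WAN, ATTACKER, WEB = "10.10.10.5", "22.23.24.25", "15.16.17.18", "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """strict=False: forward any inbound packet whose dst port has a mapping.
    strict=True: also require the packet's source to match the remote
    endpoint recorded when the mapping was created."""
    def __init__(self, wan_ip, strict):
        self.wan_ip, self.strict = wan_ip, strict
        self.next_port = 1027
        self.table = {}  # external port -> (lan ip, lan port, remote ip, remote port)

    def outbound(self, pkt):
        ext = self.next_port
        self.next_port += 1
        self.table[ext] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.wan_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no pinhole and no open socket: drop
        lan_ip, lan_port, remote_ip, remote_port = entry
        if self.strict and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapped port, but wrong peer: drop
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

def forged_ack_result(strict):
    """Victim browses the web server, then a third party sends a packet to the
    mapped WAN port with a forged source port of 80. Returns the packet
    delivered to the LAN, or None if the NAT dropped it."""
    nat = Nat(WAN, strict)
    out = nat.outbound(Packet(VICTIM, 50000, WEB, 80))  # mapped to WAN:1027
    forged = Packet(ATTACKER, 80, WAN, out.src_port)    # right port, wrong source IP
    return nat.inbound(forged)

if __name__ == "__main__":
    print("port-only filtering:  ", forged_ack_result(strict=False))
    print("peer-checked filtering:", forged_ack_result(strict=True))
```

    The strict check is the mitigation a router vendor would ship: the open-socket entry is keyed on the full connection, not on the external port alone.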

  5. #5 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    The thing works on my routers.

    You shouldn't have to worry about the target sending out a packet on port 139. Just use the command in the first post with a dst port of anything, then fire up the browser and type in 22.23.24.25:139; it will send it to 10.0.0.5:139. Or do nmap 22.23.24.25 -p 139; it will reply "open" with the service name for 139.

    nemesis tcp -x 80 -y <any port> -s 4 -fA -S google.co.nz -D 22.23.24.25 -H <mac of my router connected to this computer> -M <mac of the router that my router connects to>

    Code:
    nmap 222.23.24.25 -p 80 -p 139 -p 445
    open http
    filtered netbios (I think)
    filtered microsoft-mc (something or other)

  6. #6 thorin (My life is this forum, joined Jan 2010, 2,629 posts)

    Side note:

    Code:
    nmap 222.23.24.25 -p 80 -p 139 -p 445

    You can comma delimit the port list, like so:

    Code:
    nmap 222.23.24.25 -p80,139,445

    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    Quote Originally Posted by thorin
    You can comma delimit the port list, like so:
    Code:
    nmap 222.23.24.25 -p80,139,445

    Thanks, future note.
