NAT hacking.

[blackglasspirate]

Can anyone point me to some info about hacking through a NAT?
I've always been interested in how it would work, but haven't really seen much info on it.
Is tricking the user to come to you(exploited website, downloaded file, etc.) the only way to get in?

Yes, this is for personal testing on my own network(whether you believe it or not).

[trustme]

As I understand it you need to have a host on the inside initiate the connection back to you. Otherwise you would need to be able to exploit the firewall between the two host.

You could, for example, have a remote host inside the firewall run a script that creates a shell bound to a port. Then have another script that makes an outbound connection on an allowed outbound port, like http/80 to your machine. Your machine listens on port 80 and pipes that port to an other on your machine which you can connect to.

I quickly found the following it's about using netcat and telnet to reverse shell.

onlamp.com/pub/a/onlamp/2003/05/29/netcat.html

It's not the best tutorial I have ever read on it but should help you figure out what to search for next.

[thorin]

Google is your friend, try search strings like "How NAT works", "How ARP works", etc.

[blackglasspirate]

Thanks for the netcat tut, trustme. I'll look into it.

On the other hand, I know how NAT and ARP work, I'm just having to get my mind to think on the offensive side.

[CloseCall]

Well unless they have services exposed to the internet via port forwarding there is little you can do to the machines behind it.

To use netcat you would already need to have access to the host. Netcat will not help you the get access the first time but once the perimeter is breached its allows for easy access back in without having to preform the same actions. So yes to "defeat" NAT you would have to trick the computer/User to initiate a connection or to execute software.

NAT also provides problems for VOIP (service) provider like for example skype. They use technique's called UDP hole punching. More info:

en.wikipedia.org/wiki/UDP_hole_punching (cant post urls yet so please c/p )

But this also requires that you already have access on the host behind the devices that does the NAT.

To give you some advice. normally an attack will take place against computers/servers that have public services running like webservers, mail servers, routers, etc. Once the bad guys are in the will try to hop further into the network. Thats why its a good idea to implement a Demilitarized zone (DMZ) for servers running public services. You can find more information on Demilitarized zones on wikipedia

en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29 (cant post urls yet so please c/p )

[dlink]

I don't know if this would work but if you send a syn/ack and you have guesssed a sevice behind the nat like web browser and you send a exploit in the has data, you might beable to open up a port. Try testing it on your network. I don't know if it will work has i don't have a router

[imported_spankdidly]

I have Nats. Usually in the summer time if fruit is left out on the counter.