An interesting thing happened to me this year while at Defcon 19. I was in the shwag line waiting for some friends to pick out some items for their order when all of a sudden I saw a rather familiar face. At first I had no idea who he was but we both just looked at each other for a second and finally he came up to me and said "You look very familiar do I know you?". After talking for a minute I realized this was one of my friends from back home in Upstate NY, Jonathan Claudius. I actually used to ride the school bus with him and he lived about half a mile away from my house. I lived in a small town so this chance encounter was pretty mind blowing. In fact the population of the area I grew up in was roughly 12,000 according to a survey in 2009. Pretty small compared to the nearest city which had a population of 200,000 according to the same survey in 2009.
What does all this have to do with Metasploit? Well Jonathan was giving a Skytalk at Defcon and wanted me to come see his presentation. I made sure I went to the talk to see what he had been up to. It turns out his talk really impressed me. He had come up with a way of dealing with broken NAT implementations which will sometimes reply to a request with a different IP address rather than the original destination IP. This causes the communication channel to be dropped because the client does not expect this reply to come from another IP address and just sends a RST(reset) packet to the host that replied.
When you run into one of these broken implementations nmap will usually show the port your trying to reach as "filtered". Most people simply think this means the port is firewalled off and unreachable. But Jonathan, came up with a set of tools which can detect BNAT(broken NAT) implementations, and repair the communications. The tools basically listen for replies to the initial request made to detect if another IP address replies. Fixing up the communication is the next step, he wrote a tool which will fix up the source IP address of the incoming replies so that the client can handle the communications as normal.
Originally, the BNAT tools were written in ruby and using todb's PacketFu. The tools were standalone and sitting in a GIT repository. When I saw Jonathan's talk I asked him why not make the tools into modules for Metasploit. We already include the needed library, PacketFu, so porting the tools over was just a matter of cleaning up the code a little and throwing it into a module template. Jonathan wanted to port the tools over but he had never developed for Metasploit before so he needed some help. So, one night I called him up on the phone and we worked on porting the tools over for a few hours. A few days later the tools were in the Metasploit SVN repository ready for use by everyone!
The following video demos the tools and shows how a "filtered" port might actually lead to gaining access to a network:
Hopefully, after seeing the demo you can see the full potential these modules might bring to external pentests. We started out with a nmap scan which just showed the port as "filtered" and we managed to fix up the communication channel, and finally exploit a vulnerability. The purpose of this demo was to show that in networking, sometimes things are not always as they seem. A filtered/closed port can sometimes be really be open you just need to know how to communicate with it.
There are however, some caveats you need to consider when performing BNAT scanning and hijacking that make it a little harder than your normal everyday symmetric TCP communication exploit.
- You need IPTables or a host-based firewall to selectively suppress reset packets or your BNAT sessions can be prematurely reset. In IPTables it can be done as follows as a preliminary setup on the Router host.
- iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
- In order to perform scanning activities over the public Internet, you need to be bridged to the Internet and not behind any firewall/nat service that would enforce state or you will not even notice when you trigger BNAT because that service will prevent us from completing the session.