BNAT (Broken NAT) is namely defined as IP communication that is being improperly nat'd to create an inoperable communication channel. A common example of BNAT is found in asymmetric routing where we (intentionally or unintentionally) create a logical layer 3 loop in a TCP/IP session between a client and a server. This is commonly found in complex routing scenarios or situations where mistakes are "corrected" to make something work without understanding or caring about the actual flow of traffic.
Very Basic Example
.1 ----SYN-----> .2 (.1 is the client and starts a session w/ a syn to .2) .1 <--SYN/ACK--- .3 (.3 responds to .1 with the syn/ack) .1 ----RST-----> .3 (.1 responds to .3 with a rst)
Why Does BNAT Matter?
BNAT effectively hides TCP ports from being identified by modern TCP clients and port scanning utilities like NMAP. With the right tools, you can identify ports that would otherwise be considered as closed/filtered which can be converted into legitimate open ports. This opens the door for traditional exploitation vectors in a service that was previously unreachable.
- BNAT-Scan compared to NMAP -sS Scan
- BNAT-Router handling BNAT'd SSH Session
- Using Metaploit's BNAT auxmod's to exploit Tomcat
- Metasploit Blog - A Tale From Defcon and the Fun of BNAT
- Spiderlabs Blog - Advanced BNAT in the Wild
If you are interested in contributing to this project, please see CONTRIBUTING.md