NAT boxes tend to drop unexpected traffic coming from WAN, by design.
Assuming there are no implementation flaws, I don't think you can
penetrate into LAN without involving a user sitting there.
Apart from social engineering attacks mentioned, DNS rebinding might be
relevant. The attack does not require any actions from the victim beyond
opening a rogue page in their browser. It works against web admin
interfaces and UPnP listeners. I played with both in the past, mileage
varies depending on the victim's browser and peculiarities of the webadmin
interface. I had an attack against a UPnP service working for Firefox
sitting behind a NetGear router. You may find some more details here
http://www.gremwell.com/dns-rebinding-checklist.
Best regards,
Alex Bezroutchko
Gremwell
www.gremwell.com
On 08/16/2011 08:09 PM, Todd Haverkos wrote:
> "Turamarth"<admin (at) turamarth (dot) com [email concealed]> writes:
>
>> Is there any way to enter a lan interface through a wan interface ( in
>> a normal router ) without a nat forwarding rule, or admin account of
>> the router?
>>
>> maybe a variance of routing tables, or something like this, any idea or
>> documentation about it ?
> Reading between the lines and given that we're in a penetration
> testing mailing list, would it be fair to assume that your goal is to
> penetrate a client that employs a nat router?
>
> Assuming it's part of the scope (and hopefully it is since the
> attackers are certainly using it), client-side exploitation would be
> the easiest way to go here. One way or another (be it through an email
> phishing campaign or phone social engineering), provide your payload
> that does a call back on traffic from their LAN connected machine to
> your waiting web server. This leverages the "hiding in plain sight"
> approach of leveraging traffic that everyone needs to let out of their
> environment: outbound tcp/80 and tcp/44. The Social Engineering
> Toolkit (SET) makes pretty quick work of such.
> http://www.secmaniac.com/movies/ for demos of what that looks like.
>
> This may be something you already know, but as network perimeters have
> gotten pretty hard and crunchy, client side is the method that's
> making the most hay for the bad guys.
>
> If client side or SE is not in scope, you'd have to go hunting for an
> overlooked nat forward rule or a VPN listening somehow. Wireless is
> another path of lower resistance if that's in scope to get behind that
> router. Also don't forget last year's gem from HD Moore about the UDP
> port that a frightening number of VxWorks based routers are listening
> on.
> http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html
>
>
> Best Regards,
> --
> Todd Haverkos, LPT MsCompE
> http://haverkos.com/
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------