Full Disclosure: Re: NAT router inbound network traffic subversion

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: NAT router inbound network traffic subversion

From: "morning_wood" <se_cur_ity () hotmail com>
Date: Fri, 28 Jan 2005 03:32:20 -0800

scenario...

NAT client browses web...
NAT client initates a HTTP request to do this...
ROUTER returns the request to NAT client...
( normal activity )

attacker website exploits client browser...
exploit drops and executes "badfile.exe"
"badfile.exe" hooks iexplore.exe...

"badfile.exe" is 'reverse connecting trojan'...
"badfile.exe" initiates a HTTP  request to do this...
attacker's "badfile.exe"' 'client' is waiting with a HTTP server...

the new hooked browser initiates a HTTP request to the attacker.
NAT client is now connected to the attacker
through the ROUTER ( kinda like browsing the web huh? )
attacker now has unrestricted packet via the NAT client,
that is where ??? BEHIND YOUR ROUTER

atacker now can do a he wishes to the rest of your network
( GAME OVER )


Cheers,
m.w
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

NAT router inbound network traffic subversion Kristian Hermansen (Jan 28)
- Re: NAT router inbound network traffic subversion morning_wood (Jan 28)
- Re: NAT router inbound network traffic subversion Joe (Jan 28)
- Re: NAT router inbound network traffic subversion Darren Bounds (Jan 28)
- <Possible follow-ups>
- Re: NAT router inbound network traffic subversion Kristian Hermansen (Jan 28)
- Re: NAT router inbound network traffic subversion bart2k (Jan 28)
  - Re: NAT router inbound network traffic subversion Bart . Lansing (Jan 28)