Security News > 2020 > November > New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service
"NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse," Kamkar said in an analysis.
NAT Slipstreaming works by taking advantage of TCP and IP packet segmentation to remotely adjust the packet boundaries and using it to create a TCP/UDP packet starting with a SIP method such as REGISTER or INVITE. SIP is a communications protocol used for initiating, maintaining, and terminating real-time multimedia sessions for voice, video, and messaging applications.
The idea, in a nutshell, is to overflow a TCP or UDP packet by padding and force it to split into two so that the SIP data packet is at the very start of the second packet boundary.
Just as the packets reach the attack server and it's determined that the SIP packet isn't rewritten with the public IP address, an automatic message is sent back to the client, asking it to adjust its packet size to a new boundary based on the data previously gleaned from the sniffer.
Armed with the right packet boundary, the NAT is deceived into thinking, "This is a legitimate SIP registration and from a SIP client on the victim's machine," eventually causing the NAT to open up the port in the original packet sent by the victim.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/P8N5EKhmrZs/new-natfirewall-bypass-attack-lets.html
Related news
- North Korean govt hackers linked to Play ransomware attack (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- North Korean hackers create Flutter apps to bypass macOS security (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465) (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Palo Alto Networks patches two firewall zero-days used in attacks (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)