How did they get past my NAT?

[this is a repost, I also sent to alt.computer.security]

Sorry I'm new here, not sure this is the right newsgroup to post to -
I have a question that is about routers, security, and connectivity
all rolled into one.

Yesterday while I was working on my desktop all of a sudden a session
kicked in on my VNC server - my desktop background image disappeared
and the RealVNC system tray icon turned black to indicate a session in
progress. Within a couple of seconds, something hit my start menu, run
dialog, "cmd", and typed "TFT" in the new command prompt window. At
this point I panicked and shut down the VNC service ASAP.

This post is not actually about the VNC problem, I found out today
that the version I used had a known security flaw that allowed
bypassing the password prompt. That is clearly what happened there,
and could be easily fixed with upgrading to the newest version.

My question is how the attacker got to my VNC port!

Here's all the background I can muster:

 - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
 - I have a standard NAT lan, with a variety of devices connecting to
the internet through the router.
 - I have certain very specific ports forwarded to my desktop for
remote access, peer-to-peer connectivity, etc.
 - I am NOT forwarding either of the VNC ports (standard ports 5900
and 5800), so to my limited knowledge the VNC service should not be
accessible from the internet. I have of course tested this, and found
that to be correct. The VNC service is not publicly accessible.
 - I do not have the firewall enabled on the router, because I assumed
the NAT basically made it safe. I tried enabling the router firewall
today but it also seems to block the services that I need to be able
to access from the internet (eg HTTP, I run a small webserver), so
that does not work for me.
 - I WAS running uTorrent at the time of the attack (and had been for
a few hours)
 - I did get the IP address of the attacker from my VNC log, it was
"85.239.126.86", an address in Germany. I have not looked for or found
any further information. I guess I could try a port scan but I assume
it's a zombie computer so what's the point.

Now my understanding is that "85.239.126.86" being an internet
address, for the VNC session to work that address would need to be
routable - the only way that that address could be routed on my
network is through the ADSL router / gateway (I think). In theory I
guess there could have been some sort of local tunnel set up, but I
assume that would have required a virtual network adapter to have been
set up on my computer? (I saw nothing like that, and virus and spyware
scans have come up clean).

If it was routed through my router, how could the attacker have
convinced the router to initiate the communication to my internal port
5900 on that particular machine??? The safety of a NAT, as I
understand it, is that remote hosts cannot access an internal address
unless there is explicit port forwarding enabled, or the session is
initiated by a host behind the NAT, is that not correct?

I guess I'm only coming to the real point of my post now - assuming
that I'm on the right track, and that this communication on port 5900
was happily handled by my router, could it have been initiated by
another program on my desktop, specifically the uTorrent client? I've
been logging sessions on my router since this morning, and I see that
client connections are opened by the uTorrent client (very frequently,
thousands per hour) with random local port numbers, that slowly seem
to increase / cycle. It is possible that the uTorrent client made a
client connection using local port number 5900 (which was also being
used by the VNC server), and the computer/remote host that the
uTorrent client was connecting to took advantage of this situation to
test / probe / attack the VNC server on that port?

I guess the questions are:
 - is it possible for a client TCP connection to be initiated by a
local "client" program from a port that is already being used by a
"server" program, like VNC server?
 - what are the chances, statistically speaking, that this would
happen? Would it be worth a hacker's time to set up servers as
bittorrent participants / seeds in the hopes that some client computer
makes a connection using a special port (eg VNC), which could then
allow the computer's VNC server to be probed / tested for the known
VNC vulnerability? It's the only explanation that I can think of, but
I just can't see how it would be worth a hacker's time!

Final blurb: I set up a syslog server on my desktop and have been
logging all incoming and outgoing sessions from my router (generating
a nasty amount of log data, but I'll put up with it). This way I'll be
able to see how the session gets set up, if I ever become aware of
another similar situation. I will upgrade my VNC server of course, so
the attack would need to use another vector.  My concern of course is
that I may NOT be aware of it next time. My desktop is not hardened as
a public server with all ports exposed - I'm very much counting on the
fact that only specific selected ports should be accessible from
outside. In theory, if any port on the desktop can be exposed, then my
windows filesharing setup is just one of the things that would be
vulnerable to brute-force attack. Is there anything else I can do to
investigate this or help prevent future issues? Does anyone have any
experience with the Xavi router or GlobespanVirata chipset that could
help me get it set up to prevent this from happening again? For now I
will probably install a local firewall on the desktop allowing only
the servers I need to work, but that of course makes all sorts of
things more complicated - file and printer sharing, VPN client
software setup, HTTP proxy setup, etc etc. I just wish I could feel
safe in my own network again!

Sorry about the monster first post, I would appreciate any and all
feedback.

Thanks,
Tao


Re: How did they get past my NAT?
Maniaque wrote:

> [quoted text omitted]

NAT doesn't make it safe.

> [quoted text omitted]

Simply ask for it? Wait until it comes up?

> [quoted text omitted]

What about implicit forwarding, for example by protocol helper implementations?

> It is possible that the uTorrent client made a
> [quoted text omitted]

No.

No, but using a protocol helper you can do this for a different port.

> [quoted text omitted]

Assuming that the timeout for the NAT table entries is five minutes, it
could be a completely different source.

> [quoted text omitted]

Then implement this concept.

> [quoted text omitted]

Or DoS attacks.

> [quoted text omitted]

Maybe, but unless you know the implementation....

Re: How did they get past my NAT?
OK, thanks very much for the reply, although now I feel like I've been
made to wear the donkey hat and stand in the corner of the
classroom... :)

> [quoted text omitted]

What do you mean by "Ask for it"? If I do that (from outside the
network), I get no response, because there is no "Default host" set up
behind my NAT, and no port forwarding for that port - if an explicit
port forwarding has not been set up, how can a remote host "Ask for"
that server? Is this something that is allowed by the average NAT but
requires extra network programming skills?


> [quoted text omitted]

But why would it ever come up? Why would that port ever be opened to
the outside from that machine? The port is bound to the VNC server (so
no other program on the desktop should be able to do anything with it,
as I understand?), and not forwarded on the router, so there should be
no reason for a NAT session entry pointing that port to the outside
ever to be opened, right? (I certainly don't open VNC connections to
the internet, despite my limited knowledge I am very aware that basic
VNC communication is totally unprotected, both authentication and
data)

> [quoted text omitted]

Sounds interesting, what is this? Is this the sort of thing that can
sometimes make regular "Active" FTP work from behind a NAT, where the
firewall automatically sees the FTP control port communication and
opens up/forwards the data port as required? If so, how could the
router be convinced to do this for an arbitrary port? Is there some
sort of standard for triggering this behaviour?

I have just tested Active FTP from behind my NAT and it did not work
(to an FTP server where passive FTP is working without issues) - does
that say anything about this possibility?

> [quoted text omitted]

I've searched online for any information about "protocol helper", it
seems to be synonymous with "IP helper" - I see a windows API, but
that looks like it would require the attacker to be running arbitrary C/
C++ code on the desktop (or other device on the network?). Do you know
where I could find any information about what this is, how it works
etc?

> [quoted text omitted]

OK, I'm going to show my complete lack of understanding about how NAT
works here (if I haven't already :)), but it's the NAT device keeping
track of the ip addresses (and some additional "magic" session
information?) at both ends of the communication? What happens if two
client machines try to open a connection from the same client-side
port at the same time, does the NAT simply refuse one of them? I was
under the impression that there could be multiple machines
communicating to/from the same port from behind a NAT without
problems. For that to be true, the NAT device would need to be looking
at each incoming packet and sending it to the correct internal host
based on some filtering logic, right (rather than a simple temporary
port-to-host mapping table)? Are you saying that some arbitrary third-
party IP address can send in a packet and have it be routed to a
specific host behind the NAT, as long as the attacker has seen one of
the packets of the communication between the legitimate remote host
and the local host behind the NAT?

If I understand what you are saying correctly, and a remote attacker
can actually direct arbitrary packets into any Existing NAT session by
spying on a legitimate packet destined to/from the NAT-ed host, that
still doesn't explain how the port session could be opened on the NAT
device in the first place - is this where you are saying that the
"Protocol Helper" comes in?


> [quoted text omitted]

So... given that my ADSL connection uses PPPoA (which is non-
bridgeable I believe, as opposed to PPPoE), I would need to set up a
second router/firewall/NAT device like a linksys wrt54G to sit behind
the telecoms-operator-provided Xavi router, forward the appropriate
ports through both devices, and make sure that the firewall is turned
on on the wrt54g? I can only assume that what was "missing" in my
original setup was a firewall (which my adsl router claims to have,
but when I turn it on all the port forwarding stops working, which
sort of defeats the purpose). Or do you have any other suggestions on
how this can be done using home equipment?


> [quoted text omitted]

Meh, I'm not so concerned. Why would anyone bother? I'm a home user,
I'm running a silly little website with 10 pageviews/month, my only
concern is that someone gets into my machine / network and installs
malicious code, spies on me, enlists my computer into a botnet of some
sort, turns me into an infection vector for some or other virus /
worm / trojan, etc. That would suck. It is incredibly unpleasant to
have your desktop suddenly taken over via VNC, too, although I don't
think that can happen again in quite the same way, I did upgrade away
from the defective RealVNC version.

> [quoted text omitted]

Not sure what you meant here - I know exactly how I have everything
set up, but I don't know much about the workings / functionality of
the router itself. There are no configuration manuals online or
anything. In fact, I was able to get it to forward logging info to a
syslog server on my desktop by browsing through and editing the
"configuration backup" file, but afterwards remembered what I'd read a
few months ago on some forum - you have to turn logging off on this
router, because otherwise it hangs when it runs out of log space. No
cycling, no "forward to syslog server but do not store locally", it
simply hangs.

So it looks like at an absolute minimum I'm going to need to set up
the second-level linksys wrt54g firewall/router, but I guess I'd like
your criticism if you have any thoughts on the sensibleness of this
idea, and whether it helps to "implement this concept" as you
suggested above :)

Thanks so much for the feedback!
Tao
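To make the "protocol helper" Maniaque refers to, and that Tao asks about above, concrete: the following is an added example, not code from the thread or from any router vendor. It models an FTP application-layer gateway of the kind that makes active FTP work through NAT. The helper reads PORT commands on the control channel, pre-opens the advertised address and port inbound, and rewrites the command so the server's data connection targets the router's public address. The permissive variant trusts whatever the client advertised and leaves the hole open to anyone; the strict variant is a hardening assumption of this example, not any real router's behaviour: it honours PORT only for the host that opened the control connection, admits only the FTP server's own address, and closes the expectation after one use. All addresses (192.168.1.x, 198.51.100.21, 192.0.2.66, 203.0.113.7) are constructed.

```python
"""Toy model of an FTP 'protocol helper' (application-layer gateway) on a NAT router.

Added example, not code from the thread or from any router vendor. The helper
watches client->server lines on the FTP control channel (TCP/21). On a PORT
command it pre-opens the advertised address/port inbound (an 'expectation') and
rewrites the command so the server's data connection targets the router's
public address. Addresses are constructed (RFC 1918 LAN, RFC 5737 ranges).
"""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2  ->  data address h1.h2.h3.h4, data port p1*256 + p2
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$")


@dataclass
class FtpHelper:
    lan_client: str                 # LAN host that opened the control connection
    server_ip: str                  # FTP server the control connection goes to
    wan_addr: str = "203.0.113.7"   # router's public address (constructed)
    strict: bool = False            # hardening assumption, see on_control_line()
    # public port -> (allowed source or None for anyone, lan_ip, lan_port)
    expect: dict = field(default_factory=dict)

    @staticmethod
    def parse_port(line: bytes):
        """(ip, port) for a well-formed PORT command, else None."""
        m = PORT_RE.match(line)
        if m is None:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

    def on_control_line(self, line: bytes) -> bytes:
        """Handle one client->server control line; return what the server sees."""
        parsed = self.parse_port(line)
        if parsed is None:
            return line                         # not PORT: pass through unchanged
        ip, port = parsed
        if self.strict and ip != self.lan_client:
            return line                         # refuse to open a port on another host
        # Permissive: anyone may use the hole, and it stays open. Strict: only the
        # FTP server may connect, once. Either way the advertised port is opened,
        # even if it is a service such as VNC's 5900 and was never forwarded.
        allowed = self.server_ip if self.strict else None
        self.expect[port] = (allowed, ip, port)
        w = ",".join(self.wan_addr.split("."))
        return f"PORT {w},{port // 256},{port % 256}\r\n".encode()

    def route_inbound(self, src_ip: str, dst_port: int):
        """Where an inbound SYN from src_ip to wan_addr:dst_port lands, or None."""
        entry = self.expect.get(dst_port)
        if entry is None:
            return None
        allowed, lan_ip, lan_port = entry
        if allowed is not None:
            if src_ip != allowed:
                return None
            del self.expect[dst_port]           # one-shot expectation, consumed on use
        return (lan_ip, lan_port)


def demo():
    """Feed both helper variants a PORT naming 5900 on the client and 5901 on a
    neighbour, then see who can reach those ports from outside."""
    server, stranger = "198.51.100.21", "192.0.2.66"
    results = {}
    for mode in (False, True):
        h = FtpHelper("192.168.1.10", server, strict=mode)
        h.on_control_line(b"PORT 192,168,1,10,23,12\r\n")   # 23*256+12 = 5900 (VNC)
        h.on_control_line(b"PORT 192,168,1,20,23,13\r\n")   # 5901 on another LAN host
        results["strict" if mode else "permissive"] = {
            "stranger": h.route_inbound(stranger, 5900),
            "server_first": h.route_inbound(server, 5900),
            "server_again": h.route_inbound(server, 5900),
            "other_host": h.route_inbound(server, 5901),
        }
    return results


if __name__ == "__main__":
    for mode, table in demo().items():
        print(mode, table)
```

Even the strict helper opens 5900 to the FTP server for one connection, which is Maniaque's point: a helper can expose a port that was never forwarded, to whatever remote host the LAN client happens to be talking to. The practical check on a home router is therefore whether it runs any such helpers at all (FTP, SIP, PPTP and IRC DCC are the common ones) and whether they can be switched off.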



Re: How did they get past my NAT?
maniaque27@gmail.com says...
> [quoted text omitted]

A NAT is not a firewall at all, it's basic routing - Most non-technical
types call NAT Routers firewalls, they are not.

a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
inbound traffic, that's all.

No, port forwarding is what your problem is - if you forward ports then
you expose your computer/network and that's how people reach your
computer to do things you don't want.

You should learn to post in one group or to cross post so that your
thread is easy to work with for multiple groups that you've done this
in.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: How did they get past my NAT?
> [quoted text omitted]

That I understand, but I'm always a little confused about what the
difference Exactly is... a firewall is a device that only allows
connections that you want to allow - a NAT is a device that allows
outgoing connections arbitrarily, but normally (or only sometimes? see
the STUN information Chris mentioned) prevents arbitrary incoming
connections. Most home routers additionally claim to have a "firewall"
function that you can turn on / off (including the WRT54G) - when do
you decide what is and what is not a firewall? I really would like to
know, it's something that's puzzled me for years. Some things are
clearly not a firewall at all, like a "Full-cone" NAT router. Some
things are clearly a firewall first, and anything else after, like one
of those Cisco devices. But aren't most home routers somewhere in-
between?

> [quoted text omitted]

Not true. The WRT54G can block outgoing connections based on any
number of specified parameters, and then it has all those extra fancy
features that I don't understand ;)

  Firewall Protection: Enable / Disable
  Additional Filters:
    Filter Proxy, Filter Cookies
    Filter Java Applets, Filter ActiveX
    Block Portscans, Filter P2P Applications
  Block WAN Requests:
    Block Anonymous Internet Requests
    Filter Multicast
    Filter Internet NAT Redirection
    Filter IDENT (Port 113)

> [quoted text omitted]

Only if they get past the intended security of the service in
question, right?

> [quoted text omitted]

Yep, thanks.

Tao



Re: How did they get past my NAT?
maniaque27@gmail.com says...
> [quoted text omitted]

it's a NAT device that can block outbound ports - it has no clue what
those ports are and doesn't know the difference between HTTP and SMTP
except that they use different ports.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

Re: How did they get past my NAT?
Leythos wrote:
> [quoted text omitted]

Just some questions, with the goal of learning more.

So you call a firewall something with complex heuristics? Really, does
iptables provide more than filtering on protocol, port and state
information, and do people actually use it? Because in essence, iirc,
a NAT router does the same: it opens up a connection if somebody on the
inside requests it, and after that allows the connection until it's
broken down (FIN or RST). Do I have a point here or not?

Re: How did they get past my NAT?
DOT paulus AT skynet DOT be says...
> [quoted text omitted]

Does the device, in the standard/default mode, block traffic in both
directions?

Does the device know the difference between HTTP and SMTP or only TCP 80
and TCP 25?

Does the device understand being attacked and auto-block sources of
attacks or unauthorized traffic?

Does the device use NAT or can it be setup with rules without using NAT?
If it forces NAT then I don't consider it a firewall unless it can do
all the others - since MOST of the devices that force NAT are
residential device (yea, not all inclusive, but you should get the idea
without us going off the deep end).

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Re: How did they get past my NAT?
Leythos wrote:
> [quoted text omitted]

No, OK, you got me here: it only does this for INBOUND traffic. But I
myself don't block outbound traffic on my box (Slackware) either,
because I consider myself knowledgeable enough to be trusted :D

> [quoted text omitted]

Do you consider netfilter to be a firewall (well, in essence it's a
stateful packet filter)? Because iirc there is no SMTP or HTTP netfilter
module, and it does its filtering mostly on the data link and transport
protocol headers, like most firewalls do. It would be very costly
performance-wise to implement application protocol filters in
firewalls, and I've yet to see one that does. Also, implementing complex
heuristics: because let's face it, the higher you go up the TCP/IP
stack, the more complex the headers and payload become, the more bugs
you'll get in the code that does the heuristics --> the more flaws there
are to be exploited!

Re: How did they get past my NAT?
DOT paulus AT skynet DOT be says...
> [quoted text omitted]

Sorry, but I don't consider NAT Routers to be firewalls, they are
routers with some fancy features, not firewalls.

Many "Firewalls" do know the difference between SMTP and traffic over
TCP 25 - so, while you've yet to see one, you just are not working with
the better hardware out there.

As for Bugs, yes, but I only purchase certified appliances, ones from
vendors that have a proven record of staying secure and clean, so I
trust that a LOT more than what most people use in their homes.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Re: How did they get past my NAT?
Leythos wrote:
> [quoted text omitted]

If the router closes all ports and conceals LAN IP addresses
then it's just as good, and in one respect better than, any
software firewall.


Re: How did they get past my NAT?

> [quoted text omitted]

Uh oh.  Someone said "software firewall."

Brace for the impending ranting about how they aren't firewalls
either.  

--
Todd H.
http://www.toddh.net/

Re: How did they get past my NAT?
Todd H. wrote:
> [quoted text omitted]

Oops, I didn't expect to get off scot-free.


Re: How did they get past my NAT?

> [quoted text omitted]

IF it closes all ports (nat is irrelevant). But the hypothesis of the
thread was that ports were being punched through the router. Note that a
router which refuses to pass on ports IS a firewall. And since it operates
on software loaded on the router, it is a software firewall.


Re: How did they get past my NAT?
rick0.merrill@NOSPAM.gmail.com says...
> [quoted text omitted]

Actually, a NAT Router is better than any PERSONAL firewall solution
installed on a non-dedicated computer.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Re: How did they get past my NAT?
Leythos wrote:
> [quoted text omitted]
What if your personal computer runs a BSD (ipfw, pf) or a GNU/Linux
distribution (iptables)? And is there such a big difference between a
firewall that has its code burned into flash (firmware) and a firewall
that hooks into the TCP/IP stack of a general purpose OS?

Re: How did they get past my NAT?
DOT paulus AT skynet DOT be says...
> [quoted text omitted]

As long as it is a dedicated computer and not one that users are
playing/working on, then it can easily be a firewall. Checkpoint running
on a Nix OS is a great example of a dedicated server class firewall -
notice the dedicated.

With all that is available at a reasonable cost today, a firewall that
is just a router is not really a firewall. The appliances I install can
tell the difference between SMTP and HTTP or FTP and do a lot more,
that's the least I would install.

This still goes back to these cheap residential units called firewalls
by the marketing department - if you look up NAT, it's routing, simple
and plain, not Firewalling.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Re: How did they get past my NAT?
> [quoted text omitted]

Firewalls can route, routers are not firewalls.

> [quoted text omitted]

I'll give you that, but people seem to think a firewall will protect
them from many things that these NAT Routers don't protect them from,
and a firewall appliance can and does protect them from.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Re: How did they get past my NAT?

> [quoted text omitted]

And now you are going to tell us what the difference is between a NAT
router that rejects all incoming unsolicited connections, and a firewall
that rejects all unsolicited incoming connections.
It is certainly true that a firewall can be a slightly less blunt
instrument, and can reject or accept more subtly than a NAT router can, but
IF that router is set up not to do any port forwarding, then it is also a
firewall set up to reject all incoming connections.



Re: How did they get past my NAT?
> It is certainly true that a firewall can be a slightly less blunt
> [quoted text omitted]

There are two major differences:

1. NAT is not designed to work as a security solution.
2. Depending on the implementation, it might forward the connection anyway
without any explicit rule.
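Maniaque's two remarks, the earlier one that with a five-minute NAT table timeout the inbound connection "could be a completely different source" and the closing one that a NAT implementation "might forward the connection anyway without any explicit rule", and the long NAT-router-versus-firewall exchange, all come down to what the box keys its decision on. The following is an added example, not code from the thread and not the configuration of any real router: a toy model of the two behaviours fed the same traffic. NatOnly keeps a translation table keyed by the public port alone, refreshes it on any traffic and expires it after an idle timeout; Stateful keeps per-connection 5-tuple entries, tears them down on FIN/RST and drops unsolicited SYNs unless an explicit forward rule exists. Addresses are constructed (192.168.1.10 for the VNC host, 198.51.100.20 for its legitimate peer, 192.0.2.66 for an unrelated host, 203.0.113.7 for the router), and the public port is assumed equal to the LAN port so the tables stay readable.

```python
"""NAT mapping lookup versus stateful connection tracking, as a toy model.

Added example, not from the thread and not any real router's configuration.
A LAN host runs VNC on 192.168.1.10:5900 and once made an outbound connection
from local port 5900. Two boxes then receive the same inbound segments:
  NatOnly  - table keyed by public port only; any external source may use a
             live entry until it idles out (the 'completely different source');
  Stateful - entries keyed by (peer ip, peer port, lan ip, lan port), removed on
             FIN/RST; unsolicited SYNs dropped unless a forward rule exists.
Addresses are constructed (RFC 1918 / RFC 5737); public port == LAN port here.
"""
from dataclasses import dataclass

WAN = "203.0.113.7"   # router's public address (constructed)
TIMEOUT = 300.0       # idle lifetime of an entry: the five minutes Maniaque assumed


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    ts: float          # arrival time in seconds


class NatOnly:
    """Endpoint-independent mapping plus static port forwards."""

    def __init__(self, forwards=None):
        self.table = {}                  # public port -> (lan_ip, lan_port, last_seen)
        self.forwards = forwards or {}   # public port -> (lan_ip, lan_port)

    def outbound(self, seg):
        self.table[seg.sport] = (seg.src, seg.sport, seg.ts)

    def inbound(self, seg):
        entry = self.table.get(seg.dport)
        if entry is None:
            return self.forwards.get(seg.dport)
        lan_ip, lan_port, last = entry
        if seg.ts - last > TIMEOUT:
            del self.table[seg.dport]    # idled out: only static rules remain
            return self.forwards.get(seg.dport)
        self.table[seg.dport] = (lan_ip, lan_port, seg.ts)   # any source refreshes it
        return (lan_ip, lan_port)        # delivered, whoever sent it


class Stateful:
    """5-tuple connection state with teardown, plus static port forwards."""

    def __init__(self, forwards=None):
        self.conns = {}                  # (peer_ip, peer_port, lan_ip, lan_port) -> last_seen
        self.forwards = forwards or {}

    def outbound(self, seg):
        if "SYN" in seg.flags:
            self.conns[(seg.dst, seg.dport, seg.src, seg.sport)] = seg.ts

    def inbound(self, seg):
        for key, last in list(self.conns.items()):
            peer_ip, peer_port, lan_ip, lan_port = key
            if (peer_ip, peer_port, lan_port) != (seg.src, seg.sport, seg.dport):
                continue                 # not the peer of this flow
            if seg.ts - last > TIMEOUT:
                del self.conns[key]      # idle entry: treat the segment as unknown
                break
            if seg.flags & {"FIN", "RST"}:
                del self.conns[key]      # teardown: deliver it, then forget the flow
            else:
                self.conns[key] = seg.ts
            return (lan_ip, lan_port)
        if seg.flags == frozenset({"SYN"}) and seg.dport in self.forwards:
            return self.forwards[seg.dport]   # explicit forward rule only
        return None


def scenario():
    """Same outbound flow and the same six inbound segments against both boxes."""
    lan, peer, stranger = "192.168.1.10", "198.51.100.20", "192.0.2.66"
    syn = frozenset({"SYN"})
    steps = [
        ("peer_reply", Segment(peer, 6881, WAN, 5900, frozenset({"SYN", "ACK"}), 1.0)),
        ("stranger_in_window", Segment(stranger, 40000, WAN, 5900, syn, 120.0)),
        ("unsolicited_http", Segment(stranger, 40001, WAN, 80, syn, 130.0)),
        ("peer_fin", Segment(peer, 6881, WAN, 5900, frozenset({"FIN", "ACK"}), 200.0)),
        ("peer_after_fin", Segment(peer, 6881, WAN, 5900, frozenset({"ACK"}), 201.0)),
        ("stranger_after_timeout", Segment(stranger, 40002, WAN, 5900, syn, 1000.0)),
    ]
    results = {}
    for name, box in (("nat-only", NatOnly({80: (lan, 80)})),
                      ("stateful", Stateful({80: (lan, 80)}))):
        box.outbound(Segment(lan, 5900, peer, 6881, syn, 0.0))   # the one outbound flow
        results[name] = {label: box.inbound(seg) for label, seg in steps}
    return results


if __name__ == "__main__":
    for name, table in scenario().items():
        print(name, table)
```

Running it shows the difference the thread argues about: NatOnly delivers the stranger's SYN to 192.168.1.10:5900 because a mapping for 5900 happens to be alive, and keeps delivering the peer's traffic after the FIN; Stateful hands the stranger's SYN to nobody, forgets the flow once the FIN has passed, and still honours the one explicit forward for TCP/80. Real routers sit anywhere between the two models (many consumer NATs have endpoint-independent mappings but filter on the peer address), which is why "NAT blocks unsolicited inbound" is true of some boxes and false of others; the only way to know for a given unit is to test it, for instance with the STUN client Tao mentions.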
