Once it executes things on the host, it can reopen and repeat the process if that were the case.
STEVEN KENNEY
DIRECTOR OF GLOBAL CONNECTIVITY & CONTINUITY
A: 158 Erie St. N | Leamington ON
E: st...@wavedirect.org | P: 519-737-9283
W: www.wavedirect.net
https://www.wavedirect.net/ | https://www.facebook.com/ruralhighspeed | https://www.instagram.com/wave.direct/ | https://www.linkedin.com/company/wavedirect-telecommunication/ | https://twitter.com/wavedirect1 | https://www.youtube.com/user/WaveDirect

From: "Ken Hohhof" <af...@kwisp.com>
To: "af" <af@af.afmug.com>
Sent: Monday, November 2, 2020 9:22:18 AM
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT

Wouldn’t there be a short window of opportunity like 5 or 10 minutes before the TCP connection ages out in the NAT connections table? Or does this also rely on a flaw in some ALG?

I worry more about UPnP which can program permanent port forwards in the router. There are even flawed routers that expose UPnP on the WAN side.

From: AF <af-boun...@af.afmug.com> On Behalf Of Steven Kenney
Sent: Monday, November 2, 2020 8:03 AM
To: af <af@af.afmug.com>
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT

I wondered when someone would exploit this. I knew the possibility existed because most firewalls and NAT base their packet forwarding on the origin. If it is a new connection and it wasn't established internally it drops it. So when we establish a connection outside we open an arbitrary source port and the router holds this port open. This is where the clever JavaScript comes into play where the browser can be exploited and malformed packets can do their little dance. Quite a cool concept actually.

From: fiber...@mail.com
To: "af" <af@af.afmug.com>
Sent: Sunday, November 1, 2020 8:39:30 AM
Subject: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT

Synopsis: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

https://samy.pl/slipstream/

--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
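The two mechanisms the thread turns on, origin-based forwarding (an inbound packet is only admitted if an internal host opened the mapping first) and the idle timeout that ages a mapping out of the connection table, are easy to see in a small simulation. The code below is an added illustration written for this archive page; it is not code from the NAT Slipstreaming write-up, from any router firmware, or from either poster. The public address, the internal host, the external port allocation starting at 10000 and the 600-second idle timeout are all constructed assumptions, and the endpoint-dependent filtering check (only the peer that the LAN host contacted may use the pinhole) is one common NAT behaviour, not a description of any particular router.

```python
"""Toy stateful NAT / connection-tracking table (added example, not vendor code).

Models two behaviours discussed in the thread:
  * origin-based forwarding: inbound packets are delivered only through a
    mapping that an internal host created by sending outbound first;
  * idle-timeout aging: an unused mapping is removed from the table, which
    is the "window of opportunity" a held-open port represents.
All addresses, ports and the timeout value are constructed for the demo.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal_ip: str
    internal_port: int
    remote_ip: str
    remote_port: int
    last_seen: float  # simulated clock, seconds


class StatefulNat:
    """Port-translating NAT whose table is populated only by outbound traffic."""

    def __init__(self, public_ip: str, idle_timeout: float, first_port: int = 10000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self._ports = itertools.count(first_port)          # assumed allocation scheme
        self.table: Dict[Tuple[str, int], Mapping] = {}    # (proto, external port) -> Mapping

    def _lookup_or_allocate(self, pkt: Packet, now: float) -> Tuple[int, Mapping]:
        # Reuse an existing mapping for the same internal socket and peer.
        for (proto, ext), m in self.table.items():
            if (proto, m.internal_ip, m.internal_port, m.remote_ip, m.remote_port) == (
                pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
            ):
                return ext, m
        ext = next(self._ports)
        m = Mapping(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now)
        self.table[(pkt.proto, ext)] = m
        return ext, m

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> WAN: create/refresh the mapping and rewrite the source."""
        ext, m = self._lookup_or_allocate(pkt, now)
        m.last_seen = now
        return Packet(pkt.proto, self.public_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """WAN -> LAN: deliver only through a live mapping; None means dropped."""
        self.expire(now)
        m = self.table.get((pkt.proto, pkt.dst_port))
        if m is None:
            return None                                   # no internal origin: dropped
        if (pkt.src_ip, pkt.src_port) != (m.remote_ip, m.remote_port):
            return None                                   # wrong peer for this pinhole
        m.last_seen = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, m.internal_ip, m.internal_port)

    def expire(self, now: float) -> int:
        """Age out mappings idle longer than the timeout; returns how many were removed."""
        stale = [k for k, m in self.table.items() if now - m.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)


def demo(idle_timeout: float = 600.0) -> dict:
    """Walk through the cases the thread raises and return the observed outcomes."""
    nat = StatefulNat("198.51.100.1", idle_timeout)
    out = {}
    # 1. Unsolicited inbound to an internal service: no mapping, dropped.
    out["unsolicited"] = nat.inbound(Packet("tcp", "203.0.113.5", 5555, "198.51.100.1", 22), now=0.0)
    # 2. LAN host opens an outbound connection; the NAT holds an external port for it.
    sent = nat.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443), now=1.0)
    out["external_port"] = sent.src_port
    # 3. The contacted peer's reply comes back through that pinhole.
    reply = nat.inbound(Packet("tcp", "203.0.113.5", 443, "198.51.100.1", sent.src_port), now=2.0)
    out["reply_delivered_to"] = (reply.dst_ip, reply.dst_port) if reply else None
    # 4. A different remote host aiming at the same external port is dropped.
    out["other_peer"] = nat.inbound(Packet("tcp", "192.0.2.77", 443, "198.51.100.1", sent.src_port), now=3.0)
    # 5. Once the mapping has idled past the timeout it is gone, even for the real peer.
    out["after_timeout"] = nat.inbound(
        Packet("tcp", "203.0.113.5", 443, "198.51.100.1", sent.src_port), now=2.0 + idle_timeout + 1
    )
    out["table_size"] = len(nat.table)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the unsolicited packet and the wrong-peer packet both dropped, the legitimate reply translated to 192.168.1.10:40000, and the mapping gone after the idle window, which is the aging Ken asks about. A mapping that is kept alive by traffic, or one that an ALG rewrites to point at a different internal port, would not age out this way, and a UPnP port forward is a permanent table entry outside this aging logic altogether.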