Category Archives: Security

BNAT

BNAT stands for “Broken NAT“. In the scope of Jonathan Claudius work, a NAT is considered broken when the client receives a reply from a server behind a NAT with a different IP than the one it sent the request to.

It happens with bad implementations where the DNAT (destination NAT) and the SNAT (source NAT) use a different IP because of a wrong rule or because the outbound and inbound interfaces are separated.

As a result, the operating system of the client will discard right away such a reply (with a TCP RST), because it does not match an existing TCP session.

The idea is that a pentester auditing such an infrastructure with a classic scanner will miss some entry points. A typical scanner relies on the network stack of the system : it will not receive the reply and will consider the port as filtered.

So Jonathan came with a proof-of-concept to illustrate his purpose.

It is composed of a B-Router and a client. The B-Router will intercept the reply and maintain the session by sending an ACK. This way, it handles an asymetric routing scheme for the client. Just add a filtering rule to block your system’s RST (iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP ), and you are good to go.

Simple but brilliant, isn’t it ? The great thing is that the code has now been included in Metasploit, so it is even more straightforward.

Check the slides of Jonathan at DEFCON for more info. You can download the source there (or just update your Metasploit and look for it in auxiliaries).

EMET, pretty weak ALSR

Didier Stevens “benchmarked” the efficiency of ALSR as implemented by the EMET tool.

The conclusion is that it is pretty weak, whereas I thought it was on pair with true ALSR (as advertised). Very instructive.

Security Mind Map

I recently attended to the 2011 edition of the SSTIC conference (a major security conference in France), where I had a good time and where the slides of Joanna Rutkowska somehow inspired me.

I shamelessly decided to reuse and extend her mind-map style diagram from a system security centric view into something more generic and operational on IT security.

Then, I came with this first version of the diagram:

A the moment it is probably quite incomplete and incoherent on some aspects, but I am quite satisfied of the shape it is taking. I will certainly update it quite often, as soon as I think about something new.

I find it convenient as a memo summarizing goals, steps and tools to achieve security. It may also help clarifying some points during a presentation.

Feel free to use it (as long as you keep the credit to this website). I am waiting for your comments and suggestions on how to improve it.

Vulnerabilities in software from Schneider Electric

I found multiple vulnerabilities in software from Schneider Electric, used to monitor industrial monitoring devices. It reveals a very poor security design.

The editor was informed and I am waiting for its acknowledgement. I will disclose more details once the issues are patched.

FFFjacking

FFFjacking is new web browser hacking technique discovered by Roman Kümmel (aka .cCuMiNn.).

Even though it requires a little of social engineering, it is quite dangerous. Yet another string to add to the bow.

Phocean.net

Computer Security Blog

Category Archives: Security

BNAT

EMET, pretty weak ALSR

Security Mind Map

Vulnerabilities in software from Schneider Electric