Yes. As we know, a router works at layer 3 of the OSI model. It only knows what is in layer 3 and below, such as IP, port and MAC address; that is it.
Before jumping into how the attack is done, let us go over the basics.
Every time you access a server such as Google, a three-way handshake is done to create a session.
- The client sends a SYN (synchronize sequence number) request to the server, meaning: I want to talk to you, here is my SYN number.
- The server then sends back a SYN and ACK (acknowledge) number in response, meaning: I acknowledge your SYN number and here is my SYN number, or: I want to talk to you too.
- The client sends back an ACK to the server, meaning: I acknowledge your SYN number too, so let's talk.
With the above steps the 3-way handshake is completed. Afterwards, every time they send data to each other, the sender sets the TCP PSH and ACK flags and the receiver sends back an ACK, which states: I have received your data.
The above is OSI layer 4 stuff and not required for this attack, but it is basics. So, why shouldn't you know it?
How does a router route?
Although there is a lot to say, long story short: every time a packet wants to go outside from a private network, the router says STOP! and asks the questions below:
- Where are you coming from? (Source IP, Source port)
- Where are you going to? (Destination IP, Destination port)
After learning these four components, the router saves a note to itself that a user has gone from THIS_PRIVATE_IP on PORT to EXTERNAL_IP on PORT. Then the router changes the packet's source address to its public IP and sends it on to its destination. Once the response comes back to the client's public IP, the router looks at its notes, and if it finds an entry, it automatically redirects the traffic back to the original requester, the private host.
So, what if a client on a private network sends a request to google.com on port 443 and an attacker figures that out at the very moment the victim makes the request? Well, they can just craft a packet with the source IP of google.com and source port 443, destined to the requester's public IP on the port the request was sent from.
Look at the green line first and then the red one:
As you can see, in step #1 the victim is making a request to google.com, and in step #2 the attacker has crafted a packet in response with google as source and the victim as destination. Since the router has an allow entry for google.com, the router has no option but to redirect the traffic to the victim, the private host.
Note: step #1 does not even have to be done by the victim; it could be a zombie on the same network that spoofs the victim's IP and opens a hole.
You can use this technique to perform various types of attacks against a private network, such as DoS, DDoS, etc.
Proof of Concept
You can use Eve-NG to create a virtual lab.
The network diagram doesn't matter very much; you can add either one router or as many as you wish. But I suggest that you use at least two routers and 3 VMs (Client, Server, Attacker). Make sure your server is reachable from anywhere in the network. Then place your client in a private network whose default gateway router has NAT configured. Lastly, the Attacker can be anywhere outside of the private network. Just like a casual home network.
Once you are done creating your lab environment, I suggest you run Wireshark on each VM to monitor the traffic and understand what goes where. Then create a listener with netcat on port 443 on the server, connect to the server from the client/victim using telnet, and on the attacking machine craft a packet and send it to the victim's public IP. This can be achieved as simply as below:
Step #1: Create a listener on server:
root@Kali:/# nc -lnvp 443
Step #2: Connect to server using telnet:
root@kali:/# telnet server_ip 443
If you have configured NAT correctly in your private network, after connecting to the server from the client you should see the client's public IP, not its private IP, on the server.
Step #3: Craft a packet destined to the victim's public IP and the port that was used to create the session with the server.
Although you can use your favourite tool to craft a packet, I used TCPF from https://github.com/MrMindKeeper/tcpf/blob/master/tcpf.c
Using TCPF you can craft a packet as below:
root@kali:/# tcpf -s google.com_IP -d Victim_public_IP -sp 8080 -dp 500 -pd "Packet Data" -sn 1 -an 1 -w 256 -c 1 -v -4 -5
- "-s" is the source IP you wish to set on the packet, in this case the server/google.com
- "-d" is the destination IP you wish to send the packet to, i.e. the client's public IP
- "-sp" is the source port, in this case the server's receiving port, 443
- "-dp" is the destination port, i.e. the client's port the request was sent from
- "-pd" is the data you wish to include in the packet
- "-sn" is the sequence number; this value is not required for this attack, so we just set it to 1
- "-an" is the acknowledgement number; this is also not required, so we just set it to 1
- "-w" is the window size; not required, but set it to 256
- "-c" is the count of packets you wish to send to the victim, e.g. if you wish to send 5 packets, you do "-c 5", or set "-c 0" to DoS the victim
- "-v" is for verbose, i.e. print the packet on screen before sending
- "-4" sets the PSH flag
- "-5" sets the ACK flag
There are only four components that matter in the above:
- Source IP (the server's IP)
- Destination IP (the client/victim's public IP)
- Source port (the server's port, 443)
- Destination port (the client's port the request was sent from; assuming you are watching Wireshark, you will have the exact number)
If you have executed everything correctly, in the victim machine's Wireshark there should be a packet with the content "Packet Data".
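To make the router's "note" concrete, here is an added Python simulation of the behaviour described in the handshake bullets, in the "How does a router route?" section and in the four-component list above. It is not code from this post and not part of tcpf. The addresses (192.168.1.10 as the client, 203.0.113.5 as the server, 198.51.100.1 as the router's public IP), ports, sequence numbers and payloads are constructed values. The NAT is modelled two ways: a plain table keyed on the 4-tuple, which is what the post relies on, and a "strict" mode that additionally checks the TCP sequence and acknowledgement numbers against what the inside host last sent, a simplified version of the window tracking that stateful firewalls perform and an assumption of this example rather than anything the post describes.

```python
"""Model of a NAT router forwarding inbound packets: 4-tuple only vs. 4-tuple plus
TCP sequence/ack sanity check (constructed example, not the post's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""          # subset of "S" (SYN), "A" (ACK), "P" (PSH), "F" (FIN)
    seq: int = 0
    ack: int = 0
    window: int = 0
    payload: bytes = b""

    def seq_len(self) -> int:
        # SYN and FIN each consume one sequence number, payload bytes consume the rest
        return len(self.payload) + ("S" in self.flags) + ("F" in self.flags)


@dataclass
class Flow:
    private_ip: str
    private_port: int
    state: str = "SYN_SENT"
    inside_next_seq: int = 0   # next sequence number the inside host will send
    inside_ack: int = 0        # highest sequence number the inside host has acknowledged
    inside_window: int = 0     # receive window the inside host last advertised


class Nat:
    """Source NAT whose table is keyed on (remote ip, remote port, translated port),
    i.e. exactly the 'note' the router writes for itself."""

    def __init__(self, public_ip: str, strict: bool):
        self.public_ip = public_ip
        self.strict = strict          # True: also validate seq/ack (simplified conntrack)
        self.table: Dict[Tuple[str, int, int], Flow] = {}
        self.by_private: Dict[Tuple[str, int, str, int], int] = {}
        self.next_port = 40000        # constructed: first translated source port

    def outbound(self, pkt: Packet) -> Packet:
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_private.get(conn)
        if port is None:              # first packet of the flow: write the note
            port = self.next_port
            self.next_port += 1
            self.by_private[conn] = port
            self.table[(pkt.dst_ip, pkt.dst_port, port)] = Flow(pkt.src_ip, pkt.src_port)
        flow = self.table[(pkt.dst_ip, pkt.dst_port, port)]
        flow.inside_next_seq = pkt.seq + pkt.seq_len()
        flow.inside_ack = pkt.ack
        flow.inside_window = pkt.window
        # rewrite the source to the router's public address, as the post describes
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port,
                      pkt.flags, pkt.seq, pkt.ack, pkt.window, pkt.payload)

    def _plausible(self, flow: Flow, pkt: Packet) -> bool:
        if flow.state == "SYN_SENT":
            # only a SYN/ACK that acknowledges our SYN is acceptable here
            return "S" in pkt.flags and "A" in pkt.flags and pkt.ack == flow.inside_next_seq
        in_window = flow.inside_ack <= pkt.seq < flow.inside_ack + flow.inside_window
        sane_ack = 0 <= flow.inside_next_seq - pkt.ack <= flow.inside_window
        return in_window and sane_ack

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        flow = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if flow is None or pkt.dst_ip != self.public_ip:
            return None               # no note for this 4-tuple: dropped
        if self.strict and not self._plausible(flow, pkt):
            return None               # right 4-tuple, wrong seq/ack: dropped in strict mode
        if flow.state == "SYN_SENT" and "S" in pkt.flags and "A" in pkt.flags:
            flow.state = "ESTABLISHED"
        return Packet(pkt.src_ip, pkt.src_port, flow.private_ip, flow.private_port,
                      pkt.flags, pkt.seq, pkt.ack, pkt.window, pkt.payload)


CLIENT, SERVER, PUBLIC = "192.168.1.10", "203.0.113.5", "198.51.100.1"   # constructed


def run_scenario(strict: bool) -> Dict[str, object]:
    """Handshake plus one data segment (the telnet-to-netcat lab), then three inbound
    packets: a genuine reply, a spoofed one with made-up seq/ack, and a stray."""
    nat = Nat(PUBLIC, strict)
    syn = nat.outbound(Packet(CLIENT, 51000, SERVER, 443, "S", seq=1000, window=64240))
    nat_port = syn.src_port
    synack = nat.inbound(Packet(SERVER, 443, PUBLIC, nat_port, "SA", seq=5000, ack=1001, window=65535))
    nat.outbound(Packet(CLIENT, 51000, SERVER, 443, "A", seq=1001, ack=5001, window=64240))
    nat.outbound(Packet(CLIENT, 51000, SERVER, 443, "PA", seq=1001, ack=5001, window=64240, payload=b"hi\n"))
    legit = nat.inbound(Packet(SERVER, 443, PUBLIC, nat_port, "PA", seq=5001, ack=1004, window=65535, payload=b"ok\n"))
    # same 4-tuple as the real server, but seq/ack of 1 as in the "-sn 1 -an 1" example
    spoofed = nat.inbound(Packet(SERVER, 443, PUBLIC, nat_port, "PA", seq=1, ack=1, window=256, payload=b"Packet Data"))
    stray = nat.inbound(Packet("192.0.2.77", 443, PUBLIC, nat_port, "PA", seq=1, ack=1, window=256, payload=b"x"))
    return {"synack": synack is not None, "legit": legit is not None,
            "spoofed": spoofed is not None, "stray": stray is not None,
            "spoofed_delivered_to": spoofed.dst_ip if spoofed else None}


if __name__ == "__main__":
    print("4-tuple only:", run_scenario(strict=False))
    print("seq/ack checked:", run_scenario(strict=True))
```

With `strict=False` the spoofed packet is handed to 192.168.1.10, exactly the outcome the post describes: the router only has its 4-tuple note to go on. With `strict=True` the same packet is dropped, because sequence number 1 is nowhere near the 5001 the client is waiting for and acknowledgement 1 does not match anything it has sent; the stray packet is dropped in both modes because there is no note for it. That difference is the mitigation to look for: a NAT or firewall that tracks TCP state beyond the 4-tuple, and, on the host side, a packet in Wireshark whose seq/ack numbers do not fit the session is the tell-tale of this technique.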
Imagine how many times your PC visits Microsoft domains to get Windows updates, or visits 22.214.171.124 for DNS resolution, etc. If an attacker catches that time frame, they are in, bypassing almost all network firewalls. I call this attack PipePass.
Here is how I did it: https://www.youtube.com/watch?v=eWZcy8laPEk
That concludes our attack.
If you have issues creating your virtual lab, let me know; my socials are in my bio :)