  • Stars: 2,846
  • Rank 15,978 (Top 0.4 %)
  • Language: C
  • License: GNU General Publi...
  • Created over 12 years ago
  • Updated over 1 year ago


Repository Details

The only tool/technique to punch holes through firewalls/NATs where multiple clients & server can be behind separate NATs without any 3rd party involvement. Pwnat is a newly developed technique, exploiting a property of NAT translation tables, with no 3rd party, port forwarding, DMZ, DNS, router admin requirements, STUN/TURN/UPnP/ICE, or spoofing.

pwnat - http://samy.pl/pwnat

pwnat, by Samy Kamkar, is a tool that allows any client behind a NAT to communicate directly with a server behind a separate NAT, with no port forwarding and no DMZ setup on any router at either end.

There is no middle man, no proxy, no third party, no UPnP required, no spoofing, no DNS tricks. The server does not need to know the client's IP address before connecting.

More importantly, once the tunnel is up the client can connect through it to any remote host and port, or to a fixed host and port that the server chooses to allow.

Simply put, this is a proxy server that works behind a NAT, even when the client is also behind a NAT.

You can read the paper published in IEEE and presented at the IEEE P2P'10 Conference here

usage: ./pwnat <-s | -c> <args>

  -c    client mode
        <args>: [local ip] <local port> <proxy host> [proxy port (def:2222)] <remote host> <remote port>

  -s    server mode
        <args>: [local ip] [proxy port (def:2222)] [[allowed host]:[allowed port] ...]

  -6    use IPv6
  -v    show debug output (up to 2)
  -h    show this help and exit

EXAMPLE

Server side allowing anyone to proxy:

./pwnat -s

Client wanting to connect to google.com:80:

./pwnat -c 8000 pwnat.server.com google.com 80

Then, browse to http://localhost:8000 to visit google!

FAQ

  • Ok, so does this really work?

Yes. Try it!

  • I'm confused. This can't work.

You should be, and it does work.

  • But it can't. My NAT blocks incoming packets and so will the other. I know. But how?!

Great question! I thought you'd never ask. Look below at HOW DOES IT WORK?

  • Does this use DNS for anything?

No.

  • Do I need to setup port forwarding or a DMZ on either end?

No.

  • Is there some sort of proxy or 3rd party that tunnels information between the two NATs?

No. The connection is direct, client to server.

  • Will this work behind my corporate NAT and firewall?

This will work behind many NATs and firewalls, but not all. Two things have to hold for the technique described under HOW DOES IT WORK?: the server's NAT or firewall must let in an ICMP Time Exceeded error that quotes one of its own outgoing echo requests (a firewall that drops all inbound ICMP breaks the address-discovery step), and both NATs must treat UDP packets arriving on port 2222 as replies to the packets they sent out from port 2222 (a NAT that rewrites the source port to something other than 2222 will not match them). Crafting the ICMP packets also needs raw-socket privileges (root on most systems), unlike the UDP side.

  • What uses does this have?

This will allow you to tunnel any service that you want to run (http, ssh, quake server, IRC, ftp, etc.) through your NAT, or proxy into other remote servers.

  • What if one or both ends aren't behind a NAT?

Everything will work just as well. You can use pwnat to tunnel TCP payload over UDP if you wish; no NATs are necessary.

  • Does the server have to specify the client host?

No! The server doesn't know the client IP address until the client attempts to connect, penetrating the NAT using this unique method.

HOW DOES IT WORK?

My method of penetrating NATs is two-fold, and both halves are described below: first the server learns the client's public IP address by way of an ICMP trick, then both sides open UDP holes in their own NATs.

In order for the full tunnel to be established, the client side needs to know the public IP address of the server, and the server needs to learn the public IP address of the client.

However, in a true client-server model, the server doesn't know the client IP until the client connects, and NATs will normally drop unknown incoming packets. In pwnat, the server also does not need to know the client IP address.

Here is how the pwnat server learns the IP address of the client: I get around this by having the client "pretend" to be a random hop on the Internet. I'm essentially using the same mechanism traceroute uses to detect hops on the Internet (ICMP Time Exceeded errors sent back by intermediate routers), but in reverse, in order to penetrate the NAT.

Specifically, when the server starts up, it begins sending fixed ICMP echo request packets to the fixed address 3.3.3.3. We expect that these packets won't be returned.

Now, 3.3.3.3 is not a host we have any access to, nor will we end up spoofing it. Instead, when a client wants to connect, the client (which knows the server IP address) sends an ICMP Time Exceeded packet to the server. The ICMP packet includes the "original" fixed packet that the server was sending to 3.3.3.3.

Why? Well, we're pretending to be a hop on the Internet, politely telling the server that its original "ICMP echo request" packet couldn't be delivered. Your NAT, being the gapingly open device it is, is nice enough to notice that the packet quoted inside the ICMP Time Exceeded matches the packet the server sent out. It then forwards the ICMP Time Exceeded to the server behind the NAT, and the outer IP header of that packet carries the client's source address, so the server now knows the client's IP address!

Server (1.2.3.4): ICMP Echo Request -> 3.3.3.3 ...
Server (1.2.3.4): ICMP Echo Request -> 3.3.3.3 ...
Server (1.2.3.4): ICMP Echo Request -> 3.3.3.3 ...
Client (6.7.8.9): ICMP Time Exceeded (includes ICMP Echo Request to 3.3.3.3) -> 1.2.3.4
Server's NAT: Sees server's Echo Request in client's Time Exceeded packet, sends entire packet to server because it matches server's outgoing packet

Don't believe me? Just traceroute any host from behind your NAT. You'll notice incoming packets arriving from random IP addresses your router knows nothing about. Your router knows to send those back to you, rather than to another client on your network, based on the data quoted inside the ICMP Time Exceeded packet.
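The packet formats behind this step, as an added example that is not pwnat's own code: it builds the server's fixed echo request to 3.3.3.3, wraps it in the ICMP Time Exceeded error a client would send (RFC 792 layout: type 11, code 0, then the quoted IP header plus the first 8 bytes of the original datagram), and then applies the matching rule a NAT uses to decide the error belongs to an inside host. The NAT model, the ICMP id 0x1234 and the public address 1.2.3.4 seen in the quoted header are assumptions for illustration; a real NAT keys on its translated (public) addresses and sending these packets on a live network needs a raw socket.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR 20
#define ICMP_ECHO_REQ 8
#define ICMP_TIME_EXCEEDED 11
#define IP_3333 0x03030303u   /* the unreachable probe target pwnat uses */

/* Internet checksum (RFC 1071) over a byte buffer; verifying a checksummed buffer yields 0. */
static uint16_t csum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Minimal IPv4 header: version 4, IHL 5, protocol 1 (ICMP), checksum filled in. */
static void ip_hdr(uint8_t *p, uint32_t src, uint32_t dst, uint16_t total_len, uint8_t ttl) {
    memset(p, 0, IP_HDR);
    p[0] = 0x45; put16(p + 2, total_len); p[8] = ttl; p[9] = 1;
    put32(p + 12, src); put32(p + 16, dst);
    put16(p + 10, csum(p, IP_HDR));
}

/* The server's fixed probe: IP(server -> 3.3.3.3) + ICMP Echo Request with constant id/seq. */
size_t build_probe(uint8_t *out, uint32_t server_ip, uint16_t id, uint16_t seq) {
    ip_hdr(out, server_ip, IP_3333, IP_HDR + 8, 64);
    uint8_t *ic = out + IP_HDR;
    ic[0] = ICMP_ECHO_REQ; ic[1] = 0; put16(ic + 2, 0);
    put16(ic + 4, id); put16(ic + 6, seq);
    put16(ic + 2, csum(ic, 8));
    return IP_HDR + 8;
}

/* What the client sends: IP(client -> server) + ICMP Time Exceeded quoting the probe
   (original IP header + first 8 bytes of its payload, i.e. the echo request header). */
size_t build_time_exceeded(uint8_t *out, uint32_t client_ip, uint32_t server_ip,
                           const uint8_t *probe, size_t probe_len) {
    size_t quoted = IP_HDR + 8;
    if (probe_len < quoted) return 0;
    ip_hdr(out, client_ip, server_ip, (uint16_t)(IP_HDR + 8 + quoted), 64);
    uint8_t *ic = out + IP_HDR;
    ic[0] = ICMP_TIME_EXCEEDED; ic[1] = 0;      /* code 0: TTL exceeded in transit */
    put16(ic + 2, 0); put32(ic + 4, 0);         /* checksum placeholder, unused word */
    memcpy(ic + 8, probe, quoted);
    put16(ic + 2, csum(ic, 8 + quoted));
    return IP_HDR + 8 + quoted;
}

/* Simplified NAT rule (assumed model): forward an inbound Time Exceeded to the inside host
   only if the quoted datagram matches a probe that host sent out (src/dst IP, protocol,
   ICMP type and id). On a match *reporter_ip receives the outer source address, which is
   exactly what the pwnat server learns. Returns 1 to forward, 0 to drop. */
int nat_match_time_exceeded(const uint8_t *pkt, size_t len,
                            const uint8_t *sent_probe, uint32_t *reporter_ip) {
    if (len < IP_HDR + 8 + IP_HDR + 8) return 0;
    if ((pkt[0] >> 4) != 4 || pkt[9] != 1) return 0;
    const uint8_t *ic = pkt + IP_HDR;
    if (ic[0] != ICMP_TIME_EXCEEDED) return 0;
    if (csum(ic, len - IP_HDR) != 0) return 0;      /* corrupt error: drop */
    const uint8_t *q = ic + 8;                      /* quoted original datagram */
    if (get32(q + 12) != get32(sent_probe + 12)) return 0;
    if (get32(q + 16) != get32(sent_probe + 16)) return 0;
    if (q[9] != sent_probe[9]) return 0;
    if (q[IP_HDR] != ICMP_ECHO_REQ) return 0;
    if (get16(q + IP_HDR + 4) != get16(sent_probe + IP_HDR + 4)) return 0;
    *reporter_ip = get32(pkt + 12);
    return 1;
}

int main(void) {
    uint8_t probe[64], err[128];
    size_t pl = build_probe(probe, 0x01020304u, 0x1234, 1);            /* 1.2.3.4 -> 3.3.3.3 */
    size_t el = build_time_exceeded(err, 0x06070809u, 0x01020304u, probe, pl); /* from 6.7.8.9 */
    uint32_t who = 0;
    if (nat_match_time_exceeded(err, el, probe, &who))
        printf("NAT forwards the error; server learns client IP %u.%u.%u.%u\n",
               who >> 24, (who >> 16) & 255, (who >> 8) & 255, who & 255);
    else
        printf("NAT drops the error\n");
    return 0;
}
```

A Time Exceeded whose quoted packet carries a different ICMP id, or whose checksum is wrong, is dropped by the same rule, which is why the server's probe must be fixed and known to the client.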

Now, the server has only learned the client IP address. We still have no method to send any additional data. For the full communication, we use the same method used in my previous software, chownat, to penetrate both NATs.

Example of a client behind a NAT talking to a machine NOT behind a NAT: Machine A -> NAT A -> net -> quake server

Machine A sends a UDP packet to quake server, opening a "session". NAT A sees this and says: "If any UDP packets come back soon with the same host and port info, I'm routing it to machine A." Quake server sends UDP packets back, hits NAT A, and NAT A seeing the right hosts and ports, sends it to machine A. Machine A and quake server are now able to communicate without any problem.

Now here is how pwnat works now that client and server know each others IP. Goal is: Machine A (ssh client) -> NAT A -> net -> NAT B -> Machine B (ssh server)

When you start up the pwnat server on machine B, it slowly fires off UDP packets to machine A. Of course, NAT A is not expecting these so it drops every one of them. Machine B does not stop.

Once you begin the pwnat client on machine A, it begins sending UDP packets to machine B. Note: pwnat defaults source and destination ports to 2222. Any unprivileged user can set UDP source and destination ports. Normally the UDP packets that machine A is sending to NAT B would get dropped. However, since machine B is sending similar packets OUT, NAT B assumes these are responses and lets them back in. Once machine B sees these packets, it sends handshake packets back to machine A. These packets will not get dropped by NAT A because of the same reason: NAT A sees packets going out, and the packets coming back to the NAT look like responses to the ones going out.

Finally, both sides are fully communicating over UDP, allowing protocols that run over TCP to tunnel through. Note: a keep-alive process on both the pwnat server and client keeps the UDP "session" active in each NAT. The keep-alive packets carry a 0-byte payload and are sent only when the tunnel is idle, at most one packet every 5 seconds; while any other data is travelling through the tunnel, no keep-alive packets are transmitted.
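The UDP exchange above as a small simulation of the two NAT translation tables, added here as an example and not part of pwnat. Each NAT is modelled the way the quake example describes it: an outbound datagram creates a mapping, and an inbound datagram is delivered only if it comes from the exact host and port that mapping was created for. The model assumes the NATs keep the UDP source port unchanged (port preservation), which the 2222-to-2222 exchange described above implicitly needs; the second run shows what happens when a NAT instead rewrites the source port. Addresses 192.168.0.2, 10.0.1.5, 5.6.7.8 and the port 40000 are made up for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct pkt { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

struct mapping {
    uint32_t in_ip;  uint16_t in_port;   /* inside endpoint */
    uint32_t rem_ip; uint16_t rem_port;  /* remote endpoint it talked to */
    uint16_t out_port;                   /* port used on the public side */
};

struct nat {
    uint32_t public_ip;
    int preserve_ports;   /* 1: outside port == inside port (assumed NAT behaviour) */
    uint16_t next_port;   /* allocator used when ports are not preserved */
    int n;
    struct mapping m[16];
};

/* Inside -> outside: create (or reuse) the translation and rewrite the source. Mappings are
   address-and-port-dependent: only packets from the exact remote host:port are let back in. */
static void nat_outbound(struct nat *nat, struct pkt *p) {
    struct mapping *e = NULL;
    for (int i = 0; i < nat->n; i++) {
        struct mapping *c = &nat->m[i];
        if (c->in_ip == p->src_ip && c->in_port == p->src_port &&
            c->rem_ip == p->dst_ip && c->rem_port == p->dst_port) { e = c; break; }
    }
    if (!e) {
        e = &nat->m[nat->n++];
        e->in_ip = p->src_ip; e->in_port = p->src_port;
        e->rem_ip = p->dst_ip; e->rem_port = p->dst_port;
        e->out_port = nat->preserve_ports ? p->src_port : nat->next_port++;
    }
    p->src_ip = nat->public_ip;
    p->src_port = e->out_port;
}

/* Outside -> inside: deliver (rewriting the destination) only if a mapping expects this
   sender on this public port; otherwise drop it as an unknown incoming packet. */
static int nat_inbound(const struct nat *nat, struct pkt *p) {
    if (p->dst_ip != nat->public_ip) return 0;
    for (int i = 0; i < nat->n; i++) {
        const struct mapping *c = &nat->m[i];
        if (c->out_port == p->dst_port && c->rem_ip == p->src_ip && c->rem_port == p->src_port) {
            p->dst_ip = c->in_ip; p->dst_port = c->in_port;
            return 1;
        }
    }
    return 0;
}

/* One UDP datagram from a host behind `from` to the public address of `to`.
   Returns 1 if the inside host behind `to` receives it, 0 if a NAT drops it. */
static int send_across(struct nat *from, struct nat *to,
                       uint32_t src_ip, uint16_t src_port, uint16_t dst_port) {
    struct pkt p = { src_ip, to->public_ip, src_port, dst_port };
    nat_outbound(from, &p);
    return nat_inbound(to, &p);
}

/* The pwnat handshake with both ends on port 2222, after the ICMP step has given the server
   (machine B) the client's (machine A) public address. Returns a bitmask: bit 0 = B's initial
   probe reached A, bit 1 = A's first packet reached B, bit 2 = B's handshake reply reached A. */
int punch(int natb_preserves_ports) {
    struct nat nat_a = { .public_ip = 0x06070809u, .preserve_ports = 1, .next_port = 40000 };
    struct nat nat_b = { .public_ip = 0x05060708u, .preserve_ports = natb_preserves_ports,
                         .next_port = 40000 };
    const uint32_t A = 0xC0A80002u /* 192.168.0.2 */, B = 0x0A000105u /* 10.0.1.5 */;
    const uint16_t PORT = 2222;
    int r = 0;
    /* 1. B fires UDP at A's public address: NAT A has no mapping and drops it,
          but NAT B now holds B:2222 <-> 6.7.8.9:2222 */
    if (send_across(&nat_b, &nat_a, B, PORT, PORT)) r |= 1;
    /* 2. A sends to B's public address: NAT A creates its mapping; NAT B sees a reply to step 1 */
    if (send_across(&nat_a, &nat_b, A, PORT, PORT)) r |= 2;
    /* 3. B's handshake back to A matches the mapping NAT A created in step 2 */
    if (send_across(&nat_b, &nat_a, B, PORT, PORT)) r |= 4;
    return r;
}

int main(void) {
    printf("port-preserving NATs: delivered mask %d (expect 6)\n", punch(1));
    printf("NAT B rewrites source port: delivered mask %d (expect 0)\n", punch(0));
    return 0;
}
```

With port preservation the first probe is dropped, as the text says, and the next two packets get through; once NAT B maps 2222 to some other public port, A's packet to 5.6.7.8:2222 no longer matches NAT B's table and B's probes no longer match NAT A's, so nothing is delivered in either direction.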

by Samy Kamkar

pwnat is based on udptunnel by Daniel Meekins here
