Flutterby™! : pwnat

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics


2010-03-29 18:18:00.495481+00 by Dan Lyke 3 comments

pwnat - NAT to NAT client-server communication, port tunneling between machines when both computers are behind NAT firewalls. Cool!

comments in descending chronological order (reverse):

#Comment Re: made: 2010-03-30 22:46:18.117631+00 by: meuon

I think I'll be configuring for a different address. used to be an AT&T "BGP Looking Glass" for example, that is now offline but routes fairly well from lots of places. I just would not start off using an address that might be jump-on-able by others using the same technique.

#Comment Re: made: 2010-03-30 18:03:00.334545+00 by: Dan Lyke belongs to GE (3/8 is a class A address space assigned to GE). They most likely filter ICMP packets at their firewall, so the most that would happen is they'd see a few extra UDP packets. You'd have to be running a hell of a lot of these things before that'd be distinguishable from the gazillion probes that botnets around the world are hurling at them.

If you imagine using the same technique for traceroute, you could see that the response to the timeout of the ICMP packet could come from anything along the chain to, so if you have a random IP address saying "yeah, that packet died with me!" there's no particular way for the NAT box to vet that response given that it didn't originate the packet which is being responded to, it's just passing it along. Networking is cool and contains unanticipated complexities.

#Comment Re: made: 2010-03-30 00:22:58.586923+00 by: Shawn

It looks pretty clever, but I don't know that I'd want to actually use it. I still have some unanswered questions after reading the How it Works section:

IP is owned by *somebody* - you're still sending packets to a 3rd party. I'd actually feel better about it if this IP was under the author's control.

So... the client spoofs IP when it sends the "response"? (How else does it tell the NAT box that the "response" is for the ICMP that went out earlier?)