The author of the infamous Samy MySpace worm has released a tool, which enables computers on separate LANs to establish a straightforward client-server type connection without any port forwarding or other special setup. Dubbed pwnat, the application employs some very creative use, or better said misuse, of features implemented by default in most routers.
"pwnat, pronounced 'poe-nat', is a tool that allows any number of clients behind NATs to communicate with a server behind a separate NAT with *no* port forwarding and *no* DMZ setup on any routers in order to directly communicate with each other. The server does not need to know anything about the clients trying to connect. There is no middle man, no proxy, no 3rd party, no UPnP/STUN/ICE required, no spoofing, and no DNS tricks," announces its creator, Samy Kamkar, who, in 2005, unleashed the father of all XSS social-networking worms.
All of us know - well most people capable of understanding home routers do - that in order for someone to connect to a service running on their desktop, laptop or other device on the internal LAN, a port forwarding rule needs to be set up. The router, as a local network's face to the Internet holding the publicly accessible IP address, requires express instructions to forward incoming requests on specific ports to certain computers inside the LAN. This is vital for popular peer-to-peer technologies such as BitTorrent, Direct Connect or Gnutella to function at their full potential.
And things only get more complicated when the client making the requests is also behind a NAT router itself. One of the most common situations of this sort is when trying to establish a Virtual Private Network (VPN) between two computers on separate LANs and usually requires an intermediary publicly accessible proxy or server (STUN or TURN).
However, pwnat can establish such a tunnel with barely any effort and requiring little to no changes being made by users. So, how is this possible? Well, first of all, a server needs to learn the client's public IP address, so that it knows where to send the responses. For this, the author used a very cool hack, which abuses the traceroute functionality.
"Specifically, when the server starts up, it begins sending fixed ICMP echo request packets to the fixed address 22.214.171.124. We expect that these packets won't be returned. Now, 126.96.36.199 is *not* a host we have any access to, nor will we end up spoofing it. Instead, when a client wants to connect, the client (which knows the server IP address) sends an ICMP Time Exceeded packet to the server. The ICMP packet includes the 'original' fixed packet that the server was sending to 188.8.131.52," Kamkar explains.
This technique allows the client to basically masquerade as an Internet hop in a traceroute-like response, which the router automatically sends back to the requester (the pwnat server), complete with the IP of the client. The router automatically matches the data in the response packet to the original request and determines where to send it in the LAN. This functionality permits a traceroute to be performed from inside local networks and is enabled by default in most routers.
Now that the server knows the IP of the client, a channel of communication needs to be established that will serve as a UDP tunnel for other future connections. This is achieved by having pwnat on the server continuously send UDP packets towards the client, which the client's router will initially not recognize and drop.
And here is where Kamkar's second trick lies. Normally, routers remember requests sent by clients on its network, so that if matching responses come back, it knows where to direct them, just as in the traceroute example above. This means that the pwnat server's router will keep track of packets sent to the pwnat client IP, in case a response comes back.
So, now, the pwnat client needs to act like a server and send predefined responses back. As soon as this starts, the client's router will begin tracking requests and listening for responses, which until now were dropped. Once both routers are tricked, the client and server exchange handshake packets and a full UDP "session" is established allowing other TCP-based protocols to tunnel through.
In 2007, Samy Kamkar was sentenced to three years on probation, 90 days of community service and was also ordered to pay an undisclosed amount of money to MySpace as restitution for the damages caused by the Samy worm. Since then, he has taken an interest in security, his motto being "think bad, do good," according to his Twitter profile.
pwnat has been tested on Linux and Mac OS X, but is expected to run well on all *nix-based systems. The latest version can be downloaded from here.