2 min read

NAT Slipstreaming v2 opens TCP and UDP services remotely

Samy Kamkar and Armis researchers detail a browser-based attack that can punch through NAT and firewalls to reach internal TCP or UDP services.

Image: Hacker News

A new version of NAT Slipstreaming shows how a victim merely visiting a website can expose any TCP or UDP service on systems behind the victim’s NAT or firewall. The technique, described by Samy Kamkar with Ben Seri and Gregory Vishnipolsky of Armis, abuses the browser and Application Level Gateway (ALG) behavior in routers and firewalls to create what the researchers call remote arbitrary firewall pinhole control.

According to the write-up, v2.0 expands on Kamkar’s original NAT Pinning work from 2010, which was presented at DEFCON 18 and Black Hat 2010. The attack chains together several components: internal IP discovery through WebRTC or timing attacks, remote MTU and fragmentation detection, packet-size manipulation, and protocol confusion. The key idea is to make the NAT or firewall itself open a destination port, sidestepping browser port restrictions.

The researchers say the attack works across major modern and older browsers, provided the target NAT or firewall supports ALG for protocols such as SIP, H.323, FTP, or IRC DCC. In v1, the attack relied on a crafted SIP REGISTER flow on port 5060. In v2, it moves to an H.323 call forwarding approach on port 1720, using TCP-based STUN through WebRTC to bypass earlier patches and restricted browser port lists.

Recommended reading

AI won’t replace penetration testers just yet

That matters because, as described, the attacker can direct port forwarding not just to the victim machine but to any internal IP on the victim’s network. If successful, the attacker can then connect back directly to previously hidden services.

successful packet broken into valid SIP packet
successful packet broken into valid SIP packet

The post also walks through the networking mechanics behind the attack. NAT lets multiple systems share one public IP by rewriting outbound and inbound packets, while connection tracking keeps state so replies get routed back to the right internal host. ALGs extend that logic for multi-port protocols, inspecting control traffic and dynamically opening pinholes for related data connections.

NAT
NAT

Kamkar also began examining router firmware to see how common gateways handle these protocols, using a Netgear Nighthawk R7000 as one example. The post shows a downloaded firmware image, R7000-V1.0.9.64_10.2.64.chk, sized at about 30MB, then uses binwalk to identify embedded firmware structures including LZMA data and a Squashfs filesystem.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

// Keep reading