NAT Slipstream allows an attacker outside the firewall to remotely access any TCP or UDP services running on a local machine, behind a NAT firewall, simply by tricking the victim into visiting a malicious website.
To understand how this is possible, we first need to understand how NAT routers work.
How do NAT routers work?
NAT stands for Network Address Translation, which is a mechanism for mapping between two different ranges of IP addresses – such as those on the public internet and those on a private network in your office. The NAT function is provided by a router or firewall that sits on the perimeter of the network and it protects the private network by blocking, by default, all unexpected incoming traffic. The NAT router modifies the TCP/IP packets as they pass through the router so that all traffic appears to originate from the router itself when it is forwarded onto the Internet. When a response is received to a transmitted request, the NAT router maps the response back to the original internal TCP/IP address and port that made the request and forwards it to that device on the internal network.
Some protocols, such as FTP, SIP or IRC, use two connections: one outbound, opened by the client, and one inbound, opened by the remote server back to the client. This presents a problem for the NAT router: the incoming connection is blocked because the router has no idea which internal IP address and port the incoming data should be forwarded to. This problem is solved by the Application Layer Gateway (ALG), a logical function added to all NAT routers.
The ALG monitors outbound traffic and, when it spots an attempt to establish a connection using a protocol that also requires an inbound port, it adjusts the contents of the TCP/IP request header so that the remote server makes the connection back to the IP address of the NAT router itself. When this expected incoming connection is then received, the NAT router can forward the traffic to the IP address and port on the internal network that made the original request. This occurs automatically and transparently to both ends of the communication.
NAT Slipstream works by abusing the ALG to trick it into opening ports and mapping them to internal IP addresses and ports which the external attacker can then use to target that device.
How does NAT Slipstream work?
A web browser is designed to open HTTP(S) ports and send HTTP(S) requests. To trick it into sending what looks like a valid SIP request, a specially crafted HTTP request is created that is so large it will be segmented into several TCP packets before transmission. The SIP request is embedded within the data body of the HTTP request. By working out where the packet boundaries fall, the HTTP data can be constructed so that one of the segmented packets starts exactly with the SIP request. The ALG code is not smart enough to realise that the SIP request is actually part of a larger segmented HTTP message; it simply sees a packet which starts with a byte stream that matches what it is looking for and processes it as an outbound SIP request.
For now, the NAT Slipstream attack works across almost all NAT routers that support SIP (and almost all do) and all modern web browsers.
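As an added illustration (not code from this article or from Samy Kamkar's project), the following Python simulation shows why an ALG that classifies each TCP segment on its own is fooled by an HTTP body aligned as described above, while an ALG that remembers which protocol the flow started with is not. The hostnames, the segment size and the request contents are constructed test data.

```python
import re

# Request lines a simplified ALG looks for at the start of a segment (constructed, not a real ALG).
SIP_REQUEST_LINE = re.compile(rb"^(REGISTER|INVITE) sip:\S+ SIP/2\.0\r\n")


def segment(stream: bytes, mss: int) -> list:
    """Split a byte stream into fixed-size TCP segments (no retransmission or coalescing)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def per_segment_alg(segments: list) -> list:
    """Naive ALG: classify every segment on its own. Returns indexes it treats as SIP."""
    return [i for i, seg in enumerate(segments) if SIP_REQUEST_LINE.match(seg)]


def stream_aware_alg(segments: list) -> list:
    """Flow-tracking ALG: only the protocol seen in the first segment of the flow counts."""
    if not segments or not SIP_REQUEST_LINE.match(segments[0]):
        return []  # the flow began as something else (here: an HTTP POST), so it is never SIP
    return [0]


def http_post(host: bytes, body: bytes) -> bytes:
    """Minimal HTTP/1.1 POST with a correct Content-Length header."""
    return (b"POST /upload HTTP/1.1\r\nHost: " + host + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


def build_misaligned_flow(mss: int) -> bytes:
    """Constructed test vector: an HTTP POST whose body carries a SIP REGISTER that
    begins exactly at the second segment boundary. Hostnames use the reserved
    .invalid TLD and a private address, so nothing here refers to a real system."""
    sip = (b"REGISTER sip:alg-test.invalid SIP/2.0\r\n"
           b"Contact: <sip:x@10.0.0.2:5060>\r\n\r\n")
    for pad in range(mss):
        body = b"A" * pad + sip
        request = http_post(b"alg-test.invalid", body)
        header_len = len(request) - len(body)
        if header_len + pad == mss:  # SIP text starts at byte offset mss
            return request
    raise ValueError("no padding length aligns the SIP request with the segment boundary")


if __name__ == "__main__":
    segs = segment(build_misaligned_flow(1460), 1460)
    print("per-segment ALG sees SIP in segments:", per_segment_alg(segs))   # [1]
    print("stream-aware ALG sees SIP in segments:", stream_aware_alg(segs))  # []
```

Run it to see that the naive classifier flags segment 1 of an ordinary HTTP POST as a SIP registration, while the flow-tracking classifier, which saw the POST request line first, does not.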
The NAT Slipstream technique was developed by security researcher Samy Kamkar who summarises it like this in his detailed GitHub project documentation:
Once the SIP packet lands on the packet boundary, the NAT will be deceived, believing this is a legitimate SIP registration and from a SIP client on the victim’s machine. Once our server responds with a proper SIP response (nested inside of a proper HTTP response to allow the browser to not detect anything fishy), the NAT will open up the port in the original packet we had the victim send and the router will now forward any port the attacker chooses back to the internal victim, all from simply browsing to a website.