Welcome. Here is a proof of concept in what I'm calling NAT Pinning ("hacking gibsons" was already taken). The idea is an attacker lures a victim to a web page. The web page forces the user's router or firewall, unbeknownst to them, to port forward any port number back to the user's machine. If the user had FTP/ssh/etc open but it was blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

My method works like this:

1. Attacker lures victim to a URL by convincing them that there are pictures of cute kittens on the page.

2. Victim clicks on URL and opens the page.

3. The page has a hidden form connecting to http://attacker.com:6667 (IRC port).

4. The client (victim) submits the form without knowing. An HTTP connection is created to the (fake) IRC server.

5. The fake IRC server, run by the attacker, simply listens, unlike me according to former girlfriends.

6. The form also has a hidden value that sends: "PRIVMSG samy :\1DCC CHAT samy [ip in decimal] [port]\1

"

7. Your router, doing you a favor, sees an "IRC connection" (even though your client is speaking in HTTP) and an attempt at a "DCC chat". DCC chats require opening a local port on the client for the remote chatter to connect back to you.

8. Since the router is blocking all inbound connections, it decides to forward any traffic to the port in the "DCC chat" back to you to allow NAT traversal for the friendly attacker to connect back and "chat" with you. However, the attacker specified the port to be, for example, port 21 (FTP). The router port forwards 21 back to the victim's internal system. The attacker now has a clear route to connect to the victim on port 21 and launch an attack, downloading the victim's highly classified cute kitten pictures.

Want to test? After you click the button below, try telnet 176.9.113.70 [port] on a system that is not on your network.

