I know the public IP of the victim's router, and the victim also runs a program that is vulnerable to a remote buffer overflow.

How does an attacker attack this victim's computer with just an exploit that needs an IP and port?

For example:

  • public IP of the router: 1.1.1.1
  • vulnerable program is listening on port 5511
  • local IP of victim: 192.168.1.9
  • attacker IP: 2.2.2.2 (connected directly to the internet or behind a router)

Tested locally, the exploit works fine because we are in the same network. The problem is when the victim is outside the network and behind a router.

schroeder
Dzinosky

1 Answer

You can't directly access the victim from outside since it is not directly reachable due to the NAT router. You also cannot trick the router into giving you some special access to the internal device. This means that you first need to find a way into the internal network. How to do this depends on the specific environment, i.e. you might be able to trick the user into opening a malicious attachment, you might be able to attack some internal IoT device which is accessible from outside due to port forwarding, etc.

Steffen Ullrich
  • So I can't consider the victim's computer an internal device, although it is using a program that is listening on a port? But how do exploits spread over the internet, like WannaCry? Are all the infected computers not behind NAT, or what? – Dzinosky May 07 '20 at 14:14
  • Another point: the victim has port 5511 open on his router for the program that is listening on that port. – Dzinosky May 07 '20 at 14:45
  • @Dzinosky please do some reading on how WannaCry was propagated. As for the port *on the router*, what do you mean by that? The router is port forwarding that port? – schroeder May 07 '20 at 15:43
  • @schroeder Yes, the router is port forwarding that port – Dzinosky May 07 '20 at 15:46
  • @Dzinosky that's the only relevant detail in this whole situation. And no, this answer now is not what you are looking for .... – schroeder May 07 '20 at 15:47
  • @Dzinosky this is basic networking: you point the exploit at 1.1.1.1:5511 – schroeder May 07 '20 at 15:47
  • @schroeder When I point the exploit at 1.1.1.1:5511 (this is the public IP of the router, not of the victim), the exploit failed. – Dzinosky May 07 '20 at 15:50
  • @Dzinosky how do you know? – schroeder May 07 '20 at 15:51
  • @schroeder When I do that locally and point the exploit at 192.168.1.9:5511, it works fine, because we are on the same network – Dzinosky May 07 '20 at 15:51
  • @schroeder I have a VM with bridged networking in its settings, so I tried to exploit it from my machine; I pointed the exploit at 1.1.1.1:5511 and it failed – Dzinosky May 07 '20 at 15:56
  • @Dzinosky ok, so many questions as with each detail it gets more confusing not more clear. 1. How do you know it failed? 2. What is the networking between these machines? Are they over the internet or in your own virtual network? 3. Have you done packet captures? This sounds more like you don't understand the networking/routing than a security question. – schroeder May 07 '20 at 15:58
  • @schroeder I tested on my own virtual network – Dzinosky May 07 '20 at 16:00
  • @schroeder Sorry, I know that is not clear. Anyway, thank you for your time. I just want to know whether it is possible to attack someone behind NAT using a remote buffer overflow with his router IP – Dzinosky May 07 '20 at 16:07
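
Added example, not part of the original thread: the port forward confirmed in the comments is what makes an internal service reachable through NAT, so a defender should know every forward the router carries. This sketch assumes a Linux-based router whose NAT rules are available as `iptables-save` output; the rule set, the WAN interface name `eth0` and the function name `exposed_services` are constructed for illustration.

```python
# Constructed sample of `iptables-save -t nat` output (assumed Linux router).
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5511 -j DNAT --to-destination 192.168.1.9:5511
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:80
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def exposed_services(rules_text, wan_if="eth0"):
    """List (proto, wan_port, internal_ip, internal_port) for every DNAT
    rule that accepts traffic arriving on the WAN interface."""
    exposed = []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "PREROUTING"] or "DNAT" not in tok:
            continue
        # Map each option flag to the token that follows it.
        # Negated matches ("! -i eth0") are not handled in this sketch.
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        # A rule without -i matches every interface, including the WAN side.
        if opts.get("-i", wan_if) != wan_if:
            continue
        ip, _, port = opts.get("--to-destination", "").partition(":")
        wan_port = opts.get("--dport", "any")
        # Without an explicit target port, DNAT keeps the original port.
        exposed.append((opts.get("-p", "all"), wan_port, ip, port or wan_port))
    return exposed


if __name__ == "__main__":
    for proto, wan_port, ip, port in exposed_services(SAMPLE_RULES):
        print(f"WAN {proto}/{wan_port} -> {ip}:{port} is reachable from the internet")
```

Each tuple it returns is a service that NAT does not shield; it needs the same patching and access control as a host placed directly on the internet.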