HeadlinesBriefing favicon HeadlinesBriefing.com

NAT Slipstreaming v2.0 Bypasses Firewalls via Browser Exploit

Hacker News •
×

NAT Slipstreaming v2.0, developed by Samy Kamkar, Ben Seri, and Gregory Vishnipolsky of Armis, allows attackers to remotely access any TCP/UDP service behind a victim's NAT by simply having the victim visit a malicious website. The technique exploits the browser and the Application Level Gateway (ALG) connection tracking in NATs, routers, and firewalls.

The attack chains internal IP extraction via WebRTC or TCP timing attacks, automated MTU/IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, and protocol confusion. By abusing SIP (port 5060) and H.323 (port 1720) ALGs, the attacker forces the NAT to open arbitrary ports back to any host on the network, bypassing browser port restrictions.

This modernizes Kamkar's 2010 NAT Pinning technique (presented at DEFCON 18 and Black Hat 2010). v2 uses H.323 call forwarding via WebRTC STUN to evade patches and port blocks, enabling redirection to any internal IP. The NAT rewrites packets, revealing the exploit's success, and the attacker gains direct access to previously hidden services.

Non-malicious usage could give browsers full TCP/UDP socket capability for local protocol communication. The research highlights risks in ALG implementations and browser network stack interactions.