What kind of attacks against home router's NAT do exist?

There are some good lists of security issues here already. However, I have not seen anyone mention NAT Pinning yet.

Quoted from Samy Kamkar's site on how NAT pinning works:

  1. Attacker lures victim to a URL by convincing them that there are pictures of cute kittens on the page.
  2. Victim clicks on URL and opens the page.
  3. The page has a hidden form connecting to http://attacker.com:6667 (IRC port).
  4. The client (victim) submits the form without knowing. An HTTP connection is created to the (fake) IRC server.
  5. The fake IRC server, run by the attacker, simply listens, unlike me according to former girlfriends.
  6. The form also has a hidden value that sends: "PRIVMSG samy :\1DCC CHAT samy [ip in decimal] [port]\1\n"
  7. Your router, doing you a favor, sees an "IRC connection" (even though your client is speaking in HTTP) and an attempt at a "DCC chat". DCC chats require opening a local port on the client for the remote chatter to connect back to you.
  8. Since the router is blocking all inbound connections, it decides to forward any traffic to the port in the "DCC chat" back to you to allow NAT traversal for the friendly attacker to connect back and "chat" with you. However, the attacker specified the port to be, for example, port 21 (FTP). The router port forwards 21 back to the victim's internal system. The attacker now has a clear route to connect to the victim on port 21 and launch an attack, downloading the victim's highly classified cute kitten pictures.
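As an added illustration of the defensive side of the scenario quoted above (example code written for this answer, not Samy Kamkar's or any router vendor's), the following parses the client-to-server payload an IRC application-layer gateway would inspect on tcp/6667, extracts the DCC CHAT address and port, and flags the two tell-tale signs of NAT pinning: the "IRC" session opening with an HTTP request line, and a DCC request naming a well-known service port such as 21. Both payloads are constructed samples, not real captures; the 1023 cut-off and the "clean request only" pinhole policy are assumptions made here.

```python
import re
from ipaddress import IPv4Address

# Constructed sample (not a real capture) of what an IRC ALG sees in the
# NAT-pinning scenario: a browser form POST to tcp/6667 whose body carries
# a DCC CHAT request asking the router to pinhole port 21 back to the client.
PINNING_PAYLOAD = (
    b"POST / HTTP/1.1\r\n"
    b"Host: attacker.example:6667\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"PRIVMSG samy :\x01DCC CHAT samy 3232235796 21\x01\r\n"
)
# Constructed sample of a genuine IRC client offering a DCC chat on a high port.
LEGIT_PAYLOAD = b"PRIVMSG bob :\x01DCC CHAT chat 3232235796 51234\x01\r\n"

DCC_CHAT_RE = re.compile(rb"\x01DCC CHAT \S+ (\d{1,10}) (\d{1,5})\x01")
HTTP_REQUEST_RE = re.compile(rb"^(?:GET|POST) \S+ HTTP/1\.[01]\r\n")
PRIVILEGED_PORT_MAX = 1023  # assumed policy: never pinhole classic service ports


def parse_dcc_chat(payload: bytes):
    """Return (dotted_ip, port) for the first DCC CHAT request, else None."""
    m = DCC_CHAT_RE.search(payload)
    if not m:
        return None
    ip_int, port = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or not 0 < port < 65536:
        return None  # malformed request: ignore rather than guess
    return str(IPv4Address(ip_int)), port


def nat_pinning_alerts(payload: bytes) -> list:
    """Reasons to treat this client->server payload on tcp/6667 as NAT pinning."""
    alerts = []
    if HTTP_REQUEST_RE.match(payload):
        alerts.append("http-request-on-irc-port")  # a browser, not an IRC client
    dcc = parse_dcc_chat(payload)
    if dcc and dcc[1] <= PRIVILEGED_PORT_MAX:
        alerts.append(f"dcc-chat-requests-service-port-{dcc[1]}")
    return alerts


def alg_may_pinhole(payload: bytes) -> bool:
    """Hardened ALG policy: open the DCC port only for a clean-looking request."""
    return parse_dcc_chat(payload) is not None and not nat_pinning_alerts(payload)
```

Real ALGs work on reassembled TCP streams rather than single payloads, so the same checks would be applied to the first bytes of the session and to every DCC line that follows.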

Assuming your home router is configured to deny all inbound connections, the easiest attacks to gain remote access to the LAN leverage the LAN itself.

  1. Open WiFi: If the LAN is accessible via unsecured WiFi, and the router has a default password, it's trivial to log into the router and enable some inbound ports. Obviously requires physical proximity.

    • Or if you have RJ-45s that a (malicious) visitor could use to get on your LAN, you have the same vulnerability.
    • Or if you let visitors use your computer.
  2. "Drive by pharming" -- trick a user on the LAN into running code (java applet) that logs into the router (again assuming default or easily crackable password) and enables some inbound ports.

  3. If the attacker can MITM your web connection, he could modify pages while you surf to inject the pharming attack listed in #2 to open ports on your router.

  4. For certain vulnerable routers: with access to your LAN -- even if you have a secure admin password configured -- an attacker can use creative hostnames when registering DHCP to poison your DNS cache or possibly inject XSS into the router's admin interface.

  5. Again, for certain vulnerable routers: with access to your LAN an attacker may be able to sniff your authentication session to get the router password.

  6. CSRF attacks: you visit a malicious web page that attempts CSRF to your router's admin area. (For certain vulnerable routers with the default password set, or if you are already authenticated to the router in that browser session.)

  7. CSRF combined with authentication bypass vulnerability. Some routers have bugs in the web admin interface that process unauthenticated requests.

See this paper (web archive) for details on some of the attacks in the list above.

There may be attacks against the router's NAT that cause DoS but not remote access to the LAN. I haven't listed any of these.


NAT on home routers typically allows all outbound connections initiated by the user from the LAN. NAT is typically paired with UPnP to allow users/hosts/services to open required ports outbound as required.

Typically, there is no restriction on initiating outbound connections to make the connection as user-friendly as possible.

If you consider the following factors common to home router deployments:

  • lack of monitoring
  • poor or default configuration (default passwords)
  • users (even technical users will click on
  • poor security of hosts on the LAN (A/V, patching)

An attack which exploits the way NAT works on home routers, rather than a direct attack on NAT itself, is simply a (spear)phishing attack against a user on the LAN.

Example: A packed PDF which the user is likely to click on, and subsequently executes code to call home, will be able to initiate a connection outbound allowing the attacker to utilise the reverse channel to further exploit the LAN host, as required.

Note: This comes from my experience with home routers (Billion, Linksys) running default firmware. If a home user deploys a Cisco 877 or Linksys running custom firmware, additional security controls could be applied.