# samyk on GitHub - pwnat (Highlights)

![rw-book-cover|256](https://opengraph.githubassets.com/e8b2be85aaf84f3fb33bafc2ee7d94763e3e0a04b26545d5f0b53276ad196e2f/samyk/pwnat)

## Metadata

**Review**:: [readwise.io](https://readwise.io/bookreview/26738560)
**Source**:: #from/readwise
**Zettel**:: #zettel/fleeting
**Status**:: #x
**Authors**:: [[samyk on GitHub]]
**Full Title**:: pwnat
**Category**:: #articles #readwise/articles
**Category Icon**:: 📰
**URL**:: [github.com](https://github.com/samyk/pwnat)
**Host**:: [[github.com]]
**Highlighted**:: [[2023-04-22]]
**Created**:: [[2023-04-24]]

## Highlights

- Specifically, when the server starts up, it begins sending fixed ICMP echo request packets to the fixed address 3.3.3.3. We expect that these packets won't be returned. ([View Highlight](https://read.readwise.io/read/01gynmqmb825zz6m6naay8k2hp)) ^513330004
- Now, 3.3.3.3 is *not* a host we have any access to, nor will we end up spoofing it. Instead, when a client wants to connect, the client (which knows the server IP address) sends an ICMP Time Exceeded packet to the server. The ICMP packet includes the "original" fixed packet that the server was sending to 3.3.3.3. ([View Highlight](https://read.readwise.io/read/01gynmr44sg134f5agayv0qjzm)) ^513331032
- Well, we're pretending to be a hop on the Internet, politely telling the server that its original "ICMP echo request" packet couldn't be delivered. Your NAT, being the gapingly open device it is, is nice enough to notice that the packet *inside* the ICMP time exceeded packet matches the packet the server sent out. It then forwards the ICMP time exceeded back to the server behind the NAT, *including* the full IP header from the client, thus allowing the server to know what the client IP address is! ([View Highlight](https://read.readwise.io/read/01gynmrhzxkgrpbjycysxnbyzb)) ^513331613
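The exchange the three highlights describe, as an added example that is not part of this note or of pwnat's own code. It builds the server's fixed echo request to 3.3.3.3, the client's forged ICMP Time Exceeded quoting that request, and a toy NAT that admits the error only because the quoted packet matches a flow it saw leave. Everything not stated on the page is an assumption: the probe's ICMP identifier, sequence and payload (`PROBE_ID`, `PROBE_SEQ`, `PROBE_PAYLOAD`), the RFC 5737 documentation addresses, and a NAT that keys its flow table on (source, destination, protocol, ICMP id) without rewriting the id on the way out.

```python
"""Added example, not pwnat's code: the packets behind the hole punch described above.
Assumed (not from the page): the probe's ICMP id/seq/payload, the RFC 5737 addresses,
and a NAT keying its flow table on (src, dst, proto, ICMP id) without rewriting the id."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

ICMP_PROTO, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 1, 8, 11
PROBE_DST = "3.3.3.3"            # from the page: a host nobody needs to reach
PROBE_ID, PROBE_SEQ = 0x5A5A, 1  # assumed fixed values
PROBE_PAYLOAD = b"pwnat!!!"      # assumed; an ICMP error quotes only 8 payload bytes anyway


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over an already checksummed packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ip(pkt: bytes) -> Tuple[str, str, int]:
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), pkt[9]


def icmp_packet(typ: int, code: int, rest: int, body: bytes) -> bytes:
    """type, code, checksum, then the 4-byte 'rest of header' (id+seq for echo, unused for errors)."""
    raw = struct.pack("!BBHI", typ, code, 0, rest) + body
    return struct.pack("!BBHI", typ, code, checksum(raw), rest) + body


def server_probe(server_ip: str) -> bytes:
    """Step 1: the fixed echo request the server keeps sending to 3.3.3.3."""
    icmp = icmp_packet(ICMP_ECHO_REQUEST, 0, (PROBE_ID << 16) | PROBE_SEQ, PROBE_PAYLOAD)
    return ipv4_header(server_ip, PROBE_DST, ICMP_PROTO, len(icmp)) + icmp


def client_time_exceeded(client_ip: str, server_public_ip: str) -> bytes:
    """Step 2: the client plays router. RFC 792 quotes the offending IP header plus 8 bytes
    of payload; the quote must show the probe as it left the NAT (public source address)."""
    quoted = server_probe(server_public_ip)[:28]
    icmp = icmp_packet(ICMP_TIME_EXCEEDED, 0, 0, quoted)
    return ipv4_header(client_ip, server_public_ip, ICMP_PROTO, len(icmp)) + icmp


class Nat:
    """Minimal NAT: SNAT outbound ICMP and admit inbound ICMP errors whose quote matches a flow."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.flows: Dict[Tuple[str, str, int, int], str] = {}

    def outbound(self, pkt: bytes) -> bytes:
        src, dst, proto = parse_ip(pkt)
        icmp_id = struct.unpack("!H", pkt[24:26])[0]
        self.flows[(self.public_ip, dst, proto, icmp_id)] = src
        return ipv4_header(self.public_ip, dst, proto, len(pkt) - 20) + pkt[20:]

    def inbound(self, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        """Step 3: (internal host, translated packet) if the quoted packet matches, else None."""
        src, dst, proto = parse_ip(pkt)
        if proto != ICMP_PROTO or dst != self.public_ip or pkt[20] != ICMP_TIME_EXCEEDED:
            return None
        inner = pkt[28:]
        if len(inner) < 28:
            return None
        isrc, idst, iproto = parse_ip(inner)
        host = self.flows.get((isrc, idst, iproto, struct.unpack("!H", inner[24:26])[0]))
        if host is None:
            return None
        # Un-translate the quote; the outer source (the client's real IP) is passed through.
        inner = ipv4_header(host, idst, iproto, len(inner) - 20) + inner[20:]
        icmp = icmp_packet(ICMP_TIME_EXCEEDED, pkt[21], struct.unpack("!I", pkt[24:28])[0], inner)
        return host, ipv4_header(src, host, ICMP_PROTO, len(icmp)) + icmp


def server_learn_client(pkt: bytes) -> Optional[str]:
    """Step 4: the server checks the quote is its own probe and reads the outer source."""
    src, _, proto = parse_ip(pkt)
    if proto != ICMP_PROTO or pkt[20] != ICMP_TIME_EXCEEDED or len(pkt) < 56:
        return None
    _, idst, iproto = parse_ip(pkt[28:])
    ident, seq = struct.unpack("!HH", pkt[52:56])
    if (idst, iproto, ident, seq) != (PROBE_DST, ICMP_PROTO, PROBE_ID, PROBE_SEQ):
        return None
    return src


def punch(server_private: str = "192.168.1.10", nat_public: str = "203.0.113.5",
          client: str = "198.51.100.7") -> Optional[str]:
    """Run the exchange end to end; returns the client IP the server learned, or None."""
    nat = Nat(nat_public)
    nat.outbound(server_probe(server_private))  # probe leaves; flow state now exists
    hit = nat.inbound(client_time_exceeded(client, nat_public))
    return server_learn_client(hit[1]) if hit else None
```

`punch()` returns the client's address because the NAT's only admission check is whether the quoted packet matches a flow it created; it never asks whether the error's outer source is a plausible hop on the path to 3.3.3.3, which is the "gapingly open" behaviour the third highlight describes. Real NATs differ in what they compare (some rewrite the ICMP query id, some also check the quoted checksum or length), so the client must reproduce whatever fields the target NAT looks at; the toy table above is the assumed, simplest case.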