BNAT (Broken NAT) is namely defined as IP communication that is being improperly nat'd to create an inoperable communication channel. A common example of BNAT is found in asymmetric routing where we (intentionally or unintentionally) create a logical layer 3 loop in a TCP/IP session between a client and a server. This is commonly found in complex routing scenarios or situations where mistakes are "corrected" to make something work without understanding or caring about the actual flow of traffic.

.1 ----SYN-----> .2 (.1 is the client and starts a session w/ a syn to .2)
.1 <--SYN/ACK--- .3 (.3 responds to .1 with the syn/ack)
.1 ----RST-----> .3 (.1 responds to .3 with a RST)

BNAT effectively hides TCP ports from being identified by modern TCP clients and port scanning utilities like NMAP. With the right tools, you can identify ports that would otherwise be considered as closed/filtered which can be converted into legitimate open ports.

DEFCON Skytalks: http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels

BNAT-Scan: http://www.youtube.com/watch?v=8Um1cJswCeM (BNAT-Scan compared to NMAP -sS Scan)

BNAT-Router: http://www.youtube.com/watch?v=C8zv10VHyUg (BNAT-Router handling BNAT'd SSH Session)

BNAT in Metasploit: http://www.youtube.com/watch?v=FS_cg1PVhkI (Using BNAT msf auxmod's to exploit Tomcat)

Metasploit Blog - A Tale From Defcon and the Fun of BNAT

https://community.rapid7.com/community/metasploit/blog/2011/08/26/a-tale-from-defcon-and-the-fun-of-bnat

Spiderlabs Blog - Advanced BNAT in the Wild

http://blog.spiderlabs.com/2011/09/advanced-bnat-broken-network-address-translation-in-the-wild.html

Phocean Blog - BNAT

http://www.phocean.net/2011/09/13/bnat.html

gem install pcaprub packetfu netaddr progressbar
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

git clone https://github.com/claudijd/BNAT-Suite.git

iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

cd /pentest/exploits/framework3/
svn update