Use ICMP tunneling technology for ICMP encapsulation and penetration Firewall

Use ICMP tunneling technology for ICMP encapsulation and penetration Firewall

0x00 icmp Tunneling Technology

ICMP tunneling technology, also known as Ping tunneling technology, we know that the ping protocol is icmp. When the firewall receives a protocol package, it is released by default.

0x01 utilization principle and process

We use the ICMP tunneling technology to hide data through ICMP headers, so that we can transmit data in a bright and upright manner.

Before encapsulation, We can ping or use tracert to determine whether the target network is blocked by icmp protocol.

Using this technology requires stepping stone and clients.

We need to create backdoors on the stepping stone host, and then use the ping tunnel to penetrate various firewalls that do not prohibit icmp.

Remember: this technology is only used for networks with specific structures.

0x02 tunnel implementation

We need to use the ptunnel tool.

Let's create an icmp channel, which will be explained in detail along with the Establishment

1. Ensure that the two hosts are in the same broadcast domain or both are in the Internet status. Bt5 is the server kali as the client

 

2. Start the ptunnel tool on the stepping stone host.

3. Configure on the client:

1. Ptunnel-p 192.168.1.13-lp 2012-da 192.168.1.13-dp 22

-P: The target address of the stepping stone host.

 

-Lp is the local port of localport.

 

-Da: the connection address.

-Dp his port

Note-da can be followed by another host. When we connect to the local port 2012 on the client, the host after-da is connected to 192.168.1.13 by default and encapsulated in icmp and then returned to the client, of course, after-da, it can be any other host.

Here, I only set up the ssh service on 1.13. When there is FW between bt5 kali, we can penetrate the firewall through the ping tunnel.

4. Connect to the local port

1. Ssh-p 2012 127.0.0.1

We can see that the ssh request password has been successfully connected at this time, and the pingtunnel of the two machines has obvious information above. From the terminal in the lower right corner, we can see that the local machine has not enabled the ssh service, therefore, the connection 127.0.0.1 is not a host, but is encapsulated into icmp and returned to kali after port 22 of bt5 connects to the ssh host.

For example, we can use the following command to view the ssh service status

 

1. Service ssh status

0x03FW traversal successful

So far, we have successfully encapsulated icmp and transmitted data across the firewall through the icmp tunnel. Suppose our network is like this:

[GW] ---------- [bt5] ----- (FW) ---- [kali]

(FW: Firewall, GW: Invalid Wey)

Then we need to use the ping tunnel technology.