ICMP Tunneling using ptunnel-ng
When ICMP traffic is allowed out of a compromised host, we can use this protocol to tunnel SSH traffic, and so exfiltrate data, by encapsulating it in ICMP packets. The ptunnel-ng tool does exactly that: it wraps the SSH traffic inside ICMP packets, so that from a defender's point of view the traffic may look like legitimate ping activity.
Installation
We need the ptunnel-ng tool on both our attacker and target machines. We cloned the git repository on our attacker machine and copied the entire directory to the target machine using scp with the -r flag.
ptunnel-ng server on the target host
Configuring the ptunnel-ng server
We can start the ptunnel-ng server on the target host using the following command:
The command above listens on port 22 for SSH connections. The IP address given after the -r flag is the pivot IP address that our attack box can reach from the outside.
Connecting the client
From our attack box, we ran the following command so that our client connects to the ptunnel-ng server on port 22. Local port 2222 is where the SSH traffic enters the ICMP tunnel.
Connecting to the target using SSH and the ICMP tunnel
From our attack box, we can run the following command to establish an SSH session with the target machine while sending all of the traffic through the ICMP tunnel we just created. The SSH connection is made to port 2222.
As can be seen below, establishing an SSH session with the target works:
Dynamic Port Forwarding
The Ubuntu server (10.129.47.1) has another interface on the 172.16.5.0/23 network, so it can be used as a pivot to reach that subnet.
Port forwarding is also possible over the ICMP tunnel. We can add the -D flag to the SSH command to enable dynamic port forwarding, so that all our traffic is forwarded into the 172.16.5.0/23 network.
Using proxychains with /etc/proxychains.conf configured for port 9050, we were able to scan the Windows target at 172.16.5.19 with all of our traffic going through the ICMP tunnel. We confirmed that port 3389 was open on that Windows system.
Then we used xfreerdp with proxychains to establish an RDP session with the 172.16.5.19 Windows system over the ICMP tunnel.
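From the defender's side, the tunnel described above leaves observable traces: echo requests carrying payloads far larger than a default ping, payloads with ciphertext-like entropy, and a request rate well above normal ping activity. The following Python is an added example, not code from ptunnel-ng or from this write-up: it scores (src, dst) echo-request flows against those three heuristics on constructed sample records, and the record format and thresholds are assumptions for the example.

```python
import hashlib
import math
from collections import defaultdict
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, well below that for ping padding."""
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_tunnel_candidates(records, max_len=128, min_entropy=6.0, max_rate=10.0):
    """Group ICMP echo requests by (src, dst); return {flow: [reasons]} for flows
    that look tunnelled. Thresholds are assumptions: tune them to your baseline."""
    flows = defaultdict(list)
    for r in records:
        if r["type"] == 8:  # echo request; replies mirror the request payload
            flows[(r["src"], r["dst"])].append(r)
    findings = {}
    for key, pkts in flows.items():
        reasons = []
        big = sum(len(p["payload"]) > max_len for p in pkts)
        if big:
            reasons.append(f"{big} payloads larger than {max_len} bytes")
        high = sum(shannon_entropy(p["payload"]) > min_entropy for p in pkts)
        if high:
            reasons.append(f"{high} payloads above {min_entropy} bits/byte of entropy")
        span = max(p["t"] for p in pkts) - min(p["t"] for p in pkts)
        rate = len(pkts) / span if span > 0 else float(len(pkts))
        if rate > max_rate:
            reasons.append(f"{rate:.0f} echo requests/s (baseline limit {max_rate}/s)")
        if reasons:
            findings[key] = reasons
    return findings

def _ciphertext_like(n: int, seed: int) -> bytes:
    # SHA-256 chain standing in for encrypted SSH bytes: deterministic, high entropy
    out, block = bytearray(), seed.to_bytes(4, "big")
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])
# Constructed sample (not a real capture): normal 56-byte Linux-style pings from
# one host (8 timestamp bytes + 0x10,0x11,... padding), a burst of large
# ciphertext-like echo requests from another, both to the same destination.
PING = bytes(8) + bytes(range(0x10, 0x40))
SAMPLE = [{"t": t, "src": "10.10.14.5", "dst": "10.129.47.1", "type": 8, "payload": PING}
          for t in (0.0, 1.0)] + [
    {"t": 2.0 + i * 0.01, "src": "10.10.14.2", "dst": "10.129.47.1", "type": 8,
     "payload": _ciphertext_like(1024, i)} for i in range(40)]
```

On the sample, only the 10.10.14.2 flow is reported, with all three reasons; the plain ping flow from 10.10.14.5 passes every check.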