Monday, November 23, 2009

PingTunnel: Tunnel your TCP traffic through ICMP echo/reply packets or UDP 53 (DNS) packets

So you are at a local coffee shop with your laptop and see an open access point that you want to connect to. You connect to the AP and open up your favorite web browser, only to find that you are presented with a page that asks for a code before you can proceed with your internet cravings. WTF !! Many places such as coffee shops provide you with wireless internet connectivity at a small cost (usually more than the coffee you purchased). You receive a code when you purchase the coupon for wireless access, then you go to your web browser, enter it, and you're good to go. Well, as with almost everything digital, there is most likely a workaround, and in this case there is. Enter the world of protocol tunneling.

The basic idea is to transfer data belonging to one protocol or port number by carrying it inside another protocol (or port number). So, in essence, you can browse the web, which uses port 80, via another port, such as FTP's port 21. Most of the time this involves a proxy (a computer in the middle that does something on your behalf). What's the point of doing this, you might ask? For example, your high school may block internet use (outbound port 80 connections) at its proxy firewall during school hours. That's unfortunate for you, the student, but it's not the end of a long, boring two-hour lecture behind a computer with no internet. Picture this: you want to get from point A to B, through C. That's the idea behind tunneling in a nutshell. We let C do the job for us. The key thing to keep in mind is that when A talks to C, it does so on a port that's allowed, for instance 22, and then C communicates with B on port 80 on A's behalf. That's all there is to the theory of tunneling.
In some cases we may not be so fortunate and have much less to work with. What if all ports appear to be closed, including port 22 from the example above? What do we do then? First, let's do some thinking. If this business offers internet access to the public, something must be open to allow internet connectivity, meaning not everything is blocked. There is an opening somewhere that we need to uncover. There is a built-in Windows tool that helps with this discovery: ping. When you are at the coffee shop and presented with the login/enter-your-code screen, open a command prompt and ping a public address such as www.google.com. If you get replies, and the DNS name resolves to its IP address, then the coffee shop is allowing DNS and ICMP traffic through its gateway. If you haven't guessed it already, let me enlighten you: we can now tunnel our internet traffic (port 80) inside port 53 (DNS) traffic or ICMP traffic (ping echo/reply). From this point onwards you should be breathing a sigh of relief, or nodding your head, just knowing that stuff like this is possible.

PingTunnel (ptunnel)
An app for both Windows and Linux (Mac OS as well, I believe) that lets you tunnel TCP traffic inside the payload of ICMP or DNS packets. It uses a client/server model.

Demo: ICMP tunneling of www.google.com
Server: 10.0.0.1 (Linux)
Client: 10.0.0.2 (Windows)

Server, command: ./ptunnel
Client, command: ptunnel -p 10.0.0.1 -lp 5555 -da www.google.com -dp 80

After these commands have been executed, open a web browser on the client machine and go to http://127.0.0.1:5555. If all went well, you should be presented with the Google homepage. Great success.
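On the defender's side of this, an added example (not part of the original post, and not ptunnel's own code): a small Python parser that reads raw IPv4/ICMP packets and flags source/destination pairs whose echo-request payloads are a non-standard size or vary from packet to packet, the pattern a TCP-over-ICMP tunnel like the demo above leaves behind on the gateway. The packets, addresses and payloads below are constructed to mirror the demo; a real deployment would feed it captured frames.

```python
import socket
import struct
from collections import defaultdict

# Payload sizes a stock OS ping emits: 56 bytes (Linux/macOS), 32 bytes (Windows).
# Assumption: anything else, or a size that changes packet to packet, is worth a look.
NORMAL_PING_SIZES = {56, 32}

def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP, 8-byte ICMP header
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    icmp_type = pkt[ihl]
    payload = pkt[ihl + 8:]            # data after type/code/checksum/id/seq
    return src, dst, icmp_type, payload

def flag_tunnel_candidates(packets, min_echoes=4):
    """Group echo requests (type 8) by (src, dst); flag pairs whose payload
    sizes are non-standard or vary, once enough echoes have been seen."""
    sizes_by_pair = defaultdict(list)
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed and parsed[2] == 8:
            src, dst, _, payload = parsed
            sizes_by_pair[(src, dst)].append(len(payload))
    suspects = []
    for pair, sizes in sizes_by_pair.items():
        odd = [s for s in sizes if s not in NORMAL_PING_SIZES]
        if len(sizes) >= min_echoes and (len(set(sizes)) > 1 or odd):
            suspects.append(pair)
    return sorted(suspects)

def make_echo(src, dst, payload):
    """Constructed IPv4 + ICMP echo request; checksums left zero (parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # type 8, code 0, csum, id, seq
    return ip + icmp + payload

# Constructed sample: five ordinary pings, then four tunnel-style echoes to the proxy.
SAMPLE = ([make_echo("10.0.0.2", "8.8.8.8", b"\x00" * 56)] * 5 +
          [make_echo("10.0.0.2", "10.0.0.1", b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
           make_echo("10.0.0.2", "10.0.0.1", b"\x16\x03\x01" + b"A" * 500),
           make_echo("10.0.0.2", "10.0.0.1", b"\x17\x03\x03" + b"B" * 1200),
           make_echo("10.0.0.2", "10.0.0.1", b"ack" * 3)])

if __name__ == "__main__":
    print(flag_tunnel_candidates(SAMPLE))   # [('10.0.0.2', '10.0.0.1')]
```

The size heuristic is deliberately simple; pairing it with an echo-request rate threshold per host cuts down on false positives from monitoring tools that use custom ping sizes.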
