4. ICMP TUNNELING
• Begin to analyze the traffic/protocols that are running on your network, and why!
• Main objective:
• Provide an example of how a benign protocol like ICMP can be used for exfiltration of data from your network without detection (encapsulation)
5. START WITH 2 VMS RUNNING KALI
Test by pinging between each
6. SETUP SSHD ON AT LEAST ONE OF THE MACHINES
• This will allow remote login via ssh
• What's SSH? Secure Shell, TCP port 22
• Provides an RSA encrypted communication channel
7. CAPTURE AN SSH LOGIN SESSION BETWEEN THE TWO HOSTS
• Using wireshark on host hans, begin capturing to a file with the -w option
• Then, login to the host from franz.
• BEFORE you do this, you'll need to initialize the sshd daemon on hans
• This is the same process for any new Backtrack install: issue an 'sshd-generate' and it will create a unique key for encrypting the session
8. INSTALL HANS ON BOTH MACHINES
• The source code is on my website.
• wget from http://www.dtcc.edu/~fsciallo/stuff/hans-0.4.4.tar.gz
• If you get a 404, you’ve typed something wrong
• Once downloaded, unpack and compile. Use the resource in Blackboard for tar/gzip if needed
9. BEFORE YOU FIRE IT UP…
• Perform another packet capture of a ping between hans and franz
• We’ll use this for comparison later
10. STARTUP THE TUNNEL
• On hans, startup the tunnel server. This process will listen for connections. Provide an IP for the server, something like 10.1.1.1
• On franz, startup the tunnel client and connect to hans: hans -c 10.1.1.1
• You should be able to ping 10.1.1.1 from franz once the tunnel is setup
• You should also see the connection message on hans the server
11. CAPTURE AN SSH CONNECTION TO HANS AGAIN
• This time, ssh to the tunnel IP address while capturing the packets in tcpdump
• Save your capture to a unique file
• When you open this dump in wireshark, you should see something different
• The connection that should be using TCP port 22 is now using ICMP
12. COMPARE YOUR CAPTURES
• Compare the captures of a ping between the two hosts with the capture of an ssh session over the tunnel
• What’s different?
• How would you identify this traffic?
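A defender's answer to "how would you identify this traffic?", added here as an example and not part of the original lab: a stdlib-only Python audit over constructed IPv4/ICMP packets that flags echo traffic whose payload is not ping's fill pattern, has ciphertext-like entropy, or whose reply does not mirror the request. The 16-byte-timestamp-plus-0x10..0x37 ping layout, the 6.0 bits/byte threshold and the sample packets are assumptions, not values from the page.

```python
import hashlib
import math
import struct
from collections import Counter

def build_icmp(ident, seq, payload, icmp_type=8):
    """Constructed IPv4+ICMP echo packet (checksums zeroed; enough for parsing)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_icmp(pkt):
    """Return (type, id, seq, payload) for an IPv4 ICMP packet, None otherwise."""
    if pkt[9] != 1:                      # IP protocol number 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return icmp_type, ident, seq, pkt[ihl + 8:]

def entropy(data):
    """Shannon entropy in bits per byte; encrypted/compressed data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ping(payload):
    """Assumption: Linux ping's default 56-byte payload is a 16-byte timestamp then 0x10..0x37."""
    return len(payload) == 56 and payload[16:] == bytes(range(16, 56))

def audit(packets, max_entropy=6.0):
    """Group echo traffic by ICMP id and list the reasons each id looks tunnelled."""
    requests, findings = {}, {}
    for icmp_type, ident, seq, payload in filter(None, map(parse_icmp, packets)):
        reasons = findings.setdefault(ident, set())
        if not looks_like_ping(payload):
            reasons.add("payload is not the ping fill pattern")
        if entropy(payload) > max_entropy:
            reasons.add("high-entropy payload")
        if icmp_type == 8:                                   # echo request
            requests[(ident, seq)] = payload
        elif icmp_type == 0 and requests.get((ident, seq), payload) != payload:
            reasons.add("reply payload differs from request")  # a genuine reply mirrors it
    return {ident: sorted(r) for ident, r in findings.items()}

# Constructed sample capture: an ordinary ping exchange (id 0x1234) and a tunnel-like
# exchange (id 0x4242) whose hash-derived payloads stand in for ciphertext.
PING = b"\x00" * 16 + bytes(range(16, 56))
TUNNEL_REQ = b"".join(hashlib.sha256(b"req%d" % i).digest() for i in range(8))
TUNNEL_REP = b"".join(hashlib.sha256(b"rep%d" % i).digest() for i in range(8))
SAMPLE = [build_icmp(0x1234, 1, PING), build_icmp(0x1234, 1, PING, icmp_type=0),
          build_icmp(0x4242, 1, TUNNEL_REQ), build_icmp(0x4242, 1, TUNNEL_REP, icmp_type=0)]
```

Calling `audit(SAMPLE)` returns an empty reason list for id 0x1234 and three reasons for id 0x4242; on a real capture, feed it the raw IPv4 frames from your pcap and look for ids with any reason at all.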
Editor's Notes
TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an intranet or an extranet). When you are set up with direct access to the Internet, your computer is provided with a copy of the TCP/IP program just as every other computer that you may send messages to or get information from also has a copy of TCP/IP. TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol (TCP), manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol (IP), handles the address part of each packet so that it gets to the right destination.
TCP packs, breaks apart and sets up transport while IP addresses and resolves it.
Packets are the basis of information traversing the wire. The protocol dictates the format and data in it.
TCP – data exchange
UDP – data exchange
ICMP – is the host alive? We ask it to reply to our echo request; if the TTL is exhausted, the router will generate and transmit an error. NO DATA.
SNMP
In this activity we'll experiment with a technique used to bypass firewalls.
As you should remember from your networking course, ICMP is one of the internet protocols used to exchange error conditions between nodes on a network. We 'ping' a host to see if it is alive asking it to return a reply to our echo request. If any packet exhausts its TTL, the receiving router will generate the appropriate TTL expired in transit error and this is returned via ICMP to the originating host.
It wasn't designed to carry data (packets are generally small) and no port numbers are assigned to ICMP packets, only a protocol Type. Sounds harmless and useful right?
Think about this situation... have you ever gone to a hotel or public WiFi hotspot and found that internet access isn't [gulp] free? You associate with the open WiFi access point, you have been assigned an IP address via DHCP, you can even perform DNS lookups, but your HTTP requests all return a 'please pay and login' page.
Often, these are configured to intercept most TCP and UDP traffic but ICMP traffic is sometimes permitted. Even a default install of a Comcast cable modem will allow you to 'ping www.yahoo.com' although you won't be able to open any web pages.
Many firewalls are configured to pass ICMP traffic because it's useful to know if a host is up or down when troubleshooting other connection problems.
So... if ICMP traffic is unrestricted, do you think attackers might use it as a means for establishing a covert communication channel? Enter... Hans http://code.gerade.org/hans/ or ICMPTX http://thomer.com/icmptx/ or even ptunnel http://www.cs.uit.no/~daniels/PingTunnel/