Tunneling TCP traffic

This article will guide you through tunneling TCP traffic over HTTP and ICMP with the help of a few tools.



Tunneling TCP over HTTP and ICMP

In this article, I'll show you how to tunnel TCP packets over HTTP and ICMP. The classic case is when you are at work and the firewall is blocking your access to the mail server.

TCP over HTTP
We will need:
GNU HTTP tunnel [http://www.nocrew.org/software/httptunnel.html]
SSH [http://www.openssh.com]
One PC with the target port open [in our case, port 110]

Why not use GNU HTTP tunnel alone?
In fact, you can tunnel a connection with GHt alone, but there are a few reasons not to:
1. The tunnel is public: anyone can use it.
2. The tunnel is cleartext: the communication is not encrypted.
3. The tunnel is not protected: anyone can tamper with it.
4. You need a new instance of GHt for every new tunnel you want.

Advantages of SSH
1. It supports authentication.
2. It encrypts the data.
3. Integrity: no one can tamper with data in the tunnel.
4. Easy setup: a new tunnel is one command on the client.

//Both tools are available for Linux and Windows.

OK, here is the situation: we have one PC at work behind a Big Bad firewall that blocks our mail client's attempts to connect to the mail server on port 110. [In fact this happens only rarely, because in most companies this port is not blocked.] So the only solution is to send the data through ports that are not blocked. Let's scan: try nmap or any other port scanner. Say we find that port 3128 is not blocked, so we will tunnel all our data through that port. But how? How can data reach port 110 via port 3128? For this, a PC without a blocking firewall does the job: it forwards data arriving on the open port to port 110 on the mail server, acting as a redirector. [If the port is higher than 1024, we won't even need root privileges.]

How to do it?!
Redirector PC [not blocked]
sshd //starts the SSH server
hts --forward-port localhost:22 80 //starts the HTTP tunnel server, listening on port 80 and forwarding to local sshd

Job PC [blocked]
htc --forward-port 900 --proxy <IP Proxy/gateway>:3128 <IP Host PC>:80 //starts the HTTP tunnel client: local port 900 leads through the proxy to hts on the redirector
ssh -L 800:pop3server:110 sshlogin@localhost -p 900 //starts the SSH client through the tunnel and forwards local port 800 to pop3server:110

Then configure your mail client to connect to localhost:800.


Notes
If the proxy requires authorization, add --proxy-authorization login:password to the htc line.
sshlogin is the username for the SSH server on the redirector PC.
You can add more tunnels with ssh -L localport:destinationServer:destinationPort sshlogin@localhost -p 900, where localport is the port on the local machine to which you want to bind destinationServer:destinationPort.

Warning!

This does NOT work for UDP.
This does NOT work for programs acting as servers.
Forwarding can increase your latency (ping).

Tunneling TCP over ICMP
We will need:
PTunnel [http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.61.tar.gz]
A PC that is not firewalled
SSH
Root access on both PCs

Ptunnel features:
Tunnels TCP over ICMP echo request and ICMP echo reply packets
Multiple connections at the same time
Authentication
Speed [150 kb/s down and 50 kb/s up]
How it works: http://nostur.xhosting.cz/pics/obrazek1.png
where Klient is the client and Cil is the target

We will be talking about the proxy, the client and the target. The proxy is the endpoint for our ping packets; the client is the PC at work, and from the client the tunnel leads to, e.g., an HTTP server. To do this, we need to send and receive ping packets. Many OSes can do this with so-called raw sockets. Raw sockets are the preferred mechanism for sending ICMP packets and are used on both the proxy and the client. Unfortunately, using raw sockets requires root privileges; there is a chance to use standard datagram sockets if the OS supports it, but Linux will still need root. The client does all of its communication via ICMP echo request [ping] packets [type 8], and the proxy uses ICMP echo reply packets [type 0].

Protocol
The proxy protocol uses different packet types combined with a sequence number and an ack [acknowledgement] field. A 'magic number' is used to distinguish our ping packets from normal ones. Packet layout without the IP and ICMP headers:
nostur.xhosting.cz/pics/obrazek2.png

State codes:
kProxy_start = 0;
kProto_data = 1;
kProto_ack = 2;
kProto_close = 3;
kProto_authenticate = 4;

ID flags:
kUser_flag = 1 << 30;
kProxy_flag = 1 << 31;

The IP and port fields are used only in packets from client to proxy. They indicate where the client wants the packets redirected [used only once, when the proxy receives a packet with state code kProxy_start]. State codes are used for two things:
First, they indicate what type of message is being received: a command for a new proxy session [kProxy_start], a packet with data to redirect [kProto_data], an acknowledgement of a received packet [kProto_ack], a closing packet [kProto_close], or an authentication request/reply [kProto_authenticate].
Second, they indicate who sent the message: a packet sent by the client has kUser_flag set. This is needed because a ping request makes the target system send its own ping reply, which is identical to the packet sent to the proxy. The ACK and SEQ fields are tightly linked, modelled on TCP's use of ACK: the PTunnel protocol puts the seq number of the previously received packet into the ACK field of every message it sends. The SEQ field is a continuously increasing 16-bit counter that wraps around. If an outgoing packet waits too long for an ACK, ptunnel resends the last packet that was not acknowledged.
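The protocol description above is enough to write a monitor-side decoder. The following is an added example, not code from the article or from ptunnel itself: it parses a ptunnel-style header out of ICMP echo payloads and labels traffic that matches the protocol, using the state codes and ID flags listed above. The state codes and flags come from the article; the magic value, the field order and widths of the header, and the sample packets are assumptions made for the illustration, since the article only shows the layout as an image.

```python
"""Detector for ptunnel-style traffic in ICMP echo payloads (added example, not ptunnel's code).
From the article: the five state codes and the two ID flags.
ASSUMED: the magic value, the header layout, and all sample traffic below."""
import socket
import struct

# State codes (from the article)
K_PROXY_START, K_PROTO_DATA, K_PROTO_ACK, K_PROTO_CLOSE, K_PROTO_AUTHENTICATE = 0, 1, 2, 3, 4
STATE_NAMES = {K_PROXY_START: "kProxy_start", K_PROTO_DATA: "kProto_data",
               K_PROTO_ACK: "kProto_ack", K_PROTO_CLOSE: "kProto_close",
               K_PROTO_AUTHENTICATE: "kProto_authenticate"}

# ID flags (from the article): who sent the packet
K_USER_FLAG = 1 << 30   # client -> proxy, carried in echo requests
K_PROXY_FLAG = 1 << 31  # proxy -> client, carried in echo replies
FLAG_MASK = K_USER_FLAG | K_PROXY_FLAG

# ASSUMED layout: magic, dst_ip, dst_port, state|flags, ack, data_len (u32), then seq, id (u16)
MAGIC = 0x5054554E  # placeholder magic number; a real implementation has its own value
HEADER_FMT = "!IIIIIIHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def encode_packet(dst_ip, dst_port, state, flag, ack, seq, ident, data=b""):
    """Build a tunnel payload: fixed header followed by the tunnelled bytes."""
    ip_int = struct.unpack("!I", socket.inet_aton(dst_ip))[0]
    header = struct.pack(HEADER_FMT, MAGIC, ip_int, dst_port,
                         state | flag, ack, len(data), seq & 0xFFFF, ident)
    return header + data


def decode_packet(payload):
    """Return the header fields as a dict, or None if the payload is not tunnel-shaped."""
    if len(payload) < HEADER_LEN:
        return None
    magic, ip_int, port, state_flags, ack, data_len, seq, ident = struct.unpack(
        HEADER_FMT, payload[:HEADER_LEN])
    state = state_flags & ~FLAG_MASK & 0xFFFFFFFF
    if magic != MAGIC or state not in STATE_NAMES:
        return None
    if data_len != len(payload) - HEADER_LEN:  # the length field must match the payload
        return None
    return {"dst_ip": socket.inet_ntoa(struct.pack("!I", ip_int)), "dst_port": port,
            "state": state, "flags": state_flags & FLAG_MASK, "ack": ack,
            "seq": seq, "id": ident, "data": payload[HEADER_LEN:]}


def classify(icmp_type, payload):
    """Label one ICMP echo packet from a network monitor's point of view."""
    pkt = decode_packet(payload)
    if pkt is None:
        return "benign"
    if pkt["flags"] == K_USER_FLAG:
        # Client traffic. The same bytes inside an echo *reply* are the target host's
        # automatic answer to the request; the article says kUser_flag exists so the
        # proxy's real replies can be told apart from that echo.
        return "tunnel-client" if icmp_type == ICMP_ECHO_REQUEST else "tunnel-client-echoed"
    if pkt["flags"] == K_PROXY_FLAG:
        return "tunnel-proxy"
    return "tunnel-malformed"


def run_detector(packets):
    """packets: iterable of (icmp_type, payload). Returns (index, verdict, state name) per hit."""
    findings = []
    for i, (icmp_type, payload) in enumerate(packets):
        verdict = classify(icmp_type, payload)
        if verdict != "benign":
            findings.append((i, verdict, STATE_NAMES[decode_packet(payload)["state"]]))
    return findings


def sample_packets():
    """Constructed sample traffic (not a real capture): two ordinary pings, then a tunnel session."""
    ordinary_ping = struct.pack("!Q", 1_700_000_000) + bytes(range(0x10, 0x38))  # timestamp + pattern
    session_open = encode_packet("198.51.100.20", 80, K_PROXY_START, K_USER_FLAG, ack=0, seq=1, ident=7)
    data_out = encode_packet("198.51.100.20", 80, K_PROTO_DATA, K_USER_FLAG,
                             ack=0, seq=2, ident=7, data=b"GET / HTTP/1.0\r\n\r\n")
    ack_back = encode_packet("0.0.0.0", 0, K_PROTO_ACK, K_PROXY_FLAG, ack=2, seq=1, ident=7)
    return [(ICMP_ECHO_REQUEST, ordinary_ping),
            (ICMP_ECHO_REPLY, ordinary_ping),
            (ICMP_ECHO_REQUEST, session_open),
            (ICMP_ECHO_REPLY, session_open),   # the target's own echo of the request
            (ICMP_ECHO_REQUEST, data_out),
            (ICMP_ECHO_REPLY, ack_back)]


if __name__ == "__main__":
    for index, verdict, state in run_detector(sample_packets()):
        print(f"packet {index}: {verdict} ({state})")
```

The two ordinary pings fall through as benign because their first four bytes are not the magic value; the four tunnel packets are labelled by direction, and the echoed copy of the client's request shows why the article's kUser_flag is needed. The data_len check is what keeps a payload that merely happens to start with the magic bytes from being reported.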
How to do it!
on client: $ ./ptunnel -p <proxy address> -lp <port to listen on> -da <address of target> -dp <target's port> [-c <interface> -v <verbose mode> -f <logfile path> -u -x <password>]
//*optional settings are wrapped in []*//
on proxy: ./ptunnel [-c -v -f -u -x]
//*same as above*//

Example: sudo ./ptunnel -p proxy.lamaman.ec -lp 1337 -da login.Yomomma.ex -dp 22

Now ssh: ssh -p 1337 localhost [the port given to -lp above]
Now start the proxy: ./ptunnel on the proxy PC

Switches
-u tries to run ptunnel in a non-root environment
-v verbosity

Copyright 2006 Nostur aka Tomas Kroupa
Under the GNU FDL license [it may be copied or used in part, but the author's name must be included]

Comments

Mr_Cheese on March 22 2006 - 21:36:15
Excellent article. By far the best I've seen in a while. Nice work.