Sunday, May 7, 2017

ICMP Covert Channels: pTunnel – the setup

In many organizations, while specific ports are blocked so as to disallow Internet access, ICMP is allowed for troubleshooting purposes. As in, can I ping securitynik.blogspot.com? If successful, then yes I have successful Internet connectivity.

This seemingly simple exercise and its use of the ICMP protocol could instead be used as an opportunity to exfiltrate data or to use ICMP as a covert channel.

In this example, we have “2” (I put the two in brackets because it is actually one host, but we are simulating two) hosts that we are responsible for. One with IP “127.0.0.1” (client)  and the other with “10.0.2.15” (proxy). “127.0.0.1” operates as the pTunnel server and the proxy at “10.0.2.15”.

To ensure we can analyze the traffic so as to perform network forensics, let setup tcpdump to capture the traffic “tcpdump -vnn -I any icmp or tcp port 80 or tcp port 8000 -w pTunnel.pcap”.


With this filter, we will capture ICMP traffic between the client and the proxy and the HTTP traffic between the proxy and the destination we are going to.

Now that let’s setup the ptunnel proxy with “ptunnel -x securityNik -c lo -v 4 -f ptunnel.log”.

-x securityNik – This is the password to ensure only hosts using this password can leverage the tunnel
-c lo – The listening interface of the proxy
-v 4 – The verbosity level
-f ptunnel.log – The log file to write the messages to

Now that we have our proxy setup, let’s look at setting up the client by using “ptunnel -p 127.0.0.1 -lp 8000 -da nba.com -dp 80 -v 4 -f pTunnel-c.log -x securityNik”

-p 127.0.0.1 – Sets the proxy IP
-lp 8000 – The port which will be used by the application
-da nba.com – The designation host we would like to connect to
-dp80 – The destination port on the host we would like to connect to
-v 4 – The verbosity level
-f ptunnel-c.log – The log file to write the messages to

Now that all of this is in place, let’s open a browser and connect to “10.0.2.15:8000”. If all goes well, this should open up “nba.com”



Looks like all went well.

Covert channels are obviously a big concern for most organizations. However, detecting some of these activities can prove difficult without proper baselines or knowing what normal vs abnormal looks like.

If we look at the ptunnel proxy log, we see the following as part of the setup process …


… and here we see from the client perspective


In the next post, we will look at analyzing this from the network forensics (packet analysis) perspective.

References:
Ping Tunnel
Ping Tunnel Manpage
Firewall Evasion with ICMP (Ping Tunnel)

No comments:

Post a Comment