[olug] Tunneling Over ICMP packets with PingTunnel

Rob Townley rob.townley at gmail.com
Tue Jan 30 04:11:41 UTC 2007


Interesting and Scary stuff.  PingTunnel allows you to tunnel over ICMP
packets when UDP and TCP are turned off.

http://www.cs.uit.no/~daniels/PingTunnel/


---------- Forwarded message ----------
From: Rob Townley <rob.townley at gmail.com>
Date: Jan 29, 2007 10:05 PM
Subject: Re: [Hardhats] Re: Networking question: turning on PING...
To: Hardhats at googlegroups.com


Thanks for confirming my paranoia about ICMP!   Now I will really not
sleep at night.  Well I don't sleep at night anyway, but that is another
story.

1.) True ping is done at the ICMP layer, but there is such a thing as
a UDP Ping and TCP ping.   We'll assume you are using ICMP ping.
Ethereal would provide proof however.

2.) The term "DMZ" has different meanings when it comes to consumer
firewalls vs. corporate firewalls.  With a Linksys Router / Firewall,
the packets have to go through the router to reach the DMZ.  In a
large corporate setting, the term DMZ means literally outside the
firewall on the internet side.

3.) It appears here you are talking about a Linksys consumer class
type DMZ.   Most of these types of firewalls have a configuration to
respond to pings from the outside. Of course, this has to be on.

4.) Some firewalls have a "loopback" option that would explain why you
can ping from the inside windows box to the external IP and then back
to the Linux box.  The ICMP never crossed to the outside of the
router.

Can you run Ethereal on your Linux box?

If you can run an alternative firmware on the firewall such as
dd-wrt.com, you have a great deal more options.  There is a good
chance you could run ptunnel directly on the firewall with dd-wrt.
Then your Linux box could go back inside.

This is scary stuff, but at least they have you set up SSH first over
the ptunnel.

On 1/29/07, kdtop3 at gmail.com <kdtop3 at gmail.com> wrote:
>
> Greg,
>
> Would you suspect that a hardware firewall would not forward ICMP
> packets to a DMZ server?  And is the Ping handler something that is
> handled by an application, or is it an integral part of the stack that one
> can not turn on and off at will?
>
> Thanks
> Kevin
>
>
>
>
> On Jan 29, 1:09 pm, gregory.woodho... at sbcglobal.net wrote:
> > ICMP (or Internet Control Message Protocol) is actually considered a
> > layer 3 protocol (same layer as IP, not TCP or UDP), but that's a trivial
> > point.
> >
> > Ping works by sending an ICMP echo request, and these packets are
> > allowed to have a payload (see, for example, the -s flag in the man page for
> > ping). So yes, in principle, I suppose you could use echo requests to
> > communicate with a host behind a firewall. This is just my opinion, but
> > disabling every protocol or message type that could potentially be misused
> > isn't really feasible because you'll soon end up with a non-functional
> > network connection. An alternative would be to scan echo requests for
> > suspicious payloads or activity patterns.
> >
> > ===
> > Gregory Woodhouse
> >
> > "Mathematics is the science of patterns."
> > --Lynn Arthur Steen, 1988
> >
> > ----- Original Message ----
> > From: "kdt... at gmail.com" <kdt... at gmail.com>
> > To: Hardhats <Hardhats at googlegroups.com>
> > Sent: Monday, January 29, 2007 9:46:34 AM
> > Subject: [Hardhats] Networking question: turning on PING...
> >
> > I have a networking question.  I am wanting to get ptunnel working.
> > See here: http://www.cs.uit.no/~daniels/PingTunnel/
> > In short, it is a method of sometimes getting around firewalls that
> > block outgoing traffic.  It tunnels information in the ping packets
> > back to one's home server.  Often a ping can get out when nothing else
> > can...
> >
> > I have done some research and found that ping signals are not TCP nor
> > UDP and thus do not use "ports".  It apparently uses ICMP, which I
> > think is at same level in the network stack as TCP/UDP.  As such, I
> > can not use port forwarding from my server firewall.  Instead, I had
> > to specify my server as the DMZ (i.e. default) server for all
> > unexpected incoming traffic.
> >
> > Now, when I set up my linux server, I specified "server" settings, and
> > as such the default configuration was to have almost everything locked
> > down.  I have done some port scans and found that the port for
> > handling email was open.  I closed that.  And portmapper (used for
> > linux RPCs) was open, and I closed that too as I did not need to do
> > any NFS etc.  So the only port I have open is SSH, and it is patched
> > up to the latest version and uses secure passwords.
> >
> > My problem is that my server is not responding to pings.  I know that
> > normally this is a good thing because it is better to not announce
> > one's presence to the open internet.  But I will need to enable it for
> > this ptunnel to work.
> >
> > I have looked in my iptables, and there is nothing there that would
> > specify for dropping icmp traffic.
> >
> > So my question is, what is the mechanism for responding to a ping?
> > With other network communication, I think that applications "open a
> > port", i.e. register for handling incoming traffic on that channel/
> > port.  But who handles these ICMP packets?  I have looked in the
> > "services" GUI that specifies all the daemons the linux runs, and I
> > can't see anything about ping handling.
> >
> > I should mention that ping IS working in some situations, but not
> > others.
> > --from the linux server, ping localhost gets a response.
> > --If I ping from a windows machine on my local network at work, using
> > its local IP address, then I get a ping response.
> > --And when I ping our external IP address from this same windows
> > machine, I also get a response.
> > --But when I did a ping from home, I got no response.  It timed out.
> > I tried this from my mac and from a windows machine on my network at
> > home.
> > --When I run a server scan from the "Shield's Up" website
> > (https://www.grc.com/x/ne.dll?bh0bkyd2), scanning for "common ports", it
> > indicates that attempts to ping my system failed to return a response
> > (to them, a good thing).
> >
> > I did a traceroute from home, and the IP addresses given for the
> > packet paths ended at my external IP address--which to me means that
> > the packets were getting to my server's address.
> >
> > This makes me think that iptables is the problem.  But I just looked
> > again, and that's clean.
> >
> > So why does this not respond to some pings and not others?  And how
> > can I get ping to respond to computers on the internet?
> >
> > Thanks
> > Kevin
>
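Greg's suggestion in the thread, scanning echo requests for suspicious payloads rather than blocking ICMP outright, as an added Python example that is not from the thread or from PingTunnel: it parses bare ICMP echo requests (no IP header), verifies the RFC 1071 checksum, and flags payloads that do not look like the fixed filler stock ping tools send. The sample packets are constructed here, and the "stock ping" patterns, the 64-byte size limit and the entropy threshold are my assumptions, not values from the page.

```python
import math
import struct
from collections import Counter

WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte payload of Windows ping (assumed)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header plus payload, checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a bare ICMP echo request (type 8, code 0); used here only to build samples."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload

def looks_like_linux_ping(payload: bytes) -> bool:
    """Linux ping sends a timestamp followed by filler bytes that count up by one (assumed)."""
    tail = payload[16:]
    return len(tail) >= 8 and all((tail[i + 1] - tail[i]) % 256 == 1 for i in range(len(tail) - 1))

def shannon_entropy(data: bytes) -> float:
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def inspect_echo(packet: bytes) -> list:
    """Reasons an echo request looks tunnel-like; an empty list means it looks like a stock ping."""
    if len(packet) < 8:
        return ["truncated ICMP header"]
    ptype, code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if (ptype, code) != (8, 0):
        return []  # only echo requests are inspected here
    reasons = []
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        reasons.append("bad checksum")
    payload = packet[8:]
    if payload == WINDOWS_PAYLOAD or looks_like_linux_ping(payload):
        return reasons
    reasons.append("payload is not a stock ping pattern")
    if len(payload) > 64:
        reasons.append("payload length %d exceeds typical ping size" % len(payload))
    if payload and shannon_entropy(payload) > 6.0:  # threshold is an assumption
        reasons.append("high-entropy payload")
    return reasons
# Constructed samples: a default-size Linux ping, and a carrier filled with a deterministic high-entropy stand-in for encrypted tunnel data.
LINUX_PING = build_echo_request(0x1234, 1, bytes(16) + bytes(range(0x10, 0x38)))
TUNNEL_LIKE = build_echo_request(0x1234, 2, bytes((i * 37 + 11) % 256 for i in range(200)))
```

Fed with echo requests captured from a sniffer such as Ethereal, `inspect_echo` gives a per-packet verdict; volume and timing of requests per identifier would be the next signal to add.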
