13 - ICMP Tunneling with SOCKS

# Introduction - ICMP tunneling encapsulates traffic within ICP packets such as echo requests and responses - Only works when FW does not restrict ICMP/ping traffic - `ptunnel-ng` can be used to tunnel between pivot and Kali hosts # Sequence for `ptunnel-ng` forward pivot - Clone `ptunnel-ng` ```bach git clone https://github.com/utoni/ptunnel-ng.git ``` - Build `ptunnel-ng` with `autogen.sh` - `autogen.sh` comes in the root directory of the `ptunnel-ng` repo ```bash sudo ./autogen.sh ``` - Alternative building of `autogen.sh` ```bash sudo apt install automake autoconf -y cd ptunnel-ng/ sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh ./autogen.sh ``` - Transfer `ptunnel-ng` to pivot host with `scp` - Use `-r` flag to move whole repo ```bash scp -r ptunnel-ng/ ubuntu@<external_ip_pivot_host>:~/ ``` - Start `ptunnel-ng` server on pivot host ```bash cd ptunnel-nr/src sudo ./ptunnel-ng -r<external_ip_pivot_host> -R22 ``` - Connect to `ptunnel-ng` server on pivot host from Kali host ```bash ./ptunnel-ng -p<external_ip_pivot_host> -l2222 -r<external_ip_pivot_host> -R22 # -l flag specifies local port on Kali host for connectivity ``` - Tunnel SSH connection through ICMP tunnel - `ptunnel-ng` provides session logs that we can use to confirm that our traffic is passing from client to server utilizing ICMP ```bash ssh -p2222 -lubuntu 127.0.0.1 ``` - Alternative: Enable dynamic port forwarding similar to [[5 - CPTS Notes/8 - Pivoting/2 - Dynamic Port Forwarding with SSH & SOCKS|2 - Dynamic Port Forwarding with SSH & SOCKS]] but through the ICMP tunnel ```bash ssh -D 9050 -p2222 -lubuntu 127.0.0.1 ``` - Now use `proxychains4` to scan the internal subnet ```bash proxychains4 nmap -sV -sT <internal_ip_target> -p3389 ``` # Exercise ## Attempt A - First, clone `ptunnel-ng` repo ![[images/Pasted image 20251023120009.png]] - Second, build `ptunnel-ng` with `autogen.sh` - Errors using `autogen.sh`![[images/Pasted image 20251023120035.png]] - Looks like we need to build `autogen.sh` and run again due to missing `automake` and `autoreconf` tools ![[images/Pasted image 20251023120215.png]] - Third, move `ptunnel-ng` repo to pivot host with `scp` ![[images/Pasted image 20251023120458.png]]![[images/Pasted image 20251023120503.png]] - Fourth, setup `ptunel-ng` server on pivot host ![[images/Pasted image 20251023120927.png]] - Fifth, connect to `ptunel-ng` server Kali host ![[images/Pasted image 20251023120938.png]] - Sixth, setup dynamic port forwarding through the `ptunnel-ng` server ![[images/Pasted image 20251023120950.png]] - Seventh, test connection to downstream Windows target ![[images/Pasted image 20251023121054.png]] - Finally, RDP connection to downstream Windows target - running into issues ![[images/Pasted image 20251023121701.png]] - Don't think `ptunnel-ng` is operating correctly ## Attempt B - Start over - Clone `ptunnel-ng`repo ![[images/Pasted image 20251023122530.png]] - Manually build `autogen.sh` and run ![[images/Pasted image 20251023123301.png]] - Move `ptunnel-ng` to pivot host with `scp` ![[images/Pasted image 20251023122847.png]] - Setup `ptunnel-ng` server on pivot host ![[images/Pasted image 20251023123537.png]] - Connect from Kali host ![[images/Pasted image 20251023124027.png]] - Setup dynamic port forwarding ![[images/Pasted image 20251023124016.png]] - Attempt RDP connection - Still errors ![[images/Pasted image 20251023123957.png]] ## Attempt C - Let's try with an older version of `ptunnel-ng` - Download v1.42 ![[images/Pasted image 20251023124336.png]] - Decompress ![[images/Pasted image 20251023124351.png]] - Manually build `autogen.sh` and run - Major errors ![[images/Pasted image 20251023124653.png]] # Attempt D - Let's reset the target and try again - Clone repo ![[images/Pasted image 20251023130543.png]] - Configure `autogen.ssh` and execute script ![[images/Pasted image 20251023130621.png]] - Move repo to pivot host with `scp` ![[images/Pasted image 20251023130754.png]] - SSH into pivot host ![[images/Pasted image 20251023130837.png]] - Setup `ptunnel-ng` server on pivot host ![[images/Pasted image 20251023130947.png]] - Connect to `ptunnel-ng` server from Kali host ![[images/Pasted image 20251023131035.png]] - Setup dynamic port forwarding through `ptunnel-ng` ![[images/Pasted image 20251023131136.png]] - Test connection to downstream Windows target ![[images/Pasted image 20251023131229.png]] - Attempt RDP connection with `proxychains4` - More errors ![[images/Pasted image 20251023131336.png]]![[images/Pasted image 20251023131345.png]] ## Attempt E - Use `ligolo-ng` - Start proxy on Kali host ![[images/Pasted image 20251023132208.png]] - Move agent to pivot host ![[images/Pasted image 20251023132019.png]]![[images/Pasted image 20251023132026.png]] - Connect to proxy from pivot host ![[images/Pasted image 20251023132224.png]] - Attach to session and autoroute ![[images/Pasted image 20251023132259.png]] - RDP connect into downstream Windows target ![[images/Pasted image 20251023132405.png]] - Thanks again `ligolo-ng` - Kind of went outside the lines of this exercise but `ptunnel-ng` seems busted