
Tunneling TCP traffic



By ghostghost | 6900 Reads |

Tunneling TCP over HTTP, ICMP,

In this article, I'll show you how to tunnel TCP packets over HTTP and ICMP. The classic case is when you are at work and the firewall is blocking your access to the mail server.

TCP over HTTP

We will need:
- GNU HTTP tunnel [http://www.nocrew.org/software/httptunnel.html]
- SSH [http://www.openssh.com]
- One PC with the target port open [in our case, port 110]

Why not use GNU HTTP tunnel alone? In fact, you can tunnel the connection with GHt alone, but there are a few reasons not to:
1. The tunnel is public; anyone can use it.
2. The tunnel is cleartext; the communication is not encrypted.
3. The tunnel is not secured; anyone can change it.
4. You will need a new instance of GHt for every new tunnel you want.

Advantages of SSH
1. It can use authentication.
2. It encrypts the data.
3. Integrity: no one will be able to play with the data in the tunnel.
4. Easy setup: a new instance of SSH can be run with one command on the client.

//Both of these tools are distributed for Linux and Windows.

OK, here is the situation: we have one PC at work, which is behind a Big Bad firewall that blocks our attempts to connect with a mail client to the mail server on port 110. [In fact, this will happen only rarely, because in most companies this port is not blocked.] So the only solution is to send the data through ports that are not blocked. OK, let's scan it; try nmap or any other port scanner. OK, we found that port 3128 is not blocked, so we will tunnel all data through this port. But how? How is it possible to send data to port 110 via port 3128? For this, a PC without a blocking firewall will do a good job: it will forward data from port 3128 to port 110 on the mail server. It will work as a redirector. [If the port is higher than 1024, we won't even need root privileges.]

How to do it?!

Redirector PC [not blocked]
    sshd    //starts ssh server
    hts --forward-port localhost:22 80    //starts HTTP tunnel server

Job PC [blocked]
    htc --forward-port 900 --proxy <IP Proxy/gateway>:3128 <IP Host PC:800>    //starts HTTP tunnel client
    ssh -L 800:pop3server:110 sshlogin@localhost -p 900    //starts ssh client

Then configure your mail client to connect to localhost:800.

Notes
- If the proxy requires authorization, add --proxy-authorization login:password to the htc line.
- Sshlogin is the username for the ssh server on the Redirector PC.
- You can add more tunnels with ssh -L localport:destinationServer:destinationPort sshlogin@localhost -p 900, where localport is the port on the local machine to which you want to bind destinationServer:destinationPort.

Warning!

- This does NOT work for UDP.
- This does NOT work for programs acting as a server.
- Forwarding can raise your ping.

Tunneling TCP over ICMP

We will need:
- PTunnel [http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.61.tar.gz]
- A PC that is not firewalled
- SSH
- Root access on both PCs

Ptunnel functions:
- Tunneling TCP with ICMP echo and ICMP reply packets
- Multiple connections at one time
- Authentication
- Speed [150 kb/s down and 50 kb/s up]

How it works: http://nostur.xhosting.cz/pics/obrazek1.png where Klient is the client, and Cil is the target.

We will be talking about a proxy, a client and a target. The proxy is the end point for our ping packets and the client is the PC at work; from the client the tunnel will lead to the target, e.g. an HTTP server. To do this, we need to send and receive ping packets. Many operating systems can do this with so-called raw sockets. A raw socket is the preferred mechanism for sending ICMP packets, and will be used on both the proxy and the client. Unfortunately, raw sockets require root privileges. Standard datagram sockets can be used instead if the OS supports them, but Linux will still need root privileges. The client does all of its communication via ICMP echo request [ping] packets [type 8], and the proxy uses ICMP echo reply packets [type 0].

Protocol

The proxy protocol uses different packet types combined with sequence number and ack [acknowledgement] fields. A 'magic number' is used to differentiate our ping packets from normal ones. Packet format without the IP and ICMP headers: nostur.xhosting.cz/pics/obrazek2.png

State codes:
    kProxy_start = 0;
    kProto_data = 1;
    kProto_ack = 2;
    kProto_close = 3;
    kProto_authenticate = 4;

ID flags:
    kUser_flag = 1 << 30;
    kProxy_flag = 1 << 31;

The IP and port fields are used only in packets from client to proxy. They indicate where the client wants these packets redirected [used only once, when the proxy receives a packet with state code kProxy_start].

State codes are used for two things. First, they indicate what type of message is being received: a command for a new proxy session [kProxy_start], a packet with data for redirecting [kProto_data], an acknowledgement of a received packet [kProto_ack], a closing packet [kProto_close] or an authentication request/reply [kProto_authenticate]. Second, they indicate who the message came from: a packet sent by the client will have kUser_flag set. This is needed because a ping request makes the receiving system send its own ping reply, which is identical to the packet sent to the proxy.

The ACK and SEQ fields are tightly linked and modelled on TCP's use of ACK: the PTunnel protocol puts the seq number of the previously received packet into the ACK field of every message it sends. The SEQ field is a continuously increasing 16-bit counter that wraps around. If an outgoing packet waits too long for its ACK, ptunnel will try to resend the last packet that was not followed by an ACK.

How to do it!

On client:
    $ ./ptunnel -p <proxy address> -lp <local port> -da <destination address> -dp <target's port> [-c -v -f -u -x ]    //optional settings are wrapped in []

On proxy:
    ./ptunnel [-c -v -f -u -x]    //same as above

Example:
    sudo ./ptunnel -p proxy.lamaman.ec -lp 1337 -da login.Yomomma.ex -dp 22

Now ssh:
    ssh -p 1337 localhost

Now start the proxy:
    ./ptunnel    //on proxy PC

Switches
    -u tries to run ptunnel in a non-root environment
    -v verbosity
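
Added example (not part of the original article and not PTunnel's own code): a small Python decoder that applies the state codes, ID flags and 16-bit SEQ wrap-around described above to ICMP payloads, the way a monitoring tool would to tell tunnel packets from ordinary pings. The header field order and the MAGIC value are assumptions made for the sample, since the article's packet diagram is only linked as an image.

```python
import struct

# From the article: state codes and ID flags.
STATE_NAMES = {0: "kProxy_start", 1: "kProto_data", 2: "kProto_ack",
               3: "kProto_close", 4: "kProto_authenticate"}
K_USER_FLAG = 1 << 30
K_PROXY_FLAG = 1 << 31

# Assumptions, not from the article: magic value (constructed placeholder)
# and field order: magic, ip, port, state, ack, data_len, seq, id.
MAGIC = 0x50544E4C
HEADER = struct.Struct("!IIIIIIHH")

def build(code, flag, seq, ack, data=b"", ip=0, port=0, ident=1):
    """Build a constructed sample payload (what follows the ICMP header)."""
    return HEADER.pack(MAGIC, ip, port, code | flag, ack, len(data), seq, ident) + data

def next_seq(seq):
    """SEQ is a 16-bit counter that wraps around."""
    return (seq + 1) & 0xFFFF

def classify(icmp_type, payload):
    """Label one ICMP echo request (type 8) or echo reply (type 0) payload."""
    if len(payload) < HEADER.size:
        return "ordinary ping"
    magic, _ip, _port, state, ack, _len, seq, _id = HEADER.unpack_from(payload)
    if magic != MAGIC:
        return "ordinary ping"
    name = STATE_NAMES.get(state & ~(K_USER_FLAG | K_PROXY_FLAG), "unknown")
    if state & K_USER_FLAG and icmp_type == 0:
        # The OS answered the client's echo request by itself; same payload.
        return "automatic echo of a client packet"
    sender = ("client" if state & K_USER_FLAG
              else "proxy" if state & K_PROXY_FLAG else "unflagged")
    return f"tunnel {name} from {sender} seq={seq} ack={ack}"

def tunnel_share(capture):
    """Fraction of (icmp_type, payload) records that are not ordinary pings."""
    hits = sum(classify(t, p) != "ordinary ping" for t, p in capture)
    return hits / len(capture)

# Constructed capture: one normal ping, then a short tunnel exchange.
data_pkt = build(1, K_USER_FLAG, seq=65535, ack=7, data=b"USER bob\r\n")
CAPTURE = [(8, b"abcdefghijklmnopqrstuvwabcdefghi" * 2),
           (8, data_pkt), (0, data_pkt),
           (0, build(2, K_PROXY_FLAG, seq=8, ack=65535))]

if __name__ == "__main__":
    for icmp_type, payload in CAPTURE:
        print(icmp_type, classify(icmp_type, payload))
    print("tunnel share:", tunnel_share(CAPTURE))
```

Set MAGIC and the header layout to match the ptunnel build you are inspecting before using the decoder on real captures.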

Copyright 2006 Nostur aka Tomas Kroupa Under Gnu/FDL license [can be copied or used part of it, but authors name must be included]

Comments
Mr_Cheese 18 years ago

Excellent article. By far the best I've seen in a while. Nice work.