Firewall Evasion with ICMP (PingTunnel)
Most networks today use some form of network-based access control to permit certain traffic and deny the rest. Since the inception of firewalls and web filters, users (and malware) working behind them have strived to bypass those controls in order to do whatever it is they want to do.
For those who are more visual, here is a video walkthrough of the following.
Tunneling is a very common and effective way to bypass access control systems. Tunneling techniques can be used to bypass firewalls, Network Intrusion Prevention Systems, Web Security Gateways, and WiFi sign-in pages.
Tunneling to bypass security is achieved by encapsulating a denied type of traffic inside a permitted type of traffic. Because there are many ways to identify other protocols tunneled within HTTP, I decided to dig deeper into another protocol that is used for troubleshooting and is therefore also typically permitted: ICMP. Ping in particular sends an ICMP echo-request to ask whether a host is alive on the network and expects an echo-reply in response; the data field of both messages is free-form, which is what makes it usable as a carrier.
For this edition we will use a tool called PingTunnel, or ptunnel. PingTunnel works in a client/server model: the same binary is used on both ends, and the server side is what ptunnel's own documentation calls the proxy (hence the -p option below).
Requirements:
- Get the software and build it on your platforms. The documentation on the developer's website is great: http://www.cs.uit.no/~daniels/PingTunnel/. Note that ptunnel sends and receives raw ICMP, so it has to run as root on both ends.
- A system on the Internet that accepts ping and that you also have administrative access to. This becomes the PingTunnel server. The easiest solution here is to use a computer in your home network, in which case you will also need a rule on your modem/router/firewall that forwards ICMP echo requests arriving on the WAN address to that host. There are lots of tutorials on how to do this, but be aware that not every consumer router can forward ICMP to an internal host, since ordinary port forwarding only covers TCP and UDP. Otherwise a VPS will also work, but you will need to pay for that. I guess it depends on how serious you are about bypassing the security control.
- Patience. Tunneling HTTP in ICMP is not super fast.
Ptunnel Server
On the ptunnel server you can run ptunnel without any additional options. -v 4 increases the logging verbosity, which is good for troubleshooting, and -x sets a password that clients must present; without it, anyone who can ping the server can relay through it:
ptunnel -v 4 -x <password>
There are a few ways that you can use the tool to browse websites.
Local HTTP Proxy
In this configuration ptunnel opens a listening TCP port on the client device.
Whatever you send to that port goes over the ICMP tunnel to the ptunnel server, which then makes the TCP connection to the target website on your behalf.
This is a plain port forward rather than an HTTP proxy: you still specify the target website in the ptunnel command, so the limitation is that you need to restart ptunnel with a different destination address for every site you want to get to.
ptunnel -p <ptunnel server IP> -lp <local port to open> -da <target website hostname or IP> -dp <open port on website>
So my command looked like this;
ptunnel -p 192.168.55.146 -lp 8080 -da www.thepiratebay.se -dp 80
From there open a browser and browse to http://localhost:8080. This should load www.thepiratebay.se in this example. One caveat: the browser sends a Host header of localhost:8080, so a site that relies on name-based virtual hosting may not serve the expected page this way; the two proxy configurations below avoid that.
Remote HTTP Proxy
In this configuration you chain an HTTP proxy behind the ptunnel server.
Traffic goes from your client to the ptunnel server over ICMP, and the ptunnel server forwards it to the HTTP proxy specified after -da. The proxy can be one that you set up on the ptunnel server or an open one you find; bear in mind that an open proxy you do not control sees all of your browsing traffic.
The ptunnel server sends the request to the HTTP proxy, and the HTTP proxy makes the requests to the target website. The HTTP proxy can be running on the same host as the ptunnel server.
The benefit is that you can set everything up once and browse any website that the HTTP proxy can get to.
ptunnel -p <ptunnel server IP> -lp <local port to open> -da <HTTP proxy server IP> -dp <HTTP proxy server port>
The other setup you will need to do is change your browser's proxy settings to localhost on the port you specified with -lp.
So my command looked like this;
ptunnel -p 192.168.55.146 -lp 8080 -da 192.168.55.146 -dp 3128
Then switch your browser to use localhost as its HTTP proxy on port 8080 (3128 in the example above is Squid's default port).
SSH SOCKS Proxy
Similar to the way you can chain through an HTTP proxy, SSH can act as a SOCKS proxy with its -D option.
The traffic will appear to be ICMP from the client to the ptunnel server; inside it, the HTTP requests are encrypted in an SSH session, and finally the SSH server makes the requests to the target website. The SSH server can be running on the same host as the ptunnel server, which is what -da localhost means here: the destination address is resolved on the ptunnel server, not on the client.
The other setup you will need to do is change your browser's proxy settings to localhost on the port you specified with -D in the ssh command (not the -lp port, which ssh itself connects to).
ptunnel -p <ptunnel server IP> -lp <local port to open> -da localhost -dp <SSH server port>
then…
ssh -p 8080 -C -D 8081 <username>@localhost
So my commands looked like this;
ptunnel -p 192.168.55.146 -lp 8080 -da localhost -dp 22
ssh -p 8080 -C -D 8081 remnux@localhost
Then switch your browser to use localhost as its SOCKS proxy on port 8081. Because ssh is connecting to localhost:8080, it will record the host key under that name and prompt you on first use; verify the fingerprint against the server out of band before accepting it.
Caveats:
- As stated earlier, it is not super fast. If you are trying to load pages with lots of content they will likely time out.
- Getting SSL to work was very rare in my environment, even over the proxies.
- On a Linux ptunnel server you may need to stop the kernel from answering echo requests itself, so that ptunnel's replies are the only ones the client sees (the /proc path below is Linux-specific). Note that this also stops the host from answering ordinary pings:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The security appliance I am using was configured to permit the traffic and log it for demonstration purposes. As you can see from the screenshot below, it does differentiate between regular ping and ping tunnel. If this were in a production environment with a positive security policy that allows ping, the ping tunnel would not have been allowed, and therefore the traffic would have been prevented.
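The appliance's distinction between regular ping and ping tunnel above, and the echo-request/echo-reply encapsulation described in the introduction, as an added example that is not code from the original post or from ptunnel: it builds ICMP echo packets carrying arbitrary data and then pairs requests with replies to flag what a normal ping never does. Assumptions: the input is raw IPv4+ICMP bytes as a packet capture would hand them over; the constant PTUNNEL_MAGIC and the ptunnel header layout are quoted from memory of ptunnel.h and should be verified against the source before being used as a signature; all packets are constructed inline, not captured from a real tunnel.

```python
"""Added example (not code from the post or from ptunnel): ICMP echo as a carrier
for arbitrary data, plus a detector that pairs requests with replies and flags
what a real ping never does. Assumes raw IPv4+ICMP bytes as input; PTUNNEL_MAGIC
and the header layout are recalled from ptunnel.h and must be verified against
the source before use as a signature; every packet below is constructed inline."""
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
PTUNNEL_MAGIC = 0xD5200880   # assumption: kPing_tunnel_magic from ptunnel.h
MAX_NORMAL_PAYLOAD = 64      # tunable; default ping bodies are 56 (Linux) / 32 (Windows)
WINDOWS_PING_BODY = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo: type, code 0, checksum, id, seq, data. Nothing constrains the data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal IPv4 header (no options) around an ICMP message."""
    s, d = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, s, d)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + icmp


def parse_icmp_packet(pkt: bytes):
    """(src, dst, type, id, seq, payload) for an IPv4 echo request/reply, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:      # truncated or corrupt
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    return src, dst, itype, ident, seq, icmp[8:]


def is_standard_ping_body(payload: bytes) -> bool:
    """Windows' fixed string, or the Linux/BSD 8-byte timestamp + 0x10, 0x11, ... fill."""
    fill = bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))
    return payload == WINDOWS_PING_BODY or (len(payload) >= 8 and payload[8:] == fill)


def analyse_icmp(packets):
    """Pair requests with replies on (client, server, id, seq) and report tunnel
    indicators; RFC 792 requires a reply to echo the request's data unchanged."""
    findings, pending = [], {}
    for pkt in packets:
        parsed = parse_icmp_packet(pkt)
        if parsed is None:
            continue
        src, dst, itype, ident, seq, payload = parsed
        if itype == ICMP_ECHO_REQUEST:
            where = (src, dst, ident, seq)
            if len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == PTUNNEL_MAGIC:
                findings.append(("ptunnel-magic",) + where)
            if len(payload) > MAX_NORMAL_PAYLOAD:
                findings.append(("oversized-echo",) + where)
            elif not is_standard_ping_body(payload):
                findings.append(("unknown-ping-body",) + where)
            pending[where] = payload
        else:
            where = (dst, src, ident, seq)               # reply flows back to the requester
            request = pending.pop(where, None)
            if request is None:
                findings.append(("unsolicited-reply",) + where)
            elif request != payload:
                findings.append(("reply-payload-mismatch",) + where)
    return findings


def constructed_capture():
    """A normal Linux ping exchange and a tunnel-shaped one (constructed, not captured)."""
    client, server = "10.0.0.5", "192.168.55.146"
    ping_body = b"\x00" * 8 + bytes(range(0x10, 0x40))      # timestamp + 48-byte fill
    normal = [build_ipv4(client, server, build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, ping_body)),
              build_ipv4(server, client, build_echo(ICMP_ECHO_REPLY, 0x1234, 1, ping_body))]
    # ptunnel-style header (magic, dst ip, dst port, state, ack, len, seq, id; layout assumed)
    tun_hdr = struct.pack("!IIIIIIHH", PTUNNEL_MAGIC, 0xC0A83792, 80, 0, 0, 0, 0, 0x1234)
    request = tun_hdr + b"GET / HTTP/1.1\r\nHost: www.thepiratebay.se\r\n\r\n"
    reply = tun_hdr + b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
    tunnel = [build_ipv4(client, server, build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, request)),
              build_ipv4(server, client, build_echo(ICMP_ECHO_REPLY, 0x1234, 2, reply))]
    return normal, tunnel


if __name__ == "__main__":
    normal, tunnel = constructed_capture()
    print("regular ping:", analyse_icmp(normal))
    print("ping tunnel :", analyse_icmp(tunnel))
```

The reply/request comparison is the check worth keeping even if the signature turns out to be wrong: RFC 792 requires an echo reply to return the request's data unchanged, and a tunnel has to break that to carry anything back, which is how an appliance can tell the two apart without knowing ptunnel at all. Rate and volume of echo traffic per host is the other obvious signal and is left out here.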
*** This is a Security Bloggers Network syndicated blog from Insecurity. Read the original post at: http://stephenperciballi.blogspot.com/2014/09/firewall-evasion-with-icmp-pingtunnel.html