이종의 프로토콜을 이용한 터널링 기법으로 icmp 패킷에 tcp 데이터를 숨긴 은닉 채널(Covert Channel)기법입니다.
○ ICMP 터널링이란?
Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. At first glance, this might seem like a rather useless thing to do, but it can actually come in handy in some cases. The following example illustrates the main motivation in creating ptunnel:
○ ICMP 터널링 툴
| |
|
ptunnel.exe
PingTunnel-0.72.tar.gz참고 사이트 : http://www.cs.uit.no/~daniels/PingTunnel/#download
○ 실행 및 컴파일 방법
ptunnel.exe를 실행하기 위해서는 winpcap이 설치되어 있어야 합니다.
설치방법 등은 아래의 다운로드 사이트를 참고하여 주시기 바랍니다.
※ winpcap 다운로드 : https://www.winpcap.org/
리눅스용 소스코드를 다운로드 하여 /tmp에 저장합니다.
#tar -zxvf PingTunnel-0.72.tar.gz
#cd PingTunnel
#make SHARED=0 CC='gcc -static'
아래와 같이 pcap.h 오류가 발생하면 lib를 설치해 줍니다.
#apt-get update
#apt-get install libpcap-dev
Centos -> Yum install libpcap-devel
오류 메세지
ptunnel.h:70:21: fatal error: pcap.h: No such file or directory
○ 사용방법(Using ptunnel)
Client
./ptunnel -p <proxy address> -lp <listen port> -da <destination address> -dp <destination port> [-c <network device>] [-v <verbosity>] [-f <logfile>] [-u] [-x password]
Proxy
./ptunnel [-c <network device>] [-v <verbosity>] [-f <logfile>] [-u] [-x password]
The -p switch sets the address of the host on which the proxy is running. A quick test to see if the proxy will work is simply to try pinging this host - if you get replies, you should be able to make the tunnel work.
The -lp, -da and -dp switches set the local listening port, destination address and destination port. For instance, to tunnel ssh connections from the client machine via a proxy running on proxy.pingtunnel.com to the computer login.domain.com, the following command line would be used:
sudo ./ptunnel -p proxy.pingtunnel.com -lp 8000 -da login.domain.com -dp 22
An ssh connection to login.domain.com can now be established as follows:
ssh -p 8000 localhost
