EH-Net
Topic: Tunneling Alternatives
sil
« on: November 08, 2010, 08:08:06 PM »

Alright, so I read T_Bone's thread on stunnel, and for a moment I was about to respond to a completely different topic because of the word stunnel. With that said, I decided to just fork a new thread on tunneling, or rather, alternative methods to tunnel. This isn't anything new per se; more of a reminder slash refresher slash "oh yea, I remember now!" slash "wth is this, I've never seen it before."

Quote:
tunnel: 1. (Engineering / Civil Engineering) (tr) to make or force (a way) through or under (something): to tunnel a hole in the wall; to tunnel the cliff

In our case, we'll reshape this definition to: "To make or force a way through a network under the radar," AKA covert tunneling. (http://www.google.com/search?q=covert+tunnel)

Why and when you need tunnels all depends on what it is you're trying to accomplish. In the case of T_Bone's post, he solely needed a method to fingerprint a webserver. Personally, I would have just visited the site using a proxy, which to an extent is a tunnel by way of a proxy. This is because my information is under the radar: the proxy's information is visible, not mine. While stunnel is popular (in fact, tunneling through SSH and SSL is rather popular), it is also outdated and detectable in ginormous enterprise networks (ginormous is actually a word, you know: http://www.merriam-webster.com/dictionary/ginormous). Most firewalls can detect SSL tunneling before it leaves; therefore, when in an engagement on large networks, what alternatives can you think of? Here are three to play with, my personal favorite being ICMP tunnels. Who doesn't allow ICMP on the OUTBOUND connection? What about DNS queries? Anyhow, here are three alternative programs to play with if you haven't seen or heard of them.

http://gray-world.net/pr_msnshell.shtml
http://www.dnstunnel.de/
http://www.cs.uit.no/~daniels/PingTunnel/

H1t M0nk3y
« Reply #1 on: November 09, 2010, 07:00:35 AM »

Sil, I am in the category "oh yeah I remember now!".

I studied them for CEH last year, but I have never used them (only SSH tunnels...).

These techniques are indeed very interesting!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
sil
« Reply #2 on: November 09, 2010, 07:34:24 AM »

SSL tunneling is old hat. Because firewalls are capable of intercepting, checking and modifying SSL tunnels, chances are you could end up with zero route out. This is where something like an ICMP tunnel would come in handy, but again, think like an admin. For example, if you're tasked with defending/analyzing network/security information, an ICMP tunnel would be easily noticed as well (just less likely). This is because, as an admin/engineer, if you started seeing megs or gigs of ICMP traffic, you'd want to know what's going on...

For this, you rate limit the amount of ICMP traffic you're sending OUT your tunnel. E.g., go old school and make your tunnel send out, say, 64k of traffic every N seconds. Solely enough to get you what is NECESSARY. Not what you *want*.

Remember, in a pentest situation, your goal is to provide "proof," not to come around and say: "I exfiltrated your entire infrastructure over ICMP!" That defeats the purpose. If you can accomplish it and repeat it, there is no need to go overboard. E.g., an ICMP tunnel sporadically pulling an internally visible webpage/document suffices for proof of concept/accomplishment.

Same goes for DNS tunneling. The issue with DNS tunneling is, if your network is using internal DNS servers, you'd be hit, as external lookups are likely disabled. Your tunnel goes nowhere.
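Sil's two admin-side observations above can be turned into concrete checks: an unpaced ICMP tunnel stands out in per-host byte counts while one paced at "64k every N seconds" does not, and a DNS tunnel has to encode its payload into query names, which end up long, random-looking and numerous under one parent domain. The following is an added example written for this thread, not code from the posts or from any of the three tools linked in the first post. It runs both heuristics over constructed NetFlow-style records; the hosts, domain names, the 1 MB/minute ICMP threshold and the DNS label thresholds are all assumptions chosen for illustration.

```python
# Added example (not from the thread): admin-side heuristics for the two
# covert channels discussed above, run over constructed NetFlow-style records.
from collections import defaultdict
import math

WINDOW_S = 60                     # bucket ICMP volume per host per minute
ICMP_BYTES_THRESHOLD = 1_000_000  # assumed: >1 MB of ICMP/minute from one host is worth a look
DNS_MIN_LABEL_LEN = 20            # assumed: legitimate hostnames are rarely this long
DNS_MIN_UNIQUE_LABELS = 8         # assumed: many distinct labels under one parent = encoded data
DNS_MIN_ENTROPY = 3.0             # assumed: bits/char; encoded payload looks random, hostnames do not


def _icmp(ts, src, dst, nbytes):
    return {"ts": ts, "proto": "icmp", "src": src, "dst": dst, "bytes": nbytes, "qname": None}


def _dns(ts, src, qname):
    return {"ts": ts, "proto": "udp/53", "src": src, "dst": "10.0.0.2", "bytes": 80, "qname": qname}


# Constructed sample flows (every address and name here is made up):
FLOWS = (
    # 10.0.0.5: two ordinary 64-byte pings and two ordinary lookups
    [_icmp(0, "10.0.0.5", "8.8.8.8", 64), _icmp(30, "10.0.0.5", "8.8.8.8", 64),
     _dns(5, "10.0.0.5", "www.example.com"), _dns(6, "10.0.0.5", "mail.example.com")]
    # 10.0.0.9: an unpaced ICMP tunnel, 6 MB inside a single minute
    + [_icmp(t, "10.0.0.9", "203.0.113.7", 1_000_000) for t in range(0, 60, 10)]
    # 10.0.0.12: the paced tunnel sil describes, 64 KB once a minute for ten minutes
    + [_icmp(t, "10.0.0.12", "203.0.113.8", 64_000) for t in range(0, 600, 60)]
    # 10.0.0.14: a DNS tunnel, each chunk of data encoded into a long leftmost label
    + [_dns(10 + i, "10.0.0.14", f"{i:02d}a9f3e7c1b5d48e2f0c6a7b9d3e1f5.t.example.net")
       for i in range(12)]
)


def shannon_entropy(s):
    """Bits per character: hex/base32 payload scores high, a label like 'www' scores 0."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def icmp_bytes_per_window(flows, window_s=WINDOW_S):
    """Total ICMP bytes keyed by (src host, window index), i.e. a per-host volume report."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == "icmp":
            totals[(f["src"], f["ts"] // window_s)] += f["bytes"]
    return dict(totals)


def noisy_icmp_hosts(flows, window_s=WINDOW_S, threshold=ICMP_BYTES_THRESHOLD):
    """Hosts that exceeded the threshold in at least one window. A tunnel paced
    below the threshold (10.0.0.12 in the sample) is deliberately NOT caught here."""
    per_window = icmp_bytes_per_window(flows, window_s)
    return sorted({src for (src, _w), b in per_window.items() if b > threshold})


def dns_tunnel_suspects(flows, min_label_len=DNS_MIN_LABEL_LEN,
                        min_unique=DNS_MIN_UNIQUE_LABELS, min_entropy=DNS_MIN_ENTROPY):
    """Parent domains that received many distinct, long, high-entropy leftmost labels.
    Parent = last two labels (fine for the constructed data; real code needs a
    public-suffix list so that e.g. 'co.uk' is not treated as a registrable domain)."""
    labels_by_parent = defaultdict(set)
    for f in flows:
        q = f["qname"]
        if not q:
            continue
        parts = q.rstrip(".").split(".")
        if len(parts) < 3:
            continue
        leftmost, parent = parts[0], ".".join(parts[-2:])
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            labels_by_parent[parent].add(leftmost)
    return sorted(p for p, labels in labels_by_parent.items() if len(labels) >= min_unique)


if __name__ == "__main__":
    print("ICMP-heavy hosts:", noisy_icmp_hosts(FLOWS))       # ['10.0.0.9']
    print("DNS tunnel suspects:", dns_tunnel_suspects(FLOWS))  # ['example.net']
```

The volume check is the one sil says would catch an unpaced tunnel, and the paced host slips through it, which is the whole point of rate limiting from the attacker's side; a defender would pair the byte threshold with a duration heuristic (the same host sending ICMP to the same external address every minute for hours). The DNS check only sees queries that actually leave, so on a network where the internal resolver refuses external lookups the tunnel fails before any of this logic is needed, exactly as the post describes.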

T_Bone
« Reply #3 on: November 09, 2010, 09:09:09 AM »

@Sil

I think I am going to write a proposal detailing why you should consider having an apprentice based in the UK :)