
Tunneling Alternatives


sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Nov 08, 2010 9:08 pm

Tunneling Alternatives

Alright, so I read T_Bone's thread on stunnel and for a moment I was about to respond to a completely different topic because of the word stunnel. With that said, I decided to just fork a new thread on tunneling. Or rather, alternative methods to tunnel. This isn't anything new per se, more of a reminder slash refresher slash "oh yea I remember now!" slash "wth is this, I've never seen it before."

tunnel: 1. (Engineering / Civil Engineering) (tr) to make or force (a way) through or under (something): to tunnel a hole in the wall; to tunnel the cliff

In our case, we'll reshape this definition to: "To make or force a way through a network under the radar" AKA, covert tunneling. (http://www.google.com/search?q=covert+tunnel)

Why and when you need tunnels all depends on what it is you're trying to accomplish. In the case of T_Bone's post, he solely needed a method to fingerprint a webserver. Personally, I would have just visited the site using a proxy, which to an extent is a tunnel by way of a proxy. This is because my information is under the radar. The proxy's information is visible, not mine. While stunnel is popular, in fact tunneling through ssh and ssl is rather popular, it also is outdated and detectable in ginormous enterprise networks (ginormous is actually a word, you know: http://www.merriam-webster.com/dictionary/ginormous). Most firewalls can detect SSL tunneling before it leaves, therefore when in an engagement on large networks, what alternatives can you think of? Here are three to play with, with my personal favorite being ICMP tunnels. Who doesn't allow ICMP on the OUTBOUND connection? What about DNS queries? Anyhow, here are three alternative programs to play with if you haven't seen or heard of them.

http://gray-world.net/pr_msnshell.shtml
http://www.dnstunnel.de/
http://www.cs.uit.no/~daniels/PingTunnel/

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Nov 09, 2010 8:00 am

Re: Tunneling Alternatives

Sil, I am in the category "oh yeah I remember now!".

I studied them for CEH last year, but I have never used them (only SSH tunnel...).

These techniques are indeed very interesting!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Nov 09, 2010 8:34 am

Re: Tunneling Alternatives

ssl tunneling is old hat. Because firewalls are capable of intercepting, checking and modifying ssl tunnels, chances are you could end up with zero route out. This is where something like an ICMP tunnel would come in handy, but again, think like an admin. For example, if you're tasked with defending/analyzing network/security information, an ICMP tunnel would be easily noticed as well (just less likely). This is because as an admin/engineer, if you started seeing megs or gigs of ICMP traffic, you'd want to know what's going on...

For this, you rate limit the amount of ICMP traffic you're sending OUT your tunnel. E.g., go old school and make your tunnel send out say 64k of traffic every N amount of seconds. Solely enough to get you what is NECESSARY. Not what you *want*.

Remember, in a pentest situation, your goal is to provide "proof" not come around and say: "I exfiltrated your entire infrastructure over ICMP!" Defeats the purpose. If you can accomplish it and repeat it, there is no need to go overboard. E.g., an ICMP tunnel sporadically pulling an internally visible webpage/document suffices for proof of concept/accomplishment.

Same goes for DNS tunneling. The issue with DNS tunneling is, if your network is using internal DNS servers, you'd be hit as external lookups are likely disabled. Your tunnel goes nowhere.
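The admin's side of what sil describes above, as an added example that is not part of the thread or of any of the linked tools: a small Python script that runs over constructed flow records and flags two of the tells discussed in this post, a host moving "megs or gigs" of ICMP, and DNS queries whose labels look like encoded payload rather than hostnames. Because a rate-limited tunnel (64k every N seconds) can stay under a plain volume threshold, the script also checks ICMP payload size against the 64-byte echo that is normal on most networks. The record layout, IP addresses, domain names and thresholds are all assumptions made for the example.

```python
"""Flag ICMP-volume and DNS-tunnel indicators in flow records.

Added example for this thread; not code from any tool linked above.
Each record is a constructed tuple: (src_ip, proto, bytes, dns_qname_or_None).
"""
import math
from collections import Counter

# Constructed sample flows. 10.0.0.5 is a normal host, 10.0.0.9 sends a
# large volume of oversized ICMP, 10.0.0.7 sends long high-entropy DNS labels.
SAMPLE_FLOWS = [
    ("10.0.0.5", "icmp", 64, None),        # ordinary 64-byte echo request
    ("10.0.0.5", "icmp", 64, None),
    ("10.0.0.5", "udp", 70, "www.example.com."),
    ("10.0.0.5", "udp", 72, "mail.example.com."),
    ("10.0.0.7", "udp", 230, "ZGF0YS1jaHVua2s3N2Fha3p4cTAxMm1uYnZjeHpsa2poZ2Zkc2E.t.example.net."),
    ("10.0.0.7", "udp", 228, "aGVsbG8td29ybGQtMDk4NzY1NDMyMXp4Y3Zibm1hc2RmZ2hqa2w.t.example.net."),
] + [("10.0.0.9", "icmp", 1400, None)] * 3001   # ~4.2 MB of 1400-byte ICMP


def icmp_bytes_per_host(flows):
    """Total ICMP bytes sent by each source address."""
    totals = Counter()
    for src, proto, nbytes, _ in flows:
        if proto == "icmp":
            totals[src] += nbytes
    return totals


def flag_icmp_volume(flows, threshold_bytes=1_000_000):
    """Hosts whose ICMP byte total exceeds the threshold (assumed 1 MB here)."""
    return sorted(h for h, b in icmp_bytes_per_host(flows).items() if b > threshold_bytes)


def flag_icmp_oversized(flows, max_payload=128):
    """Hosts sending ICMP packets well above the usual 64-byte echo.

    This catches a tunnel that rate-limits itself below the volume threshold
    but still has to carry data in each packet.
    """
    return sorted({src for src, proto, nbytes, _ in flows
                   if proto == "icmp" and nbytes > max_payload})


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def longest_label(qname):
    """Length of the longest DNS label in a (possibly dot-terminated) name."""
    return max((len(label) for label in qname.rstrip(".").split(".")), default=0)


def flag_dns_tunneling(flows, max_label=40, min_entropy=3.5):
    """Hosts issuing queries with a long, high-entropy label.

    Hostnames are short and repetitive; base64-style payload chunks are long
    and close to uniformly distributed. Thresholds are assumptions.
    """
    hits = set()
    for src, _, _, qname in flows:
        if qname is None:
            continue
        label = max(qname.rstrip(".").split("."), key=len)
        if len(label) > max_label and shannon_entropy(label) >= min_entropy:
            hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    print("ICMP volume:   ", flag_icmp_volume(SAMPLE_FLOWS))
    print("ICMP oversized:", flag_icmp_oversized(SAMPLE_FLOWS))
    print("DNS tunneling: ", flag_dns_tunneling(SAMPLE_FLOWS))
```

Against the sample data the volume and payload-size checks both single out 10.0.0.9 and the DNS check singles out 10.0.0.7, while the host doing ordinary pings and lookups is not flagged. On a real network the thresholds need to be set from a baseline of what normal ICMP and DNS look like there, which is exactly the "think like an admin" point made above.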

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Tue Nov 09, 2010 10:09 am

Re: Tunneling Alternatives

@Sil

I think I am going to write a proposal detailing why you should consider having an apprentice based in the UK :)
