firewall piercing through icmp tunneling - compsci |...

Firewall Piercing through ICMP Tunneling (Ping Tunneling) Jonnathan Griffin SUNY Institute of Technology Utica, New York web.cs.sunyit.edu/~griffije [email protected] Figures


Firewall Piercing through ICMP Tunneling (Ping Tunneling)

Jonnathan Griffin
SUNY Institute of Technology
Utica, New York
web.cs.sunyit.edu/~griffije
[email protected]

Figures

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

1

Figure 2.0: Ping protocol used within the terminal.

Figure 3.0: Communication path for ICMP and TCP traffic between the Client, Proxy and Destination.

Figure 4.0: Altered ICMP packet through Ptunnel.

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

2

Figure 4.1: Sequence request and reply example.

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

3

Figure 5.0: Network diagram of the controlled test environment.

Figure 5.1 Switch Configuration files.

1

Cisco Catalyst 2960 - SWITCHCONFIG FILE

Current configuration : 3275 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname pod4isw
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$BeW/$axe5z45ZeInYOfNAQK60A/
!
username ncs450 secret 5 $1$O0zs$8KEvDtJT5po7BqqyX9Btt1
username griffije secret 5 $1$CZ75$OUzN/vjh9xXszTJgQcAHh1
username sleysr secret 5 $1$QDGC$hQRzwCK/jcTYv8d4Cj.GN1
no aaa new-model
clock timezone utc -5
clock summer-time EDT recurring
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
ip domain-list gw.cs.sunyit.edu
ip domain-list cs.sunyit.edu
ip domain-name gw.cs.sunyit.edu
ip name-server 10.107.0.1
login on-failure log
login on-success log
!
!
crypto pki trustpoint TP-self-signed-338209792
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-338209792
 revocation-check none
 rsakeypair TP-self-signed-338209792
!
!
crypto pki certificate chain TP-self-signed-338209792
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333832 30393739 32301E17 0D393330 33303832 32323431
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3333 38323039
  37393230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B9B18F44 8FFE99BD 9E904E7F AF28F132 BA76A236 43153A6F 9D8C21E5 76EE90B6
  AED601B1 891E0267 F0B2F8AD 170CA668 6860223F 56B7FC50 846CBC83 DBB71215
  9C025F20 5C67653F 899D38D1 86DF2DCE 54784916 1567D760 700E0570 11DBA086
  ABE10E04 04D2EC97 C49D6F2A 3E857098 D1C39789 794E1BF8 F8719D23 053DEC15
  02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D

Figure 5.1 Switch Configuration files.

2

  11041C30 1A821870 6F643469 73772E67 772E6373 2E73756E 7969742E 65647530
  1F060355 1D230418 30168014 A7A21830 6AC0D421 01899FBE A62E69BA 1A45A9EA
  301D0603 551D0E04 160414A7 A218306A C0D42101 899FBEA6 2E69BA1A 45A9EA30
  0D06092A 864886F7 0D010104 05000381 81003804 9FA7D6AF C695D522 143E0701
  6488A5BD 947AED74 400DD53B EE8532AF 350DC6A4 3AF90131 A4640758 624CAB1B
  B9E2FF4C 613E2807 E5ADF97E 2639EDF6 B822FFC8 14F772F5 47922A59 CB0BED35
  138A89B3 952B4D86 4E165DC5 312209AC 5975AAF8 8A569F15 C3A7808F 05819BD8
  C27A5A65 01C9979C 32D73D8F DB8DF3C9 4356
  quit
!
!
!
!
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
!
vlan 40
 name native
!
vlan 41-45,63-64
!
vlan 100
 name Parking
!
vlan 803
!
ip ssh time-out 60
ip ssh version 2
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1

!
interface Vlan1
 ip address 172.16.4.2 255.255.255.0
 no ip route-cache
 shutdown
!
ip http server
ip http secure-server
logging facility local6
logging 10.107.0.25
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
ntp clock-period 36028830
ntp peer 150.156.192.2
end

Continued:

Figure 5.2 Router Configuration files.

1

Cisco 1900 Series Router - ROUTERCONFIG FILE

Current configuration : 2809 bytes
!
! Last configuration change at 16:10:19 utc Fri Nov 22 2013
! NVRAM config last updated at 14:25:48 utc Fri Nov 8 2013
! NVRAM config last updated at 14:25:48 utc Fri Nov 8 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname pod4r
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 4 164pc3NLG8oLs1Dr69M1tWFsmmTVrQEQB8zy7kj//b.
!
no aaa new-model
clock timezone utc -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip domain list gw.cs.sunyit.edu
ip domain list cs.sunyit.edu
ip domain name gw.cs.sunyit.edu
ip name-server 10.107.0.1
login on-failure log
login on-success log
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL162820PQ
!
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
vtp mode transparent
username ncs450 secret 4 164pc3NLG8oLs1Dr69M1tWFsmmTVrQEQB8zy7kj//b.
username sleysr secret 4 164pc3NLG8oLs1Dr69M1tWFsmmTVrQEQB8zy7kj//b.
username griffije secret 4 164pc3NLG8oLs1Dr69M1tWFsmmTVrQEQB8zy7kj//b.
!
!
ip ssh time-out 60

Figure 5.2 Router Configuration files.

2

ip ssh version 2
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.107.5.97 255.255.0.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 172.16.4.1 255.255.255.0
 ip access-group NoSSH out
 duplex auto
 speed auto
!
interface Dialer0
 no ip address
 no cdp enable
!
!
router eigrp 10
 network 192.168.1.4 0.0.0.3
 redistribute static
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.107.0.1
!
ip access-list standard standardacl
!
ip access-list extended ACL
 permit tcp any any
ip access-list extended Allow
 permit tcp any any
 permit icmp any any
 permit ip any any
ip access-list extended NetMgmt
ip access-list extended noSSH
 deny   22 any any
!
logging facility local6
logging 10.107.0.25
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.3
access-list 1 permit 192.168.1.4 0.0.0.3
!
no cdp run

!
!
control-plane
!
!
!
line con 0
 logging synchronous
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 session-timeout 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp peer 150.156.192.2
end

Continued:

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

6

Figure 5.3: Client network configurations.

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

7

Figure 6.0: Ptunnel created on the client

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

8

Figure 6.1: Client command for SSH into localhost while using a second terminal

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

9

Figure 6.2: Percent difference of protocol hierarchy between baseline SSH and Ptunnel SSH Wireshark log

Ptunnel Wireshark log

Normal SSH Wireshark log

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

10

Figure 6.3: SSH handshake

Figure 6.4: SSH packet reassembling two packets for SSH connection

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

11

Figure 6.5: Unique hexadecimal generated by Ping Tunnel through Cisco

ac 10 04 23 is the hexadecimal code illustrating the source IP Address 172.16.4.35

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

12

Figure 6.7: Excerpt from source code of Ptunnel.h when compiled. Magic number variable illustrated which is used for identification.

Ptunnel magic number

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

13

Figure 7.0: Communication time out error.

Figure 7.1: Duplicate packets through SEQ identifier error

Firewall Piercing through ICMP Tunneling - Figures

Jonnathan Griffin

14

Figure 7.2: Duplicate tunnels created on the same port 6789 prohibiting connection