Using ICMP tunneling to steal Internet
nulldigital.net — You connect to an open access wireless network. You are prompted with some sort of authorization page when you open a browser, but you can easily ping external hosts. You don't have authorization for TCP or other traffic, so what do you do? Tunnel! This article explains the basics of ICMP tunneling and how it works.
- 1660 diggs
- Andrewaclt, on 10/12/2007, -4/+12: Not a bad write up, nice introduction.
- danglerman, on 10/12/2007, -1/+24: you're not stealing, you're just breaking through a wall ;)
- CharlesDarwin, on 10/12/2007, -37/+5: A dog could crap out a better write up.
- dclowd9901, on 10/12/2007, -12/+7: I'm not really sure what constitutes a "good" or "bad" writeup. All I know is that I didn't know what this was about before I saw this article, and after reading the page, I still don't know what it's about. Besides stealing Internet.
- LocDawg, on 10/12/2007, -0/+6: It's not stealing outright. Yes, you're borrowing a little bandwidth here, a few clock cycles there. Technically all of the "internet" is being served by the remote host computer, and the open wireless network is simply providing a link to that computer through ICMP requests. A nice gray area, I'd say.
- CharlesDarwin, on 10/12/2007, -19/+6: fscking noobs!
- rastan, on 10/12/2007, -4/+22: It's not stealing, it's copyright infringement.
  Oh wait, wrong subject. My talking points have failed me!
- portis, on 10/12/2007, -0/+2: I see... either install all that and then take the time to connect and route to your server only to get it slowly served back to you, or just pay friggin 5 bucks for easy quick access. Hmmm.
- waratah, on 10/12/2007, -2/+25: I am not digging this because it is a great idea, I am digging this because of the security concern.
  This might be moved to the security section.
- Marek, on 10/12/2007, -1/+16: I'll digg this because it's a great idea; without ICMP tunneling where would programming be today? It's great that you brought this article explaining this to our attention. With the knowledge gained here you can program a number of very useful and creative things. Good job kuuhey, keep the good stuff coming.
- billiam, on 10/12/2007, -0/+14: http://www.duggmirror.com/programming/Using_ICMP_tunneling_to_steal_Internet/
- chris.kelvie, on 10/12/2007, -1/+4: http://tapewallets.com/stealinginternet.pdf
- chaosmachine, on 10/12/2007, -12/+11: so, who wants to rewrite bittorrent to use this method?
- stoops, on 10/12/2007, -0/+22: Well kids, what did we learn today?
  If you're gonna write a firewall, start by denying ALL traffic and then slowly allow access to protocols to trusted users only.
- CypherXero, on 10/12/2007, -0/+5: Exactly. For example, if you're writing rules for PF (Packet Filter) on OpenBSD, make sure to use "Pass In Quick" to allow certain protocols and ports in, and once you've allowed in everything you want, then type in "Block All".
- kuuhey, on 10/12/2007, -3/+3: I agree, I still don't have a good example scenario where permitting ICMP is really worthwhile. I can understand why you may want clients to easily connect to your network whilst stopping their external traffic, but why not block it all?
- djflow159, on 10/12/2007, -2/+6: @kuuhey:
  If you block all of ICMP then you will break various protocols: black hole detection, UDP error handling, etc.
- ElectricKetchup, on 10/12/2007, -1/+11: from my experience, it's better to tunnel over DNS than ICMP or anything else
- suspect23, on 10/12/2007, -0/+12: IP over DNS
  http://thomer.com/howtos/nstx.html
  Another IP over ICMP
  http://thomer.com/icmptx/
- bgoodknight, on 10/12/2007, -8/+2: sounds cool but too complicated for me =
- nxxm, on 10/12/2007, -7/+9: digg and other similar sites should auto rewrite direct links into cached versions or load-sharing services such as coral-cache and so on. too bad sites like slashdot, digg and other stuff take down so many pages instead of acting intelligently and giving your userbase a decent service and avoiding this sort of stuff from happening when possible.
- ctia, on 10/12/2007, -9/+1: Amen!
- kimos, on 10/12/2007, -0/+8: This question has been addressed countless times...
  Automatically mirroring content not only makes digg responsible for the content, but it also takes click revenue away from the creators of these sites.
  It's not going to happen. If you're so bothered, go get GreaseMonkey and install this script. It puts the duggmirror link right next to the digg link (though I haven't tried it in the new digg layout...)
  http://www.digg.com/programming/DuggMirror_Greasemonkey_Script
- joelhardi, on 10/12/2007, -1/+5: Uh, yeah. If digg is driving tons of traffic to my site because some original content I worked hard on is popular, I *want* that traffic at my site! Not visiting some adword-sponsored profiteer that's making $$$ off of content it republished without permission.
- tehpoutine, on 10/12/2007, -1/+1: this is easily blocked with a simple firewall rule, and will not work on most setups (not that I've observed). Just use an AP that's not protected, there's plenty of them.
- PhonicUK, on 10/12/2007, -4/+2: either I've misunderstood something or you need 2 machines to do this? A proxy system and a client system? Sux...
- kuuhey, on 10/12/2007, -2/+1: yes you need two computers, there may be some ICMP proxies which are not password protected, I don't know of any, I used to run a passworded one, I wrote an ICMP proxy wrapper for linux. You basically start up a shell using this wrapper which intercepts socket calls, and any traffic you send within this wrapper is automatically redirected. The wrapper for the most part is done, it works perfectly for simple traffic (say irssi for IRC) but it's a bit buggy with IO multiplexing, something which I hope to have fixed at some point when I get time (busy guy).
- salar, on 10/12/2007, -1/+1: @kuuhey:
  let me know if I've got it right.
  You wrote something that grabs all traffic and redirects it to go through a proxy; meaning if I don't have direct access to 1.2.3.4 but the proxy 4.3.2.1 does, then without setting firefox to use the proxy, I will be able to view 1.2.3.4 (because your program grabs the request and automatically sends it through the proxy)
  Right??
- salar, on 10/12/2007, -0/+1: @kuuhey
  I didn't understand the part that concerned a specific shell.
  So what you mean is if I have two shell instances and both of them have called two instances of firefox, then one would have this functionality and one wouldn't?
  Please clear up and excuse me if I'm being an idiot.
- kuuhey, on 10/12/2007, -0/+0: @salar
  yes, that's correct, though it's buggy with IO multiplexing which I *think* firefox uses, so it won't work with FF quite yet until I get the bugs sorted. but otherwise yeah, that's correct. I got the idea from the tor project - they have a wrapper called tsocks (most know it as 'torify').
  it's actually a ridiculously simple thing to write. I just basically merge ptunnel's code into this lib and bam, instant icmp tunneling.
- kuuhey, on 10/12/2007, -0/+4: well, ok here is what you do, you have a lib override calls to libc functions, such as connect(), close(), send(), recv() etc. to do this you make a lib with functions named after what you want to override, then before you execute any process within the wrapper you set the environment variable LD_PRELOAD to use your lib. then when the process beneath the shell makes a call to an overridden function it checks LD_PRELOAD first, otherwise uses libc (or other libs)
  so, you can set LD_PRELOAD in term A and run whatever there, and have it tunneled. and you don't bother setting LD_PRELOAD in term B, and run whatever there with your normal socket interface
- ToadX, on 10/12/2007, -0/+5: You don't necessarily have authorization for ICMP traffic either.
- elusive, on 10/12/2007, -1/+3: The issues with ICMP are well-known and ICMP is at least partially disabled on most networks. This is an old technique and will not work most of the time these days. Even my crappy $20 belkin router allows me to disable certain ICMP messages.
- silentdud, on 10/12/2007, -5/+2: dead
- Denelson83, on 10/12/2007, -4/+4: Censored.
- Skawouter, on 10/12/2007, -9/+2: this was in 2600 magazine months ago, this news is so old
- Daisuke, on 10/12/2007, -2/+2: Tor seems to do something like this. I have a ***** wireless router, and sometimes it drops all traffic. I can't open webpages, I can't ssh into another server, etc. The only things that work are torrents that have already contacted the tracker and have already connected to peers, and Tor. I end up using Tor a lot because I'm just too lazy to get up and restart the router. :-P
- V3X3D, on 10/12/2007, -0/+1: Interesting indeed. I have an NTL (UK) cable modem here and I'm able to ping any host but I can only access the registration site (https://autoreg.autoregister.net/). I suppose this would work? The modem config file is only capable of 150/32kbit.
  Worth a digg, but too complicated, as one can steal a mac address and use that to obtain internet; that's more practical.
- n00854180t, on 10/12/2007, -0/+1: Technically, if the service provider provides ICMP without any notices or restrictions on this use, I'm guessing it'd be sort of greyish "legal." Of course, that doesn't mean anything concerning whether or not you could get away with it faced with better lawyers than you could get yourself.
- eosp, on 10/12/2007, -4/+4: One time I had to resort to HTTP tunneling.
- Obsidian743, on 10/12/2007, -2/+2: I'm sure netcat could do the same thing with a little hacking if not out of the box.
- rabidsnail, on 10/12/2007, -0/+3: Wasn't this in 2600 like 6 months ago?
- Massif, on 10/12/2007, -0/+2: Yup, it certainly was. 2600 is ahead of the game ;)
- mrkoje, on 10/12/2007, -0/+3: Yes it was... 4th quarter of 2005... and it was a good article.
- tranix, on 10/12/2007, -0/+3: How do I prevent this & DNS tunneling?
  I use HotSpot software on my wireless. It currently doesn't allow pings unless authenticated, but it does allow DNS lookups. I am also using pfSense.org firewall.
- ElectricKetchup, on 10/12/2007, -0/+2:
  1. You could do a ratelimit on DNS queries until they are authenticated. That would lower the amount of bandwidth they use, while still making it easy on all your normal users before they authenticate. This is probably your best option.
  2. You could drop all DNS queries (except for the domain you own) until authenticated. The bad thing about this is now you can't do DNAT on http and other ports which you are probably wanting to do (most systems I've used do DNAT for non-authenticated users)
  3. You could just let us keep using DNS because all packets are being tunneled to our own systems and we aren't messing with your network. It's probably easier for us to setup airjack, MITM attacks, mac/ip spoofing than it is for you to block DNS queries.
  One thing you might think you want to do is setup your DNS server to always reply with your IP address when the user isn't authenticated. That wouldn't work on some client operating systems that use client side DNS caching (windows XP does this by default I think, probably some others too). You could always set the ttl really low and hope it expires, but their client may be broken and ignoring the ttls, and no one wants to wait a few seconds more than they need to.
  those are just some ideas off the top of my head, I'm sure there are others
- agent_smith, on 10/12/2007, -0/+2: This would be why Cisco firewalls by default have an explicit deny all at the end of your firewall and hence avoid such problems. Nonetheless, this will come in handy potentially at Starbucks and their army of T-mobile hotspots.
- JRJ0710296, on 10/12/2007, -0/+1: I've done this before at some hotspots I have visited. This article sums it up nicely.
- Nick42, on 10/12/2007, -0/+1: He mentions in the article that it's not currently possible to tunnel web traffic through this system. Now, perhaps I'm missing something obvious, but if ssh works, couldn't you just add something like '-L 80:localhost:80' to the ssh arguments to set up port forwarding? Sure, it's a bit of a hack, what with a tunnel through a tunnel and all that, but it seems like it ought to work just fine....
- geronimo, on 10/12/2007, -0/+1: well if you set up a proxy on the host that does the tunnel then you could browse the web.
- japanlover, on 10/12/2007, -1/+2: stolen from a 2600 article.
  lame.
- dork101, on 10/12/2007, -0/+1: If it _requires_ me to be root at the 'proxy' node, I'd rather enable Internet access for local system.
- 1807, on 10/12/2007, -0/+1: Would this work for a mobile device running windows mobile 5 with a Wi-fi connection? I am sure gonna try when I finally get my Cingular 8125.
- whatsagoodname, on 10/12/2007, -0/+0: I've completely missed the point of how this enables "stealing internet." What I think I understand: You set up ptunnel on a proxy server and the machine you are on (localhost). Ask for a service on the localhost, pointing to the proxy server. The localhost ptunnel wraps the tcp packets in ICMP packets and sends them to the proxy server, which unwraps them and sends them to the server you want to talk to. OK so that server never sees you, it sees the proxy server. So where is the stealing?
- Nick42, on 10/12/2007, -0/+1: The idea is that while many wireless hotspots block TCP traffic unless you pay to use the connection, they typically don't block ICMP. As a result, you can use such a hotspot without paying for it by tunneling TCP through ICMP.
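A defender-side check for the traffic pattern whatsagoodname and Nick42 describe, added here as an example (not code from the article or from ptunnel): it parses IPv4/ICMP echo requests and flags a source whose echo payloads change size and look random, which is what carried TCP data does and a normal ping does not. The packets and the 10.0.0.x addresses are constructed inside the block.

```python
import math
import random
import struct
from collections import Counter, defaultdict

def parse_icmp(pkt):
    """Return (src_ip, icmp_type, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:  # IPv4 with protocol 1 (ICMP)
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return ".".join(str(b) for b in pkt[12:16]), pkt[ihl], pkt[ihl + 8:]  # 8-byte ICMP header

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for an empty payload)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def score_sources(packets, min_requests=5, entropy_limit=6.0):
    """Per source IP: echo-request count, distinct payload sizes, mean entropy, verdict.
    Tunnelled data makes payload sizes vary and look random; ping sends a fixed-size
    patterned payload, so a large but constant size (ping -s 1400) is not flagged."""
    by_src = defaultdict(list)
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed and parsed[1] == 8:                       # type 8 = echo request
            by_src[parsed[0]].append(parsed[2])
    report = {}
    for src, payloads in by_src.items():
        sizes = sorted({len(p) for p in payloads})
        mean_h = sum(entropy(p) for p in payloads) / len(payloads)
        suspect = len(payloads) >= min_requests and len(sizes) > 1 and mean_h > entropy_limit
        report[src] = {"requests": len(payloads), "sizes": sizes,
                       "entropy": round(mean_h, 2), "suspect": suspect}
    return report

def make_echo(src, payload, seq):
    """Constructed IPv4 + ICMP echo request; checksums left zero (not verified here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload

def sample_packets():
    """Constructed traffic: a default ping, a large fixed-size ping, and a tunnel."""
    rng = random.Random(7)
    ping = bytes(8) + bytes(range(8, 56))                   # 56 B: timestamp + 0x08..0x37
    pkts = [make_echo("10.0.0.20", ping, i) for i in range(8)]
    pkts += [make_echo("10.0.0.21", bytes(i % 256 for i in range(1400)), i) for i in range(6)]
    for i, n in enumerate([300, 512, 128, 1024, 700, 256]):
        pkts.append(make_echo("10.0.0.22", bytes(rng.getrandbits(8) for _ in range(n)), i))
    return pkts
```

Run `score_sources(sample_packets())` to see the three verdicts; on a real capture, feed it the raw IPv4 frames and tune `min_requests` and `entropy_limit` to the hotspot's normal ping traffic.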
- woodyuk, on 10/12/2007, -1/+1: any directions to do this under windows?
- kuuhey, on 10/12/2007, -1/+1: The directions are exactly the same for windows, but rather than use root, you use an account with admin level privs. I talk about windows ported ptunnel software http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-Windows.zip which you might want to use. Quote from the article:
  On windows there are some ported copies of PingTunnel which are unsupported by the original creator, but I have used them and they worked fine for me. You can find them here. One of the packages I believe should be ready for compiling with Microsoft Visual C++, the other is certainly ready for compiling with the windows gcc.
  Everything else is exactly the same for windows.
- snow0x1a4, on 10/12/2007, -0/+1: Heh, I'm surprised to see people still writing about this technique, but not terribly surprised to find that it still works some places. Phrack published a whitepaper on this concept about 10 years ago:
  http://www.phrack.org/show.php?p=49&a=6
  Same issue with the classic "Smashing the stack for fun and profit" too ;)