Bypassing Firewalls With PING!
HTML-код
- Опубликовано: 27 сен 2024
- In this video, I show you how you can modify the payload of an ICMP PING packet to send your own data back and forth through an ICMP tunnel. If a firewall allows pings, then there's a good chance you can set up a tunnel.
Wireguard video - • Wireguard VPN On Raspb...
awesome content, no shitty intros, no outros, no BGM, just pure juicy meat from end to end.
Personally i like to do some nasty stuff inside my homelab's network, but utilizing ping's payload as a data carrier is something new and fun!
I love linux way of thinking - open tunnel, use another layer of communication inside of it and if protocol by its sole nature doesn't support encryption, just add it as an layer :P. I recall the good ol' days of stunnelling smtp traffic where smtps wasn't a common thing.
Oh, we don't do dodgy shit around here!... much
The most mindblowing thing to me when I discovered that was that ICMP for some unknown reason allows to send data back and forth, and by default `pong` will send the same peace of data as `ping` have. Why? Idk, possibly admins back then wanted to send ascii goatse to each other through pings or something.
I see this could be valuable for bypassing expensive airline internet
I found this channel last week and it’s already in my top 10 (and I don’t watch any of the mainstream crap), very nice, keep it up!
didn't watch the video yet, but I remember softether having the functionality of setting up L2 tunnels over icmp or even DNS.
Bro this outfit is out of control. I love it. You are a legend
If you can get anything out of a network you can turn it into a tunnel and run everything over it.
Indeed you can
It don't mean a thing if it ain't got that ping
Doowah Doowah Doowah Doowah Doowah Doowah Doowah Doowah
I mean
Echo request echo reply
Echo request echo reply
So in all seriousness-if you are the owner/operator of the system with the captive portal, maybe consider disallowing ICMP or restrict the allowed source/destination addresses for ICMP traffic to avoid being subjected to this type of attack.
Shabba
I figured this one out on my own by accident. I was using my wireguard vpn and my device connected to a guest network, then i immediately connected to the vpn and I was connected to the internet. I didn't have to sign in and I had never used the network before.
@@LowOutput don't block icmp just the ping element blocking all icmp is bad on so many levels
I like how you broke this down to byte sized pieces. Subscribed!
I also take requests :)
Gotta love the pun xD
@@TallPaulTech how about an echo request?
Brilliant mate, that was a new one to me. Thanks for sharing.
Just my opinion but, any Admin who cares enough to set up a firewall but doesn't block ping is really missing the low hanging fruit. I have yet to see, in a professional setting, a system that didn't block ping by default.
I actually got to know the guy who originally wrote 'ping' - he was a senior engineer at the Army Research Labs in Aberdeen Maryland. Very smart and experienced guy, probably could have been making triple what he did as an Army employee if he went to work for a big IT company.
"I know the guy who wrote ping" is such a weird flex hahaha 😂
DNS port usually works as well
This chanenel has been on fire!
And I thought that ping was just: BEEP ... BOOP.
Very cool indeed.
I stumbled upon VERY old peace of code that does proxy through ICMP exactly like this. It's not 100% sollution though because ICMP can be blocked as well and you need a server that will speak to you with the same handmade protocol. There is that.
dude,,, nice info... 👍
and I like the "Blues-Brothers" style!!! 😎
but if you pay attention at 15m:11s the sign at the garage door is trying to trick you to "attack the hydrant"... 🤔
(we have to always aware of this tentative distractions... 🤣)
my schools network firewall has blocked everything except for tcp 80 and 443. no vpns, dns or icmp (or anything else) can get through. i’ve had to make my own tunneling protocol from scratch to get past. i’ve had to write a program that sets up a listener udp server locally and tunnels incoming connections over tcp to a remote server to bypass the firewall. the remote server then translates it back to standard udp and sends it to its destination. in my case, i’m using wireguard over this udp-to-tcp tunnel protocol to ensure my stuff is encrypted on transport since the firewall doubles up as a DPI. the only thing obvious about this protocol is the fast it opens a http websocket connection to a remote server since it’s obviously on tcp 443. besides that, all flowing data is encrypted by wireguard. it’s pretty stealthy but my own protocol is probably really insecure hence need for wireguard on top of
Skid
@@Linux333 nah, this guy seems like he knows what he's talking about.
interesting might actually try this.
Awesome tutorial. Thank you for posting.😀
loving the content man ... keep it up !!!
Nice! Well done. And thanks for sharing, very clear setup. I'll try this myself
huh, would not have thought to use ICMP to tunnel, but it's so obvious is retrospect and WAY more likely to work by default for basic captive portal installs... I feel like this is the first clever ICMP-related hack since the good ol' Ping of Death in the 90s.
Edit: gah, icmptx is old and I feel old
I have seen different devices that had a 'ping reply reject' option. I use to think that would be dumb thing to select, what harm could a ping reply do?
Free tip from a colleague: if you're tall you wanna raise the height of your monitors by around 10 inches, judging by the video. Your neck and back will thank me later.
I have plenty of inches
@@TallPaulTech
Where exactly ??
Thanks for this.
Why would providers of wifi allow ICMP anyway? I have seen many do not. Some do allow DNS (tcp even) with no auth either. So I run a sshd on port 53 that can be used for forwarding.
Im a network engineer myself, this could definitely work in SOME scenarios. But you get into enterprise environments where ping is blocked for security reasons all of those ICMP packets will either be dropped or a reset will be sent back etc. I am curious to see if the likes of palo alto / fortigates layer 7 features would be able to catch this though as abnormal ICMP traffic.
One couod absolutely build a custom application in these firewalls to restrict the size of pings allowed to the point that this utility is unusable.
ICMP doesn't have resets, as they don't have a session to reset as TCP in layer 4 does.
As for a Palo Alto, I tried this through my PA-200 which I was going to put in the video but didn't. They have a rule for ping and another rule for ping-tunnel. On a very quick test, even only allowing ping through enabled me to make this tunnel. I'd have to dig into it properly to be sure of how it works through that though, which I couldn't be bothered for RUclips :)
@@TallPaulTech interesting, I need to pick up a palo for my homelab at some point price is a bit daunting to swallow though. I currently have an srx-300 I need to put back into service to swap my udm-pro out
Back in the 90s we did this with DNS TXT records :)
Back in the 90's I still had my Commodore Amiga :)
I agree using VPN over DNS more likely to work. Some hotspots block icmp when you've even logged in
Nice paintings!
veeeeery nice :) thx a lot for the vid! Please keep creating similar ones, this was really insightful!
Yeah you made me decide to start wearing a lab coat when I go to work. It really is justified…it’s a messy job.
You do you Champ
Great content! Keep up the good work
Sometimes they will also allow DNS traffic out as well. You can tunnel over that too. I did this 20 years ago in high school on my schools network so I could play counter strike lol.
Slacker!
Your latency must've been awful
Always asked myself if it would be possible to exploit ICMP for data transfer .... thx
I played with the idea of using ping for tunneling but never knew the tools were available so easily.
What about performance of such a tunnel?
and... subscribed
I could test it in lab conditions, which I think would be pretty high speed, as I don't see why it wouldn't be. The unknown would be the public networks that would bring all the variables into it. If I did it in a lab though, you know people would just say "yeah, but that's in a lab".
If you are accessing your home network and using that as your internet server, then you will be at least restricted by your home internet's upload speed (which I think will be your download speed).
@@andrewborntrager7909 10 Gb fibre... wan and doing 10 Gb inside also, I have no worries about that ;-)
There are few general purpose sites that can match the speed actually.
And... I'm living in the swiss countryside with direct view on the mountains - just perfect location!
Ironic that it's tunnelling using ICMP ping protocol, but you can't use ping to test the connection through the tunnel!
There's a Nong Nang Ning where the trees go Ping! And the teapots jibber-jabber-joo.
I wrote an essay on that poem at school many many years ago!
Hey, just come across your channel. Interesting stuff. Will have a look through your content. Have a great weekend.
Okay, so out of curiosity, how did you end up here?
@@TallPaulTech Came up as a recommended video on my feed and I'd recently installed a new firewall and done a ping test! Was the perfect moment!
Ah, so that's how this game works.
Now try it on a airplane :)
Yeah sure. He should buy a plane ticket and sit there typing on the laptop - and then turn return - only because you requested 🤣🤣
Woahwow, I slithy deformed my Wow (so sorry, is gracefully time to show this video).
Not sure if I’m tuning in to the channel now for content or the clothing 😜
Well, somebody had to do it.
@@TallPaulTech just pulling your chain (like your tailor! 😜)
Great content as ever dude! Keep it up.
LOL at the 4:00 mark. Some script kiddies are going to take you literally and learn life lessons the hard way. I love it.
You showed up on my feed either because I've been binging David Plummer or because I was shopping for a Flipper Zero; so there must be something good here. Subscribed.
It's all good here, no matter what they tell you ;)
I clicked on this video soley because you look like Adam Pearce from WWE
I just looked him up. How the hell do I look like him?!
WG over ICMPTX... It's tunnels all the way down!
Mmm... cool. Be using that!!
pings don't get through my firewall :) :)
But you didn't bypass the firewall with ping, though :/
Why not just call the video 'Bypassing firewalls using icmptx'?
Or ICMP type 8 and 0
Brilliant!
Neat hack
How would you control for it? block icmp, rate limit, DPI IDS? It's very disapointing that telstra haven't got that locked down.
ps mum says hi
Not allowing anything go to the internet from this IP until it it will talk to the captive portal and that portal will say that this abonent is ok to go out.
Perhaps the more interesting question is: why have they allowed it?
@@poddmo - likely for making their own diagnostics easy. 😃
Lock it down by restricting to known IPs for troubleshooting purposes.
by default new firwalls have icmp filtered .. maybe DNS tunel .. have a chance
It's nothing new, it's been there since 1999. It's a choice.
DNS tunel wont work since often custom dns servers are blocked
This is cheeky..... hahaha
Ty for this
what is the program called where you display all wifi infos from the telephone both with the wifi symbol on top?
wavemon
little confused about 1 thing. where doed the address 8.7.6.5 come from.
Wow, NEAT!
wow wow wow
YAY we becoming hackers now!
True. The word "hacker" has been abused way too much. A hacker is technically someone who gets something to work by fixing it a way which is not 'traditional'. 😉
Exactly.
Oh that’s awesome. Could you help me with my NAT66 setup for my IPv6. Yes I know, but it’s my only option.
Sure, I did a video on that.
@@TallPaulTech I’m afraid my setup is even more complicated than the video goes into. Long story short. I use a VPN provider (Mullvad) that has given me a single /128 IPv6 using FFCE allocation. I’m using wireguard and a Debian computer that I turned into a Router using VLANs and iptables, etc. I got the v4 portion working perfectly and been working for years but I now require v6 for work since they switched to v6 only. But I can’t seem to figure out the v6 portion no matter how much I try and research. Maybe you can help and have potential video out of it. It’s like double natting on v6 but it’s my only option. The V6 works fine on router itself. I can’t seem to forward to my VLANs.
5:36 - Remember AI has learnt to guess passwords based on the sounds the keycaps make as you punch them in.. just sayin..
Am I on drugs or I am really watching a british dressed like columbian cocaine dealer explanation on how to use ping to bypass firewalls?
You must be on something, because I'm not British.
@@TallPaulTech Bloody foreigners confusing the British with Kiwis!! 😜
Secured by Telstra😂
lol they have never secured anything... except maybe the luck of using PSTN which stopped phreaking
@@HyperVectralove your profile picture
Netscape nostalgia
excuse me sir i am confused a bit ... isn't this trick just about to connect to your home network with VPN/ICMP TUNNEL through telstra wifi network ?? so if it's right i think the concept of bypassing captitive portal like that is pointless ... because you are finally using your own network ...
I think you've missed a whole lot of things.
@@TallPaulTechExactly 😂
I’m running a Palo Alto…this does not and cannot work hahaha
This way behind me. Lol
What is the name of the software you're using?
Wireshark
15:16 - wifi signal is quite weak but rate is good with 80MHz channel width
Me when icmp is blocked
Fuckin Heisennerd - Breaking NaT 😂
Can hackers exploit this?
Yes but it’s not gonna happen due to the need of a custom ping. Too many moving parts to execute effectively
That's why it's good practice to not allow ICMP from your internal network to traverse perimeter firewalls... It's a type of data exfiltration, they use things like DNS queries too....
It'd be more effort for a threat actor, unless this was a very lucrative target which they planned to access routinely for gathering data, otherwise this is is a really great work around but using a dedicated VPN or even Cloudflare works to setup a secure tunnel and it's simple to do and with proper measures in play, more secure.
Great video to learn network traffic and how packets work with firewalls but is akin to painting a car with a with a paint brush.
C'mon whoever open any service pre auth captive portal is crazy...I's funny to see existing people in industry done this and not apply the very basic concept of triple A breaking al security chain. I think this type of tunneling is used for data exfiltration post auth or from malware action but is a different story. Telstra network or security admin doesn't like this video 😄
Turn back the time where Admins blocked all except Port 80 and explicitly block Port 443 to prevent encryption 😂😂😂
My Firewall Tunnels work all over https and CloudFlare tunnels. 😂 It your firewall decrypts TLS Dona second layer of encryption which is not disclosed to the firewall.
Lier! prove your tunnel bypasses ClouldFlare! you can't! Can you superman?
Nothing to do with firewalls ,,, how to hump an access point , maybe ...
Do you need a slap?
@@TallPaulTech As long as you're confident you've satisfied your deductible ...
this bs is never going to work in an actual enviorment :) but cool for the plebs I guess
Don't be so sure about that.
You'd be surprised
It works even if you have pings blocked on modem interface, you'll still receive ICMP requests just not able to ping it
Errr, what makes you think it's not already used in your network?
the amount of non enterprise solutions out there is huge. I could see this being useful on vacations. :)
I don't believe that !!! Is it a fake ??? A firewall that allows ping is no firewall !!!🤣
Well that's not true.
@@TallPaulTech Could you please tell me why a firewall should allow ping? I used firewalls already several years and I never used any ping. That's an invitation to be hacked. Your own fault.
@@l.a.v.5663 Well yeah. Your home router/firewall shouldn't openly allow pings. Some firewalls though that may just connect segmented networks together likely allow pings, usually bcs of testing purposes etc.
I didn't say which side should be allowed. If a firewall is your gateway out, you should be able to ping it from your client host.
@@TallPaulTech exactly. I don't know why people are complaining in the comments lol. tbh this is interesting, thanks for the video :)
Why so complicated????
Install Sockscap on a windows laptop, set the sockscap ip to your home ip address and use port 139 to forward all traffic in Sockscap to your home ip address.
On your computer at home install Proxy+ software and make it listen to port 139, then configure your router to forware port 139 to your computer with Proxy+ installed.
There you go 🙂
Tip: Give your home computer a fixed internal ip address in your router.
The goal of the firewall is to block all of theses ports, so it won't work
@@sylvaincamus4985 If they allow to ping then port 139 MUST be open and can be used to transfer socks ip data through it !!
@@DMNL2No. ICMP plays on Network Layer (3). There is no such a thing as „port“.
Yeah, someone missed the point of this thing
@@TallPaulTech Why not escape expensive captive portals by reading a book. 😁😂
where is software 17 minute of blah blah
It's PoC if you don't know how to recreate it don't cry. And also there must be millions of sources for this already since it's been known since mid 90s.
That is a very bad captive portal. We have captive portals at our office, but the AP put you into an isolated network (/29) which the only server you can connect with the the authentication server. Once you're authenticated, a gateway to added to your 'personal' network and you can access the internet. The /29 also prevent guests from snooping on each other.
Aside from icmp tunneling, one could also employ DNS tunneling, but that is easier to block as most AP's have DHCP and set the DNS you are allowed to use. It is not hard to block other DNS servers. Captive portal providers that don't understand user isolation mode should not exists. I knew aboyt icmptx, but didn't think of nesting WG together. That is actually a smart and sensible thing to do. Of course icmp speeds aren't that good. Even on our regular network, the gateway is traffic shaping icmp traffic (prevent flooding)...
Mate, you're spot on. Some people get it, and some don't.
@@TallPaulTech Quality videos attract quality comments. Subbed just now.
The comments are a mixed bag :)
Same idea as DNS tunneling. I've used it to run OpenVPN through pay wifi APs. Fun stuffs.
That is some premium content 👌🏻
Very useful! I'd probably never have thought of this.
Mate, I love it. Casual but professional to a tee.
This video could have been 10 times longer if I'd gotten right into it, but had to end it somewhere.
@@TallPaulTech - I think from this video, one can get started and understand how it works. If there are details that doesn't work out, it should be possible to do look for the answer on the net.
-So I think the video is just right! 😄
Almost makes me want to build out a pfSense router instead of my Ubiquiti
Really informative video, thanks!
A question, will this affect data speed?
I have policing with 100 bytes max for ICMP and 10 pps, so while this would work, the throughput is slow modem speeds.
Blocked UDP / ICMP echo... no love from above.
that was fun
Dummy me, ticking the checkbox "allow ICMP ping through gateway" in a web interface, thinking "now that doesn't hurt, does it? It'll make it easier to debug network issues".
I don't know any application that does it, but instead of using a tun device doing a datagram stream tunneling a single unix socket would remove a level of complexity.
Also the level of mangled icmp fields should be configurable, so that you can eak out every bit of available space on the link you have. Plus instead of a magic number, a checksum(simple parity) would be better... especially if it was salted(using a key derived by difhel) to evade classification.
I like your thinking. It would add complexity to the program of course. One day I'll look deep at how the ping via my mobile network modified the ICMP packet, so ping worked but was changed, making the tunnel unusable.
ping is an indespensable network tool and should not be dropped just because some kids used it maliciously. it just have to be able to be governed, such as. allows only limited rate and amount of ping from the same source (1p/s max.1000p/hr), putting it into an efficient algorithm is a different matter, though.
That was REALLY interesting indeed - I'm looking to build a Pi Zero 2W as a pocket hop-on router (so it seeks out open WIFI relays, connects and then routes a personal wifi lan through a tunnel established on that picked up interface).
Question though - wouldn't most of these services detect unusually high activity on ICMP and treat it as a potential attack or security risk? I'm vaguely remembering large scale ping activity to a set address being interpreted as a saturation DDOS attack method, is this correct?
Yes they should be. Usually modern firewalls are now 'payload aware' devices that inspect anything with regards to some traffic baseline set by cybersecurity analysts. So if ICMP traffic is allowed (first vulnerability as it should be disabled once network build is completed), firewall will surely trigger alert by detecting variable payload in ICMP packets (usually constant and small value, some tenth of bytes). So chances of exfiltrating data this way are weak on well protected networks. However, this is an extremely interesting technical approach and very educative, thanks to Paul !
This is awesome man 😄
May I know what software you use for capturing the ping ?
Looks like wireshark
Either Wireshark, tshark, or tcpdump.
he is using LEARN THE BASICS... dumbass
mr i watch technical videos without any technical foundations.
@@ace6664 Why are you being so rude to someone trying to learn the basics by asking questions?
@@timgeel260 Ironically, they need noobs to convince themselves that they alone are the GOAT typically. There are no dumb Q's so long as they're legit IMO. Sure, there may be a time & place for certain things but if even youtube comments have such restrictions we're doomed. Makes for an ideal stackexchange 💪mod though.
Router? Public IP ?? Please reply?
NO
What?
Thanks for the knowledge, great video
Now you behave
subbed very smart idea.
That's so cool, thanks for sharing 😃👍
Pretty cool stuff
Holy shit.
Holy shit what?
ingenious!
Nifty