Bypassing Firewalls With PING!

  • Published 14 Oct 2023
  • In this video, I show you how you can modify the payload of an ICMP PING packet to send your own data back and forth through an ICMP tunnel. If a firewall allows pings, then there's a good chance you can set up a tunnel.
    Wireguard video - • Wireguard VPN On Raspb...
  • Science & Technology

Comments • 229

  • @rogo7330 8 months ago +4

    The most mindblowing thing to me when I discovered that was that ICMP for some unknown reason allows sending data back and forth, and by default `pong` will send the same piece of data as `ping` has. Why? Idk, possibly admins back then wanted to send ascii goatse to each other through pings or something.

  • @TenForceFalls 8 months ago +12

    I see this could be valuable for bypassing expensive airline internet

  • @paulp1204 8 months ago +5

    Mate, I love it. Casual but professional to a tee.

    • @TallPaulTech 8 months ago +1

      This video could have been 10 times longer if I'd gotten right into it, but had to end it somewhere.

    • @68HC060 8 months ago

      @@TallPaulTech - I think from this video, one can get started and understand how it works. If there are details that don't work out, it should be possible to look for the answer on the net.
      So I think the video is just right! 😄

  • @SuperSerNiko97 8 months ago +3

    I found this channel last week and it’s already in my top 10 (and I don’t watch any of the mainstream crap), very nice, keep it up!

  • @lis6502 7 months ago +6

    awesome content, no shitty intros, no outros, no BGM, just pure juicy meat from end to end.
    Personally I like to do some nasty stuff inside my homelab's network, but utilizing ping's payload as a data carrier is something new and fun!
    I love the Linux way of thinking - open a tunnel, use another layer of communication inside of it, and if the protocol by its sole nature doesn't support encryption, just add it as a layer :P. I recall the good ol' days of stunnelling smtp traffic when smtps wasn't a common thing.

    • @TallPaulTech 7 months ago +1

      Oh, we don't do dodgy shit around here!... much

  • @KeinNiemand 8 months ago +11

    If you can get anything out of a network you can turn it into a tunnel and run everything over it.

    • @TallPaulTech 8 months ago +1

      Indeed you can

  • @statictech7 7 months ago +4

    Bro this outfit is out of control. I love it. You are a legend

  • @68HC060 8 months ago +5

    Very useful! I'd probably never have thought of this.

  • @Canthus13 8 months ago +6

    Same idea as DNS tunneling. I've used it to run OpenVPN through pay wifi APs. Fun stuffs.

  • @pcislocked 8 months ago +5

    didn't watch the video yet, but I remember softether having the functionality of setting up L2 tunnels over icmp or even DNS.

  • @RonDLite 8 months ago +8

    DNS port usually works as well

  • @TheMadMagician87 8 months ago +4

    Brilliant mate, that was a new one to me. Thanks for sharing.

  • @RobvandenBoogaard 8 months ago +6

    That is some premium content 👌🏻

  • @just_david_for_u 8 months ago +1

    Nice! Well done. And thanks for sharing, very clear setup. I'll try this myself

  • @TallPaulTech 8 months ago +67

    It don't mean a thing if it ain't got that ping

    • @LowOutput 8 months ago +7

      Doowah Doowah Doowah Doowah Doowah Doowah Doowah Doowah
      I mean
      Echo request echo reply
      Echo request echo reply

    • @LowOutput 8 months ago +3

      So in all seriousness-if you are the owner/operator of the system with the captive portal, maybe consider disallowing ICMP or restrict the allowed source/destination addresses for ICMP traffic to avoid being subjected to this type of attack.

    • @Mr_Sh1tcoin 8 months ago +1

      Shabba

    • @brunoblattlicht7081 8 months ago +1

      I figured this one out on my own by accident. I was using my wireguard vpn and my device connected to a guest network, then i immediately connected to the vpn and I was connected to the internet. I didn't have to sign in and I had never used the network before.

    • @damiendye6623 7 months ago

      @@LowOutput don't block ICMP, just the ping element; blocking all ICMP is bad on so many levels

  • @MrSuperSnuiter 8 months ago +2

    Awesome tutorial. Thank you for posting.😀

  • @cokegen 8 months ago +5

    loving the content man ... keep it up !!!

  • @gaborungvari784 8 months ago +1

    veeeeery nice :) thx a lot for the vid! Please keep creating similar ones, this was really insightful!

  • @termireum 8 months ago +2

    Nice paintings!

  • @don5062 8 months ago +8

    Just my opinion but, any Admin who cares enough to set up a firewall but doesn't block ping is really missing the low hanging fruit. I have yet to see, in a professional setting, a system that didn't block ping by default.

  • @boozlightyear 8 months ago +2

    Great content! Keep up the good work

  • @maximus6884 8 months ago +6

    This channel has been on fire!

  • @darrenburke8566 8 months ago +2

    Thanks for the knowledge, great video

    • @TallPaulTech 8 months ago +2

      Now you behave

  • @asheglenn 8 months ago +4

    This is exactly the reason to drop ICMP packets in your firewall, really informative!

    • @patrickelliott2169 8 months ago +2

      Kind of pisses me off though. There are reasons these tools were developed, and sometimes it's useful to know that a problem is not your ISP, or something on your own network, but something in the damn middle. While I couldn't do anything about it at the time, not having the skills to do so, there was a point years back where some idiots screwed up a major branch of the backbone between California and a mess of servers some place between northern California and the site in Oregon I was trying to reach. Virtually everyone else, all over the country, could still get there, but thanks to the ironically "usually" useful fact that in this day and age they route via the fastest path and severely limit the network's ability to fix itself by hunting alternatives, literally everyone in Southern California, Arizona, probably parts of Nevada, etc. couldn't reach anything in that area for nearly 4 months, until they finally fixed whatever broke. Now, without ping, and its related tracert, I would have had no f-ing clue what the problem was, or been able to figure out that, idiotically, anything routing via NY, instead of California, could still access them. Now, imagine you are someone relying on a server in that area and half your customers are unable to get to your site, but every system on the network has decided to not "limit" what such packets can do, and/or implement solutions to stop someone using it to get around your systems, by checking the flipping packets to make sure they are legit packet requests, instead of something hijacking it, you just disabled all ability to even use the tool... For me it was an inconvenience, for a company it could be thousands of lost customers, hours, or days, or worse, wasting time trying to find someone that knows what the f is going on, and when it will be fixed, and let's not forget lost income.
      All because you can't use network diagnostics tools to find where on the internet the failure is happening and flipping call the companies at the point before failure and ask, "What the bleep is going on?"
      Just.. annoys the heck out of me.

    • @asheglenn 8 months ago +1

      @@patrickelliott2169 I definitely understand that frustration, just a thought but you could have a bare bones pi with a Linux os just to perform those two commands in the DMZ portion of your network not sure how that would look or even if it is a good idea.

    • @patrickelliott2169 8 months ago +1

      @@asheglenn If it's my own network odds are I would either have alternate tools, or not have it disabled internally - just at the external points of access.
      The issue is generally diagnosing what may be going on someplace between you and another network. However, I have found that even some links on the internet's own backbone get "disabled", possibly by overly paranoid ISPs that you end up passing through in some manner. This has rendered any ability to determine where your traffic is actually going problematic. And, honestly, I can see it being an issue if someone managed to spoof DNS somehow, and you might be paranoid enough of this to want to figure out, roughly, if the server you 'think' you are trying to talk to is actually in North America, when it's been spoofed and you are actually talking to something that inexplicably traces to a "last jump before I got there" in China, or something.
      Not that I have a reason to a) be that paranoid, or b) actually design something to check that. Just... sometimes companies insist on ignoring why something exists, or why it needs to keep working, or the possible consequences of it no longer doing so, if they can find a simplistic short cut. This just flat out bugs the hell out of me.

  • @agritech802 8 months ago +1

    That's so cool, thanks for sharing 😃👍

  • @jeisonsanchez4842 8 months ago +8

    I like how you broke this down to byte sized pieces. Subscribed!

    • @TallPaulTech 8 months ago +1

      I also take requests :)

    • @datpudding5338 8 months ago

      Gotta love the pun xD

    • @Jamesaepp 8 months ago

      @@TallPaulTech how about an echo request?

  • @robmckennie4203 8 months ago +3

    This is a really cool video, I've been fascinated by networks and tunnelling ever since I started reading RFCs and man pages when I was 15 or 16, about 11 years ago. Something I learned about from Jason D that might be useful here is network namespaces, not just for simplifying the route setup (you can just slap a /0 route in your 'container' namespace and you're good to go) but you could also use a namespace to isolate the icmptx program from the tun interface, allowing you to answer pings through the tunnel in the usual fashion (different namespaces can have different values for all the properties like icmp_echo_ignore_all)

  • @PLAY-sd4hy 8 months ago +2

    This is awesome man 😄

  • @Anonymouzee 8 months ago +1

    dude,,, nice info... 👍
    and I like the "Blues-Brothers" style!!! 😎
    but if you pay attention at 15m:11s the sign at the garage door is trying to trick you to "attack the hydrant"... 🤔
    (we have to always aware of this tentative distractions... 🤣)

  • @Gin-toki 8 months ago +3

    Really informative video, thanks!
    A question, will this affect data speed?

  • @rogo7330 8 months ago +2

    I stumbled upon a VERY old piece of code that does proxy through ICMP exactly like this. It's not a 100% solution though because ICMP can be blocked as well and you need a server that will speak to you with the same handmade protocol. There is that.

  • @drtidrow 8 months ago +4

    I actually got to know the guy who originally wrote 'ping' - he was a senior engineer at the Army Research Labs in Aberdeen Maryland. Very smart and experienced guy, probably could have been making triple what he did as an Army employee if he went to work for a big IT company.

    • @blancfilms 8 months ago +4

      "I know the guy who wrote ping" is such a weird flex hahaha 😂

  • @sternik8936 8 months ago +1

    Pretty cool stuff

  • @bozallen 8 months ago +1

    Brilliant!

  • @dingokidneys 8 months ago +2

    And I thought that ping was just: BEEP ... BOOP.
    Very cool indeed.

  • @hygri 8 months ago +1

    Mmm... cool. Be using that!!

  • @PelDaddy 8 months ago +4

    Thanks for this.
    Why would providers of wifi allow ICMP anyway? I have seen many do not. Some do allow DNS (tcp even) with no auth either. So I run an sshd on port 53 that can be used for forwarding.

  • @Melds 8 months ago +2

    I have policing with 100 bytes max for ICMP and 10 pps, so while this would work, the throughput is slow modem speeds.

  • @mahmutdikcizgi9773 8 months ago +2

    subbed very smart idea.

  • @evolv_85 8 months ago +1

    Hey, just come across your channel. Interesting stuff. Will have a look through your content. Have a great weekend.

    • @TallPaulTech 8 months ago +1

      Okay, so out of curiosity, how did you end up here?

    • @evolv_85 8 months ago +1

      @@TallPaulTech Came up as a recommended video on my feed and I'd recently installed a new firewall and done a ping test! Was the perfect moment!

    • @TallPaulTech 7 months ago +2

      Ah, so that's how this game works.

  • @tfr 8 months ago +6

    My school's network firewall has blocked everything except for tcp 80 and 443. No VPNs, DNS or ICMP (or anything else) can get through. I've had to make my own tunneling protocol from scratch to get past. I've had to write a program that sets up a listener UDP server locally and tunnels incoming connections over TCP to a remote server to bypass the firewall. The remote server then translates it back to standard UDP and sends it to its destination. In my case, I'm using wireguard over this UDP-to-TCP tunnel protocol to ensure my stuff is encrypted on transport since the firewall doubles up as a DPI. The only thing obvious about this protocol is the fact it opens an HTTP websocket connection to a remote server since it's obviously on tcp 443. Besides that, all flowing data is encrypted by wireguard. It's pretty stealthy but my own protocol is probably really insecure hence the need for wireguard on top of

    • @Linux333 8 months ago +2

      Skid

    • @danielp7219 8 months ago +2

      @@Linux333 nah, this guy seems like he knows what he's talking about.

    • @danielp7219 8 months ago +1

      interesting might actually try this.

  • @dc95811 8 months ago +4

    I have seen different devices that had a 'ping reply reject' option. I used to think that would be a dumb thing to select, what harm could a ping reply do?

  • @honest8bob 8 months ago +1

    ingenious!

  • @qualitycontent5750 8 months ago +1

    Ty for this

  • @musicbyerland 8 months ago +3

    huh, would not have thought to use ICMP to tunnel, but it's so obvious in retrospect and WAY more likely to work by default for basic captive portal installs... I feel like this is the first clever ICMP-related hack since the good ol' Ping of Death in the 90s.
    Edit: gah, icmptx is old and I feel old

  • @VirtuelleWeltenMitKhan 8 months ago +4

    Always asked myself if it would be possible to exploit ICMP for data transfer .... thx

  • @DeadlyDragon_ 8 months ago +8

    I'm a network engineer myself, this could definitely work in SOME scenarios. But when you get into enterprise environments where ping is blocked for security reasons, all of those ICMP packets will either be dropped or a reset will be sent back etc. I am curious to see if the likes of Palo Alto / Fortigate's layer 7 features would be able to catch this though as abnormal ICMP traffic.
    One could absolutely build a custom application in these firewalls to restrict the size of pings allowed to the point that this utility is unusable.

    • @TallPaulTech 8 months ago +3

      ICMP doesn't have resets, as they don't have a session to reset as TCP in layer 4 does.
      As for a Palo Alto, I tried this through my PA-200 which I was going to put in the video but didn't. They have a rule for ping and another rule for ping-tunnel. On a very quick test, even only allowing ping through enabled me to make this tunnel. I'd have to dig into it properly to be sure of how it works through that though, which I couldn't be bothered for TH-cam :)

    • @DeadlyDragon_ 8 months ago +1

      @@TallPaulTech interesting, I need to pick up a palo for my homelab at some point price is a bit daunting to swallow though. I currently have an srx-300 I need to put back into service to swap my udm-pro out

  • @2Fast4Mellow 8 months ago +9

    That is a very bad captive portal. We have captive portals at our office, but the AP puts you into an isolated network (/29) where the only server you can connect to is the authentication server. Once you're authenticated, a gateway is added to your 'personal' network and you can access the internet. The /29 also prevents guests from snooping on each other.
    Aside from ICMP tunneling, one could also employ DNS tunneling, but that is easier to block as most APs have DHCP and set the DNS you are allowed to use. It is not hard to block other DNS servers. Captive portal providers that don't understand user isolation mode should not exist. I knew about icmptx, but didn't think of nesting WG together. That is actually a smart and sensible thing to do. Of course ICMP speeds aren't that good. Even on our regular network, the gateway is traffic shaping ICMP traffic (prevent flooding)...

    • @TallPaulTech 8 months ago +5

      Mate, you're spot on. Some people get it, and some don't.

    • @daveogfans413 7 months ago +2

      @@TallPaulTech Quality videos attract quality comments. Subbed just now.

    • @TallPaulTech 7 months ago +1

      The comments are a mixed bag :)

  • @user-rt1lw3ds6q 8 months ago +4

    Almost makes me want to build out a pfSense router instead of my Ubiquiti

  • @lewsdiod 8 months ago +1

    Wow, NEAT!

  • @pete3897 8 months ago +4

    Back in the 90s we did this with DNS TXT records :)

    • @TallPaulTech 8 months ago +6

      Back in the 90's I still had my Commodore Amiga :)

    • @wva5089 8 months ago

      I agree, using VPN over DNS is more likely to work. Some hotspots block ICMP even when you've logged in

  • @augustedrifande6017 8 months ago +1

    Woahwow, I slithy deformed my Wow (so sorry, is gracefully time to show this video).

  • @5urg3x 7 months ago +3

    Sometimes they will also allow DNS traffic out as well. You can tunnel over that too. I did this 20 years ago in high school on my school's network so I could play Counter-Strike lol.

    • @TallPaulTech 7 months ago +2

      Slacker!

    • @Ztaticify 5 months ago

      Your latency must've been awful

  • @mikebusse6787 8 months ago +1

    What is the program called where you display all the wifi info from the telephone booth with the wifi symbol on top?

  • @ashkenaze 7 months ago +1

    ping is an indispensable network tool and should not be dropped just because some kids used it maliciously. It just has to be able to be governed, such as allowing only a limited rate and amount of ping from the same source (1p/s, max. 1000p/hr); putting it into an efficient algorithm is a different matter, though.

  • @joerockhead7246 8 months ago +3

    that was fun

  • @conodigrom 8 months ago +11

    Free tip from a colleague: if you're tall you wanna raise the height of your monitors by around 10 inches, judging by the video. Your neck and back will thank me later.

    • @TallPaulTech 8 months ago +8

      I have plenty of inches

    • @gregandark8571 8 months ago +1

      @@TallPaulTech
      Where exactly ??

  • @user-kl6qj9lc5y 7 months ago

    Little confused about 1 thing. Where does the address 8.7.6.5 come from?

  • @havkacik 8 months ago +2

    Incredible. That's pretty cool. Setup via the script is pretty quick. Have you experienced all hotspots working just as easily as this one? I presume that if ping is blocked by the firewall at the wifi hotspot the whole thing won't be working. Correct?

    • @TallPaulTech 8 months ago +2

      Correct.

    • @Melpheos1er 8 months ago +2

      It's very rare that ping is blocked. Most admins keep it available for debug, but that's obviously not the best thing to do; that's a cost to pay. To be honest I leave it on, but I do not manage wifi and our physical network is 802.1x certificate secured + auth

  • @SwissPGO 8 months ago +5

    I played with the idea of using ping for tunneling but never knew the tools were available so easily.
    What about performance of such a tunnel?
    and... subscribed

    • @TallPaulTech 8 months ago +4

      I could test it in lab conditions, which I think would be pretty high speed, as I don't see why it wouldn't be. The unknown would be the public networks that would bring all the variables into it. If I did it in a lab though, you know people would just say "yeah, but that's in a lab".

    • @andrewborntrager7909 8 months ago

      If you are accessing your home network and using that as your internet server, then you will be at least restricted by your home internet's upload speed (which I think will be your download speed).

    • @SwissPGO 8 months ago +1

      @@andrewborntrager7909 10 Gb fibre... wan and doing 10 Gb inside also, I have no worries about that ;-)
      There are few general purpose sites that can match the speed actually.
      And... I'm living in the swiss countryside with direct view on the mountains - just perfect location!

  • @JeffHochberg 8 months ago +6

    Yeah you made me decide to start wearing a lab coat when I go to work. It really is justified…it’s a messy job.

    • @TallPaulTech 8 months ago +2

      You do you Champ

  • @CoolAsFreya 8 months ago +4

    Ironic that it's tunnelling using ICMP ping protocol, but you can't use ping to test the connection through the tunnel!

  • @capability-snob 8 months ago +1

    There's a Nong Nang Ning where the trees go Ping! And the teapots jibber-jabber-joo.

    • @JB_inks 8 months ago

      I wrote an essay on that poem at school many many years ago!

  • @realcygnus 8 months ago +1

    Nifty

  • @bjornroesbeke 8 months ago +6

    Dummy me, ticking the checkbox "allow ICMP ping through gateway" in a web interface, thinking "now that doesn't hurt, does it? It'll make it easier to debug network issues".

  • @simidachong9191 8 months ago +4

    May I know what software you use for capturing the ping ?

    • @makian_real 8 months ago +5

      Looks like wireshark

    • @TallPaulTech 8 months ago +3

      Either Wireshark, tshark, or tcpdump.

    • @ace6664 8 months ago +2

      he is using LEARN THE BASICS... dumbass
      mr i watch technical videos without any technical foundations.

    • @timgeel260 8 months ago +14

      @@ace6664 Why are you being so rude to someone trying to learn the basics by asking questions?

    • @realcygnus 8 months ago

      @@timgeel260 Ironically, they need noobs to convince themselves that they alone are the GOAT typically. There are no dumb Q's so long as they're legit IMO. Sure, there may be a time & place for certain things but if even youtube comments have such restrictions we're doomed. Makes for an ideal stackexchange 💪mod though.

  • @davocc2405 8 months ago +6

    That was REALLY interesting indeed - I'm looking to build a Pi Zero 2W as a pocket hop-on router (so it seeks out open WIFI relays, connects and then routes a personal wifi lan through a tunnel established on that picked up interface).
    Question though - wouldn't most of these services detect unusually high activity on ICMP and treat it as a potential attack or security risk? I'm vaguely remembering large scale ping activity to a set address being interpreted as a saturation DDOS attack method, is this correct?

    • @skywskyw 8 months ago +1

      Yes they should be. Usually modern firewalls are now 'payload aware' devices that inspect anything with regard to some traffic baseline set by cybersecurity analysts. So if ICMP traffic is allowed (first vulnerability, as it should be disabled once the network build is completed), the firewall will surely trigger an alert by detecting a variable payload in ICMP packets (usually a constant and small value, some tens of bytes). So chances of exfiltrating data this way are weak on well protected networks. However, this is an extremely interesting technical approach and very educative, thanks to Paul!
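
The detection heuristics the commenters above describe (constant, small stock-ping payloads versus variable tunnel payloads; a replier must mirror the request's data; rate and size policing), as an added defender-side example that is not code from the video or from icmptx. The echo-record schema, the constructed samples and the 8-byte timestamp-slot assumption are this example's own; the 100-byte and 10 pps thresholds are the ones one commenter reports using.

```python
"""Heuristic detection of ICMP echo tunnelling over decoded echo records."""
from collections import defaultdict
from dataclasses import dataclass
import random

# Thresholds borrowed from the policing a commenter describes (100 bytes, 10 pps).
MAX_PAYLOAD = 100   # bytes of echo data allowed per packet
MAX_PPS = 10        # echo requests per second allowed per flow


@dataclass(frozen=True)
class Echo:
    """One ICMP echo message as a capture tool would decode it (hypothetical schema)."""
    ts: float       # capture time in seconds
    src: str
    dst: str
    kind: str       # "request" or "reply"
    ident: int      # ICMP identifier
    seq: int        # ICMP sequence number
    payload: bytes  # ICMP data field


def analyse(records):
    """Return sorted (flow, reason) findings; a flow is (requester, responder, ident)."""
    findings = set()
    requests = defaultdict(list)          # flow -> requests seen
    by_seq = {}                           # (flow, seq) -> request
    for r in records:
        if r.kind == "request":
            flow = (r.src, r.dst, r.ident)
            requests[flow].append(r)
            by_seq[(flow, r.seq)] = r

    # 1. An echo reply carries back exactly the data it was sent (RFC 792). A tunnel
    #    peer uses the reply to push data downstream, so the payload changes.
    for r in records:
        if r.kind == "reply":
            flow = (r.dst, r.src, r.ident)
            req = by_seq.get((flow, r.seq))
            if req is not None and req.payload != r.payload:
                findings.add((flow, "reply payload differs from request"))

    for flow, reqs in requests.items():
        sizes = {len(q.payload) for q in reqs}
        # 2. Oversized data field.
        if max(sizes) > MAX_PAYLOAD:
            findings.add((flow, f"payload exceeds {MAX_PAYLOAD} bytes"))
        # 3. One ping run uses one fixed size; a data carrier sizes packets to its data.
        if len(sizes) > 1:
            findings.add((flow, "payload size varies within flow"))
        # 4. Assumed here: stock ping keeps everything after an 8-byte timestamp slot
        #    constant from packet to packet; carried data does not.
        tails = {q.payload[8:] for q in reqs}
        if len(reqs) > 1 and len(tails) > 1:
            findings.add((flow, "payload content varies within flow"))
        # 5. Rate: requests inside any sliding one-second window.
        times = sorted(q.ts for q in reqs)
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] < start + 1.0:
                j += 1
            if j - i > MAX_PPS:
                findings.add((flow, f"more than {MAX_PPS} requests/s"))
                break
    return sorted(findings)


def stock_ping_sample():
    """Constructed: five ordinary 56-byte pings, one per second, replies mirrored."""
    pattern = bytes(range(0x10, 0x10 + 48))   # constant fill after the timestamp slot
    out = []
    for seq in range(1, 6):
        ts = 100.0 + seq
        payload = int(ts).to_bytes(8, "big") + pattern   # timestamp slot changes per packet
        out.append(Echo(ts, "192.0.2.5", "198.51.100.1", "request", 0x1234, seq, payload))
        out.append(Echo(ts + 0.02, "198.51.100.1", "192.0.2.5", "reply", 0x1234, seq, payload))
    return out


def tunnel_sample():
    """Constructed: thirty echoes in under a second carrying random data of changing
    size, with replies carrying different data back (the peer speaks the tunnel)."""
    rng = random.Random(1)

    def rnd(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    out = []
    for seq in range(1, 31):
        ts = 200.0 + seq * 0.03
        req = rnd([64, 120, 400][seq % 3])
        out.append(Echo(ts, "192.0.2.7", "203.0.113.9", "request", 0x4242, seq, req))
        out.append(Echo(ts + 0.01, "203.0.113.9", "192.0.2.7", "reply", 0x4242, seq, rnd(200)))
    return out


if __name__ == "__main__":
    for name, sample in (("stock ping", stock_ping_sample()), ("tunnel", tunnel_sample())):
        print(name, "->", [reason for _, reason in analyse(sample)] or "clean")
```

Each check on its own has false positives (a sysadmin's `ping -s 1000` trips the size rule), so in practice the findings feed a score or a rate limiter rather than a hard block.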

  • @johnny_gtr 8 months ago +6

    Not sure if I’m tuning in to the channel now for content or the clothing 😜

    • @TallPaulTech 8 months ago +1

      Well, somebody had to do it.

    • @johnny_gtr 8 months ago

      @@TallPaulTech just pulling your chain (like your tailor! 😜)
      Great content as ever dude! Keep it up.

  • @cheako91155 7 months ago +2

    I don't know any application that does it, but instead of using a tun device doing a datagram stream tunneling a single unix socket would remove a level of complexity.

    • @cheako91155 7 months ago +1

      Also the level of mangled ICMP fields should be configurable, so that you can eke out every bit of available space on the link you have. Plus instead of a magic number, a checksum (simple parity) would be better... especially if it was salted (using a key derived by Diffie-Hellman) to evade classification.

    • @TallPaulTech 7 months ago +1

      I like your thinking. It would add complexity to the program of course. One day I'll look deep at how the ping via my mobile network modified the ICMP packet, so ping worked but was changed, making the tunnel unusable.

  • @ryanglover5962 7 months ago +1

    LOL at the 4:00 mark. Some script kiddies are going to take you literally and learn life lessons the hard way. I love it.
    You showed up on my feed either because I've been binging David Plummer or because I was shopping for a Flipper Zero; so there must be something good here. Subscribed.

    • @TallPaulTech 7 months ago +1

      It's all good here, no matter what they tell you ;)

  • @vladimirfox5750 8 months ago +1

    Oh that’s awesome. Could you help me with my NAT66 setup for my IPv6. Yes I know, but it’s my only option.

    • @TallPaulTech 8 months ago

      Sure, I did a video on that.

    • @vladimirfox5750 8 months ago

      @@TallPaulTech I’m afraid my setup is even more complicated than the video goes into. Long story short. I use a VPN provider (Mullvad) that has given me a single /128 IPv6 using FFCE allocation. I’m using wireguard and a Debian computer that I turned into a Router using VLANs and iptables, etc. I got the v4 portion working perfectly and been working for years but I now require v6 for work since they switched to v6 only. But I can’t seem to figure out the v6 portion no matter how much I try and research. Maybe you can help and have potential video out of it. It’s like double natting on v6 but it’s my only option. The V6 works fine on router itself. I can’t seem to forward to my VLANs.

  • @theohallenius8882 8 months ago +3

    Wow this is game changing!

    • @TallPaulTech 8 months ago +6

      And what game exactly are you playing?

  • @lilkittygirl 8 months ago +3

    Cool things that literally are never used in the real world.

  • @mrhassell 8 months ago +3

    Blocked UDP / ICMP echo... no love from above.

  • @MistahHeffo 8 months ago +2

    WG over ICMPTX... It's tunnels all the way down!

  • @ArindamGhoshal 8 months ago +2

    wow wow wow

  • @tiran133 8 months ago +8

    Now try it on an airplane :)

    • @cocosloan3748 8 months ago

      Yeah sure. He should buy a plane ticket and sit there typing on the laptop - and then turn return - only because you requested 🤣🤣

  • @gangstaberry2496 several months ago

    What is the name of the software you're using?

  • @poddmo 8 months ago +2

    How would you control for it? Block ICMP, rate limit, DPI IDS? It's very disappointing that Telstra haven't got that locked down.
    ps mum says hi

    • @rogo7330 8 months ago +2

      Not allowing anything to go to the internet from this IP until it talks to the captive portal and that portal says that this abonent is ok to go out.

    • @poddmo 8 months ago +1

      Perhaps the more interesting question is: why have they allowed it?

    • @68HC060 8 months ago +3

      @@poddmo - likely for making their own diagnostics easy. 😃

    • @Darkk6969 8 months ago +1

      Lock it down by restricting to known IPs for troubleshooting purposes.

  • @SecretLetters 8 months ago +2

    I clicked on this video solely because you look like Adam Pearce from WWE

    • @TallPaulTech 8 months ago +1

      I just looked him up. How the hell do I look like him?!

  • @bluetrepidation 8 months ago +1

    How do I host services over an ISP that uses GNAT?

    • @TallPaulTech 8 months ago +1

      You have to have a public IP address that you can use.

    • @FrAllard 8 months ago

      You would need a VPS, hosted in a data center, similar to providers like Linode (which sponsors many TH-cam videos). From your home router or the server where you wish to host services, establish a WireGuard tunnel to that VPS. Afterward, set up iptables rules to both forward traffic from the VPS IP address and masquerade it, sending it through the tunnel to your server.

    • @bluetrepidation 8 months ago

      Thanks for the replies. So I need to tunnel through a service/server.

    • @LampJustin 8 months ago +1

      @@bluetrepidation not necessarily. You can also just use IPv6. Even if you're behind a CGNAT you'll have a public IPv6 prefix to use.

    • @zorbatron216
      @zorbatron216 8 months ago

      @@LampJustin Even though it's 2023, not all ISPs give out IPv6 prefixes so they may be out of luck for a 100% home-hosted solution.

  • @Leiton1985
    @Leiton1985 8 months ago +6

    Next vid… top hat.

  • @adrianceasar5620
    @adrianceasar5620 8 months ago +2

    by default new firewalls have icmp filtered .. maybe a DNS tunnel .. has a chance

    • @FrostByte112
      @FrostByte112 8 months ago

      It's nothing new, it's been there since 1999. It's a choice.

    • @t0biascze644
      @t0biascze644 8 months ago

      DNS tunnel won't work since custom dns servers are often blocked

  • @jordanrox007
    @jordanrox007 8 months ago +2

    This is cheeky..... hahaha

  • @Carl_Georg
    @Carl_Georg 8 months ago +5

    Neat hack

  • @kritikusi-666
    @kritikusi-666 8 months ago +1

    do you have any tutorials on how to set up WireShark on Windows? It is probably a very noob question, but just wondering if there is anything special (prereq required) before setting it up. Great content btw. I saw your Tesla post on HN, that is how I found you.

    • @TallPaulTech
      @TallPaulTech 8 months ago +1

      I don't use Windows, so I don't know. Also, what's HN?

    • @TallPaulTech
      @TallPaulTech 8 months ago +1

      Ah, Hacker News.... haha, damn, I see it there now.

    • @VitisCZ
      @VitisCZ 8 months ago +2

      On windows you just install wireshark and it installs its network capturing driver automatically. Just make sure to reboot after install and everything should work fine

    • @kritikusi-666
      @kritikusi-666 8 months ago +1

      thank you @@VitisCZ

  • @AL6S00740
    @AL6S00740 8 months ago +1

    Holy shit.

    • @TallPaulTech
      @TallPaulTech 8 months ago

      Holy shit what?

  • @Curttzy
    @Curttzy 8 months ago +3

    Router? Public IP ?? Please reply?

  • @Greebstreebling
    @Greebstreebling 8 months ago +4

    pings don't get through my firewall :) :)

  • @veterantruthtube3298
    @veterantruthtube3298 8 months ago +1

    This way behind me. Lol

  • @j-dev2605
    @j-dev2605 months ago

    excuse me sir i am confused a bit ... isn't this trick just about connecting to your home network with a VPN/ICMP TUNNEL through the telstra wifi network ?? so if that's right i think the concept of bypassing a captive portal like that is pointless ... because you are finally using your own network ...

    • @TallPaulTech
      @TallPaulTech months ago

      I think you've missed a whole lot of things.

  • @rainbowtrout8331
    @rainbowtrout8331 8 months ago +1

    Mate, great content.. Just friendly advice, just bleep out the "company" you tested this on..

  • @_Stin_
    @_Stin_ 8 months ago +4

    But you didn't bypass the firewall with ping, though :/
    Why not just call the video 'Bypassing firewalls using icmptx'?

    • @TallPaulTech
      @TallPaulTech 8 months ago +2

      Or ICMP type 8 and 0

  • @FrostByte112
    @FrostByte112 8 months ago +3

    With your permission, can I use this video to show some of the government (my current client) here how easily their NGFW is bypassed? Some people hold by high or low that the network is secured because the firewall is "next generation"...
    The point isn't to block ICMP, the point I'm trying to make is that securing all outgoing connectivity is an extremely difficult thing to do without draconian measures.

    • @TallPaulTech
      @TallPaulTech 8 months ago +6

      It's YouTube. Anyone can click it I'm sure.

    • @MistahHeffo
      @MistahHeffo 8 months ago +3

      Don't show them the video.. A LIVE DEMO will get the point across far more efficiently!

  • @HyperVectra
    @HyperVectra 8 months ago +4

    5:36 - Remember AI has learnt to guess passwords based on the sounds the keycaps make as you punch them in.. just sayin..

  • @sideloadedwaffle
    @sideloadedwaffle 8 months ago +1

    Me when icmp is blocked

  • @cougarmain
    @cougarmain 8 months ago +3

    YAY we becoming hackers now!

    • @68HC060
      @68HC060 8 months ago +3

      True. The word "hacker" has been abused way too much. A hacker is technically someone who gets something to work by fixing it in a way which is not 'traditional'. 😉

    • @TallPaulTech
      @TallPaulTech 8 months ago +1

      Exactly.

  • @fghdfghdfghdfg
    @fghdfghdfghdfg 8 months ago +4

    Fuckin Heisennerd - Breaking NaT 😂

  • @PowerUsr1
    @PowerUsr1 6 months ago +1

    I’m running a Palo Alto…this does not and cannot work hahaha

  • @stephenurquhart4117
    @stephenurquhart4117 8 months ago +5

    Secured by Telstra😂

    • @HyperVectra
      @HyperVectra 8 months ago +1

      lol they have never secured anything... except maybe the luck of using PSTN which stopped phreaking

    • @dronespace
      @dronespace 8 months ago

      @@HyperVectra love your profile picture
      Netscape nostalgia