From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 26 Jan 2014 21:20:36 +0100
I recently had an opportunity to play with ptunnel a bit, an interesting tool
to tunnel TCP connections over ICMP echo. After playing with a sniffer for a
while, I noticed that ptunnel is very easy to detect and figured I'd write my
first NSE script that sniffs on the network. I managed to create something that
seems to work and I decided to publish my script on the mailing list. Here's
The script creates a ptunnel packet that says "connect to 127.0.0.1:22". The
last byte of the session ID is randomized in order to avoid throttling by
ptunnel if the script is run repeatedly. Regardless of whether the port is
open or not on the destination host, we should get a reply if the program is
running on the remote host. We sniff for ICMP from the host for 2 seconds,
expecting to get both our ping and ptunnel response.
There's definitely a lot of room for improvements, but I decided to wait for
feedback before I add new features. In order to test it, copy ptunnel.nse
to your current directory and run:
nmap -sn <target> --script ptunnel
Note that you might need administrative privileges to send raw IP packets,
which is needed by the script.
Is anybody interested in this script?
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
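The post's point is that ptunnel traffic is easy to spot on the wire: every tunnel packet is an ICMP echo whose payload begins with a fixed header carrying the magic value, the tunnel destination and a session id. The following is an added example written for this archive page, not the ptunnel.nse script from the post and not ptunnel's own code. It parses raw IPv4 frames from the defender's side and flags echo requests or replies that carry that header. It assumes the header layout from ptunnel.h as the author of this example recalls it (32-bit magic 0xD5200880, then big-endian dst_ip, dst_port, state, ack and data_len as uint32, then seq_no and id_no as uint16); check those against your copy of the ptunnel source before relying on the values. The two sample frames (a ptunnel probe for 127.0.0.1:22 and an ordinary ping) are constructed inline so the block runs offline.

```python
"""Flag ICMP echo traffic that carries a ptunnel header (added example).

Assumed layout of the ptunnel packet header (from ptunnel.h, to be
verified against your source): magic, dst_ip, dst_port, state, ack,
data_len as big-endian uint32, then seq_no and id_no as uint16.
"""
import socket
import struct

PTUNNEL_MAGIC = 0xD5200880                # assumed value of kPing_tunnel_magic
PTUNNEL_HDR = struct.Struct("!IIIIIIHH")  # magic,dst_ip,dst_port,state,ack,data_len,seq,id
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def parse_ipv4(frame):
    """Return (proto, src, dst, payload) for a raw IPv4 frame, or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    return (frame[9], socket.inet_ntoa(frame[12:16]),
            socket.inet_ntoa(frame[16:20]), frame[ihl:total_len])


def parse_ptunnel(icmp):
    """Decode the ptunnel header inside an ICMP echo message.

    Returns a dict with the tunnel destination and session id, or None
    when the message is not echo traffic or lacks the magic value."""
    if len(icmp) < 8 or icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    payload = icmp[8:]
    if len(payload) < PTUNNEL_HDR.size:
        return None
    magic, dst_ip, dst_port, state, ack, data_len, seq, sid = \
        PTUNNEL_HDR.unpack_from(payload)
    if magic != PTUNNEL_MAGIC:
        return None
    return {
        "direction": "request" if icmp[0] == ICMP_ECHO_REQUEST else "reply",
        "tunnel_dst": "%s:%d" % (socket.inet_ntoa(struct.pack("!I", dst_ip)), dst_port),
        "state": state,
        "session_id": sid,
        "seq": seq,
        "data_len": data_len,
    }


def scan_frames(frames):
    """Run the detector over raw IPv4 frames; one alert per ptunnel packet."""
    alerts = []
    for frame in frames:
        parsed = parse_ipv4(frame)
        if parsed is None or parsed[0] != IPPROTO_ICMP:
            continue
        _, src, dst, icmp = parsed
        info = parse_ptunnel(icmp)
        if info is not None:
            info.update(src=src, dst=dst)
            alerts.append(info)
    return alerts


# --- constructed sample traffic -------------------------------------------

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(src, dst, payload, icmp_type=ICMP_ECHO_REQUEST):
    """Constructed sample: minimal IPv4 + ICMP echo frame (IP checksum left 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x4242, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


# Constructed ptunnel probe saying "connect to 127.0.0.1:22", session id 0x1234
PTUNNEL_PROBE = build_echo_frame(
    "192.0.2.10", "192.0.2.20",
    PTUNNEL_HDR.pack(PTUNNEL_MAGIC,
                     struct.unpack("!I", socket.inet_aton("127.0.0.1"))[0],
                     22, 0, 0, 0, 0, 0x1234))
# Constructed ordinary ping with a pattern payload; must not alert
PLAIN_PING = build_echo_frame("192.0.2.10", "192.0.2.20", bytes(range(8, 56)))

if __name__ == "__main__":
    for alert in scan_frames([PTUNNEL_PROBE, PLAIN_PING]):
        print("ptunnel %(direction)s %(src)s -> %(dst)s, tunnel to %(tunnel_dst)s, "
              "session %(session_id)#06x" % alert)
```

To use this on real traffic, feed scan_frames the IPv4 bytes from a pcap reader (or a raw socket) and alert on any hit; matching the fixed magic is enough to separate tunnel packets from ordinary pings, which is exactly why the post's author found the tool so easy to detect with a sniffer.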