Nmap Development mailing list archives

From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 26 Jan 2014 21:20:36 +0100


I recently had an opportunity to play with ptunnel a bit, an interesting tool 
to tunnel TCP connections over ICMP echo. After playing with a sniffer for a 
while, I noticed that ptunnel is very easy to detect and figured I'd write my 
first NSE script that sniffs on the network. I managed to create something that 
seems to work and I decided to publish my script on the mailing list. Here's 
the link:


The script creates a ptunnel packet that says "connect to". The 
last byte of the session ID is randomized in order to avoid throttling by 
ptunnel if the script is run repeatedly. Regardless of whether the port is 
open or not on the destination host, we should get a reply if the program is 
running on the remote host. We sniff for ICMP from the host for 2 seconds, 
expecting to get both our ping and ptunnel response.

There's definitely a lot of room for improvement, but I decided to wait for 
feedback before I add new features. In order to test it, copy ptunnel.nse 
to your current directory and run:

nmap -sn <target> --script ptunnel

Note that you might need administrative privileges to send raw IP packets, 
which is needed by the script.

Is anybody interested in this script?

Jacek Wielemborek


Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
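
Added example, not part of the original post or of ptunnel.nse: a passive classifier for the ICMP messages sniffed in the 2-second window, separating the kernel's echo of the probe from a ptunnel-generated reply. The magic value is an assumption taken from ptunnel's public source, the function names are hypothetical, and the sample packets are constructed filler rather than captured traffic.

```python
import struct

# Assumption: the 32-bit magic that opens every ptunnel payload, taken from
# ptunnel's public source; the post itself does not quote it.
PTUNNEL_MAGIC = 0xD5200880
ECHO_REPLY, ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum; a valid message (checksum included) yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message; used only for the constructed samples."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def classify(icmp: bytes, probe_payload: bytes) -> str:
    """Label one ICMP message sniffed from the target during the window."""
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return "malformed"
    icmp_type, payload = icmp[0], icmp[8:]
    if icmp_type == ECHO_REPLY and payload == probe_payload:
        return "kernel-echo"          # our own ping coming back unchanged
    if (icmp_type in (ECHO_REPLY, ECHO_REQUEST) and len(payload) >= 4
            and struct.unpack("!I", payload[:4])[0] == PTUNNEL_MAGIC):
        return "ptunnel"              # magic present, but not a plain echo
    return "other"

def ptunnel_detected(captured, probe_payload: bytes) -> bool:
    """True only if something other than the kernel echo carries the magic."""
    return any(classify(p, probe_payload) == "ptunnel" for p in captured)

# Constructed sample data (filler bytes, not a working ptunnel request).
PROBE = struct.pack("!I", PTUNNEL_MAGIC) + bytes(24)
SAMPLE_ECHO = build_icmp(ECHO_REPLY, 0x1234, 1, PROBE)
SAMPLE_PTUNNEL = build_icmp(ECHO_REPLY, 0x1234, 1,
                            struct.pack("!I", PTUNNEL_MAGIC) + b"\x01" * 24)

if __name__ == "__main__":
    print(ptunnel_detected([SAMPLE_ECHO], PROBE))
    print(ptunnel_detected([SAMPLE_ECHO, SAMPLE_PTUNNEL], PROBE))
```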
