Thursday, January 31, 2008

Free Internet Using ICMP Tunnels

I'm planning to go on a course soon and I was concerned that I might have trouble finding some free WiFi Internet access. I decided to look at how I could get around this pay-for-internet problem, and one of the things I found out is that it's quite easy to tunnel certain types of traffic within other traffic.

As I've stayed in hotels before, I have noticed that the biscuits in the rooms are often crap and that I get ping responses when I'm bored. So here is my little guide to turn those ping responses into full SSH and HTTP access using ICMP tunnels.

How This Works

Really it is very simple. If your computer (client) can ping a computer on your home network (server/Proxy) it can use a program (ptunnel) to encapsulate data in the data portion of the echo request packet. As the computer on the home network receives these packets it proxies to the destination (either itself or another server) and encapsulates the response in the echo reply back to the client.
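From the monitoring side, this encapsulation is what makes such a tunnel visible: an ordinary echo reply must return the request's data unchanged (RFC 792) and ping payloads are small. The Python below is an added example, not code from this post or from ptunnel; the 64-byte threshold, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

MAX_PLAIN_PAYLOAD = 64  # assumption: ordinary ping payloads are 32-56 bytes

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; 0 when run over a valid ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Build a constructed ICMP echo message (sample data only)."""
    csum = checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(msg: bytes):
    """Return (type, ident, seq, payload) for a valid echo message, else None."""
    if len(msg) < 8 or checksum(msg) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (0, 8) or code != 0:  # 8 = echo request, 0 = echo reply
        return None
    return icmp_type, ident, seq, msg[8:]

def find_tunnel_indicators(messages):
    """Flag oversized payloads and replies that do not echo their request."""
    pending, alerts = {}, []
    for parsed in filter(None, map(parse_echo, messages)):
        icmp_type, ident, seq, payload = parsed
        key = (ident, seq)
        if len(payload) > MAX_PLAIN_PAYLOAD:
            alerts.append((key, "oversized-payload"))
        if icmp_type == 8:
            pending[key] = payload  # remember what the reply should echo
        elif key in pending and pending.pop(key) != payload:
            alerts.append((key, "reply-differs-from-request"))
    return alerts

# Constructed sample traffic: one ordinary ping pair, one tunnel-like pair.
SAMPLE = [
    build_echo(8, 0x1234, 1, bytes(range(56))),
    build_echo(0, 0x1234, 1, bytes(range(56))),
    build_echo(8, 0x4242, 7, b"SSH-2.0-client\r\n" + b"A" * 200),
    build_echo(0, 0x4242, 7, b"SSH-2.0-server\r\n" + b"B" * 300),
]
```

Calling find_tunnel_indicators(SAMPLE) leaves the ordinary ping pair alone and flags the second pair for both payload size and the mismatched reply.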


  • ssh
  • ptunnel
  • browser

Server/Proxy Setup

For the purpose of this example I have a server running SSH on port 22 (bad I know but this is just an example) and a proxy on port 8118.

On the server I SSH in, start a screen session, and run the following command:

ptunnel -v 4 -x catwoman -f tun.log

I then detach from the screen session with Ctrl+a d.

This leaves ptunnel running with a verbosity of 4 (pretty verbose), a password of catwoman and logging to a file called tun.log.

Client Setup

If I want to tunnel SSH through ICMP to my server at home I use the following to create the tunnel:

ptunnel -p -lp 8000 -da -dp 22 -x catwoman

This sets up ptunnel to use the proxy (-p) of, creates a listening port on my client box of 8000. It connects to the destination address of on a port of 22. It also uses the password of catwoman.

I would then open another terminal and type:

ssh -p 8000 lee@localhost

This is all well and good for a bit of remote admin. Supposing I need to do a little surfing through my ICMP tunnel, I just use the following command:

ptunnel -p -lp 8000 -da -dp 8118 -x catwoman

I then go to the network properties in my browser and change the proxy settings to point to localhost on port 8000.

And bingo. I get web access.

If you want to keep track of things you can also view the log that you set up on your server (remember, the -f tun.log).

That's about it. I'm also in the process of creating some DNS tunnels but I'll save that for another blog entry.

Saturday, January 19, 2008

Creating Custom Password Lists

This blog entry is on how to quickly create a custom wordlist to use with a password cracker. This is something I have been wanting to learn for a while but was unsure how to do it. I learned this technique from a video created by pur3h4t3. A link to his blog can be found at the bottom of this entry.

You may want to create a custom wordlist using a company's website. What the method I am demonstrating will do is take a website, in this example, and create a wordlist using all the words on that site. Hopefully these words may be relevant to my target.

I will cover how to use this list with a password cracker in a later blog entry.

All tools I use are on the BackTrack 3 CD.

  • wget
  • pw-inspector

Creating the Wordlist

1. First I create a directory that I am going to download a copy of the website into. After changing to that directory I quickly grab the site using wget.

wget -r

2. After grabbing the site I use to extract all the words from the site into a single file.

-n -o /root/sj/wordlist.txt /root/sj/

3. I then cat the file that I have created out, piping it through sort and uniq, to put it in order and remove any duplicate words.

cat wordlist.txt | sort | uniq > wordlist2.txt

This then gives me a file called wordlist2.txt that is a bit smaller as the duplicates have been removed.

4. Next I use pw-inspector to go through the file and remove any words that do not meet the criteria.

cat wordlist2.txt | pw-inspector -m 1 -M 20 > customlist.txt

The criteria I have set here are that words should be a minimum of 1 letter and a maximum of 20. If you know that your target has a minimum password length of 8 characters you could remove all words with less than 8 characters using this tool.

6. The result is a file called customlist.txt that contains words that may be more relevant to a target.

cat customlist.txt