Tuesday, 22 March 2016

Evading an Authentication Proxy Using ICMPTX

ICMP: The Internet Control Message Protocol
As you know, ICMP is a protocol that is used detect the presence of a active host. We can determine if a host is active (pay attention, newbies) by simply typing:
·         kali > ping <IPaddress>

There are multiple types of ICMP messages, but this one is echo request(Type 0) and echo reply (Type 8). Although nearly all of us use ping one time or another, keep in mind that there are other types of ICMP that can come in handy when scanning or hacking systems that may block or drop ICMP Type 0.
If a server accepts ICMP (many won't as a security precaution), you can use ICMP to bypass the need for authentication via the proxy (that webpage that asks you for credentials). Because it is very slow, I don't recommend this for daily use, but in a pinch, this can be a very innovative way to get your email when you don't want to buy access to the service, or—you want to access the web without leaving a trace.
Step 1: Fire Up Kali & Download Icmptx
To begin, let's fire up Kali Linux and download icmptx. Since icmptx is in the Kali repository, all we need to do is:


·         kali > apt-get install icmptx


This will install icmptx to your Kali operating system.
Step 2: Getting Help
Next, let's take a look at the help file for icmptx. Simply type:
·         kali > icmptx


This help screen will appear. As you can see, the syntax is very straightforward and simple. Unfortunately, the implementation is not.
When we downloaded icmptx, it installed a manual page, so let's take a look at it by typing:
·         kali > man icmptx


The manual page doesn't offer much more information than the help page.
Step 3: Server Side Proxy
The way icmptx works is that you need to set up a proxy/server between you, the client, and the intended target on the web. First, let's set up the proxy/server.
To set up the up the proxy/server, the syntax is simple:
·         kali > icmptx -s 10.0.0.1


This points the server/proxy at the IP address 10.0.0.1. This is only an example; you will need to replace this IP with whatever the target IP address you are trying to connect to.
Step 4: Tunneling
Next, we need to set up a tunnel. A tunnel provides a packet transmission and reception place for user-based applications. Since icmptx is a user-based application, we need to set up a tunnel to send and receive packets, in this case, ICMP packets.
We can check to see whether our kernel supports tunneling by typing:
·         kali > ifconfig tun0


This response indicates that our Debian operating system (that Kali is built on) supports tunneling. Let's set up a tunnel on the server now.
Step 5: IP Forwarding
Next, we need to set up this server to first, ignore ICMP requests and second, forward IP traffic. If we didn't tell the kernel to ignore ICMP requests, it would respond with a echo reply (Type 8), which is the normal response. We don't want that. We want the ICMP traffic to enter the server and pass right through it.
We can tell the kernel to ignore ICMP traffic by typing:
·         kali > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all


Then we need to forward IP traffic, by typing:
·         kali > echo 1 > /proc/sys/net/ipv4/ip_forward


Step 6: Set Up the Client
Now, let's set up our client. This is the system we will be using to access the Internet from. We need to install icmptx on this system as well, but here we will be using the client and not the server setup.
To do so, type:
·         kali > icmptx -c <IP address of the proxy/server>


Then we need to establish a tunnel on this system as well.
Next, we need to set up a route to the proxy.
Lastly, we need to set a route through the tunnel we created (tun0) to the server on the web we want to access.
Now, when you want to access that site on the web, you can do so without authenticating and be almost totally invisible!
Although using icmptx is probably not a practical means of accessing the web on a daily basis, in a pinch or under severely clandestine circumstances, it will get you past web-based authentication and leave almost no trail. Few, if any, security administrators will be looking for ICMP traffic to trace your activities and, since you did not have to authenticate, your trail is almost invisible. In addition, if you set up the server on a zombie system, the only trail will lead back to the server/zombie without a highly skilled forensic investigation.

No comments:

Post a comment