ptunnel-ng
ICMP tunneling tool that encapsulates TCP traffic within ICMP echo request/response packets. Useful when ICMP is allowed but other protocols are blocked.
Install
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng
sudo ./autogen.sh
Static Binary
sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh
Transfer to Target
scp -r ptunnel-ng ubuntu@<PIVOT_IP>:~/
Server (Pivot Host)
sudo ./ptunnel-ng -r<PIVOT_IP> -R22
Client (Attack Host)
sudo ./ptunnel-ng -p<PIVOT_IP> -l2222 -r<PIVOT_IP> -R22
SSH Through the Tunnel
ssh -p2222 -lubuntu 127.0.0.1
Dynamic Port Forwarding + Proxychains
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
proxychains nmap -sV -sT <TARGET_IP> -p3389
Flags
| Flag | Description |
|---|---|
| -r | Address to accept connections / forward to |
| -R | TCP port to forward traffic to |
| -p | Address of the ptunnel-ng server |
| -l | Local listening port |
Notes
- Requires root/sudo (raw ICMP sockets)
- Only works when ICMP echo is permitted through the firewall
- Ensure glibc versions match between hosts, or build a static binary
- Traffic appears as ICMP in Wireshark, not TCP/SSH
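
For monitoring, the last note is the useful one: the traffic still has to pass as ping. This Python sketch is an added example, not part of ptunnel-ng or the original page; it flags echo flows whose replies do not mirror the request payload (RFC 792 requires that they do), replies with no matching request, and payloads above an assumed 128-byte threshold. The function names, threshold, addresses and packets are constructed for illustration and are generic heuristics, not ptunnel-ng signatures.

```python
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

def parse_icmp(raw):
    """Split a raw ICMP echo message into (type, id, seq, payload)."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return icmp_type, ident, seq, raw[8:]

def score_flows(packets, max_payload=128):
    """packets: iterable of (src, dst, raw_icmp) -> {(client, server): reasons}.
    max_payload is an assumed threshold; tune it to the pings your network sends."""
    pending = {}                  # (client, server, id, seq) -> request payload
    findings = defaultdict(set)
    for src, dst, raw in packets:
        try:
            icmp_type, ident, seq, payload = parse_icmp(raw)
        except ValueError:
            continue
        if icmp_type == ECHO_REQUEST:
            pair = (src, dst)
            pending[pair + (ident, seq)] = payload
        elif icmp_type == ECHO_REPLY:
            pair = (dst, src)
            request = pending.pop(pair + (ident, seq), None)
            if request is None:
                findings[pair].add("unsolicited-reply")
            elif request != payload:
                findings[pair].add("reply-payload-mismatch")
        else:
            continue              # other ICMP types are out of scope here
        if len(payload) > max_payload:
            findings[pair].add("oversized-payload")
    return dict(findings)

def echo(icmp_type, ident, seq, payload):
    """Build a constructed echo message (checksum left at 0, not validated above)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

PING = bytes(range(56))           # constructed stand-in for a default 56-byte ping
SAMPLE = [                        # constructed traffic, documentation addresses
    ("192.0.2.10", "192.0.2.1", echo(8, 1, 1, PING)),
    ("192.0.2.1", "192.0.2.10", echo(0, 1, 1, PING)),
    ("198.51.100.7", "198.51.100.20", echo(8, 7, 1, b"A" * 600)),
    ("198.51.100.20", "198.51.100.7", echo(0, 7, 1, b"B" * 300)),
    ("198.51.100.20", "198.51.100.7", echo(0, 7, 2, b"C" * 40)),
]

if __name__ == "__main__":
    for pair, reasons in score_flows(SAMPLE).items():
        print(pair, sorted(reasons))
```

In practice the `(src, dst, raw_icmp)` tuples would come from a packet capture or sensor feed, and a flow that trips more than one reason is the one worth pulling a full capture for.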