ICMP Tunneling with ptunnel-ng

ICMP tunneling encapsulates traffic within ICMP packets (echo requests and responses). It only works when the firewall lets ICMP echo requests leave the network and the replies come back: a host that is allowed to ping an external server carries its traffic in the payload of the echo request, and the external server extracts it, forwards it to the real destination, and returns the answer in the echo reply.

This is useful for data exfiltration and creating pivot tunnels when other protocols are blocked.

How It Works

  • Traffic is encapsulated inside the payload of ICMP echo request/response packets
  • The ptunnel-ng server (the proxy) runs on the pivot host, listens for incoming ICMP packets and opens the real TCP connection on the client's behalf
  • The ptunnel-ng client runs on the attack host, listens on a local TCP port and forwards whatever connects to it through the ICMP tunnel
  • SSH is then layered on top for encrypted access and dynamic port forwarding; the ICMP tunnel itself does not encrypt the data it carries

Setup

Building ptunnel-ng

git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng
sudo ./autogen.sh

Static Binary (Alternative)

sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh

Transfer to Pivot Host

scp -r ptunnel-ng ubuntu@<PIVOT_IP>:~/

Usage

Server (Pivot Host)

sudo ./ptunnel-ng -r<PIVOT_IP> -R22
  • -r — on the server, restrict forwarding to this destination address only; here the pivot's own IP, so the tunnel can only reach services on the pivot itself
  • -R22 — restrict forwarding to this destination port only (SSH in this case). Without -r/-R the proxy forwards to whatever destination the client asks for

Client (Attack Host)

sudo ./ptunnel-ng -p<PIVOT_IP> -l2222 -r<PIVOT_IP> -R22
  • -p — address of the ptunnel-ng proxy (the pivot), i.e. where the ICMP echo requests are sent
  • -l2222 — local TCP port to listen on; anything that connects to 127.0.0.1:2222 is sent through the tunnel
  • -r — destination address the proxy should connect to on our behalf (the pivot itself here, matching the server's -r restriction)
  • -R22 — destination port (SSH, matching the server's -R restriction)

SSH Through the Tunnel

ssh -p2222 -lubuntu 127.0.0.1

Dynamic Port Forwarding Over the Tunnel

Combine with SSH dynamic port forwarding for proxychains access to the internal network:

ssh -D 9050 -p2222 -lubuntu 127.0.0.1

Then use proxychains:

proxychains nmap -sV -sT 172.16.5.19 -p3389

Traffic Analysis

  • Without ICMP tunneling: Wireshark shows the TCP handshake and SSHv2 traffic between the attack host and the pivot
  • With ICMP tunneling: the same session appears on the wire as ICMP echo requests/responses only; the tunnelled bytes are still present inside the echo payload, so it is the SSH layer, not the tunnel, that keeps the contents private
  • ptunnel-ng provides session logs and I/O statistics on both client and server
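The encapsulation described under How It Works and the detection question raised under Traffic Analysis, as an added example that is not ptunnel-ng's own code: a minimal tunnel frame carried in ICMP echo request/reply packets with an RFC 1071 checksum, its decoder, and a heuristic classifier that tells such packets apart from a normal ping by inspecting the echo payload. The TUNNEL_MAGIC marker, the frame layout, the assumed Linux ping fill pattern, and the length/entropy thresholds are assumptions made for this illustration; ptunnel-ng's real wire format differs.

```python
"""Added example, not code from ptunnel-ng: a minimal ICMP-echo tunnel
encoder/decoder plus a detector for echo packets that carry tunnelled data.
Frame layout, TUNNEL_MAGIC and the detection thresholds are assumptions
made for this illustration, not ptunnel-ng's real wire format."""
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
TUNNEL_MAGIC = b"TUNL"  # assumed marker at the start of a tunnel payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request/reply: 8-byte ICMP header with a valid checksum + payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Check the checksum (a valid packet sums to zero) and split the fields."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def encapsulate(stream_id: int, seq: int, data: bytes, reply: bool = False) -> bytes:
    """Carry tunnelled TCP bytes in an echo request (client -> proxy) or, with
    reply=True, in an echo reply (proxy -> client). Frame: magic|id|len|data."""
    frame = TUNNEL_MAGIC + struct.pack("!HH", stream_id, len(data)) + data
    return build_echo(ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST,
                      stream_id, seq, frame)


def decapsulate(packet: bytes) -> tuple:
    """Inverse of encapsulate(): returns (stream_id, seq, data)."""
    fields = parse_echo(packet)
    payload = fields["payload"]
    if not payload.startswith(TUNNEL_MAGIC):
        raise ValueError("not a tunnel frame")
    stream_id, length = struct.unpack("!HH", payload[4:8])
    data = payload[8:8 + length]
    if len(data) != length:
        raise ValueError("truncated tunnel frame")
    return stream_id, fields["seq"], data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext (e.g. SSH) sits near 8, ping filler far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_iputils_ping(payload: bytes) -> bool:
    """Assumed default Linux ping payload: 56 bytes whose tail after the
    timestamp holds each byte's own offset (0x10, 0x11, ..., 0x37)."""
    return len(payload) == 56 and all(payload[i] == i for i in range(16, 56))


def classify_echo(packet: bytes) -> list:
    """Reasons an echo packet looks like tunnelled traffic ([] = plain ping).
    Lengths and the entropy threshold are example heuristics, not standards."""
    fields = parse_echo(packet)
    if fields["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    payload = fields["payload"]
    if looks_like_iputils_ping(payload):
        return []
    reasons = []
    if len(payload) not in (32, 56):  # 32: Windows ping, 56: Linux ping
        reasons.append("unusual payload length %d" % len(payload))
    elif len(payload) == 56:
        reasons.append("56-byte payload without the iputils fill pattern")
    if len(payload) >= 64 and shannon_entropy(payload) > 6.0:
        reasons.append("high-entropy payload, consistent with an encrypted tunnel")
    if payload.startswith(TUNNEL_MAGIC):
        reasons.append("known tunnel framing")
    return reasons


def demo() -> dict:
    """Constructed samples: a normal Linux ping and two tunnel frames."""
    ping = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, bytes(16) + bytes(range(16, 56)))
    banner = encapsulate(7, 1, b"SSH-2.0-OpenSSH_9.3\r\n")  # first bytes of an SSH session
    ciphertext = encapsulate(7, 2, bytes(range(256)), reply=True)  # stand-in for SSH ciphertext
    return {"ping": classify_echo(ping), "banner": classify_echo(banner),
            "ciphertext": classify_echo(ciphertext)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print("%-10s %s" % (name, reasons or "looks like plain ping"))
```

The point for the defender is the last function: a sensor that only counts "ICMP echo" sees nothing unusual, but one that looks inside the payload can separate a real ping (fixed size, predictable filler) from a tunnel (odd sizes, framing bytes, and, once SSH is running inside it, near-8-bit entropy). The same heuristics explain what a red teamer should expect to be caught on if the target inspects echo payloads rather than just permitting the protocol.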

Note: A ptunnel-ng binary built on the attack host is dynamically linked against that host's glibc; if the pivot runs an older glibc the binary will refuse to start there. Compare the output of ldd --version on both hosts before transferring, and build the static binary (see Static Binary above) when they differ.