Nmap Development mailing list archives
ptunnel.nse
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 26 Jan 2014 21:20:36 +0100
Hi,

I recently had an opportunity to play with ptunnel a bit, an interesting tool to tunnel TCP connections over ICMP echo. After playing with a sniffer for a while, I noticed that ptunnel is very easy to detect and figured I'd write my first NSE script that sniffs on the network. I managed to create something that seems to work and I decided to publish my script on the mailing list. Here's the link:

https://github.com/d33tah/nmap-ptunnel-discovery/blob/master/scripts/ptunnel.nse

The script creates a ptunnel packet that says "connect to 127.0.0.1:22". The last byte of the session ID is randomized in order to avoid throttling by ptunnel if the script is run repeatedly. Regardless of whether the port is open or not on the destination host, we should get a reply if the program is running on the remote host. We sniff for ICMP from the host for 2 seconds, expecting to get both our ping and the ptunnel response.

There's definitely a lot of room for improvement, but I decided to wait for feedback before I add new features. In order to test it, copy ptunnel.nse to your current directory and run:

nmap -sn <target> --script ptunnel

Note that you might need administrative privileges to send raw IP packets, which is needed by the script.

Is anybody interested in this script?

Yours,
Jacek Wielemborek
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/