Saturday, June 9, 2007

iodine and pingtunnel

Well I tried to go to bed last night at a decent time...guess it just
didn't work out.

In any case I decided to experiment with some tunneling tools. I'm
very interested in being able to tunnel traffic along covert channels
especially for testing/auditing purposes for a client.

That being said, I did a little searching around and found the two
tools named in the title of this post. I tried pingtunnel first but
couldn't get it to function in my test environment. I sent an
information-packed email to the software's author and hope to hear
something in a timely fashion. In the interim I decided that I would
give iodine a shot and see what I could get to work. My preliminary
findings are below:

Start the server:

-(igs-awilliams@IGS-DEV01:ttyp5)-(11 files:26k@iodine)-(0 jobs)-(19:36)-
-(~/iodine:$)-> sudo /usr/local/sbin/iodined -f 172.16.0.1 test.asdf
Enter password on stdin:

Opened /dev/tun0
Setting IP of tun0 to 172.16.0.1
Adding route 172.16.0.1/24 to 172.16.0.1
add net 172.16.0.1/24: gateway 172.16.0.1
Setting MTU of tun0 to 1024
Opened UDP socket
Listening to dns for domain test.asdf

Verify that the tun/tap interface is enabled:

tun0: flags=51 mtu 1024
groups: tun
inet 172.16.0.1 --> 172.16.0.1 netmask 0xffffff00

OK... so far so good. Now let's set up the client:

igs-awilliams@IGS-LAP02:~> sudo /usr/local/sbin/iodine -f 10.1.1.36 test.asdf
Enter password on stdin:

Opened dns0
Opened UDP socket
Version ok, both running 0x00000400. You are user #0
Setting IP of dns0 to 172.16.0.2
Setting MTU of dns0 to 1024
Sending queries for test.asdf to 10.1.1.36

The tun/tap interface was aptly named dns0, so let's check that it has
been created correctly:

dns0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.0.2 P-t-P:172.16.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1024 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:2153 (2.1 Kb)

If all this works correctly I should be able to ping 172.16.0.1 from
172.16.0.2 right?

igs-awilliams@IGS-LAP02:~> ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=255 time=18.1 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=255 time=17.2 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=255 time=17.3 ms
64 bytes from 172.16.0.1: icmp_seq=4 ttl=255 time=17.3 ms
64 bytes from 172.16.0.1: icmp_seq=5 ttl=255 time=17.4 ms

--- 172.16.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4040ms
rtt min/avg/max/mdev = 17.201/17.491/18.108/0.339 ms

Voila!
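As an added defensive counterpart to the walkthrough above (my own example, not part of the original post or of the iodine project): iodine carries its payload in the hostnames it queries under the tunnel domain, so a resolver or DNS query log will show one client sending a steady stream of long, random-looking labels under test.asdf. The script below scores constructed log lines for that pattern; the "client qname qtype" log format, the thresholds and the sample labels are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed "client qname qtype" lines, not captured traffic; the test.asdf
# rows mimic an iodine client: long random-looking labels sent as NULL queries.
SAMPLE_LOG = """\
10.1.1.20 www.example.com A
10.1.1.20 mail.example.com MX
10.1.1.36 vaaakcprfsgcoqc4jhvk5xebjm3kmwvb3gtdpq.test.asdf NULL
10.1.1.36 raxcqv3nmn2jgo7w2ub5gh4wqzm7dkbrvo6wxe.test.asdf NULL
10.1.1.36 oq7vh6z2fbr3akmps5lsitnwycvd2sgpxyl4ha.test.asdf NULL
10.1.1.36 y5r2ebtkj3um4hgqvnzwfo6aixpsc7lbdc8nrk.test.asdf NULL
10.1.1.20 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits per character; encoded tunnel labels score far above hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(qname):
    """Crude: keep the last two labels (test.asdf). No public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_queries(log_text, min_queries=3, max_label=30, min_entropy=3.5):
    """Group queries per (client, domain) and list the tunnel signs that
    appear in at least 80% of that pair's queries: 'long' (first label over
    max_label chars), 'high_entropy' (first label at or above min_entropy
    bits) and 'odd_qtype' (NULL or TXT, record types browsers rarely ask for).
    """
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, qname, qtype = parts
        first = qname.split(".")[0]
        s = stats[(client, registered_domain(qname))]
        s["count"] += 1
        s["long"] += len(first) > max_label
        s["high_entropy"] += shannon_entropy(first) >= min_entropy
        s["odd_qtype"] += qtype.upper() in ("NULL", "TXT")
    findings = {}
    for key, s in stats.items():
        signs = [name for name in ("long", "high_entropy", "odd_qtype")
                 if s["count"] >= min_queries and s[name] >= 0.8 * s["count"]]
        if signs:
            findings[key] = signs
    return findings
```

Fed the sample above, only the 10.1.1.36 -> test.asdf pair trips all three signs; the example.com lookups from 10.1.1.20 stay quiet.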

NOTE: iodine relies on the tun/tap driver found on *nix platforms.
Windows users need not apply. The driver comes standard on OpenBSD
(the server in the example above) and requires a kernel adjustment
and compile on Linux (the client in the example). For a list of
supported OSes and platforms consult the following:

http://dev.kryo.se/iodine/wiki/SupportedPlatforms

May Your Skill Prevail.

2 comments:

DreamKatcher said...

Thanks for your post, it will help me with iodine setup.

Anthony Williams said...

You are more than welcome! I wish you success in installing and configuring iodine.