icmptunnel works by encapsulating your IP traffic in ICMP echo packets and sending them to your own proxy server. The proxy server decapsulates the packet and forwards the IP traffic. The incoming IP packets which are destined for the client are again encapsulated in ICMP reply packets and sent back to the client. The IP traffic is sent in the ‘data’ field of ICMP packets.
RFC 792 , which is IETF’s rules governing ICMP packets, allows for an arbitrary data length for any type 0 (echo reply) or 8 (echo message) ICMP packets.
So basically the client machine uses only the ICMP protocol to communicate with the proxy server. Applications running on the client machine are oblivious to this fact and work seamlessly.
Many public Wi-Fi use Captive Portals to authenticate users, i.e. after connecting to the Wi-Fi the user is redirected to a webpage that requires a login. icmptunnel can be used to bypass such authentications in transport/application layers.
Firewalls are set up in various networks to block certain type of traffic. icmptunnel can be used to bypass such firewall rules. Obfuscating the data payload can also be helpful to bypass some firewalls.
Adding sufficient encryption to the data, icmptunnel can be used to establish an encrypted communication channel between two host machines.
Clone this repository using this command:
git clone https://github.com/DhavalKapil/icmptunnel
On the server side run the tunnel with root privileges:
[sudo] ./icmptunnel -s 10.0.1.1
On the client side, find out your gateway and the corresponding interface:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.25.30.1 0.0.0.0 UG 0 0 0 eth0
Edit client.sh and replace <server> with the IP address of the proxy server. <gateway> with gateway address obtained above and similarly for <interface>.
[sudo] ./icmptunnel -c <server>
The tunnel should run and your client machine should be able to access the internet. All traffic will be tunneled through ICMP.
icmptunnel works by creating a virtual tunnel interface(say tun0). All the user traffic on the client host is routed to tun0. icmptunnel listens on this interface for IP packets. These packets are encapsulated in an ICMP echo packet(i.e. the payload of the ICMP packet is nothing but the original IP packet). This newly generated ICMP packet is sent outside the client machine, to the proxy server, through the restricted internet connection.
The proxy server receives these ICMP packets and decapsulates the original IP packet. This is retransmitted onto the Internet after implementing IP masquerading. Hence, the target believes that its the proxy server making the request. The target then responds back to the proxy server with an IP packet. This is again captured by icmptunnel, encapsulated in an ICMP reply packet and send back to the client.
On the client side, the IP packet is retrieved from the payload of the ICMP reply packet and injected intun0. The user applications read from this virtual interface and hence get the proper IP packet.
+--------------+ +------------+ | | ICMP traffic | | IP traffic | Client | -------------------> | Proxy | ------------------> | | <------------------- | Server | <------------------ | | through restricted | | proper internet +--------------+ internet +------------+