[p2p-hackers] ICMP tunneling
coderman at gmail.com
Fri Jun 16 17:13:57 UTC 2006
On 6/16/06, Travis Kalanick <travis at redswoosh.net> wrote:
> It got me to thinking about ICMP tunneling around these wireless "toll
> booths" so I could travel Asia and even the states without having to
> communicate over those popular ports that cost money to communicate over.
depending on how the captive portal is setup i've had luck using an
openvpn connection in UDP mode to port 53 to a server i run at home or
elsewhere. obviously that means you can't run DNS on this host too.
if the portal is setup properly (that is, they provide a DNS server
and restrict all lookups to this endpoint) then you would have to use
a more inefficient Kaminsky style DNS tunnel.
the problem with using ICMP (which otherwise might work well) is how
frequently it gets dropped or filtered, especially if you try sending
large payloads in ping packets for example. this would be a fun
there was also a very NOT legal utility released last year at defcon
(i think it was called "partyline" but i can't find it anymore) that
would sniff for authenticated users who paid for service, set your
wireless MAC to match, and then use a UDP openvpn tunnel for transport
on their session without kicking them off or causing problems (like
the TCP stack does when two hosts are sharing an IP/MAC).
and last, it's not really applicable to your situation but there is
even a covert tunnel utility using tun/tap devices that performs raw
packet injection of specific types of 802.11 control/mgmt packets that
are always responded to so that two clients could use a WISP tower AP
for backhaul for example.
i'd be curious to know if you have much luck, or if anyone else on the
list is aware of other tunneling applications/methods. this always
reminded me of NAT busting to some degree, and i expect over time a
good p2p toolkit will include all sorts of such features for
internetworking across various transports and environments.
More information about the P2p-hackers