Bypassing Firewalls With PING! 

Doowah Doowah Doowah Doowah Doowah Doowah Doowah Doowah I mean Echo request echo reply Echo request echo reply

So in all seriousness-if you are the owner/operator of the system with the captive portal, maybe consider disallowing ICMP or restrict the allowed source/destination addresses for ICMP traffic to avoid being subjected to this type of attack.

Shabba

I figured this one out on my own by accident. I was using my wireguard vpn and my device connected to a guest network, then i immediately connected to the vpn and I was connected to the internet. I didn't have to sign in and I had never used the network before.

​@@LowOutput don't block icmp just the ping element blocking all icmp is bad on so many levels

Indeed you can

Oh, we don't do dodgy shit around here!... much

Mate, you're spot on. Some people get it, and some don't.

@@TallPaulTech Quality videos attract quality comments. Subbed just now.

The comments are a mixed bag :)

Or ICMP type 8 and 0

You do you Champ

Yeah sure. He should buy a plane ticket and sit there typing on the laptop - and then turn return - only because you requested 🤣🤣

Skid

@@Linux333 nah, this guy seems like he knows what he's talking about.

interesting might actually try this.

This video could have been 10 times longer if I'd gotten right into it, but had to end it somewhere.

@@TallPaulTech - I think from this video, one can get started and understand how it works. If there are details that doesn't work out, it should be possible to do look for the answer on the net. -So I think the video is just right! 😄

I have plenty of inches

@@TallPaulTech Where exactly ??

I could test it in lab conditions, which I think would be pretty high speed, as I don't see why it wouldn't be. The unknown would be the public networks that would bring all the variables into it. If I did it in a lab though, you know people would just say "yeah, but that's in a lab".

If you are accessing your home network and using that as your internet server, then you will be at least restricted by your home internet's upload speed (which I think will be your download speed).

@@andrewborntrager7909 10 Gb fibre... wan and doing 10 Gb inside also, I have no worries about that ;-) There are few general purpose sites that can match the speed actually. And... I'm living in the swiss countryside with direct view on the mountains - just perfect location!

Slacker!

Your latency must've been awful

I just looked him up. How the hell do I look like him?!

Back in the 90's I still had my Commodore Amiga :)

I agree using VPN over DNS more likely to work. Some hotspots block icmp when you've even logged in

ICMP doesn't have resets, as they don't have a session to reset as TCP in layer 4 does. As for a Palo Alto, I tried this through my PA-200 which I was going to put in the video but didn't. They have a rule for ping and another rule for ping-tunnel. On a very quick test, even only allowing ping through enabled me to make this tunnel. I'd have to dig into it properly to be sure of how it works through that though, which I couldn't be bothered for RU-vid :)

@@TallPaulTech interesting, I need to pick up a palo for my homelab at some point price is a bit daunting to swallow though. I currently have an srx-300 I need to put back into service to swap my udm-pro out

True. The word "hacker" has been abused way too much. A hacker is technically someone who gets something to work by fixing it a way which is not 'traditional'. 😉

Exactly.

lol they have never secured anything... except maybe the luck of using PSTN which stopped phreaking

​@@HyperVectralove your profile picture Netscape nostalgia

Yes they should be. Usually modern firewalls are now 'payload aware' devices that inspect anything with regards to some traffic baseline set by cybersecurity analysts. So if ICMP traffic is allowed (first vulnerability as it should be disabled once network build is completed), firewall will surely trigger alert by detecting variable payload in ICMP packets (usually constant and small value, some tenth of bytes). So chances of exfiltrating data this way are weak on well protected networks. However, this is an extremely interesting technical approach and very educative, thanks to Paul !

Also the level of mangled icmp fields should be configurable, so that you can eak out every bit of available space on the link you have. Plus instead of a magic number, a checksum(simple parity) would be better... especially if it was salted(using a key derived by difhel) to evade classification.

I like your thinking. It would add complexity to the program of course. One day I'll look deep at how the ping via my mobile network modified the ICMP packet, so ping worked but was changed, making the tunnel unusable.

Not allowing anything go to the internet from this IP until it it will talk to the captive portal and that portal will say that this abonent is ok to go out.

Perhaps the more interesting question is: why have they allowed it?

​@@poddmo - likely for making their own diagnostics easy. 😃

Lock it down by restricting to known IPs for troubleshooting purposes.

Looks like wireshark

Either Wireshark, tshark, or tcpdump.

he is using LEARN THE BASICS... dumbass mr i watch technical videos without any technical foundations.

@@ace6664 Why are you being so rude to someone trying to learn the basics by asking questions?

@@timgeel260 Ironically, they need noobs to convince themselves that they alone are the GOAT typically. There are no dumb Q's so long as they're legit IMO. Sure, there may be a time & place for certain things but if even youtube comments have such restrictions we're doomed. Makes for an ideal stackexchange 💪mod though.

It's nothing new, it's been there since 1999. It's a choice.

DNS tunel wont work since often custom dns servers are blocked

Now you behave

I also take requests :)

Gotta love the pun xD

@@TallPaulTech how about an echo request?

NO

What?

Well, somebody had to do it.

@@TallPaulTech just pulling your chain (like your tailor! 😜) Great content as ever dude! Keep it up.

Sure, I did a video on that.

@@TallPaulTech I’m afraid my setup is even more complicated than the video goes into. Long story short. I use a VPN provider (Mullvad) that has given me a single /128 IPv6 using FFCE allocation. I’m using wireguard and a Debian computer that I turned into a Router using VLANs and iptables, etc. I got the v4 portion working perfectly and been working for years but I now require v6 for work since they switched to v6 only. But I can’t seem to figure out the v6 portion no matter how much I try and research. Maybe you can help and have potential video out of it. It’s like double natting on v6 but it’s my only option. The V6 works fine on router itself. I can’t seem to forward to my VLANs.

I wrote an essay on that poem at school many many years ago!

wavemon

Okay, so out of curiosity, how did you end up here?

@@TallPaulTech Came up as a recommended video on my feed and I'd recently installed a new firewall and done a ping test! Was the perfect moment!

Ah, so that's how this game works.

Holy shit what?

"I know the guy who wrote ping" is such a weird flex hahaha 😂

I think you've missed a whole lot of things.

​@@TallPaulTechExactly 😂

You have to have a public IP address that you can use.

You would need a VPS, hosted in a data center, similar to providers like Linode (which sponsors many RU-vid videos). From your home router or the server where you wish to host services, establish a WireGuard tunnel to that VPS. Afterward, set up iptables rules to both forward traffic from the VPS IP address and masquerade it, sending it through the tunnel to your server.

Thanks for the replies. So I need to tunnel though a service/server.

​@@bluetrepidationnot necessarily. You can also just use IPv6. Even if you're behind a cgnat you'll have a public IPv6 prefix to use.

@@LampJustin Even though it's 2023, not all ISPs give out IPv6 prefixes so they may be out of luck for a 100% home-hosted solution.

You must be on something, because I'm not British.

@@TallPaulTech Bloody foreigners confusing the British with Kiwis!! 😜

Kind of pisses me off though. There are reasons these tools where developed, and sometimes it's useful to know that a problem is not your ISP, or something on your own network, but something in the damn middle. While I couldn't do anything about it at the time, not having the skills to do so, there was a point years back where some idiots screwed up major branch of the backbone between California and a mess of servers some place between northern California and the site in Oregon I was trying to reach. Virtually everyone else, all over the country, could still get there, but thanks to the ironically "usually" useful fact that in this day and age they route via the fastest path and severely limit the networks ability to fix itself by hunting alternatives, literally everyone in Southern California, Arizona, probably parts of Navada, etc. couldn't reach anything in that area for nearly 4 months, until they finally fixed what ever broke. Now, without ping, and uts related tracert I would had no f-ing clue what the problem was, or been able to figure out that, ifiotically, anything routing via NY, instead of California, could still access them. Now, imagine you are someone relying on a server in that area and half your customers are unable to get to your site, but every system on the network has decided to not "limit" what such packets can do, and/or implement solutions to stop someone using it to get around your systems, by checking the flipping packets to make sure they are legit packet requests, instead of something hijacking it, you just disabled all ability to even use the tool... For me it was an inconvenience, for a company it could be thousands of lost customers, hours, or days, or worse, wasting time trying to find soneone that knows what the f is going on, and when it will be fixed, and let's not forget lost income. All because you can't use network diagnostics tools to find were on the internet the failure is happening and flipping call the companies at the point before failure and ask, "What the bleep is going on?" Just.. annoys the heck out of me.

@@patrickelliott2169 I definitely understand that frustration, just a thought but you could have a bare bones pi with a Linux os just to perform those two commands in the DMZ portion of your network not sure how that would look or even if it is a good idea.

@@asheglenn If it's my own network odds are I would either have alternate tools, or not have it disabled internally - just at the external points of access. The issue is generally diagnosing what may be going on someplace between you and another network. However, I have found that even some links on the internet own backbone get "disabled", possibly by overly paranoid ISPs that you end up passing through in some manner. This has rendered any ability to determine where your traffic is actually going problematic. And, honestly, I can see it being an issue if someone managed to spoof DNS somehow, and you might be paranoid enough of this to want to figure out, roughly, if the server you 'think' you are trying to talk to is actually in Nort America, when it's been spoofed and you are actually talking to something that inexplicably traces to a, "last jump before I got there", in China, or something. Not that I have a reason to a) be that paranoid, or b) actually design something to check that. Just... sometimes companies insist on ignoring why something exists, or why it needs to keep working, or the possible consequences of it no longer doing so, if they can find a simplistic short cut. This just flat out bugs the hell out of me.

Wireshark

Yes but it’s not gonna happen due to the need of a custom ping. Too many moving parts to execute effectively

That's why it's good practice to not allow ICMP from your internal network to traverse perimeter firewalls... It's a type of data exfiltration, they use things like DNS queries too....

It'd be more effort for a threat actor, unless this was a very lucrative target which they planned to access routinely for gathering data, otherwise this is is a really great work around but using a dedicated VPN or even Cloudflare works to setup a secure tunnel and it's simple to do and with proper measures in play, more secure. Great video to learn network traffic and how packets work with firewalls but is akin to painting a car with a with a paint brush.

Lier! prove your tunnel bypasses ClouldFlare! you can't! Can you superman?