Sniffing & Spoofing | tunnel, icmp, tcp, proxy, firewall, ping

ptunnel

ptunnel tunnels TCP connections over ICMP echo request and reply packets, acting as a proxy to handle sockets and secured identification. It is useful in closed networking environments with firewalls and proxies.

Description

ptunnel is an application that allows reliable tunneling of TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. It operates as a proxy and can handle sockets and secured identification, making it handy for environments restricted by firewalls and proxies.

The tool supports both proxy and forwarding modes, with features for security such as password authentication, privilege dropping, and chroot restrictions. It can also toggle to UDP instead of ICMP, listening on port 53 when root privileges are available.

ptunnel requires root privileges for full functionality but offers an unprivileged mode with limitations. It is particularly effective for bypassing network restrictions where ICMP traffic is permitted.

How It Works

ptunnel encapsulates TCP connections within ICMP echo request and reply packets to tunnel traffic to a remote host. In forwarding mode (with -p), it listens on a TCP port and forwards packets; without -p, it operates in proxy mode connecting to a remote destination. It supports custom echo replies in privileged mode for reliability, with security via password matching (-x), privilege dropping (-setuid, -setgid), chroot (-chroot), and optional UDP encapsulation on port 53.
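
Because the tunnel rides inside echo request and reply payloads, a defender can look for echo flows that do not behave like ping: a genuine echo reply returns the request's data unchanged, and ordinary ping payloads are small. The following detection sketch is an added example, not part of ptunnel or of the original page; the function names, the 128-byte threshold and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

def parse_icmp(raw):
    """Return (type, ident, seq, payload) for an ICMP echo message, else None."""
    if len(raw) < 8 or raw[0] not in (ECHO_REQUEST, ECHO_REPLY) or raw[1] != 0:
        return None
    ident, seq = struct.unpack("!HH", raw[4:8])
    return raw[0], ident, seq, raw[8:]

def suspect_flows(packets, max_payload=128):
    """packets: (src, dst, raw_icmp) tuples. Returns {(client, server, id): reasons}."""
    pending, reasons = {}, defaultdict(set)   # pending: request payloads awaiting a reply
    for src, dst, raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        if icmp_type == ECHO_REQUEST:
            flow = (src, dst, ident)
            pending[flow + (seq,)] = payload
        else:
            flow = (dst, src, ident)
            sent = pending.pop(flow + (seq,), None)
            if sent is None:
                reasons[flow].add("reply without matching request")
            elif sent != payload:
                reasons[flow].add("reply payload differs from request")
        if len(payload) > max_payload:          # assumed threshold, tune per network
            reasons[flow].add("oversized payload")
    return {flow: sorted(why) for flow, why in reasons.items()}

def echo(icmp_type, ident, seq, payload):  # builds a constructed message, checksum left 0
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed sample traffic: one ordinary ping, then a flow that behaves like a tunnel.
PING = bytes(range(56))
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", echo(ECHO_REQUEST, 7, 1, PING)),
    ("10.0.0.1", "10.0.0.5", echo(ECHO_REPLY, 7, 1, PING)),
    ("10.0.0.9", "203.0.113.4", echo(ECHO_REQUEST, 42, 1, b"A" * 600)),
    ("203.0.113.4", "10.0.0.9", echo(ECHO_REPLY, 42, 1, b"B" * 900)),
    ("203.0.113.4", "10.0.0.9", echo(ECHO_REPLY, 42, 2, b"C" * 40)),
]

if __name__ == "__main__":
    for flow, why in suspect_flows(SAMPLE).items():
        print(flow, why)
```

These checks are heuristics: they flag any ICMP tunnel-like flow rather than identifying ptunnel specifically, and monitoring tools that send large pings will need an allowlist.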

Installation

sudo apt install ptunnel

Flags

-p        Set address of peer running packet forwarder. This causes ptunnel to operate in forwarding mode - the absence of this option causes ptunnel to operate in proxy mode.
-lp       Set TCP listening port (only used when operating in forward mode)
-da       Set remote proxy destination address if client. Restrict to only this destination address if server
-dp       Set remote proxy destination port if client
-m        Set max_tunnels or max_threads
-v        Set verbosity
-f        Set logfile
-c        Set device
-daemon   Run in background, the PID will be written in the file supplied as argument
-syslog   Output debug to syslog instead of standard out.
-udp      Toggle use of UDP instead of ICMP. Proxy will listen on port 53 (must be root).
-x        Set password (must be same on client and proxy)
-u        Run proxy in unprivileged mode. This causes the proxy to forward packets using standard echo requests, instead of crafting custom echo replies.
-setuid   When started in privileged mode, drop down to user's rights as soon as possible
-setgid   When started in privileged mode, drop down to group's rights as soon as possible
-chroot   When started in privileged mode, restrict file access to the specified directory
-setcon   Set SELinux context when all there is left to do are network I/O operations

Examples

Show usage help for ptunnel:
    ptunnel -h

Starting the proxy (needs to run as root):
    ptunnel

Starting a client (also needs root) to tunnel to login.domain.com:22 via proxy on port 8000:
    ptunnel -p proxy.pingtunnel.com -lp 8000 -da login.domain.com -dp 22 -c eth0

Using the tunnel to ssh to login.domain.com:
    ssh -p 8000 localhost

Run ptunnel in background as daemon, writing PID to specified file:
    ptunnel -daemon /var/run/ptunnel.pid

Toggle use of UDP instead of ICMP, proxy listens on port 53 (must be root):
    ptunnel -udp

Run with password authentication, drop privileges, and chroot for security:
    ptunnel -x password -setuid nobody -chroot /var/empty

Updated 2026-04-16 | kali.org