COPYING @@ -2,17 +2,14 @@ flags=-g3 -Wall -ansi -pedantic -D_GNU_SOURCE all: icmptx -icmptx: it.o icmptx.o tun_dev.o - gcc $(flags) -o icmptx icmptx.o it.o tun_dev.o +icmptx: it.o icmptx.c tun_dev.o + gcc $(flags) -o icmptx icmptx.c it.o tun_dev.o it.o: it.c tun_dev.h gcc $(flags) -c it.c -icmptx.o: icmptx.c tun_dev.h - gcc $(flags) -c icmptx.c - tun_dev.o: tun_dev.c gcc $(flags) -c tun_dev.c clean: - rm -f tun_dev.o it.o icmptx.o icmptx + rm -f tun_dev.o it.o icmptx Makefile @@ -1,39 +1,73 @@ -I've since forked this project! At the moment, I believe all of the source -code that I'm using falls under the GPL. The VTun code certainly does, and -I believe the itunnel code is based on it, so that would imply that it too -is under GPL. +This is the ICMPTX program. -The text below was the original README. A more elaborate howto can be found at -http://thomer.com/icmptx/ +This software is most recently available from FIXME +ICMPTX is a program that allows a user with root privledges to create a +virtual network link between two computers, encapsulating data inside of +ICMP packets. ------- -an icmp tunnel application based on itunnel and vtun. +-- license -- -it.c - modified itunnel part (pretty straightforward) -tun_dev.c - tun/tap part from vtun (copy) +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. -to run it, make sure you have tuntap in kernel (with 2.6, the driver is 'tun', -not sure if it works with older kernels - i removed older driver support). +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. -create a tunnel on a server (to a dummy address) with: -./create_tun dummy_address +You should have received a copy of the GNU General Public License +along with this ICMPTX. If not, see <http://www.gnu.org/licenses/>. -set the link up with ifconfig or iproute2 ip, set up routes and everything else -as needed (set MTU!): -ifconfig tun0 mtu 1400 192.168.3.1 -route add 192.168.3.2 tun0 +-- basic usage instructions -- -create tunnel from client: -./create_tun server +First, make sure you have the tun module from your 2.6 kernel loaded up +or compiled into your kernel on both ends of your tunnel. -set the link up, routes as needed and so on: -ifconfig tun0 mtu 1400 192.168.3.2 -route add 192.168.3.1 tun0 -route add default gw 192.168.3.1 +Second, compile the code on both the client machine and the server you +wish to tunnel your traffic between. -the MTU should be set to 1400 (it's defined in create_tun.c) or to anything -that can be sent as a payload of a single ICMP packet (changing create_tun.c -accordingly). +Third, on the server side, do something like -Enjoy. +./icmpx -s 1.2.3.4 & +sleep 1 +ifconfig tun0 10.0.3.1 netmask 255.255.255.0 + +Fourth, on the client side, do something like + +./icmptx -c 1.2.3.4 & +sleep 1 +ifconfig tun0 10.0.3.2 netmask 255.255.255.0 + +Replace 1.2.3.4 with your internet-accessible IP on the server. At this +point you should have a simple link between the client and server. On +the client, you should be able to ping 10.0.3.1 and get a response. Note +that there are several levels of irony involved in receiving the responses. +SSH tunneling can be used at this point for secure communication over the +channel. Note that there is no encryption capability provided directly by +ICMPTX. + +Once you've confirmed that the tunnel does in fact work, routing should be +easily accomplished. The tun interfaces are just like any other ethernet +devices on your system and can be used as such, for example: + +route add -net 192.168.0.0/24 gw 10.0.3.1 + +executed on the client could add a route to your server's DMZ segment. +Access to systems on the 192.168.0.0/24 subnet from the client would +then be transparently tunneled through the ICMPTX connection. + +-- who's to blame for all this? -- + +ICMPTX has an interesting lineage. The code for the ICMP handling was +originally included from the itunnel program. Tun interface handling +was included from the VTun project, originally authored by Maxim +Krasnyansky. The two were brought together by edi / teso. From there, +Siim Põder cleaned up the code and wrote a short article about it, +possibly still available at http://www.linuxexposed.com/content/view/153/52/ . +That seems to be where Thomer Gil found it, after which he further cleaned +it up and presented it at http://thomer.com/icmptx/, which is where I, +John Plaxco, came across it. Further and newer information may be +available at the project's homepage at FIXME. README @@ -1,54 +1,57 @@ -/* Code is ruthlessly ripped from vtun and itunnel with appropriate changes. - * Guys, thanks for the great stuff! - * - * itunnel - an ICMP tunnel by edi / teso - * VTun - Virtual Tunnel over TCP/IP network. - * - * Original author unknown, but modified by Thomer M. Gil who found the original - * code through - * http://www.linuxexposed.com/Articles/Hacking/Case-of-a-wireless-hack.html - * (a page written by Siim Põder). - * - * The icmptx website is at http://thomer.com/icmptx/ - */ +/* + This file is part of ICMPTX + + itunnel - an ICMP tunnel by edi / teso + VTun - Virtual Tunnel over TCP/IP network. + + Copyright (C) 1998-2000 Maxim Krasnyansky <max_mk@yahoo.com> + Copyright (C) 2006 Thomer M. Gil <thomer@thomer.com> + Copyright (C) 2008 John Plaxco <john@johnplaxco.com> + + Original author unknown, but modified by Thomer M. Gil who found the original + code through + http://www.linuxexposed.com/Articles/Hacking/Case-of-a-wireless-hack.html + (a page written by Siim Põder). + + Code updated by John Plaxco, cleaned up and added polling support to survive stateful firewalls. + + The (old) icmptx website is at http://thomer.com/icmptx/ + The current icmptx website is hosted at github, FIXME +*/ #include "tun_dev.h" #include <string.h> #include <stdio.h> #include <stdlib.h> -/* modified itunnel */ -int run_icmp_tunnel (int id, int packetsize, char **argv, int tun_fd); +int run_icmp_tunnel (int id, int packetsize, int isServer, char *serverNameOrIP, int tun_fd); -/* max transfered unit - capsuled packet size */ +/* size of the largest icmp data payload to send, NOT MTU of tun device */ const int mtu = 65536; +#define USAGE "Usage: %s [-s|-c] server\n -s Server Mode\n -c Client Mode\n server The host name or IP address of the server\n" + int main(int argc, char **argv) { - char *dev; int tun_fd = 0; if (argc != 3) { - fprintf(stderr, "Error, incorrect number of arguments provided. -s for server mode and -c for client and destination host name?\n"); + fprintf(stderr, USAGE, argv[0]); return 1; } - - /* create the tunnel device */ - if ((dev = (char *) malloc(16)) == NULL) { - fprintf(stderr, "If you have never had problems allocating 16 bytes\n" - "of memory, then now is your first time. Fatal.\n"); + if (strcmp(argv[1],"-c") && strcmp(argv[1],"-s")) { + fprintf(stderr, USAGE, argv[0]); return 1; } - dev[0] = 0; - if ((tun_fd = tun_open(dev)) < 1) { + + if ((tun_fd = tun_open()) < 1) { fprintf(stderr, "Could not create tunnel device. Fatal.\n"); return 1; - } else { - printf("Created tunnel device: %s\n", dev); } - run_icmp_tunnel(7530, mtu, argv, tun_fd); + run_icmp_tunnel(7537, mtu, !strcmp(argv[1],"-s"), argv[2], tun_fd); - tun_close(tun_fd, dev); + /* when run_icmp_tunnel returns, we must be finished */ + tun_close(tun_fd); return 0; } icmptx.c @@ -1,12 +1,23 @@ /* - * itunnel - an ICMP tunnel by edi / teso - * usage: it [-i id] [-s packetsize] host - * establishes a bidirectional ICMP - * 'connection' with 'host' by listening - * to ICMP packets with a specific id - * (default: 7530). uses stdin and stdout - * and needs to run as root. - c * + This file is part of ICMPTX + + Original code copyright date unknown, edi/teso. + Copyright (C) 2006 Thomer M. Gil <thomer@thomer.com> + Copyright (C) 2008 John Plaxco <john@johnplaxco.com> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this ICMPTX. If not, see <http://www.gnu.org/licenses/>. + */ #include <stdio.h> @@ -23,6 +34,9 @@ #include "tun_dev.h" +/* + * standard ICMP header + */ struct icmp { u_int8_t type; u_int8_t code; @@ -31,6 +45,9 @@ struct icmp { u_int16_t seq; }; +/* + * standard IP header + */ struct ip { unsigned int ip_hl:4, ip_v:4; @@ -46,35 +63,34 @@ struct ip { unsigned short in_cksum(unsigned short *, int); -/* icmp_tunnel - does the ICMP tunneling :-) - int sock - ICMP socket used to communicate +/* int sock - ICMP socket used to communicate int proxy - 0 means send echo requests, 1 means send echo replies - struct sockaddr_in *target - other side - int tun_fd - input/output file descriptor - int packetsize - the size of the buffer to allocate for the data part of the packet, apparently? - u_int16_t id - tunnel id field, apparently + struct sockaddr_in *target - For the client, points to the server. For the server, the default place to send replies + int tun_fd - Input/output file descriptor + int packetsize - maximum size of ICMP data payload + u_int16_t id - tunnel id field */ int icmp_tunnel(int sock, int proxy, struct sockaddr_in *target, int tun_fd, int packetsize, u_int16_t id) { + int len, result, fromlen, num; char* packet; - struct icmp *icmp, *icmpr; - int len; - int result; fd_set fs; unsigned char didSend, didReceive; + struct icmp *icmp, *icmpr; struct timeval tv; - struct sockaddr_in from; - int fromlen; - int num; len = sizeof (struct icmp); - packet = malloc (len+packetsize); + if ((packet = malloc (len+packetsize)) == NULL) { + fprintf(stderr, "Error allocating packet buffer"); + exit(1); + } memset (packet, 0, len+packetsize); icmp = (struct icmp*)(packet); icmpr = (struct icmp*)(packet+sizeof(struct ip)); + /* here's the infinite loop that shovels packets back and forth while the tunnel's up */ while (1) { FD_ZERO (&fs); FD_SET (tun_fd, &fs); @@ -85,7 +101,7 @@ int icmp_tunnel(int sock, int proxy, struct sockaddr_in *target, int tun_fd, int tv.tv_sec = 1; tv.tv_usec = 0; - select (tun_fd>sock?tun_fd+1:sock+1, &fs, NULL, NULL, &tv);/* block until data's available in one direction or the other */ + select (tun_fd>sock?tun_fd+1:sock+1, &fs, NULL, NULL, &tv);/* block until data's available in one direction or the other, or it's time to poll */ /* data available on tunnel device, need to transmit over icmp */ if (FD_ISSET(tun_fd, &fs)) { @@ -96,9 +112,9 @@ int icmp_tunnel(int sock, int proxy, struct sockaddr_in *target, int tun_fd, int perror("read"); return -1; } - icmp->type = proxy ? 0 : 8;/*echo request or echo response*/ + icmp->type = proxy ? 0 : 8;/*echo response or echo request*/ icmp->code = 0; - icmp->id = id;/*mark the packet so the other end knows we care about it*/ + icmp->id = id;/* mark the packet so the other end knows it's a tunnel packet */ icmp->seq = 0; icmp->cksum = 0; icmp->cksum = in_cksum((unsigned short*)packet, len+result); @@ -114,14 +130,14 @@ int icmp_tunnel(int sock, int proxy, struct sockaddr_in *target, int tun_fd, int if (FD_ISSET(sock, &fs)) { fromlen = sizeof (struct sockaddr_in); num = recvfrom(sock, packet, len+packetsize, 0, (struct sockaddr*)&from, (socklen_t*) &fromlen); - /* the data packet */ + + /* make the destination be the source of the most recently received packet (this can be dangerous) */ memcpy(&(target->sin_addr.s_addr), &(from.sin_addr.s_addr), 4*sizeof(char)); - if (icmpr->id == id) {/*this filters out all of the other tunnel packets I don't care about*/ + if (icmpr->id == id) {/*this filters out all of the other ICMP packets I don't care about*/ tun_write(tun_fd, packet+sizeof(struct ip)+sizeof(struct icmp), num-sizeof(struct ip)-sizeof(struct icmp)); - /* make the destination be the source of the most recently received packet */ didReceive = 1; } else if (icmpr->type == 8) {/* some normal ping request */ - icmpr->type = 0;/*echo request or echo response*/ + icmpr->type = 0;/*echo response*/ icmpr->code = 0; icmpr->id = icmpr->id; icmpr->seq = icmpr->seq; @@ -139,7 +155,7 @@ int icmp_tunnel(int sock, int proxy, struct sockaddr_in *target, int tun_fd, int if (!proxy && !didSend && !didReceive) { icmp->type = 8;/*echo request*/ icmp->code = 0; - icmp->id = id;/*mark the packet so the other end knows we care about it*/ + icmp->id = id;/*mark the packet so the other end knows it's a tunnel packet*/ icmp->seq = 0; icmp->cksum = 0; icmp->cksum = in_cksum((unsigned short*)packet, len); @@ -156,28 +172,20 @@ int icmp_tunnel(int sock, int proxy, struct sockaddr_in *target, int tun_fd, int /* * this is the function that starts it all rolling - * id - the id value for the icmp stream, to distinguish it from any other tunnels running? + * id - the id value for the icmp stream, to distinguish it from any other incoming ICMP packets * packetsize - I think this is the mtu value for the packets going across the tunnel, seems to be used in buffer allocations - * argv[1] - should be either "-s" or "-c" for server or client mode - * argv[2] - should be a remote host. this seems to be a requirement regardless of mode + * isServer - 0 for client mode, 1 for server mode + * serverNameOrIP - the server's host name or IP address * tun_fd - the file descriptor of the socket we read and write from - * FIXME these arguments are retarded */ -int run_icmp_tunnel (int id, int packetsize, char **argv, int tun_fd) { +int run_icmp_tunnel (int id, int packetsize, int isServer, char *serverNameOrIP, int tun_fd) { struct sockaddr_in target; struct in_addr inp; int s; - char *daemon = argv[1]; - char *desthost = argv[2]; - - if (!desthost) { /*this doesn't make sense for server mode, does it? maybe I need it to know which interface to monitor/transmit on*/ - fprintf (stderr, "no destination\n"); - return -1; - } - if (!inet_aton(desthost, &inp)) { + if (!inet_aton(serverNameOrIP, &inp)) { struct hostent* he; - if (!(he = gethostbyname (desthost))) { + if (!(he = gethostbyname (serverNameOrIP))) { herror ("gethostbyname"); return -1; } @@ -192,7 +200,7 @@ int run_icmp_tunnel (int id, int packetsize, char **argv, int tun_fd) { return -1; } - icmp_tunnel(s, !strcmp(daemon, "-s"), &target, tun_fd, packetsize, (u_int16_t) id); + icmp_tunnel(s, isServer, &target, tun_fd, packetsize, (u_int16_t) id); close(s); it.c @@ -1,7 +1,11 @@ /* + This file is part of ICMPTX + VTun - Virtual Tunnel over TCP/IP network. Copyright (C) 1998-2000 Maxim Krasnyansky <max_mk@yahoo.com> + Copyright (C) 2006 Thomer M. Gil <thomer@thomer.com> + Copyright (C) 2008 John Plaxco <john@johnplaxco.com> VTun has been derived from VPPP package by Maxim Krasnyansky. @@ -14,11 +18,11 @@ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -*/ -/* - * tun_dev.c,v 1.1.2.4 2001/09/13 05:02:22 maxk Exp - */ + You should have received a copy of the GNU General Public License + along with this ICMPTX. If not, see <http://www.gnu.org/licenses/>. + +*/ /* #include "config.h" */ @@ -38,23 +42,15 @@ int snprintf(char *str, size_t size, const char *format, ...); /* * Allocate TUN device, returns opened fd. - * Stores dev name in the first arg(must be large enough). - * FIXME how large is large enough?? why if (*dev)? */ -int tun_open_old(char *dev) { +int tun_open_old() { char tunname[14]; int i, fd; - if(*dev) { - snprintf(tunname, sizeof(tunname), "/dev/%s", dev); - return open(tunname, O_RDWR); - } - for(i=0; i < 255; i++){ sprintf(tunname, "/dev/tun%d", i); /* Open device */ if( (fd=open(tunname, O_RDWR)) > 0 ){ - sprintf(dev, "tun%d", i); return fd; } } @@ -67,24 +63,19 @@ int tun_open_old(char *dev) { #define OTUNSETIFF (('T'<< 8) | 202) /* - *FIXME what is dev supposed to contain? - * current guess is /dev/tunX, and if the first byte is null then I try to find one - * when it comes back out, it's got the device /dev/whatever in it, so it had better be big enough, but I don't think we care about this? + * find a tun device and open it, returning the file descriptor on success or -1 on failure with errno possibly set. */ -int tun_open(char *dev) { +int tun_open() { struct ifreq ifr; int fd; if ((fd = open("/dev/net/tun", O_RDWR)) < 0) { - return tun_open_old(dev); + return tun_open_old(); } memset(&ifr, 0, sizeof(ifr)); ifr.ifr_flags = IFF_TUN | IFF_NO_PI; - if (*dev) { - strncpy(ifr.ifr_name, dev, IFNAMSIZ); - } if (ioctl(fd, TUNSETIFF, (void *) &ifr) < 0) { if (errno == EBADFD) { @@ -95,7 +86,6 @@ int tun_open(char *dev) { goto failed; } - strcpy(dev, ifr.ifr_name); return fd; failed: @@ -103,11 +93,10 @@ int tun_open(char *dev) { return -1; } -int tun_close(int fd, char *dev) { +int tun_close(int fd) { return close(fd); } -/* Read/write frames from TUN device */ int tun_write(int fd, char *buf, int len) { return write(fd, buf, len); } tun_dev.c @@ -1,7 +1,11 @@ /* + This file is part of ICMPTX + VTun - Virtual Tunnel over TCP/IP network. Copyright (C) 1998-2000 Maxim Krasnyansky <max_mk@yahoo.com> + Copyright (C) 2006 Thomer M. Gil <thomer@thomer.com> + Copyright (C) 2008 John Plaxco <john@johnplaxco.com> VTun has been derived from VPPP package by Maxim Krasnyansky. @@ -14,11 +18,11 @@ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this ICMPTX. If not, see <http://www.gnu.org/licenses/>. */ -/* - * tun_dev.h,v 1.1.1.1.2.1 2000/11/20 07:57:33 maxk Exp - */ #ifndef _DRIVER_H #define _DRIVER_H @@ -27,8 +31,8 @@ * version 3.0 */ -int tun_open(char *dev); -int tun_close(int fd, char *dev); +int tun_open(); +int tun_close(int fd); int tun_write(int fd, char *buf, int len); int tun_read(int fd, char *buf, int len); tun_dev.h 1af85f69f4319b296fce07ca998e5800bf0af379 John Plaxco john@johnplaxco.com http://github.com/jakkarth/icmptx/commit/5c07c1b1c485e0803ede5b227e313e8565b51d10 5c07c1b1c485e0803ede5b227e313e8565b51d10 2008-12-10T16:14:52-08:00 2008-12-10T16:14:52-08:00 Finalized licensing changes, added documentation, minor code changes. b019b6de53791a02d3939d480850f23ed9bb16e9 John Plaxco john@johnplaxco.com