Saturday, May 07, 2005

Ping Tunnel and Telnet

I often learn of new software by seeing new ports released at FreshPorts. Recently I noticed Daniel Stødle's Ping Tunnel appear as net/ptunnel. Ping Tunnel tunnels TCP over ICMP traffic, as shown in the diagram at left. Being a network security analyst, I thought it might be interesting to see what this traffic looks like. I set up the Ping Tunnel client on my laptop (orr, 192.168.2.5), the proxy on a server (janney, 192.168.2.7), and tried to Telnet to a third server (bourque, 192.168.2.10). The results surprised me. Here is the setup.

First, I set up the proxy on janney. Here is everything janney reported.

janney:/home/richard$ sudo ptunnel -c xl0
[inf]: Starting ptunnel v 0.60.
[inf]: (c) 2004-2005 Daniel Stoedle, daniels@cs.uit.no
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Initializing pcap.
[inf]: Ping proxy is listening in privileged mode.
[inf]: Incoming tunnel request from 192.168.2.5.
[inf]: Starting new session to 192.168.2.10:23 with ID 33492
[err]: Dropping duplicate proxy session request.
[inf]: Connection closed or lost.

I ran the client on orr. Here is everything orr reported.

orr:/home/richard$ sudo ptunnel -p janney -lp 8000 -da bourque -dp 23
[inf]: Starting ptunnel v 0.60.
[inf]: (c) 2004-2005 Daniel Stoedle, daniels@cs.uit.no
[inf]: Relaying packets from incoming TCP streams.
[inf]: Incoming connection.
[evt]: No running proxy thread - starting it.
[inf]: Ping proxy is listening in privileged mode.
[inf]: Received session close from remote peer.

Here is the output from the window in which I used Telnet to connect to port 8000 TCP on orr. Connecting to port 8000 TCP sends traffic to the Ping Tunnel client, which sends traffic over ICMP to the Ping Tunnel proxy on janney. The Ping Tunnel proxy on janney then sends TCP traffic to port 23 TCP on bourque.

orr:/home/richard$ telnet localhost 8000
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.taosecurity.com.
Escape character is '^]'.
Trying SRA secure login:
User (richard): test
Password:
[ SRA accepts you ]

FreeBSD/i386 (bourque.taosecurity.com) (ttyp1)

Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004

Welcome to FreeBSD!
...edited...
$ id
uid=1002(test) gid=1002(test) groups=1002(test)
$ exit
Connection closed by foreign host.

It looks like it worked. I was able to Telnet to my localhost on port 8000 TCP, and Ping Tunnel sent the traffic via ICMP to janney, who then sent TCP traffic to port 23 on bourque. So what did the traffic look like?

Here is some of what orr saw. This is ICMP traffic generated by the Ping Tunnel client, exchanged with the Ping Tunnel proxy on janney.

10:15:04.732055 IP orr.taosecurity.com > janney.taosecurity.com: icmp 36:
echo request seq 0
0x0000: 4500 0038 c442 0000 4001 3126 c0a8 0205 E..8.B..@.1&....
0x0010: c0a8 0207 0800 11ec 82d4 0000 d520 0880 ................
0x0020: c0a8 020a 0000 0017 4000 0000 0000 ffff ........@.......
0x0030: 0000 0000 0000 82d4 ........
10:15:04.737694 IP janney.taosecurity.com > orr.taosecurity.com: icmp 36:
echo reply seq 0
0x0000: 4500 0038 1253 0000 4001 e315 c0a8 0207 E..8.S..@.......
0x0010: c0a8 0205 0000 19ec 82d4 0000 d520 0880 ................
0x0020: c0a8 020a 0000 0017 4000 0000 0000 ffff ........@.......
0x0030: 0000 0000 0000 82d4 ........
10:15:04.876140 IP janney.taosecurity.com > orr.taosecurity.com: icmp 40:
echo reply seq 0
0x0000: 4500 003c 125a 0000 4001 e30a c0a8 0207 E..<.Z..@.......
0x0010: c0a8 0205 0000 7732 82d4 0000 d520 0880 ......w2........
0x0020: 0000 0000 0000 0000 8000 0002 0000 0000 ................
0x0030: 0000 0003 0000 82d4 fffd 2580 ..........%.
10:15:04.876778 IP orr.taosecurity.com > janney.taosecurity.com: icmp 40:
echo request seq 1
0x0000: 4500 003c c446 0000 4001 311e c0a8 0205 E..<.F..@.1.....
0x0010: c0a8 0207 0800 afb2 82d4 0001 d520 0880 ................
0x0020: 0000 0000 0000 0000 4000 0002 0000 0000 ........@.......
0x0030: 0000 0003 0001 82d4 fffb 2500 ..........%.

Ok, it looks like ICMP traffic as we would expect. I chose Telnet for this demo because it is a clear text protocol. Everyone knows that -- that's why we use OpenSSH, right? Let me see if I can find some clear text.

10:15:08.839045 IP orr.taosecurity.com > janney.taosecurity.com: icmp 152:
echo request seq 10
0x0000: 4500 00ac c460 0000 4001 3094 c0a8 0205 E....`..@.0.....
0x0010: c0a8 0207 0800 16e7 82d4 000a d520 0880 ................
0x0020: 0000 0000 0000 0000 4000 0002 0000 0009 ........@.......
0x0030: 0000 0073 000a 82d4 fffa 2602 0102 fff0 ...s......&.....
0x0040: fffa 2000 3338 3430 302c 3338 3430 30ff ....38400,38400.
0x0050: f0ff fa23 006f 7272 2e74 616f 7365 6375 ...#.orr.taosecu
0x0060: 7269 7479 2e63 6f6d 3a30 2e30 fff0 fffa rity.com:0.0....
0x0070: 2700 0044 4953 504c 4159 016f 7272 2e74 '..DISPLAY.orr.t
0x0080: 616f 7365 6375 7269 7479 2e63 6f6d 3a30 aosecurity.com:0
0x0090: 2e30 0055 5345 5201 7269 6368 6172 64ff .0.USER.richard.
0x00a0: f0ff fa18 0052 5856 54ff f000 .....RXVT...
10:15:08.844558 IP janney.taosecurity.com > orr.taosecurity.com: icmp 152:
echo reply seq 10
0x0000: 4500 00ac 1277 0000 4001 e27d c0a8 0207 E....w..@..}....
0x0010: c0a8 0205 0000 1ee7 82d4 000a d520 0880 ................
0x0020: 0000 0000 0000 0000 4000 0002 0000 0009 ........@.......
0x0030: 0000 0073 000a 82d4 fffa 2602 0102 fff0 ...s......&.....
0x0040: fffa 2000 3338 3430 302c 3338 3430 30ff ....38400,38400.
0x0050: f0ff fa23 006f 7272 2e74 616f 7365 6375 ...#.orr.taosecu
0x0060: 7269 7479 2e63 6f6d 3a30 2e30 fff0 fffa rity.com:0.0....
0x0070: 2700 0044 4953 504c 4159 016f 7272 2e74 '..DISPLAY.orr.t
0x0080: 616f 7365 6375 7269 7479 2e63 6f6d 3a30 aosecurity.com:0
0x0090: 2e30 0055 5345 5201 7269 6368 6172 64ff .0.USER.richard.
0x00a0: f0ff fa18 0052 5856 54ff f000 .....RXVT...

That's interesting. Those packets look like Telnet environment variables. That's normal. So where is my "Welcome to FreeBSD!" line? It's nowhere. In fact, here is some of what follows.

10:15:09.228115 IP janney.taosecurity.com > orr.taosecurity.com: icmp 1060:
echo reply seq 15
0x0000: 4500 0438 1287 0000 4001 dee1 c0a8 0207 E..8....@.......
0x0010: c0a8 0205 0000 2632 82d4 000f d520 0880 ......&2........
0x0020: 0000 0000 0000 0000 8000 0002 0000 000d ................
0x0030: 0000 0400 000f 82d4 75dc 0adc a3d1 43f5 ........u.....C.
0x0040: 75d2 9147 a100 02d4 3920 1e50 967b 990a u..G....9..P.{..
0x0050: 2983 fc5f 9d9d 54bd 7a46 0187 6e02 2a27 ).._..T.zF..n.*'
0x0060: cee9 79b3 404a c6d5 6a79 c437 d666 5507 ..y.@J..jy.7.fU.
0x0070: 413e 754b 4021 bbb9 7857 8af9 e438 6466 A>uK@!..xW...8df
0x0080: 39a0 8655 6c40 fe9b 76ab 4d19 4773 1991 9..Ul@..v.M.Gs..
...truncated...

That looks encrypted to me. Is Ping Tunnel encrypting the Telnet traffic somehow? Why didn't it encrypt the environment variable exchange?
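Before looking at bourque's side, here is a way to pull the Ping Tunnel header out of the echo packets above. This is an added example for this post, not ptunnel's own code; the field names and state values follow the ping_tunnel_pkt_t structure in ptunnel's source as I recall it (an assumption), and the two dumps are transcribed from the tcpdump output above. The four-byte magic at the start of the ICMP payload is what a detection signature would key on:

```python
"""Decode the Ping Tunnel framing carried in the ICMP echo packets above.
Added example for this post, not ptunnel's own code. Field names and state
values follow ptunnel's ping_tunnel_pkt_t as I recall it (an assumption); the
two dumps are transcribed from the post's tcpdump -X output."""
import ipaddress, re, struct

PTUNNEL_MAGIC = 0xD5200880                 # first 4 bytes of every ptunnel payload
USER_FLAG, PROXY_FLAG = 1 << 30, 1 << 31   # top bits of "state" say which end sent it
STATES = {0: "proxy_start", 1: "ack", 2: "data", 3: "close", 4: "authenticate"}

START = """0x0000: 4500 0038 c442 0000 4001 3126 c0a8 0205 E..8.B..@.1&....
0x0010: c0a8 0207 0800 11ec 82d4 0000 d520 0880 ................
0x0020: c0a8 020a 0000 0017 4000 0000 0000 ffff ........@.......
0x0030: 0000 0000 0000 82d4 ........"""
REPLY = """0x0000: 4500 003c 125a 0000 4001 e30a c0a8 0207 E..<.Z..@.......
0x0010: c0a8 0205 0000 7732 82d4 0000 d520 0880 ......w2........
0x0020: 0000 0000 0000 0000 8000 0002 0000 0000 ................
0x0030: 0000 0003 0000 82d4 fffd 2580 ..........%."""

def dump_to_bytes(text):
    """Rebuild raw bytes from tcpdump -X lines; stops at the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        groups = []
        for tok in line.split(":", 1)[1].split():
            if len(groups) == 8 or not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def parse_ptunnel(pkt):
    """Return the ptunnel header of an IPv4/ICMP echo packet, or None if it is not one."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp_type, _code, _csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    body = pkt[ihl + 8:]
    if icmp_type not in (0, 8) or len(body) < 28:
        return None
    magic, dst_ip, dst_port, state, ack, dlen, seq, ident = struct.unpack("!IIIIIIHH", body[:28])
    if magic != PTUNNEL_MAGIC:                # detection hook: magic at ICMP payload offset 0
        return None
    return {"direction": "proxy->client" if state & PROXY_FLAG else "client->proxy",
            "state": STATES.get(state & 0x3FFFFFFF, "?"),
            "dst": f"{ipaddress.IPv4Address(dst_ip)}:{dst_port}",
            "ack": ack, "seq": seq, "id": ident, "data": body[28:28 + dlen],
            "icmp": (icmp_type, icmp_id, icmp_seq)}
```

On the first echo request this yields dst 192.168.2.10:23 and id 33492, the session ID janney logged; the echo reply carries three data bytes, IAC DO AUTHENTICATION (option 37), which is bourque's telnetd opening the authentication negotiation before any encryption is in place.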

Let's look at the traffic as bourque saw it. Host bourque is running the Telnet server.

10:11:05.217479 IP janney.taosecurity.com.61802 > bourque.taosecurity.com.telnet:
S 440505519:440505519(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,
nop,timestamp 931812386 0>
0x0000: 4500 0040 1254 4000 4006 a302 c0a8 0207 E..@.T@.@.......
0x0010: c0a8 020a f16a 0017 1a41 94af 0000 0000 .....j...A......
0x0020: b002 ffff 847f 0000 0204 05b4 0101 0402 ................
0x0030: 0103 0301 0101 080a 378a 5422 0000 0000 ........7.T"....
10:11:05.217653 IP bourque.taosecurity.com.telnet > janney.taosecurity.com.61802:
S 3627412370:3627412370(0) ack 440505520 win 65535 <mss 1460,nop,wscale 1,nop,
nop,timestamp 931351884 931812386,nop,nop,sackOK>
0x0000: 4500 0040 1766 4000 4006 9df0 c0a8 020a E..@.f@.@.......
0x0010: c0a8 0207 0017 f16a d835 eb92 1a41 94b0 .......j.5...A..
0x0020: b012 ffff 3bd6 0000 0204 05b4 0103 0301 ....;...........
0x0030: 0101 080a 3783 4d4c 378a 5422 0101 0402 ....7.ML7.T"....
10:11:05.217932 IP janney.taosecurity.com.61802 > bourque.taosecurity.com.telnet:
. ack 1 win 33304 <nop,nop,timestamp 931812386 931351884>
0x0000: 4500 0034 1256 4000 4006 a30c c0a8 0207 E..4.V@.@.......
0x0010: c0a8 020a f16a 0017 1a41 94b0 d835 eb93 .....j...A...5..
0x0020: 8010 8218 fa89 0000 0101 080a 378a 5422 ............7.T"
0x0030: 3783 4d4c 7.ML

That's as I would expect it. I see the TCP three-way handshake from the host running the Ping Tunnel proxy (janney) to the Telnet server on bourque. How about another traffic sample?

10:11:09.316388 IP janney.taosecurity.com.61802 > bourque.taosecurity.com.telnet:
P 143:258(115) ack 145 win 33304 <nop,nop,timestamp 931812796 931352282>
0x0000: 4500 00a7 1279 4000 4006 a276 c0a8 0207 E....y@.@..v....
0x0010: c0a8 020a f16a 0017 1a41 953e d835 ec23 .....j...A.>.5.#
0x0020: 8018 8218 388c 0000 0101 080a 378a 55bc ....8.......7.U.
0x0030: 3783 4eda fffa 2602 0102 fff0 fffa 2000 7.N...&.........
0x0040: 3338 3430 302c 3338 3430 30ff f0ff fa23 38400,38400....#
0x0050: 006f 7272 2e74 616f 7365 6375 7269 7479 .orr.taosecurity
0x0060: 2e63 6f6d 3a30 2e30 fff0 fffa 2700 0044 .com:0.0....'..D
0x0070: 4953 504c 4159 016f 7272 2e74 616f 7365 ISPLAY.orr.taose
0x0080: 6375 7269 7479 2e63 6f6d 3a30 2e30 0055 curity.com:0.0.U
0x0090: 5345 5201 7269 6368 6172 64ff f0ff fa18 SER.richard.....
0x00a0: 0052 5856 54ff f0 .RXVT..
10:11:09.319963 IP bourque.taosecurity.com.telnet > janney.taosecurity.com.61802:
P 145:170(25) ack 258 win 33304 <nop,nop,timestamp 931352295 931812796>
0x0000: 4510 004d 176f 4000 4006 9dca c0a8 020a E..M.o@.@.......
0x0010: c0a8 0207 0017 f16a d835 ec23 1a41 95b1 .......j.5.#.A..
0x0020: 8018 8218 a77c 0000 0101 080a 3783 4ee7 .....|......7.N.
0x0030: 378a 55bc fffa 2607 00ff f0ff fb03 fffd 7.U...&.........
0x0040: 01ff fd22 fffd 1fff fb05 fffd 21 ..."........!

That's odd. I only see the Telnet environment information from janney to bourque. In fact, going back to the ICMP traffic, the data past the IP header is identical in the "icmp 152" packets. I'm not sure what that means, but it's not central to my immediate concern.

Where is my clear text Telnet protocol?

I decide to load the trace captured at bourque into Tethereal. In one of the Telnet option decodes I see the following:

Telnet
Suboption Begin: Authentication Option
Auth Cmd: REPLY (2)
Auth Type: RSA (6)
...0 .0.. = Encrypt: Off (0)
.... 0... = Cred Fwd: Client will NOT forward auth creds
.... ..0. = How: One Way authentication
.... ...0 = Who: Mask client to server
Command: Forward (4)
Command: Suboption End
Command: Will Encryption Option
Command: Do Terminal Type
Command: Do Terminal Speed
Command: Do X Display Location
Command: Do New Environment Option
Command: Do Environment Option

Interesting... "Will Encryption Option". Let's keep an eye on that. A few packets later I see the Telnet client send these Telnet options:

Telnet
Command: Do Encryption Option
Suboption Begin: Encryption Option
Option data
Command: Suboption End
Suboption Begin: Encryption Option
Option data
Command: Suboption End
Command: Will Terminal Type
Command: Will Terminal Speed
Command: Will X Display Location
Command: Will New Environment Option
Command: Won't Environment Option

Now we're seeing "Do Encryption Option". The next packet from the server agrees:

Telnet
Suboption Begin: Encryption Option
Option data

Just to wrap up the earlier clear text, here's the data from the client to the server decoded:

Telnet
Suboption Begin: Encryption Option
Option data
Command: Suboption End
Suboption Begin: Terminal Speed
Option data
Command: Suboption End
Suboption Begin: X Display Location
Here's my X Display Location
Value: orr.taosecurity.com:0.0
Command: Suboption End
Suboption Begin: New Environment Option
Option data
Command: Suboption End
Suboption Begin: Terminal Type
Here's my Terminal Type
Value: RXVT
Command: Suboption End

From this point forward, all of the data carried in Telnet appears encrypted.
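The negotiation Tethereal decoded above can also be walked by hand. The following is an added example for this post, not code from ptunnel, telnet or Tethereal; it decodes the 115-byte client payload and the 25-byte server reply transcribed from the bourque capture above, names ENCRYPT subcommands per RFC 2946, and pulls out the NEW-ENVIRON values (USER, DISPLAY) that crossed in clear text before the ENCRYPT option took effect:

```python
"""Walk the Telnet IAC negotiation shown above and list what leaks before
ENCRYPT takes effect. Added example for this post (not ptunnel, telnet or
Tethereal code); the payloads are transcribed from the post's tcpdump dumps."""
import re
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS", 24: "TERMINAL-TYPE",
       31: "NAWS", 32: "TERMINAL-SPEED", 33: "TOGGLE-FLOW-CONTROL", 34: "LINEMODE",
       35: "X-DISPLAY-LOCATION", 37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON"}
ENC = {0: "IS", 1: "SUPPORT", 2: "REPLY", 3: "START", 4: "END",     # RFC 2946 sec. 1
       5: "REQUEST-START", 6: "REQUEST-END", 7: "ENC_KEYID", 8: "DEC_KEYID"}

CLIENT = bytes.fromhex(  # the 115 data bytes of "P 143:258(115)", janney -> bourque
    "fffa 2602 0102 fff0 fffa 2000 3338 3430 302c 3338 3430 30ff f0ff fa23"
    "006f 7272 2e74 616f 7365 6375 7269 7479 2e63 6f6d 3a30 2e30 fff0 fffa"
    "2700 0044 4953 504c 4159 016f 7272 2e74 616f 7365 6375 7269 7479 2e63"
    "6f6d 3a30 2e30 0055 5345 5201 7269 6368 6172 64ff f0ff fa18 0052 5856 54ff f0")
SERVER = bytes.fromhex(  # the 25 data bytes of "P 145:170(25)", bourque -> janney
    "fffa 2607 00ff f0ff fb03 fffd 01ff fd22 fffd 1fff fb05 fffd 21")

def decode(payload):
    """(command, option, suboption data) per IAC sequence; plain data bytes are skipped."""
    out, i = [], 0
    while i < len(payload):
        if payload[i] != IAC:
            i += 1
            continue
        cmd = payload[i + 1]
        if cmd in CMD:                      # IAC WILL/WONT/DO/DONT <option>
            out.append((CMD[cmd], OPT.get(payload[i + 2], str(payload[i + 2])), b""))
            i += 3
        elif cmd == SB:                     # IAC SB <option> ... IAC SE (escaped IAC IAC not handled)
            end = payload.index(bytes((IAC, SE)), i + 2)
            out.append(("SB", OPT.get(payload[i + 2], str(payload[i + 2])), payload[i + 3:end]))
            i = end + 2
        else:                               # IAC IAC escape or a bare two-byte command
            i += 2
    return out

def describe(payload):
    """Tethereal-style lines, naming ENCRYPT subcommands (REPLY, ENC_KEYID, START...)."""
    return [f"{cmd} {opt}" + (f" {ENC.get(data[0], data[0])}" if opt == "ENCRYPT" and data else "")
            for cmd, opt, data in decode(payload)]

def environ_vars(payload):
    """Clear-text NEW-ENVIRON IS variables (VAR/VALUE pairs) such as USER and DISPLAY."""
    for cmd, opt, data in decode(payload):
        if cmd == "SB" and opt == "NEW-ENVIRON" and data[:1] == b"\x00":
            parts = [p.decode() for p in re.split(rb"[\x00\x01\x03]", data[1:]) if p]
            return dict(zip(parts[::2], parts[1::2]))
    return {}
```

The client payload decodes to an ENCRYPT REPLY followed by the terminal speed, X display, environment and terminal type suboptions, and the server's reply opens with ENCRYPT ENC_KEYID: the option exchange itself, including the login name, is the only part of the session that is visible in clear text.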

This helpful Telnet protocol page pointed me to this Telnet options list. It turns out that RFC 2946, by none other than Linux kernel hacker Ted Ts'o, describes how to add encryption to Telnet. It seems that the default telnetd and telnet installed with FreeBSD (and others, probably?) support encrypted Telnet. I have never seen this before. Has anyone else? I guess I should have picked another "clear text" protocol to test Ping Tunnel!

3 comments:

Anonymous said...

Yep, telnet encryption options have been around for a while (at least since 2000...I didn't check how far back it went). Remember the Telnet TESO AYT exploit? It used the encryption option to store the shellcode in heap memory during the overflow.
Dave Chaboya

Richard Bejtlich said...

Hey Dave, thanks for reading my blog! Where are you these days? Email me at richard at taosecurity dot com.
