ICMP tunneling with ptunnel-ng

Anyone have any issues using the ptunnel-ng binary from Release SeLinux update, pcap improvment · utoni/ptunnel-ng · GitHub?

I’m currently on the ‘Pivoting, Tunneling, and Port Forwarding’ module, section ‘ICMP Tunneling with SOCKS’. I’m able to compile the binary per instructions on my attack host (Kali). I can execute the binary on my attack host. But when I move the folder to the pivot host, it won’t execute there. I tried running the auto.sh script but I keep getting the following error:
++ pwd
+ OLD_WD=/home/ubuntu/ptunnel-ng
++ dirname ./autogen.sh
+ NEW_WD=.
+ cd .
+ autoreconf -fi
./autogen.sh: line 10: autoreconf: command not found
+ aclocal
./autogen.sh: line 11: aclocal: command not found
+ autoheader
./autogen.sh: line 12: autoheader: command not found
+ automake --force-missing --add-missing
./autogen.sh: line 13: automake: command not found
+ autoconf
./autogen.sh: line 14: autoconf: command not found
+ cd /home/ubuntu/ptunnel-ng
+ ./configure
./autogen.sh: line 19: ./configure: No such file or directory

I tried sudo apt install autoconf on the pivot host (HTB instance), but it errors out. I’m assuming there are restrictions in place that prevent updating/changing packages on an HTB host; totally understandable.

How do I get ptunnel-ng to work on the pivot host?

NOTE: I get the following error when trying to run the binary from the repository directory transferred from the attack host:

ubuntu@WEB01:~/ptunnel-ng/src$ ./ptunnel-ng -h
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory

You don’t need to install anything. Just clone ptunnel-ng to your attack host, then use the command "sudo ./autogen.sh".
Now copy the repo to the pivot host using scp and use it directly.

That’s what I did.

Anyone manage to successfully use ptunnel? Also stuck here. Probably gonna just use another pivot method, this ptunnel is full of fail.

Yes I did. I compiled it on a different Linux distro (Mint), 5.4.0-135-generic x86_64. I think some of the lab boxes aren’t up to date. I had similar issues with tools presented in Active Directory Enumeration & Attacks.

Thanks for the tip. So you loaded a very old version of Linux Mint in order to compile the program? Man, I’m probably going to do Active Directory enumeration next, guess I’ll need to do that.

Pretty much. I’m def a noob, so I bet there’s a better way.

Had the same problem at first when trying to build it from scratch on the Ubuntu server, but instead I built it in Parrot OS and copied the whole folder, including binaries, to the Ubuntu server. No real need to build it on the victim host.

I had the same issue, solved by installing autoreconf:
sudo apt install autoreconf

You have to find an Ubuntu distro with the same version of libc-bin as on the pivot host.

I also got stuck here. I used another method: SSH with a dynamic port, and after that connected via proxychains and RDP.

As of May 2023, I get the same errors as the OP, using Kali Linux (updated) on my attack host. Maybe I have to use Parrot OS to do it?

Yeah, I’m not an expert at this by any means, so take it with a grain of salt; I think it’s a GLIBC compatibility issue. Compiling binaries on one version of GLIBC may not work properly on other versions. Basically, I’d check the current version of GLIBC on the attack host with “ldd --version”, then compile the binary on an OS with that version. That’s basically what I did.

I recommend compiling it in a docker image of ‘ubuntu:20.04’.

How did you do “sudo apt install autoreconf” on the pivot machine??

Just use the command line in the right directory. On the server side and the attack host, you must run the ptunnel-ng command line in the /ptunnel-ng/src directory. I was stuck, and just did this, and then there was no error.

1 Like

Another approach would be to statically build the binary. This means that the needed libraries will be included in the binary (which would increase its size from 150k to more than 5mb).

To do this, open both the Makefiles from the root folder and the src folder and add the following flags to the LDFLAGS parameter:

LDFLAGS: -static -lssl -lcrypto

Once that’s done, you can do sudo ./autogen.sh normally and it will generate the new static binary that you then can pass to the machine with scp and it should work.

That does not work:

ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./ptunnel-ng)
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)

I just used the following version of chisel and got the required flag:

$ wget https://github.com/jpillora/chisel/releases/download/v1.5.2/chisel_1.5.2_linux_amd64.gz
# unzip file
$ gzip -d chisel_1.5.2_linux_amd64.gz
# make it executable
$ chmod +x chisel_1.5.2_linux_amd64
# transfer files to pivot host
$ scp chisel_1.5.2_linux_amd64 ubuntu@10.129.202.64:~/
1 Like
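
The `GLIBC_2.36' not found` errors quoted in this thread mean the binary was linked against a newer glibc than the host running it provides. As an added example (not part of any post and not ptunnel-ng code), this script extracts the highest glibc symbol version a binary asks for and compares it with a target's version; the function names and the 2.31 target value (the glibc shipped with Ubuntu 20.04) are assumptions for illustration.

```shell
#!/bin/sh
# Highest GLIBC_x.y symbol version mentioned on stdin. Accepts loader
# error text or the output of `objdump -T <binary>`.
max_glibc_required() {
    grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' | sort -uV | tail -n 1
}

# Succeeds when the host glibc ($1) is at least the required version ($2).
# sort -V compares version fields numerically, so 2.9 sorts below 2.31.
glibc_satisfies() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# glibc version of the machine this runs on (end of first `ldd --version` line).
host_glibc() {
    ldd --version 2>/dev/null | head -n 1 | grep -o '[0-9][0-9.]*$'
}

# Sample input: the two loader errors quoted in the thread.
SAMPLE_ERRORS="./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version \`GLIBC_2.36' not found (required by ./ptunnel-ng)
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version \`GLIBC_2.34' not found (required by ./ptunnel-ng)"

# Compare the sample's requirement with an assumed target glibc of 2.31.
check_sample() {
    target="2.31"   # assumption: replace with `host_glibc` output from the target
    need=$(printf '%s\n' "$SAMPLE_ERRORS" | max_glibc_required)
    if glibc_satisfies "$target" "$need"; then
        echo "ok: needs $need"
    else
        echo "too new: needs $need, target has $target"
    fi
}

check_sample
```

To check a real build before copying it, pipe `objdump -T ./ptunnel-ng` into `max_glibc_required` on the build machine and compare the result with `host_glibc` run on the target.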

I used Ptunnel

  • Using ptunnel from Kali. Find the binary using locate ptunnel | grep bin
  • On the victim, run sudo ./ptunnel -p <Attacker_IP> -lp 8000 -da <VICTIM_IP> -dp 22
  • On the attacker host, run sudo ptunnel
  • Connect to the victim using ssh -p 8000 Username@<VICTIM_IP>

it works