• Stars
    star
    189
  • Rank 204,649 (Top 5 %)
  • Language
    C++
  • License
    Other
  • Created over 11 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

ICMP and DNS tunneling via IPv4 and IPv6

fraud-bridge

Intro

This project helps bypassing restrictive censorship environments that block direct TCP or UDP connections, by setting up ICMP, ICMP6, DNS or DNS over UDP6 tunnels. It has the same aim as icmptx, iodine, ozzyman DNS, nstx etc.

It automatically patches TCP MSS option to achieve a non-fragmented stream of packets (known as MSS-clamping).

It also uses MD5 to (HMAC-)integrity protect the tunnel from evil injected TCP packets. If you need privacy, you have to use encryption yourself. Its assumed that you use SSH over the tunnel anyways. (Either directly or with the SSH proxy option if you need HTTP tunneled.)

fraud-bridge also uses EDNS0 extension headers to put as many bytes into the TXT reply as possible. In my tests, as it tries to answer any timing packets, it produces no logs in a bind9 system log-file. If you change the EDNS0 (-E), you need to do it on both ends with the same value. (As inside announces maximum UDP payload size to the nameserver and outside endpoint calculates the MSS from that what was given with -E.)

fraud-bridge also includes some other techniques to cope with certain bind limitations, e.g. quotas/limiting.

Please also note that c->skills is providing the full chain of censorship fucking equipment you may be interested in:

crash and psc

Build

Basically you just do make on Linux.

Run

The usage is as follows:

fraud-bridge -- https://github.com/stealth/fraud-bridge

Usage: ./fraud-bridge <-k key> [-R IP] [-L IP] [-pP port] [-iIuU]
	[-E sz] [-d dev] [-D domain] [-S usec] [-X user] [-r dir] [-v]

	-k -- HMAC key to protect tunnel packets
	-R -- IP or IPv6 addr of (outside) peer when started inside
	-L -- local IP addr to bind to if started outside (can be omitted)
	-p -- remote port to use if in DNS mode (default: 53)
	-P -- local port to use if in DNS mode (outside default: 53)
	-i -- use ICMP tunnel
	-I -- use ICMPv6 tunnel
	-u -- use DNS tunnel over IP
	-U -- use DNS tunnel over IPv6
	-E -- set EDNS0 size (default: 1024)
	-d -- tunnel device to use (default: tun1)
	-D -- DNS domain to use when DNS tunneling
	-S -- usec slowdown for DNS ping (default: 5000)
	-X -- user to run as (default: nobody)
	-r -- chroot directory (default: /var/empty)
	-v -- enable verbose mode

After start, fraud-bridge opens a point-to-point tunnel: 1.2.3.4 <-> 1.2.3.5

Then you need to start inside.sh on the inside and outside.sh outside.

Looks like so:

# ./fraud-bridge -u -R 127.0.0.1 -D f.sub.dnstunnel.com -k key

(and starting inside.sh)

And on outside end of tunnel (e.g. a server at the internet):

# ./fraud-bridge -u -L 192.168.2.222 -D f.sub.dnstunnel.com -k key

(and starting outside.sh)

for a DNS tunnel with a local 127.0.0.1 named running and the outside peer being at 192.168.2.222. As said, outside part of tunnel can (and actually needs to) be started beforehand and will just listen for the peer to open the tunnel. Example zone-files are included if you want to experiment with your own bind setups. For running ITW tunnels they are not necessary.

The -L parameter at outside can be omitted. In real setups the -R parameter on inside setups contains the IP or IP6 address of the outside server, or if DNS recursion is used, the IP address of the DNS server of your provider or public recursive DNS resolver.

You can then use ssh -x -v 1.2.3.5 to get a SSH connection to 192.168.2.222 and use the SSH proxy options to setup a web browser environment that runs across the tunnel.

You can also do that with ICMP: -i and ICMP on IPv6: -I or DNS on UDP via IPv6: -U. It's also possible to switch tunnel from DNS to ICMP beyond your SSH connection, as the TCP state is kept in local and remote kernel and not in the bridge.

fraud-bridge will leave stdout open for reporting errors or verbose messages, so you need to run it on a screen or redirect output to /dev/null if you need it running in background. Keep that in mind since you need to start the inside/outside scripts after invoking fraud-bridge.

Before using any ICMP tunnels, make sure to relax your cable-modem's firewalling rules in order to receive the reply packets from your remote peer. fraud-bridge works behind NAT, but it needs to receive the reply packets at last.

Performance considerations

Since fraud-bridge opens a PtP tunnel, it can strip the IP header off the packets that it transmits and synthesize it at each end. So for ICMP tunneling you just have an overhead of 8 (ICMP) + 16 (HMAC) bytes, which is acceptable. DNS tunneling has still good latency and bandwidth when doing directly, thanks to MSS clamping. When tunneling indirectly via public DNS resolvers, the default values are good enough to have a reasonable session, but of course ICMP tunneling is to prefer whenever possible.

By using ssh -D [0.0.0.0]:1234 1.2.3.5 you can setup a local SOCKS proxy on your machine port 1234 (inside) and distribute it via WLAN to your neighborhood for censorship-free web sessions.

You may also setup a local tor on the outside box, offering a SOCKS port on 127.0.0.1:9150 as you normally do and then using ssh -L 9150:127.0.0.1:9150 1.2.3.5 to forward this outside port to your inside machine, so to exactly mirror the outside tor setup locally and distribute it as tor SOCKS port via WLAN to your users. This way we do not need to implement pluggable transports and you can still use tor as before. The same also works with crash or psc sessions or any other tunneling mechanism.

The -S parameter has a reasonable default value for the DNS timer packets that need to be sent to the server in constant interval. Lower values give a better tunnel latency but may overload the recursive DNS server and produce more noise.

proudly sponsored by:

More Repositories

1

sshttp

SSH/HTTP(S) multiplexer. Run a webserver and a sshd on the same port w/o changes.
C++
861
star
2

opmsg

opmsg message encryption
C++
744
star
3

grab

experimental and very fast implementation of a grep
C++
257
star
4

crash

crypted admin shell: SSH-like strong crypto remote admin shell for Linux, BSD, Android, Solaris and OSX
C++
174
star
5

lophttpd

lots of performance (or lots of porn, if you prefer) httpd: Easy, chrooted, fast and simple to use HTTP server for static content. Runs on Linux, BSD, Android and OSX/Darwin. It's free but if you like it, consider donating to the EFF: https://supporters.eff.org/donate
C++
135
star
6

psc

E2E encryption for multi-hop tty sessions or portshells + TCP/UDP port forward
C++
109
star
7

troubleshooter

setroubleshootd xSports
C
93
star
8

fernmelder

async mass DNS resolver
C++
82
star
9

drops

opmsg p2p transport network
C++
70
star
10

plasmapulsar

PLASMA PULSAR
C
69
star
11

injectso

C
52
star
12

libusipp

unix socket interface for C++ raw IP/IP6/UDP/TCP, Layer2 etc. framework
C++
39
star
13

harddns

RFC8484 and DoH/JSON resolver
C++
38
star
14

pam_schroedinger

Uncertainty for brute forcers during login.
C++
25
star
15

odd

optimized dd
C
20
star
16

qdns

QUANTUM-DNS server
C++
18
star
17

call-graphs

17
star
18

u2f

U2F toolset
C++
17
star
19

QI

Quantum Insert/FoxAcid case study
C++
15
star
20

sslps

OpenSSL Privilege Separation
C
15
star
21

greenday

DGC forensics
Perl
13
star
22

devpops

Companion Worm research
Go
13
star
23

tensor-pwn

AI fun
Python
11
star
24

loaded

IPv4 and IPv6 load balancer
C++
9
star
25

hoschi

hoschi BTC mapper
C++
9
star
26

contrib

Various HTTP, SSH, SSL, localhost etc. related contributions of me, which are too small to have an own repo each
Python
9
star
27

7350topless

C
8
star
28

dropsview

Fancy ncurses frontend for opmsg + drops
C++
8
star
29

aio

scalable Linux implementation for IEEE 1003.1-2004 AIO
C
8
star
30

tinkershell

Perl
7
star
31

number

C++
7
star
32

opmsg-qr

opmsg QR convenience
C
6
star
33

massbind

mass adding ip6 addresses
C
5
star
34

plugmein

pcap USB keyboard sniffer
C++
4
star
35

papyrus

C
3
star
36

test

just ignore
1
star
37

maps

some geojson maps
1
star
38

cloud-clock

C++
1
star
39

polyglots

some polyglots
Shell
1
star
40

bananajoe

Banana Boomsh
C
1
star