Installing and using Tundeep for network tunnelling and testing on Debian
Tundeep is a network tunnelling daemon written in C that runs in userspace using libpcap. It is used as a security testing tool, allowing a tester to tunnel through the target network at layer 2. A TAP interface is brought up on the tester's machine for each level of the network, allowing direct interaction with hosts on the network segment through a compromised client device.
Prerequisites
Install the prerequisites using apt-get:
apt-get install make gcc libc6-dev libpcap-dev
Downloading and building Tundeep
wget http://www.iodigitalsec.com/wp-content/tundeep-latest.tgz
tar -xzf tundeep-latest.tgz
cd tundeep_v0.2a_130916
make
The default make configuration builds on Linux with all options supported. The Makefile can, however, be edited to support Windows or to disable options.
Running Tundeep
Tundeep settings are as follows:
Usage: tundeep <-i iface|[-t|-T] tapiface> <-h ip> <-p port> [-6] [-C] <-c|-s> [-x tapip] [-y tapmask] [-u tapmac] [-b bpf] [-d udp mode] [-e udp remote] [-K]
-6 IPv6 mode
-C compress mode
-K disable checksum
-a print all pcap devs
-b "bpf"
-i interface to bind to
-h IP to bind to/connect to
-p port to bind to/connect to
-c client mode
-s server mode
-d udp mode
-e udp peer
-t tap interface
-T ipv6 tap interface
-u tap mac
-x if -t mode, set iface ip, if -T mode, set iface ipv6 ip
-y if -t mode, set iface mask, if -T mode, set iface ipv6 prefixlen
--------------------
DEBUG(2): Usage: Either -s or -c must be specified
On the compromised server, Tundeep can be started in TCP server mode on port 9999 as follows:
./tundeep -s -h 0.0.0.0 -p 9999 -i eth1
On your client, Tundeep would be initialized as follows:
./tundeep -c -h SERVER-IP -p 9999 -t tap0
Tundeep also supports UDP peer mode (-d/-e) should additional speed or firewall evasion be required. Assuming a server IP of 192.168.1.1 and client IP of 192.168.1.2:
./tundeep -d -e 192.168.1.2 -h 192.168.1.1 -p 53 -i eth1
The client would run:
./tundeep -d -e 192.168.1.1 -h 192.168.1.2 -p 53 -t tap0
The client now presents a 'tap0' interface virtually placed on the server's eth1 (private) interface.
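Because Tundeep captures with libpcap and relays over an ordinary TCP or UDP socket, a process on a Linux host that holds both an AF_PACKET socket and an inet socket is worth a look when auditing the server side. The following is an added example, not part of Tundeep or the original page; it assumes the standard Linux /proc layout, and the function names and sample data are constructed for illustration.

```python
import glob, os, re

# Constructed samples in the Linux /proc/net/packet and /proc/net/tcp layouts.
SAMPLE_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff888003a1c000 3      3    0003   3     1 0      0      41234\n"
)
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41300 1\n"
    "   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41400 1\n"
)
# Constructed pid -> socket-inode map: pid 812 holds a packet socket and a TCP socket.
SAMPLE_PIDS = {812: {41234, 41300}, 655: {41400}}

def packet_inodes(text):
    """Inodes of AF_PACKET sockets (what libpcap opens to capture on Linux)."""
    return {int(l.split()[-1]) for l in text.splitlines()[1:] if l.strip()}

def inet_sockets(text):
    """Map inode -> local port for /proc/net/tcp or /proc/net/udp text."""
    out = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            out[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)
    return out

def pid_socket_inodes(proc="/proc"):
    """Walk /proc/<pid>/fd and collect socket inodes per process (needs root)."""
    pids = {}
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:
            continue  # process or descriptor went away, or access denied
        if m:
            pids.setdefault(int(fd.split(os.sep)[-3]), set()).add(int(m.group(1)))
    return pids

def capture_and_relay(packet_text, inet_text, pids):
    """Processes that hold both a packet-capture socket and a TCP/UDP socket."""
    pkt, inet = packet_inodes(packet_text), inet_sockets(inet_text)
    return {pid: sorted(inet[i] for i in inodes if i in inet)
            for pid, inodes in pids.items()
            if inodes & pkt and inodes & set(inet)}

if __name__ == "__main__":
    print(capture_and_relay(SAMPLE_PACKET, SAMPLE_TCP, SAMPLE_PIDS))  # constructed data
```

On a live host, pass the contents of /proc/net/packet, the concatenated /proc/net/tcp and /proc/net/udp, and the result of pid_socket_inodes(). DHCP clients and similar daemons can match too, so treat a hit as a triage lead rather than a verdict.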
Further Options
- BPF filters can be used (-b) (as with tcpdump) to selectively forward traffic over the link and avoid traffic loops.
- Link compression (-C) is supported to gzcompress data between Tundeep links.
- IP/MAC cloning (via -x/-u) is available should port security or ARP lockdown be in place.
- IPv6 is supported, either to tunnel an IPv6 network over IPv4 or vice versa.