Tundeep is a network tunnelling daemon written in C that runs in userspace on top of libpcap. It is a security-testing tool that lets a tester tunnel into the target network at layer 2: a TAP interface is brought up on the tester’s machine for each level of the network, allowing direct interaction with hosts on that network segment through a compromised client device.
Install the prerequisites using apt-get:
apt-get install make gcc libc6-dev libpcap-dev
Downloading and building Tundeep
tar -xzf tundeep-latest.tgz
The default make configuration builds on Linux with all options supported. The Makefile can, however, be edited to build on Windows or to disable options.
Tundeep's command-line options are as follows:
Usage: tundeep <-i iface|[-t|-T] tapiface> <-h ip> <-p port> [-6] [-C] <-c|-s> [-x tapip] [-y tapmask] [-u tapmac] [-b bpf] [-d udp mode] [-e udp remote] [-K]
-6 IPv6 mode
-C compress mode
-K disable checksum
-a print all pcap devs
-b "bpf"
-i interface to bind to
-h IP to bind to/connect to
-p port to bind to/connect to
-c client mode
-s server mode
-d udp mode
-e udp peer
-t tap interface
-T ipv6 tap interface
-u tap mac
-x if -t mode, set iface ip, if -T mode, set iface ipv6 ip
-y if -t mode, set iface mask, if -T mode, set iface ipv6 prefixlen
--------------------
DEBUG(2): Usage: Either -s or -c must be specified
On the compromised server, Tundeep can be started in TCP server mode on port 9999 as follows:
./tundeep -s -h 0.0.0.0 -p 9999 -i eth1
On your client, Tundeep would be initialized as follows:
./tundeep -c -h SERVER-IP -p 9999 -t tap0
Tundeep also supports a UDP peer mode (-d/-e) where additional speed or firewall evasion is required. Assuming a server IP of 192.168.1.1 and a client IP of 192.168.1.2, the server would run:
./tundeep -d -e 192.168.1.2 -h 192.168.1.1 -p 53 -i eth1
The client would run:
./tundeep -d -e 192.168.1.1 -h 192.168.1.2 -p 53 -t tap0
The client now presents a ‘tap0’ interface virtually placed on the server’s eth1 (private) interface.
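The UDP peer mode above puts the tunnel on udp/53, where it shares a port with DNS. The following is an added example (not part of Tundeep or this write-up) of how a defender can structurally validate udp/53 payloads to separate real DNS messages from tunnelled traffic; the sample datagrams are constructed, and the Ethernet frame standing in for a tunnelled layer-2 frame is an assumption about payload shape, not Tundeep's actual wire encoding.

```python
import struct

# Constructed sample payloads (not captured from Tundeep): a normal recursive A query for example.com.
LEGIT_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
               + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
# An Ethernet frame (broadcast dst, IPv4 ethertype) standing in for a tunnelled
# layer-2 frame; Tundeep's real encoding is not assumed here.
TUNNEL_FRAME = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + bytes(range(60))
SAMPLE_DATAGRAMS = [("192.168.1.2", 53, LEGIT_QUERY),
                    ("192.168.1.1", 53, TUNNEL_FRAME),
                    ("192.168.1.2", 443, b"\x16\x03\x01")]


def _skip_qname(payload: bytes, offset: int):
    """Walk QNAME labels from offset; return the offset just past the root
    label, or None if a label length is invalid (>63, including pointers)."""
    while offset < len(payload):
        length = payload[offset]
        offset += 1
        if length == 0:
            return offset
        if length > 63:  # 0xC0 compression pointers are not valid in a question name
            return None
        offset += length
    return None


def looks_like_dns(payload: bytes) -> bool:
    """Structural plausibility check for a DNS message seen on udp/53."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 0x1  # reserved bit, must be zero
    if opcode not in (0, 1, 2, 4, 5) or z_bit:  # QUERY/IQUERY/STATUS/NOTIFY/UPDATE
        return False
    if not 1 <= qdcount <= 2 or ancount + nscount + arcount > 100:
        return False
    offset = 12
    for _ in range(qdcount):
        offset = _skip_qname(payload, offset)
        if offset is None or offset + 4 > len(payload):  # QTYPE + QCLASS must fit
            return False
        offset += 4
    return True


def flag_non_dns_on_53(datagrams) -> list:
    """Return one alert per (src, dport, payload) udp/53 datagram that is not plausible DNS."""
    return [f"{src} -> udp/53: {len(payload)}-byte payload is not DNS"
            for src, dport, payload in datagrams
            if dport == 53 and not looks_like_dns(payload)]
```

The same check can be fed from a capture tool's per-datagram output; anything on udp/53 that fails it is worth a look, as is a sustained high volume of "valid" queries from one host.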
- BPF filters (-b, using tcpdump syntax) can be used to selectively forward traffic over the link and avoid traffic loops.
- Link compression (-C) is supported, gz-compressing data passed between Tundeep links.
- IP/MAC cloning (via -x/-u) is supported should port security or ARP lockdown be in place.
- IPv6 is supported, allowing an IPv6 network to be tunnelled over IPv4 or vice versa.
IO Digital Sec