Git Product home page Git Product logo

fragtunnel's Introduction

Fragtunnel

Fragtunnel is a PoC TCP tunneling tool that exploits the design flaw that IDS/IPS engines and Next Generation Firewalls have; therefore, it can tunnel your application's traffic to the target server and back while not being detected and blocked by Next Generation firewalls using Layer 7 application rules.

The issue

IDS/IPS engines used by the most next-generation firewalls allow a few packets of data to reach the destination while they collect enough information to make a verdict on whether they should allow or block the traffic. This is a design flaw that was discussed and published by different researchers within the last decade and can be exploited by malicious actors (if they were not already??). A few years ago, a few interesting findings made me curious about this funny behavior, and I did my research and wrote a simple PoC code without being aware of other researchers work. To learn more about the issue, you can check out the slides from my recent presentation on this topic: Bypassing NGFWs - BSides Vancouver 2024

The original PoC code from my initial research was good to just demonstrate the bypass, but it wasn't really useful for other use cases. For a long time, I was envisioning developing a tunneling tool that you can just use with any tool you have and bypass NGFWs without changing their source code. Finally, meet fragtunnel! It may not be perfect yet, but it does the job ;)

How it works?

  • Data received from your local application (tunnel client side) or from target server (tunnel server side)
  • received data gets encoded/decoded (optional)
  • then sliced into smaller fragments.
  • each fragment gets sent one by one over the tunnel, each fragment within a new TCP session
  • fragments coming out from tunnel gets merged to make original data
  • finally, restored original data gets sent to its target (either to your application at local or to the target server)

Usage

Usage: fragtunnel.py -p port -t target ip:port -T tunnel endpoint ip:port -b bind ip:port -e secret -v verbose

-h --help        help
-p --port        port to listen for a local app to connect
-t --target      target's ip:port
-T --Tunnel to   tunnel server's ip:port
-b --bind        tunnel server listen ip:port
-e --encrypt     encrypt/encode tunnel traffic using the secret provided with this flag
-v --verbose     verbose mode

Set up a tunnel server:

python fragtunnel.py -b <interface-ip>:<port-to-listen>

Straightforward. This will be your tunnel server listening for a tunnel client connection. Once the tunnel client is connected, it will pass target information to the server first, and then the server will establish a connection to the final target.

Set up a tunnel client

python fragtunnel.py -p <local-port-to-listen> -t <target-server-address>:<target-server-port> -T <tunnel-server-address>:<tunnel-server-port>

Once executed, the tunnel client will setup a local server on the local port (-p) so you can connect with your application. Then the tunnel client will connect to the target tunnel server using the address and port number provided (-T) and will send target details provided (-t) to the tunnel server so the tunnel server can establish a connection to the final target on its side.

Examples:

# setting up tunnel server
python fragtunnel.py -b 1.2.3.4:80

# setting up tunnel client
python fragtunnel.py -p 1234 -t mywebsite.com:80 -T 1.2.3.4:80
If you want to encode/encrypt your tunnel traffic then:
# setting up tunnel server
python fragtunnel.py -b 1.2.3.4:80 -e secret-key-to-use

# setting up tunnel client
python fragtunnel.py -p 1234 -t mywebsite.com:80 -T 1.2.3.4:80 -e secret-key-to-use

Note:

If you are using encoding/encryption make sure both tunnel client and server have -e flag with same secret key provided!

To-do

This is the initial version of the tool, and currently it has some shortcomings, like:

  • Tunnel traffic is not multithreaded; therefore, the overall speed is slow. Depending on the tool you use and its timeout value, there is quite a bit of a chance that your tool may timeout while sending or receiving the data.
  • Currently, it does not support SSL/TLS. That's something planned to be added.
  • If the tunnel client exits and reconnects for a new target the tunnel server should properly handle the new connection without restarting
  • The tool was tested with a limited number of applications. There might be bugs of which I am not aware yet, but again, this is a working PoC I wanted to share with the community.

Final note:

This is for research and educational purposes only! Do not use this tool for any unauthorized activities or bad things.

fragtunnel's People

Contributors

efeali avatar

Stargazers

avatar avatar Zodiac Engine [MOPD4H] avatar avatar Pickry avatar Ramy Allam avatar SquareZer0 avatar Phil Reed avatar avatar Lz1y avatar Dan Bolsun avatar avatar Michael Eder avatar Priya avatar Nate avatar Matthew Conway avatar hirak0 avatar avatar Xu Hong Bo avatar MyeongGun Kim avatar al0ne avatar avatar Diego Briceno avatar jjan X avatar Nicolas RUFF avatar Ramadhan Amizudin avatar avatar InfosecWatchman avatar JJ0ne avatar avatar Summ3r avatar avatar avatar avatar Unmesh Gundecha avatar Ryan Whitworth avatar Gibran Iqbal avatar Computer button pusher // Pousseur de boutons en informatique || SIN - SIN HACK - HACK || NO-CODE evangelist || Black coffee like my sense of humor avatar Peter Hille avatar ItsTerminal avatar Matthew Linney avatar Wlk7 avatar 蒙花落 avatar EndlessParadox avatar Jonas avatar Greg Martenson avatar guly avatar avatar avatar avatar avatar avatar c0unt avatar avatar Cyril avatar Mohamed Abdennebi avatar Daniel Thorvil avatar avatar avatar avatar Adrian Tarver avatar Alex avatar avatar The Red Operator avatar samy kamkar avatar Christopher H Cope avatar Erik avatar orzchen avatar Kaan Ertürk avatar Brains avatar Michael Clermont avatar hoangitk avatar Globus avatar avatar Subhash Dasyam avatar Denys Daneliuk avatar avatar Maxim Marshak avatar Pierre Garel avatar Paul avatar avatar avatar Rajan avatar S4ndxBeGrasped avatar 晚风 avatar avatar Fidel Perez-Smith avatar avatar OK avatar Ayoub FATHI avatar xsshim avatar avatar avatar A.R. avatar agung susanto avatar DamnVanish avatar Saleh Souzanchi avatar Ricardo avatar (⋆❛ ہ ❛⋆)⊃.:☆..:*・☆ avatar avatar

Watchers

avatar Dimitri Mestdagh avatar

Forkers

emdnaia jermainlaforce djayagit cyb3rm3g wisdark cd9e xbl2022 sent1nelx killvxk sioux69 30579096 edermi teflotask zodiacddos

fragtunnel's Issues

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.