
Disguise UDP traffic in TCP / ICMP using udp2raw



This article will discuss the udp2raw utility, which allows you to bypass firewalls configured to block UDP protocol using RAW sockets, as well as to tunnel any other protocols when working in conjunction with OpenVPN.

Feature Overview


Official website of the tool

The site also shows a diagram of how the utility works.


The diagram makes it clear that the tool consists of a client and a server, and the server has to be placed behind the firewall. Other traffic-tunnelling utilities generally require the same, for example reGeorg, whose operation is described in my other article on defcon.ru.

One server can serve several clients at the same time, and one client can handle several UDP connections through a single RAW socket.

You can use udp2raw on Linux (including Android, OpenWRT, Raspberry Pi) as root, and also on Windows and macOS, but in a rather specific way: as a virtual machine image. The image is only 4.4 MB, though, so it is quite usable.

In its basic form, udp2raw adds fake ICMP / TCP headers to network packets, causing the firewall to treat them as packets of those protocols rather than as UDP.

In FakeTCP mode, udp2raw simulates a three-way TCP handshake when a connection is established and then keeps the SYN / ACK flags set correctly during data transfer.

udp2raw can also be used as an auxiliary tool for stabilizing a connection, for protection against replay attacks (anti-replay window), or simply for encrypting traffic (AES-128-CBC) in ordinary UDP tunnel mode. In that case no fake ICMP / TCP headers are added to the packets.
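As an added illustration (not code from the article or from udp2raw itself), the following Python sketch shows how a sliding anti-replay window of the kind mentioned above decides whether a received packet sequence number is fresh, a replay, or too old to judge. The window size and the packet sequence below are constructed values chosen for the demonstration.

```python
class AntiReplayWindow:
    """Sliding-window replay filter (bitmap over the most recent sequence numbers).

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (highest - i) has already been accepted.
    """

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = -1          # -1: nothing accepted yet
        self.bitmap = 0
        self._mask = (1 << window) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False for a replay or a stale packet."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window:
                # jumped past the whole window: only the new packet is remembered
                self.bitmap = 1
            else:
                # slide the window forward and mark the new highest as seen
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window:
            return False           # too old: fell off the back of the window
        if self.bitmap & (1 << diff):
            return False           # replay: already accepted inside the window
        self.bitmap |= 1 << diff   # late but legitimate (out-of-order delivery)
        return True


# Constructed packet sequence: reordering (3 after 5), a replay (second 3),
# a large jump (20), a stale packet (2), a late arrival (19), and one just
# outside an 8-packet window (12).
SAMPLE_SEQUENCE = [1, 2, 5, 3, 3, 20, 2, 19, 12]


def run_demo(window: int = 8, seqs=SAMPLE_SEQUENCE):
    """Feed the constructed sequence through a window and return the verdicts."""
    w = AntiReplayWindow(window)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    for s, ok in zip(SAMPLE_SEQUENCE, run_demo()):
        print(f"seq={s:3d} -> {'accept' if ok else 'drop'}")
```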

It is also possible to use udp2raw together with OpenVPN, which allows udp2raw to tunnel more than just UDP traffic. The scheme is shown below.



For this case there is a separate, simple instruction on the developer's GitHub.

Practical example


To get started with udp2raw on Linux, download the archive from GitHub

wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/20170826.0/udp2raw_binaries.tar.gz

and unpack it

 root@kalix64:~/tunneling/udp2raw# tar -xvzf udp2raw_binaries.tar.gz
 udp2raw_amd64
 udp2raw_mips34kc
 udp2raw_arm
 udp2raw_amd64_hw_aes
 udp2raw_arm_asm_aes
 udp2raw_mips34kc_asm_aes
 udp2raw_x86
 udp2raw_x86_asm_aes

The client and the server are the same application; only the command-line keys differ at startup.

 usage:
   run as client : ./this_program -c -l local_listen_ip:local_port -r server_ip:server_port [options]
   run as server : ./this_program -s -l server_listen_ip:server_port -r remote_ip:remote_port [options]

Suppose the network contains a Windows machine with the SNMP service enabled and a gateway that blocks UDP packets but allows TCP access to the Windows machine.

The attacker has gained access to the gateway from his Kali Linux machine and placed the udp2raw server there. If the attacker tries to connect directly to the Windows machine on UDP port 161, nothing comes of it.



He can then use udp2raw to hide the nature of the SNMP packets from the firewall by running on the gateway

 ./udp2raw_amd64 -s -l 0.0.0.0:5555 -r 192.168.2.2:161 -a -k "snmptunnel" --raw-mode faketcp 



and on the Kali machine

 ./udp2raw_amd64 -c -l 0.0.0.0:4444 -r 192.168.1.5:5555 -a -k "snmptunnel" --raw-mode faketcp 



Now the attacker can reach the SNMP service of the remote machine through an encrypted tunnel.



In this case only TCP traffic is visible in Wireshark.



If ICMP headers are used instead, Wireshark shows the following



If you inspect the traffic on the gateway side, you will see that perfectly ordinary SNMP UDP packets are being sent to the Windows machine



In conclusion


Additionally, you can speed up the tunnel using kcptun, and look at other tools for tunnelling traffic: reGeorg, dnscat2, icmptunnel and others.

If an intruder uses udp2raw, anomalies of this kind in the corporate network can be detected with IDS, IPS and DPI network security systems.

Source: https://habr.com/ru/post/336900/

