I’ve been frustrated during several pen tests lately at the lack of a tool to tunnel through a network in the way that I want to.

Consider the following network:

[Attacker (eth0)]

Once we’ve compromised VICTIM1 we have a number of current choices to tunnel deeper into the network. As far as I’m aware, these are:

  1. Metasploit’s ‘autoroute’ module.
    Advantages: This is a great tool that does exactly what I want. It tunnels traffic through the victim so that the attacker appears to be on the victim’s network.
    Disadvantages: Works great, but only works from within metasploit. No use for running external tools, scans, or layer 2 protocols. Metasploit Pro has a VPN tunneling feature that looks ideal although not all of us can afford it 😉
  2. Metasploit’s portfwd module/iptables/simpleproxy.
    Advantages: Quick and easy
    Disadvantages: Only forwards specified single layer 3 UDP/TCP ports, and each port must be forwarded individually.
  3. Proxychains/ssh -D SOCKS tunnelling.
    Advantages: This is my current preferred method wherever possible. Easy and reasonably flexible
    Disadvantages: Proxychains is a hack in itself, and only supports layer 3 TCP.
  4. Implement a VPN server and set up bridging on your victim.
    Advantages: Will do exactly what we want
    Disadvantages: Disastrous idea, requires config and install on victim, possibly reboot or interface reconfiguration/bridging, very unstealthy

Currently, my preferred method is a mixture of the above depending on the scenario. What I’ve always wanted though, is a method to bring up a local interface on the remote network, that I can interact with as if I was directly connected, running any tools I wish including ARP scans and poisoning.

Introducing TUNDEEP… [Get tundeep now]

For the next release I’m planning compression mode, packet mangling, and a code cleanup as well as any bug fixes that arise.