Like me, you may have faced this situation when you really need Internet but only have access to non-free WiFi hotspots (airport, tube, train, etc.). And even worse, when you cannot establish a single SSH connection or VPN proxy because the firewall blocks everything. Fortunately, DNS tunneling is here to save us!
One of the most famous DNS tunneling tools is iodine, which is quite easy to set up. Unfortunately the latest client version (0.6.0-rc1) was not available for iOS, until I decided to compile it and push it to my Cydia repository. So you can now enjoy DNS tunneling on your jailbroken iPhone, iPad or iPod Touch!
The package “iodine 0.6.0-rc1 (IPv4 over DNS tunnel)” installs the latest, patched version of iodine on your iDevice. This tool lets you tunnel IPv4 data through a DNS server, which is useful in situations where Internet access is firewalled but DNS queries are allowed.
If you need the server daemon compiled for iOS too, feel free to contact me.
How do I install this package?
Add Thireus Repository http://repo.thireus.com/ to Cydia and install the package named “iodine 0.6.0-rc1 (IPv4 over DNS tunnel)”.
Is it safe?
The iodine client itself should be safe to use. The most dangerous aspect of DNS tunneling is that anyone on the path can see your traffic and do nasty things with it: nothing is encrypted. So if you really wish to do DNS tunneling you should run an SSH tunnel inside the DNS tunnel.
I recommend you read the following lines carefully. They are extracted from the manpage:
Login is a relatively secure challenge-response MD5 hash, with the password never passing the wire. However, all other data is NOT encrypted in any way. The DNS traffic is also vulnerable to replay, injection and man-in-the-middle attacks, especially when iodined is used with the -c option. Use of ssh or vpn tunneling is strongly recommended. On both server and client, use iptables, pf or other firewalls to block all traffic coming in from the tun interfaces, except to the used ssh or vpn ports.
What about performance?
DNS tunneling is very slow. But you have to understand that such a trick gives you Internet access in the worst scenario, just by connecting to a WiFi hotspot that resolves DNS queries (most of them do). Depending on the payload size you can pipe into the DNS tunnel, performance can be as bad as 5kb/s but can go up to 200kb/s.
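The payload a tunnel squeezes into each query is exactly what makes it visible from the resolver side: long, high-entropy labels, record types such as NULL or TXT that ordinary clients rarely ask for, and a steady stream of names that never repeat. The following Python scorer is an added example, not code from the original post or from the iodine project; it runs over constructed resolver log lines, and the log format, the "last two labels" zone grouping and the thresholds are assumptions made for the example rather than values tuned on real traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log. The line format
# "<epoch> <client-ip> <qtype> <qname>" is an assumption made for this
# example; adapt parse_line() to your resolver's real log format.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000000 10.0.0.5 AAAA www.example.com
1700000001 10.0.0.7 NULL 0aYFz3kq9sQ2.tunnel.example.net
1700000001 10.0.0.7 NULL 0bZ7Q1mKx9PdL3vWcRt8Hy2nJ.tunnel.example.net
1700000002 10.0.0.7 NULL 0cQpL2Vd8xMsK4yR.tunnel.example.net
1700000002 10.0.0.7 TXT 0dAj2Kf9Xq.tunnel.example.net
1700000003 10.0.0.5 A mail.example.com
"""

# Record types iodine can be told to carry data in (its -T option);
# NULL and TXT are the usual ones, the others are fallbacks.
TUNNEL_QTYPES = {"NULL", "PRIVATE", "TXT", "SRV", "MX", "CNAME"}

# Thresholds are an assumption for this example, not tuned on real data.
MIN_AVG_PREFIX_LEN = 20
MIN_AVG_ENTROPY = 3.5
MIN_TUNNEL_QTYPE_FRACTION = 0.5


def shannon_entropy(text):
    """Bits per character; encoded payloads score high, real words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    epoch, client, qtype, qname = line.split()
    # Keep the original case: base64-style encoders use both cases, and
    # lowercasing would hide that entropy.
    return {"ts": int(epoch), "client": client,
            "qtype": qtype.upper(), "qname": qname.rstrip(".")}


def split_name(qname):
    """Return (prefix, zone), zone being the last two labels (assumption:
    no public-suffix list, so co.uk-style zones are not handled)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(log_text):
    """Group queries by (client, zone) and compute tunnel indicators."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            q = parse_line(line)
            groups[(q["client"], split_name(q["qname"])[1])].append(q)
    report = {}
    for key, queries in groups.items():
        prefixes = [split_name(q["qname"])[0] for q in queries]
        n = len(queries)
        avg_len = sum(len(p) for p in prefixes) / n
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / n
        tunnel_frac = sum(q["qtype"] in TUNNEL_QTYPES for q in queries) / n
        unique_frac = len(set(prefixes)) / n  # tunnels almost never repeat a name
        suspicious = (avg_len >= MIN_AVG_PREFIX_LEN
                      and avg_entropy >= MIN_AVG_ENTROPY
                      and tunnel_frac >= MIN_TUNNEL_QTYPE_FRACTION)
        report[key] = {"queries": n, "avg_prefix_len": avg_len,
                       "avg_entropy": avg_entropy,
                       "tunnel_qtype_fraction": tunnel_frac,
                       "unique_prefix_fraction": unique_frac,
                       "suspicious": suspicious}
    return report


def suspicious_pairs(log_text):
    """(client, zone) pairs whose queries look like a tunnel."""
    return sorted(k for k, v in analyse(log_text).items() if v["suspicious"])


if __name__ == "__main__":
    for (client, zone), feats in analyse(SAMPLE_LOG).items():
        flag = "TUNNEL?" if feats["suspicious"] else "ok"
        print(f"{client:<10} {zone:<14} n={feats['queries']} "
              f"len={feats['avg_prefix_len']:.1f} H={feats['avg_entropy']:.2f} "
              f"tunnel_qtypes={feats['tunnel_qtype_fraction']:.0%} {flag}")
```

On the sample, the 10.0.0.5 traffic to example.com scores as ordinary browsing while the four NULL/TXT queries from 10.0.0.7 to example.net trip all three indicators. Real deployments would add a rate feature (queries per minute to one zone) and whitelist known long-label domains such as CDN or anti-spam lookups, which otherwise produce false positives.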
Enjoy Internet everywhere!
Big thanks to Kryo, yarrick, Doorman, D4rkM4t3r and all iodine contributors.
- http://code.kryo.se/iodine/ – Official iodine website, kryo.se: iodine (IP-over-DNS, IPv4 over DNS tunnel).
- https://github.com/yarrick/iodine – A maintained iodine version. This is the one I used.
- http://doorman.danssaert.be/?p=51 – An old iodine version (0.5.2) compiled for iOS with diff provided by Doorman.
- https://github.com/D4rkM4t3r/libpcap-iphone – libpcap for iOS. Awesome script by D4rkM4t3r.
- http://code.gerade.org/tunemu/ – tunemu, a tun device emulation for Darwin.
Tcpdump (remote) and WireShark (local) can be combined to analyse your router’s traffic
While debugging my DD-WRT router, I wanted to analyse some traffic between my DD-WRT router and my iPhone. Usually I do a MITM attack, but I recently found that tcpdump can be installed on DD-WRT. Wireshark can thus be used to analyse the traffic dumped locally by the remote tcpdump application.
Some other examples can be found on the following page: analyze traffic remotely over ssh w/ wireshark. Unfortunately, under MacOS, FIFO files combined with pipes are not supported by Wireshark. To bypass this limitation, all traffic must be stored in a file using the following command line:
ssh root@ROUTER_IP tcpdump -i wl0.1 -U -s0 -w - 'not port 22' > /tmp/wireshark_analyse_01 &
The traffic dumped by tcpdump is stored locally in the file /tmp/wireshark_analyse_01, which Wireshark can then open. The only disadvantage is that you must reload the file to see the newly dumped traffic (there is a button in Wireshark to do it).
If you really want the FIFO functionality, you should use another OS or another Wireshark version that supports the pipe/FIFO tricks. You can also install a decent version of Wireshark using MacPorts if you are running MacOS X.
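The stream that `tcpdump -w -` sends over SSH is in libpcap format, and because tcpdump is still appending to the file while Wireshark reloads it, the last record can be incomplete at any given moment. The Python example below is added here and is not code from the original post, from DD-WRT or from Wireshark: it builds a small constructed capture in memory, parses the global header and records, stops cleanly at a partial trailing record instead of failing, and counts EtherTypes as a quick sanity check that the right interface was captured. The two frames, their MAC addresses and timestamps are placeholders.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # libpcap with nanosecond timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1


def build_sample_pcap(truncate_last=False):
    """Construct a tiny libpcap file in memory (placeholder data, not a
    real capture). With truncate_last=True the final record is cut short,
    as happens when tcpdump is still writing it."""
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen (tcpdump -s0), linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144,
                         LINKTYPE_ETHERNET)
    broadcast = b"\xff" * 6
    mac_a = b"\x02\x00\x00\x00\x00\x01"   # locally administered placeholder MACs
    mac_b = b"\x02\x00\x00\x00\x00\x02"
    frames = [
        broadcast + mac_a + b"\x08\x06" + b"A" * 28,   # 42-byte ARP-like frame
        mac_a + mac_b + b"\x08\x00" + b"B" * 60,       # 74-byte IPv4-like frame
    ]
    body = b""
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len
        body += struct.pack("<IIII", 1700000000 + i, 1000 * i,
                            len(frame), len(frame)) + frame
    if truncate_last:
        body = body[:-20]
    return header + body


def parse_pcap(data):
    """Return (linktype, packets, unread_tail_bytes). Each packet is a
    (timestamp_seconds, captured_bytes, original_length) tuple. A partial
    trailing record is reported through the tail count, not raised."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        endian, ts_scale = "<", 1e-6
    elif magic == PCAP_MAGIC_NSEC:
        endian, ts_scale = "<", 1e-9
    elif magic == 0xD4C3B2A1:          # same magics written big-endian
        endian, ts_scale = ">", 1e-6
    elif magic == 0x4D3CB2A1:
        endian, ts_scale = ">", 1e-9
    else:
        raise ValueError("not a libpcap file (pcapng needs a different parser)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HEADER_LEN])

    packets = []
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if (snaplen and incl_len > snaplen) or incl_len > orig_len:
            raise ValueError(f"corrupt record header at offset {offset}")
        start = offset + RECORD_HEADER_LEN
        if start + incl_len > len(data):
            break   # partial record: tcpdump has not finished writing it yet
        packets.append((ts_sec + ts_frac * ts_scale,
                        data[start:start + incl_len], orig_len))
        offset = start + incl_len
    return linktype, packets, len(data) - offset


def ethertype_counts(data):
    """Count EtherTypes in an Ethernet (linktype 1) capture."""
    linktype, packets, _ = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported linktype {linktype}")
    counts = {}
    for _, frame, _ in packets:
        if len(frame) >= 14:
            etype = struct.unpack("!H", frame[12:14])[0]
            counts[etype] = counts.get(etype, 0) + 1
    return counts


if __name__ == "__main__":
    for partial in (False, True):
        linktype, packets, tail = parse_pcap(build_sample_pcap(partial))
        print(f"linktype={linktype} complete_packets={len(packets)} "
              f"unread_tail_bytes={tail}")
    print({hex(k): v for k, v in ethertype_counts(build_sample_pcap()).items()})
```

To use it on the real dump, read /tmp/wireshark_analyse_01 in binary mode and pass the bytes to parse_pcap(); a non-zero tail on a file that tcpdump has already closed indicates a corrupted capture rather than an in-progress write.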
Assuming the router you’re connected to does not filter any IPv4 broadcasts, you can easily use ping to perform a quick scan of your network.
For example, if your network is 192.168.1.0/24, pinging the broadcast address 192.168.1.255 will give you something like:
Thireus:~ thireus$ ping 192.168.1.255
PING 192.168.1.255 (192.168.1.255): 56 data bytes
64 bytes from 192.168.1.102: icmp_seq=0 ttl=64 time=0.087 ms
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.553 ms (DUP!)
64 bytes from 192.168.1.152: icmp_seq=0 ttl=64 time=124.870 ms (DUP!)
64 bytes from 192.168.1.102: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.454 ms (DUP!)
64 bytes from 192.168.1.152: icmp_seq=1 ttl=64 time=39.073 ms (DUP!)
Then arp will list all MAC addresses associated with the IPs that replied:
Thireus:~ thireus$ arp -a
? (192.168.1.1) at 0:14:8d:41:87:1a on en0 ifscope [ethernet]
? (192.168.1.102) at e3:7a:2b:79:55:11 on en0 ifscope [ethernet]
? (192.168.1.152) at e1:15:d6:55:34:12 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
Note: on Linux, the -b option is required to perform a broadcast ping.
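As an added example that is not part of the original post, the script below correlates the two outputs above: it parses the ping replies (the DUP! lines are the interesting ones in a broadcast ping, since only the first answer per sequence number is reported without that tag), parses the arp -a table, zero-pads the MAC addresses that macOS prints in short form, drops the broadcast entry, and produces one row per responding host. The input is the page's own sample output, embedded here as constructed test data; the regular expressions match the macOS ping and arp formats shown on the page and are an assumption for other platforms.

```python
import re
from collections import defaultdict

# The page's own sample output, embedded as constructed test input.
PING_OUTPUT = """\
PING 192.168.1.255 (192.168.1.255): 56 data bytes
64 bytes from 192.168.1.102: icmp_seq=0 ttl=64 time=0.087 ms
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.553 ms (DUP!)
64 bytes from 192.168.1.152: icmp_seq=0 ttl=64 time=124.870 ms (DUP!)
64 bytes from 192.168.1.102: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.454 ms (DUP!)
64 bytes from 192.168.1.152: icmp_seq=1 ttl=64 time=39.073 ms (DUP!)
"""

ARP_OUTPUT = """\
? (192.168.1.1) at 0:14:8d:41:87:1a on en0 ifscope [ethernet]
? (192.168.1.102) at e3:7a:2b:79:55:11 on en0 ifscope [ethernet]
? (192.168.1.152) at e1:15:d6:55:34:12 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

# Formats as printed by macOS ping and arp (assumption for other platforms).
REPLY_RE = re.compile(
    r"^\d+ bytes from (\d+\.\d+\.\d+\.\d+): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
ARP_RE = re.compile(
    r"^\S+ \(([\d.]+)\) at ([0-9a-fA-F:]+|\(incomplete\)) on (\S+)")

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """macOS prints 0:14:8d:...; pad each octet so MACs compare reliably."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_ping(text):
    """Map each replying IP to the list of RTTs (ms) it answered with."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            hosts[m.group(1)].append(float(m.group(4)))
    return dict(hosts)


def parse_arp(text):
    """Map IP -> (mac, interface), skipping unresolved and broadcast entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m or m.group(2) == "(incomplete)":
            continue
        mac = normalize_mac(m.group(2))
        if mac == BROADCAST_MAC:
            continue   # the broadcast address itself, not a host
        table[m.group(1)] = (mac, m.group(3))
    return table


def inventory(ping_text, arp_text):
    """One row per host seen by either tool, sorted numerically by IP.
    A host with replies but no MAC, or a MAC but no replies, still shows up."""
    rtts = parse_ping(ping_text)
    arp = parse_arp(arp_text)
    rows = []
    for ip in sorted(set(rtts) | set(arp),
                     key=lambda a: tuple(int(p) for p in a.split("."))):
        samples = rtts.get(ip, [])
        mac, iface = arp.get(ip, (None, None))
        rows.append({"ip": ip, "mac": mac, "iface": iface,
                     "replies": len(samples),
                     "avg_ms": sum(samples) / len(samples) if samples else None})
    return rows


if __name__ == "__main__":
    for row in inventory(PING_OUTPUT, ARP_OUTPUT):
        avg = f"{row['avg_ms']:.3f} ms" if row["avg_ms"] is not None else "no reply"
        print(f"{row['ip']:<15} {row['mac'] or 'no ARP entry':<18} "
              f"{row['iface'] or '-':<5} replies={row['replies']} {avg}")
```

Hosts that ignore broadcast pings (many Windows machines do) can still appear in the ARP table if they have exchanged any traffic with you, which is why the inventory merges both sources rather than trusting ping alone.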