Thireus' Bl0g

Netw0rk

DNS Tunneling iodine 0.6.0-rc1 iOS version – IPv4 over DNS tunnel on your iPhone/iPad/iPod Touch

by on Apr.01, 2013, under Hack1ng, Netw0rk, iOS, JailBr3ak.

Thireus Repository

The famous DNS tunneling client, iodine 0.6.0-rc1 for iOS 6.1! Available in Thireus Cydia Repository

Like me, you may have faced this situation: you really need Internet access but only have non-free WiFi hotspots within reach (airport, tube, train, etc.). Even worse, you cannot establish a single SSH connection, nor a VPN or proxy, because the firewall blocks everything. Fortunately, DNS tunneling is here to save us!

One of the most famous DNS tunneling tools is iodine, which is quite easy to set up. Unfortunately the latest client version (0.6.0-rc1) was not available for iOS, until I decided to compile it and push it to my Cydia Repository. So you can now enjoy DNS tunneling on your jailbroken iPhone, iPad or iPod Touch! :-)

Description

The package “iodine 0.6.0-rc1 (IPv4 over DNS tunnel)” installs the latest and patched version of iodine on your iDevice. This tool lets you tunnel IPv4 data through a DNS server. This is useful in various situations where Internet access is firewalled but DNS queries are allowed.

[Screenshot: iodine 0.6.0-rc1 running on iOS 6.1.2]

If you need the server daemon compiled for iOS too, feel free to contact me.

How do I install this package?

Add Thireus Repository http://repo.thireus.com/ to Cydia and install the package named “iodine 0.6.0-rc1 (IPv4 over DNS tunnel)“.

Is it safe?

The iodine client itself should be safe to use. The most dangerous aspect of DNS tunneling is that anyone on the path can see your traffic and tamper with it: nothing is encrypted. So if you really wish to do DNS tunneling you should run an SSH tunnel inside the DNS tunnel.

I recommend that you read the following lines carefully. They are extracted from the manpage:

Login is a relatively secure challenge-response MD5 hash, with the password never passing the wire. However, all other data is NOT encrypted in any way. The DNS traffic is also vulnerable to replay, injection and man-in-the-middle attacks, especially when iodined is used with the -c option. Use of ssh or vpn tunneling is strongly recommended. On both server and client, use iptables, pf or other firewalls to block all traffic coming in from the tun interfaces, except to the used ssh or vpn ports.
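The manpage's two recommendations, SSH inside the DNS tunnel and a firewall on the tun interface, as an added shell example (not from the original post or from the iodine project). The interface name dns0, the server tunnel address 10.0.0.1, the user name and the ports are assumptions; adjust them to your setup. The rules are printed first (DRY_RUN=1, the default) so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not part of the original post or of iodine itself.
# Assumptions: the server-side tun device is named dns0, SSH listens on port 22,
# and the server end of the tunnel is 10.0.0.1 (placeholder values).

# Print iptables rules for the server: accept SSH arriving over the tunnel,
# accept replies to existing connections, drop everything else coming in from
# the tun interface and never forward anything that arrives on it.
tun_rules() {
  iface="$1"; ssh_port="${2:-22}"
  cat <<EOF
iptables -A INPUT -i $iface -p tcp --dport $ssh_port -j ACCEPT
iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -j DROP
iptables -A FORWARD -i $iface -j DROP
EOF
}

# Sanity check before applying: the rule set must end in two explicit DROPs.
drop_rule_count() { tun_rules "$@" | grep -c -- '-j DROP'; }

# Apply the rules (only when DRY_RUN is set to 0).
apply_tun_rules() {
  if [ "${DRY_RUN:-1}" = 1 ]; then tun_rules "$@"; else tun_rules "$@" | sh; fi
}

# Client side: once "iodine -f <nameserver> <topdomain>" has brought the tunnel up,
# open a SOCKS proxy through it so application traffic is encrypted end to end by ssh.
# $1: server tunnel address, $2: local SOCKS port, $3: user name on the server.
ssh_over_tunnel() {
  cmd="ssh -N -D ${2:-1080} ${3:-user}@$1"
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

# Usage (dry run, prints the commands): apply_tun_rules dns0 22; ssh_over_tunnel 10.0.0.1
```

Point a browser at localhost:1080 as a SOCKS proxy once the ssh session is up; the DNS tunnel then only ever carries ciphertext, which is what the manpage's warning about replay, injection and man-in-the-middle attacks asks for.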

What about performance?

DNS tunneling is very slow. But you have to understand that such a trick gives you Internet in the worst-case scenario, just by reaching a WiFi hotspot that lets DNS queries through (most of them do). Depending on the payload size you can pipe into the DNS tunnel, you may see very poor performance such as 5kb/s, but it can go up to 200kb/s.

Enjoy Internet everywhere! :-D
Big thanks to Kryo, yarrick, Doorman, D4rkM4t3r and all iodine contributors.


Analyse Traffic Remotely over SSH with your Local WireShark Application

by on Nov.02, 2011, under Hack1ng, Netw0rk.

Tcpdump (remote) and WireShark (local) can be combined to analyse your router’s traffic

While debugging my DDWRT router, I wanted to analyse some traffic between my DDWRT router and my iPhone. Usually I do a MITM attack, but I recently found that tcpdump can be installed on DDWRT. WireShark can thus be used locally to analyse the traffic dumped by the remote tcpdump application.

Some other examples can be found on the following page: analyze traffic remotely over ssh w/ wireshark. Unfortunately, under MacOS, FIFO files combined with pipes are not supported by Wireshark :-( To bypass this limitation, all traffic must be stored into a file using the following command line:

ssh root@ROUTER_IP tcpdump -i wl0.1 -U -s0 -w - 'not port 22' > /tmp/wireshark_analyse_01 &

The traffic dumped by tcpdump is stored locally in the file /tmp/wireshark_analyse_01, which WireShark can then open ;-) The only disadvantage is that you must reload the file to see the newly dumped traffic (there is a button in WireShark to do it).

If you really want the FIFO functionality, you should use another OS or Wireshark version that supports the pipe/FIFO tricks. You can also install a decent version of WireShark through MacPorts if you are running MacOS X :-D
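The capture command above wrapped in a small helper, plus the check I would want before opening the file in Wireshark: that the dump really is pcap (or pcapng) data and that it contains more than the global header. This is an added example, not from the original post; the router address, interface name and output path are placeholders taken from the post's command line.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholders: ROUTER_IP, wl0.1,
# /tmp/wireshark_analyse_01. The filter 'not port 22' keeps the ssh session that
# carries the dump out of the dump itself.

# Start tcpdump on the router and stream the capture to a local file in the
# background; prints the PID of the ssh process so the capture can be stopped.
start_remote_capture() {
  router="$1"; iface="${2:-wl0.1}"; outfile="${3:-/tmp/wireshark_analyse_01}"
  ssh "root@$router" "tcpdump -i $iface -U -s0 -w - not port 22" > "$outfile" &
  echo $!
}

# Identify the file by its 4-byte magic number: pcap in either byte order,
# nanosecond-resolution pcap, or pcapng (Wireshark's default format).
capture_type() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1) echo "pcap (little-endian, microseconds)" ;;
    a1b2c3d4) echo "pcap (big-endian, microseconds)" ;;
    4d3cb2a1) echo "pcap (little-endian, nanoseconds)" ;;
    a1b23c4d) echo "pcap (big-endian, nanoseconds)" ;;
    0a0d0d0a) echo "pcapng" ;;
    *)        echo "unknown" ;;
  esac
}

# A pcap file holding only the 24-byte global header has captured nothing yet:
# either the filter matches nothing or tcpdump died right after starting.
capture_has_packets() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -gt 24 ]
}

# Usage:
#   pid=$(start_remote_capture ROUTER_IP wl0.1 /tmp/wireshark_analyse_01)
#   sleep 5; capture_type /tmp/wireshark_analyse_01
#   capture_has_packets /tmp/wireshark_analyse_01 && echo "packets captured"
#   kill "$pid"   # stop the remote tcpdump when done
```

The -U flag makes tcpdump flush each packet as it is written, which is what keeps the local file usable while the capture is still running; without it the file stays empty until tcpdump's buffer fills.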

Happy debug!


Tip – Quick Method To Scan Hosts Using ping

by on Nov.02, 2011, under Hack1ng, Netw0rk.

Assuming the router you’re connected to does not filter any IPv4 broadcasts, you can easily use ping to perform a quick scan of your network.

For example, if your network is 192.168.1.0/24:

ping 192.168.1.255

This will give you something like:

Thireus:~ thireus$ ping 192.168.1.255
 PING 192.168.1.255 (192.168.1.255): 56 data bytes
 64 bytes from 192.168.1.102: icmp_seq=0 ttl=64 time=0.087 ms
 64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.553 ms (DUP!)
 64 bytes from 192.168.1.152: icmp_seq=0 ttl=64 time=124.870 ms (DUP!)
 64 bytes from 192.168.1.102: icmp_seq=1 ttl=64 time=0.065 ms
 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.454 ms (DUP!)
 64 bytes from 192.168.1.152: icmp_seq=1 ttl=64 time=39.073 ms (DUP!)

Then arp will list the MAC addresses associated with the IPs that replied:

Thireus:~ thireus$ arp -a
 ? (192.168.1.1) at 0:14:8d:41:87:1a on en0 ifscope [ethernet]
 ? (192.168.1.102) at e3:7a:2b:79:55:11 on en0 ifscope [ethernet]
 ? (192.168.1.152) at e1:15:d6:55:34:12 on en0 ifscope [ethernet]
 ? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]

Note: On Linux, the -b option is required to perform a broadcast ping.
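The same sweep as a script, as an added example that is not part of the original post: it parses the unique responders out of ping's output (the DUP! lines are expected, every host after the first to answer is flagged as a duplicate), matches each one against the ARP cache, and picks the -b flag only on Linux. The sample outputs embedded below are constructed from the lines shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Sample outputs are constructed
# from the post's own ping and arp listings so the parsing can be tried offline.

PING_SAMPLE='PING 192.168.1.255 (192.168.1.255): 56 data bytes
 64 bytes from 192.168.1.102: icmp_seq=0 ttl=64 time=0.087 ms
 64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.553 ms (DUP!)
 64 bytes from 192.168.1.152: icmp_seq=0 ttl=64 time=124.870 ms (DUP!)
 64 bytes from 192.168.1.102: icmp_seq=1 ttl=64 time=0.065 ms
 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.454 ms (DUP!)
 64 bytes from 192.168.1.152: icmp_seq=1 ttl=64 time=39.073 ms (DUP!)'

ARP_SAMPLE='? (192.168.1.1) at 0:14:8d:41:87:1a on en0 ifscope [ethernet]
? (192.168.1.102) at e3:7a:2b:79:55:11 on en0 ifscope [ethernet]
? (192.168.1.152) at e1:15:d6:55:34:12 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]'

# stdin: ping output. Prints each IP that answered, once.
responders() {
  sed -n 's/^ *[0-9][0-9]* bytes from \([0-9.]*\):.*/\1/p' | sort -u
}

# stdin: one IP per line; $1: "arp -a" output. Prints "ip mac", or "ip unknown"
# when the ARP cache has no entry (works with the macOS/BSD and net-tools formats).
with_mac() {
  while read -r ip; do
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # dots are literal in the pattern
    mac=$(printf '%s\n' "$1" | sed -n "s/^.*(${esc}) at \([0-9a-fA-F:]*\) .*/\1/p")
    printf '%s %s\n' "$ip" "${mac:-unknown}"
  done
}

# Run the sweep for real against a broadcast address, e.g. 192.168.1.255.
# Linux ping needs -b to accept a broadcast destination; macOS/BSD ping has no -b.
# Two echo requests are enough, the DUP! replies carry the other hosts.
broadcast_sweep() {
  bcast="$1"
  case "$(uname -s)" in
    Linux) ping -b -c 2 -n "$bcast" ;;
    *)     ping -c 2 -n "$bcast" ;;
  esac 2>/dev/null | responders | with_mac "$(arp -an)"
}

# Offline demonstration on the constructed samples:
#   printf '%s\n' "$PING_SAMPLE" | responders | with_mac "$ARP_SAMPLE"
```

Hosts whose firewall drops echo requests to the broadcast address (the default on Windows and on many hardened systems) never show up in this list, so an empty or short result is not proof that the segment is empty.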

