Stealing data using PING

RoadToOSCP · Published in System Weakness · 3 min read · Nov 19, 2022

In a red teaming exercise, once we are inside the internal network of our target, we try to hide our presence from the network security controls while exfiltrating data to our C2 servers. While doing so, red teamers always look for alternative means of data exfiltration.

Usually, attackers use covert channels for data exfiltration because these channels are very difficult to detect.

In this post, I will list a few common data exfiltration techniques and pick one of them to cover in detail (which one?? :P)

  1. Hypertext Transfer Protocol (HTTP): The most common technique is to use HTTP to exfiltrate data, because this traffic is very common in enterprise networks and is always permitted. Given the high volume of HTTP traffic, attackers try to hide their tracks by mixing their data with legitimate traffic.
  2. SMTP: SMTP is another commonly used technique for data exfiltration. Several malware programs are designed to exfiltrate stolen information to an attacker-controlled SMTP server.
  3. DNS tunnel: DNS tunneling is a popular technique for exfiltrating data through features of the DNS protocol. If a host is exfiltrating data through DNS, we expect the number of requests to port 53 to be much larger than usual.
  4. ICMP tunnel: ICMP is a supporting protocol in the Internet protocol suite and is widely known for applications such as ping or traceroute. Malicious actors can use ICMP to exfiltrate data by taking advantage of organizations that allow outbound ICMP traffic. This article focuses mainly on this technique.
  5. ARP tunnel: ARP is a communication protocol used for discovering link-layer addresses, such as MAC addresses, associated with a given Internet-layer address. The ARP protocol also allows data to be transferred within local networks.
  6. IPv6 tunnel: Though this new method of exfiltration is still in its nascent stage, it is possible to exfiltrate data from an internal network using a covert channel built on top of the IPv6 header's flow label field.

Now back to our topic of the day… which is how PING can be abused???

ICMP (Internet Control Message Protocol) is a protocol in the Internet protocol suite. It is used by network devices to send error messages and operational information, and the most commonly used ICMP message is the ping. Ping is a control message that is part of ICMP.

Ping is sent from one device in a network to another. The sending device sets a destination, and if the message is received by the destination, it returns it right back (an echo request answered by an echo reply).

But the question still remains: how can this simple PING be abused???

Let's look at the basics of ICMP. Below you can see the structure of an ICMP packet. The payload portion is where an attacker mostly tries to inject their data; however, they can also adopt different methods using other ICMP parameters.
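As an added example that is not part of the original post, here is a small Python inspector for the packet format just described: it splits an ICMP echo message into its header fields and data, verifies the checksum, and flags data that an unmodified ping would not send (wrong pattern, oversized, or high entropy), plus a per-source volume check of the same kind the DNS item above mentions. The sample packets are constructed inline, and the thresholds (`MAX_NORMAL_PAYLOAD`, `HIGH_ENTROPY_BITS`, `MAX_ECHO_PER_SOURCE`) are my own assumptions that a defender would tune to their network; nothing here comes from the post or its video.

```python
# Added example (not from the original post): parse ICMP echo messages and flag
# data that does not look like an ordinary ping. All sample packets are
# constructed inline; the thresholds are assumptions a defender would tune.
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Data an unmodified Windows ping sends (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Linux iputils ping: 8-byte timestamp, then bytes 0x08..0x37 (56 bytes of data).
LINUX_PING_TAIL = bytes(range(8, 56))

# Assumed tuning thresholds (not from the post).
MAX_NORMAL_PAYLOAD = 64     # bytes of echo data; larger is worth a look
HIGH_ENTROPY_BITS = 6.0     # bits per byte; encrypted/compressed data sits near 8
MAX_ECHO_PER_SOURCE = 20    # echo requests per source in the inspected window


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over the message with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message: type(1) code(1) checksum(2) identifier(2) sequence(2), data."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return {"type": icmp_type, "code": code, "checksum": checksum, "id": ident,
            "seq": seq, "payload": packet[8:],
            "checksum_ok": icmp_checksum(zeroed) == checksum}


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Assemble a well-formed echo request; used only to construct the samples below."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for empty or constant data, 8 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_stock_ping(payload: bytes) -> bool:
    """True if the data is what an unmodified Windows or Linux ping would send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_TAIL


def inspect_echo(packet: bytes) -> list:
    """Reasons an echo message looks suspicious; an empty list means it looks normal."""
    msg = parse_icmp(packet)
    if msg["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    reasons = []
    if not msg["checksum_ok"]:
        reasons.append("bad checksum")
    payload = msg["payload"]
    if looks_like_stock_ping(payload):
        return reasons
    reasons.append("payload does not match a stock ping pattern")
    if len(payload) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    if shannon_entropy(payload) > HIGH_ENTROPY_BITS:
        reasons.append("high-entropy payload")
    return reasons


def noisy_sources(observed: list) -> dict:
    """Sources sending more echo requests than MAX_ECHO_PER_SOURCE in one window."""
    counts = Counter(src for src, pkt in observed
                     if parse_icmp(pkt)["type"] == ICMP_ECHO_REQUEST)
    return {src: n for src, n in counts.items() if n > MAX_ECHO_PER_SOURCE}


# Constructed samples (no real traffic): a stock Linux ping, a stock Windows ping,
# a short text chunk, 256 bytes with the entropy of encrypted data, and a damaged copy.
STOCK_LINUX = build_echo(b"\x00" * 8 + LINUX_PING_TAIL)
STOCK_WINDOWS = build_echo(WINDOWS_PING_PAYLOAD)
TEXT_CHUNK = build_echo(b"user:pass")
DENSE_CHUNK = build_echo(bytes(range(256)))
CORRUPTED = STOCK_LINUX[:2] + b"\xff\xff" + STOCK_LINUX[4:]

if __name__ == "__main__":
    for name, pkt in [("linux", STOCK_LINUX), ("windows", STOCK_WINDOWS),
                      ("text", TEXT_CHUNK), ("dense", DENSE_CHUNK), ("corrupt", CORRUPTED)]:
        print(name, inspect_echo(pkt) or "looks like a normal ping")
    window = [("10.0.0.5", TEXT_CHUNK)] * 25 + [("10.0.0.9", STOCK_LINUX)] * 3
    print(noisy_sources(window))
```

The stock-pattern check is the strongest of the three signals on its own: a tunnelling tool has to put its data somewhere, and the moment the data bytes stop matching the fixed pattern of the host's own ping binary, the packet deserves a closer look even when it is small and low-entropy. The volume check covers the case where each packet carries only a few bytes and looks unremarkable in isolation.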

Two use cases I will be showing/demonstrating here:

  1. First, through my Python script, which generates ICMP packets to exfiltrate a secret file from my system.
  2. Second, a case from a CTF I participated in long ago, where the attacker adopted a different means of exfiltrating the data.

Video Demo

Thanks for your time.

Clap!!!! if you like
