Tightly restricting the traffic that leaves the protected network for the Internet is hard without breaking important applications. Among the protocols that are often allowed to cross the Internet boundary is ICMP, which helps ensure the reliable transmission of other network messages. Unfortunately, attackers can also use ICMP to remotely control a system compromised on the organization’s internal network.
ICMP is the protocol that allows the “ping” command to function when troubleshooting network connectivity. In this case, the “echo-request” message leaves the network when the administrator “pings” a host on the Internet. If the host is accessible by ICMP, it responds with an “echo-reply” message. Though it’s debatable whether the ability to use “ping” is necessary for many people, organizations often allow this tool’s traffic through the firewall.
The idea of encapsulating data and commands in ICMP traffic to create a stealthy remote control channel was first popularized by the tool Loki, which was described in Phrack Magazine in 1996. The Tribe Flood Network (TFN) botnet, analyzed by David Dittrich in 1999, used a similar ICMP-based scheme for remotely controlling infected systems. Among the more recent tools for implementing a simple ICMP-based backdoor is “icmpsh”, whose use I demonstrated in the video below.
In my demo, the Windows system plays the role of a compromised host to which the attacker on the Internet wants to maintain access. I used the icmpsh.exe program written by “nico” to have the Windows system issue ping-like messages to the designated system. The messages were directed by the Linux host in my lab, which played the role of the attacker’s system. On the Linux host I ran the icmpsh_m.py script by Bernardo Damele, which he described in an earlier blog posting.
The two components of the “icmpsh” tool allow the attacker to establish a reverse ICMP tunnel, remotely controlling the Windows host by having it issue ICMP “echo-request” messages and the Linux host sending “echo-reply” responses. This simple set up highlights the power that ICMP can offer the attacker in establishing a covert channel that can cross many network perimeter firewalls.
Do you allow ICMP traffic in and out of your network? If so, now might be a good time to lock it down.
For another example of a powerful tunneling technique, see my article on sending data and commands over DNS.