Shulou(Shulou.com)05/31 Report--

This article will explain in detail the principles and characteristics of ICMP tunnel communication. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

I. Analysis of ICMP tunnel technology

ICMP protocol

ICMP (Internet Control Message Protocol) Internet Control message Protocol. It is a subprotocol of the TCP/IP protocol suite, which is used to transmit control messages between IP hosts and routers. The control message refers to the message of the network itself, such as whether the network is unreachable, whether the host is reachable, whether the route is available, and so on. Although these control messages do not transmit user data, they play an important role in the transmission of user data.

The main concepts are:

1. Confirm that the ip packet has successfully arrived at its destination

two。 Notify the source host of the reason for the loss of the ip packet sent

3.ICMP works based on IP protocol

4.ICMP can only work under IPV4,IPV6, using ICMPv6

The ICMP frame format is as follows

Where the type and code fields determine the type of ICMP message, as shown in the following figure

Principle of ICMP tunnel technology

Because the ICMP message itself can carry data, and the ICMP message is processed by the system kernel and does not occupy any port, so it has a high concealment.

ICMP tunneling technology usually uses ICMP_ECHO and ICMP_ECHOREPLY messages of ICMP, hides the data in the option domain of ICMP packet header, and uses ping command to establish a covert channel.

During the covert transmission, the broiler (inside the firewall) runs and accepts the ICMP_ECHO data packet from the external attack end, and the attack end hides the command to be executed in the ICMP_ECHO data packet. The broiler receives the data packet, solves the hidden command, and executes it on the host inside the firewall, and then hides the execution result in the ICMP_ECHOREPLY data packet and sends it to the external attack end.

To put it simply, the request and reply data packets of ICMP are used to forge the data packet form of Ping commands to achieve the blocking of bypassing the firewall and intrusion detection system.

Advantages and disadvantages of ICMP tunnel

Advantages:

1. The firewall is allowed to ICMP_ECHO packets, and the internal host will not check the data content carried by ICMP packets, so it is highly hidden.

Disadvantages:

The 1.ICMP covert transmission is connectionless, the transmission is not very stable, and the bandwidth of the covert channel is very low.

two。 When using tunneling, you need to access lower-level protocols, which requires advanced user privileges.

2. Implementation of ICMP tunnel attack and display of popular tools

Icmpsh

This tool is simple and portable. The controlled end (client) is implemented in C language. It can only run on the target Windows machine, while the master (server) can run on any platform's attacker's machine because it already has C and Perl implementations and is later ported to Python.

Establishment of tunneling and packet Analysis in icmpsh

You can see that it has been successful.

Grab the bag, you can see the command we entered.

Icmptunnel

Icmptunnel is to create a virtual network card to pass all traffic through the virtual network card. The ICMP tunnel.

Establishment of tunneling and packet Analysis in icmptunnel

All user traffic on the client host is routed to the virtual network card tun0. Icmptunnel listens for IP packets on this interface. These packets are encapsulated in ICMP echo packets.

Establish an ICMP tunnel

At this point, all traffic passes through the virtual network card, that is, the icmp tunnel.

Ptunnel

Ptunnel supports most operating systems with libpcap, and starting with version 0.7, ptunnel can also be compiled on Windows.

The premise is to install WinPcap.

Establishment of tunneling and packet Analysis in petunnel

Use the command to establish an ICMP tunnel

Third, detect the characteristics of icmp tunnel communication

Total number of packets in the icmp session

A normal ping sends at most two packets per second, while browsers that use ICMP tunnels generate a large number of ICMP packets at the same time.

Tunnel data is usually large.

DATA in ICMP tunnel packets is often greater than 64 bits.

The contents of the request package and the response package are inconsistent.

In a normal icmp packet, the request and response data are consistent.

Some tunneling tools will display the tun logo

On the ICMP tunnel communication principles and communication characteristics what is shared here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.