Cатсн²² (in)sесuяitу / ChrisJohnRiley

As part of another project I’m working on in the background I’ve been playing some with Python’s ctypes. As a casual (and sadly bad) programmer Python ctypes are new to me, so I wanted to knock out a few simple scripts to test the waters. As it fit well with what I needed for my other project, and I couldn’t find anything already do it, I decided to write a simple script to send ICMP echo requests using Windows IcmpSendEcho function. The benefit of using this over something like RAW SOCKETS is the ability for non-administrative users to send ICMP echo requests and retain the ability to specify the data portion of the packet. This makes it useful for data exfiltration and shell over ICMP purposes.

Now, this idea isn’t new, and there are various tools that do more (or less) similar things. Some (most?) seem to need administrative access however, which is a pain, especially if you’re stuck as a standard user or need to prove that ICMP can be used for more than network troubleshooting.

A list of the ICMP related shells I found with the help of Google is at the end of this post.

I can’t really post the full source code in this blogpost, it’s far too long. However below is the basic structure of the call to IcmpSendEcho. To make this work there’s a lot of things that also need to be present obviously.

def IcmpSendEcho(handle, addr, data, options, timeout):
    reply = ICMP_ECHO_REPLY()
    data = data or ''
    if options:
       options = byref(options)
    r = icmp.IcmpSendEcho(handle, inet_addr(addr),
                          data,
                          len(data),
                          options,
                          byref(reply),
                          sizeof(ICMP_ECHO_REPLY) + len(data),
                          timeout)

For those with more than a passing interest a link to the Python source and a pyinstaller Windows 32 bit .exe are at the end of this post.

Example use:

A quick packet capture shows that 2 ICMP echo requests are sent to 8.8.8.8 containing the text “test icmp ” and “packet”.

As it is, this script isn’t that useful for anything but party tricks and showing your network team why ping from the desktop might be a security issue. However the code base can easily be worked into a full exfiltration tool by accepting a file input, and enabling some kind of encryption to avoid simple detection. Obviously this would need some sort of server end to easily decrypt the data, but that’s not a far stretch… unless you like fishing things out of PCAP files!

If you want to build the Python code into an exe yourself (what do you mean you don’t trust me ) then I strongly suggest getting the SVN version of PyInstaller (earlier versions have caused me problems in the past).

I’ll leave these as exercises for the reader while I work on some other projects

Simpleicmp :

• Python sourcecode –> HERE
• Win32 (pyinstaller .exe) –> HERE

Feel free to leave any comments if you have ideas, uses, or generally want to laugh at by bad coding

Links:

• Background Information
  • 2001 paper – “On the security and vulnerability of ping“
• Alternative tools
  • Shell over ICMP (SOICMP) –> Admin privs req.
  • ICMPTX –> POSIX only
  • ICMPshell –> POSIX only
  • ICMPsh –> Pos non-admin win32 .exe
• Anything I missed ? Let me know…