How To: C2 Over ICMP

Darin Roberts//


In previous blogs I have shown how to get various C2 sessions. In this blog, I will be showing how to do C2 over ICMP. First, what is ICMP? ICMP is Internet Control Message Protocol. It allows internet connected devices to send error messages back to the source IP address when problems in delivering packets have been encountered. It sounds like a very useful protocol, which it is. But, it can be very useful for attackers as well. It seems that almost everything that can be used for good can and is used for bad. ICMP is no different.

In order to set up our session, we need to download a couple of files. The first file is going to be run on the attacking machine. You can download it here: https://github.com/inquisb/icmpsh. I just did a clone of it on my Kali machine. The second file is a PowerShell script, which we will run on the victim. You can download the script here: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1.

On my attacking machine instance I cloned icmpsh.

 


I ran the python script to start up my listener.

As you can see, in order for the script to run, we need to give it our source IP and destination IP.

 

As you can see, nothing happened. This is because our client hasn’t been setup yet.  Go to the GitHub site and save the raw code.

 


Now that we have the PowerShell code we need to transfer this to the victim computer. Of course there is a myriad of ways this can be done. I won’t go in to details on how to do this in practice, and since this is just a trial, I just copied it over.

Now that I have my script ready, I will run it.  This is a PowerShell script, so I need to get a PowerShell command prompt.

 


Now that we have a PowerShell prompt I need to run my script.  I will navigate to where I put the file and run the following commands.

 


When I run the command, the script runs, and my listener that I had started on my Kali connects.  It is almost like magic!

 


You can see at the bottom of the screenshot that I have my PowerShell command prompt from my Windows machine.  Now I can run any commands as if I were on the victim’s computer.

So, what is the benefit of using ICMP as the method for the C2?  All of the communication is injected into ICMP packets, both the request and the response.  Because all of the traffic is in ICMP packets, the traffic is undetected by proxy-based firewalls.  This isn’t to say that these connections can’t be detected, but they can bypass some firewall rules.