How to Smuggle Data out of the Network with Ping
2024 ж. 18 Мам.
114 204 Рет қаралды
In this video I'll be showing you how easy it is for a bad actor to leak sensitive information out of your network with ping, and why you should be blocking ping at your firewall.
For this video I created a python script which can send a text file to a receiver using ping:
github.com/plaintextpackets/p...
Note: this video is for educational purposes only
While working at a Community College, I had written a C# application that use WinPCAP library to do just what was explained in the article. I was able to receive information at my home from inside the college network using the wireless network. Granted, wireless networks are generally guest only but with the link outside of the network it wouldn't be difficult to move information from a "donor" system over to my laptop and then transfer it. I could also possibly sniff information and save and transfer that (or just save and walk out through the front door). Well, after demonstrating the process, the security guy and I came up with specific rules for our IPS to monitor pings (allowing them to still be of use) by clearing the data portion of the packet to zero's and allowing to continue on.
Nice!
Thats really awesome!
with replacing the data with 0s, was it a set amount of 0s or just replaced every character in the data with 0?
@@aicccooocococ good question
@@aicccooocococ oohh smart
This is brilliant. Thanks to the algorithm to suggest your videos !!!
This is amazing. Thank you.
Exfiltration of data can be easily done by a simple http:-, oder https:-connection from a browser, accessing a form, that allows you to POST any file to a capture-point. I did such a thing, when I had to build a miniaturized IP-bug in an RJ45 patch-cable for my Govt. The contraption was powered by ethernet-signals (typically +/-2.5V). A microphone picked up the voices. After preamplification and AGC-ing, it went into the ADC of a MCU, that accessed a html-form from it's TCP/IP stack and exfiltrated the encrypted and base64-coded audio data in chunks to the computer of an intelligence officer.
In typical enterprise scenarios HTTP or other common web protocols aren’t permitted directly through the perimeter to the web, rather the traffic is proxies where it is logged, possibly decrypted and inspected. I explain this a bit more in the next video.
Https cannot be decryted on route. It is MITM attack proof. That is, if you have full control over the client.
@dominikvonlavante6113 in enterprise settings they have that control and can install custom certs on workstations to perform MITM and inspect HTTPS. Check out Broadcom SSLV as an example
@@plaintextpackets Who cares, when HTTP, or SSL-Connections are proxied? DPI-Firewalls (Deep Packet Inspection, like e.g. Fortinet) can only see gibberish from a G.729-encoded, encrypted and Base64-encoded audio-stream. If there should be any problem, there is always a beauty in every commercial, military and intelligence network: SIP and/or SSIP. According to my experience, there is nothing more unsuspicious within SIP-context, than an audio stream, transmitted by SIP-RTP/UDP data-packets.
@@debrainwasherit depends on the company. In a company that actually cares and securing things correctly, you won't be allowed to send that traffic outbound at all. Only a few companies actually go this far but in those setups outbound internet is blocked and only the proxy is allowed out. Then you would need to authenticate to the proxy (usually) and surf. The proxy would not allow 100% access either and might be whitelisted for server access or for user access a heavily restricted set of categories etc may be allowed. But it won't allow all protocols, etc.
You are gonna help me a lot in my journey to becoming a Network/Security Engineer, Thank for such an easy explanation
Glad to hear that!
also block SIP then, or any other protocol that allows unbound data into outbound packets (unbound being not strictly required by the protocol intself) That said, this clip is an excellent wakeup call to people that care about security but might not have the techie skills.
Protocols like SIP should be blocked from user workstations if going directly out to the internet, instead calls should be routed through an SBC for proper logging and monitoring
I would be much more worried if Joe Blow from accounting got root access on a machine inside the corporate network.
Crystal clear , well done . Thank you …
if you allow pings, you could deny pings that have any optional data fields, or strip the optional field entirely
Yes if your firewall can do that, I use PaloAltos which are enterprise grade and they can’t.
@@plaintextpackets Path MTU Discovery (PMTUD) would like to have a word. Bummer about the lack of blocking certain payloads, you should at least be able to block/allow PANs based on ICMP types. Great video, though; most people don't know about all the protocol options.
Even if you only allowed empty pings, you could encode a timing based way to code pings. A lot slower, but maybe that’s ok for small or high value payloads…
Further to the last comment, you could also send commands back into the network from outside by encoding the replies and non responses…
@@stevenclarke4228 if you use that as an exfiltration vector, then any allowed network connectivity will enable this attack. the moral of the story is, if you want to secure your computers and network, you cannot allow any external network connectivity at all.
Loved this!
Well made video and it looks like you have others that are on networking topics. You gained a new sub! Nice work on how clearly you explained things!
Thanks and welcome!
Bro this is dope as hell, I never would have thought of this
You should check your computer or phone if someone is doing it to you
Very interesting 👌
SoftetherVPN can open a VPN tunnel over ICMP. It not as stable/fast as the normal SSL or Ipsec tunnel, but it comes handy, if some NGFW blocks common ports to outside.
That’s an awesome option to have
Blocking ICMP traffic can be unhealthy for your internet bound services. ICMP is used for more then just pinging around. Simply blocking it at your firewall can result in severe latency problems and killing throughput for cloud services your company might use and if you don't know what you do, you will search forever for the reason.
Icmp is needed for these services but should be selectively permitted by policy and not allowed from end user workstations
@@plaintextpackets that't not how it works. check Path MTU Discovery for an instance. and that's just one application of icmp. if the application can't dynamicly apply proper a MTU, you will be in a world of pain with 1000 people sharing one internet connection.
Jumbo packets use ICMP for comms back to client for DF
Completely agree. I've seen so many problems caused by people that just "blOcK EVErytHInG, for seCUriTY" - then they complain that their networks are slow and unreliable.
Simple and cool video.... nicely explained .....great work
Great content, keep going
Thanks, will do!
When enterprise networks allow outbound access to any unauthorized server, it's possibile to pass data, it just comes down to how much data, and how fast. You could encode data in http requests with a simple '?data' append, all the way to using single binary bit transmissions using timed requests (albeit VERY slow, digital equivalent of blinking in Morse code on a video stream)
Good job !🤓
A while ago somebody on yt made a video titled "Harder drives" and one of the things he did was store data in the pings and repeatedly ping random slow servers with it. In the time that said ping was in transit, he wasn't keeping it locally and it was effectively stored on the internet. EDIT: Found it kzhead.info/sun/fceDg7tviaKonKc/bejne.html
😮😮😮😮
Basically, we need two VM for demonstration with one vm as reciever and other as sender. And we send packets which the reciever vm detects through wireshark ? Is my understanding Correct ?
just limit the packet length to that of echo-request and echo-reply only. anything bigger gets dropped. If you network engineers need to test MTU or something that requires optional data, you have them put in a request for a certain time frame, and only allow ICMP from that source. Then when they're done, you revert it back. easy defense.
Much of the early Internet infrastructure is not secure. Different goals back then. I sometimes leave a bait system running inside a network for a day with Sniffnet to see what comes up, it's never pretty.
One of my earliest memories on the internet was of the Hotmail.com “forget my password” page. You entered your email and then checked the source, and the password was right there. Different times
Really interesting, thanks for sharing!
Thanks for the education, and you explained it clean, good s××t..
Thank you.
You're welcome!
The firewall could just randomize the data allowing regular ping to work as expected. As a power user having to complain to ISPs about outages often, I'd rather see it working. Yes, one could time those messages and send them to different IPs to encode some information, but at that point, an attacker could just generate a bunch of QR codes on screen and take photos with their phone. No root required and it would have reasonable data rate.
Man great videos, keep it up. You are hatsoff one of the best network security youtuber
Thank you so much 😀
From the demo, it wasn't clear how you stuff ping packets without root access. Still a good demonstration why ping should be blocked. Even if data couldn't be stuffed into ping packets, another ping exploit could use the timing of ping packets to encode and exfiltrate data.
You do need root for this for sure, I have seen companies however who either don’t have network access control in place (so anyone can plug into the LAN), or allow some users admin rights for development work, etc. This is totally preventable if you have the right access layer and device control. But at the same time I would also restrict icmp on firewalls to only devices which need it
I had a similar idea but instead using DNS. DNS is interesting because the traffic is often forwarded via at least one internal server and maybe more. So long as the queries are kind of random caching shouldn't be an issue. With DNS you can also send data back to control the program. Kind of scary.
You’re right! I did a video showing dns exfiltration as well in a simple way
It would be pretty easy to write a TCPIP client and server listener to transfer files via Ping, but you’d need to know C lang, Rust, Java, or some other low system level language. I could write in it C++ in an hour, and in C# in a few minutes.
A word of caution. This technique is quite old and fairly well known among the skullduggerous. You can get things past a lot of sysops like this, but ISPs and tier-1 routers take an interest when they see unusual ICMP traffic, so don't try anything you wouldn't want to be seen.
The send rate you choose will definitely be important in order to not raise suspicion.
Run the same stuff on the other end and you got yourself a ping-powered walkie-talkie. 😎
I’d love to code a voice app which uses ping!
@@plaintextpackets If you do, please call it Echochamber...
love the thumbnail
U can detect and stop that, but you need a packet sniffer. There are a couple of types; howver, if you are this concerned, just block ping and run have your firewall run a full memory duplication of all data sent and/or received. This software that does this is freeware, but the hardware required is steep. We’re talking about GBs of RAM being copied and needing to be saved to a HD, per day and per client machine with access to the internet.
Ok. Thank you for this valuable info you shared, but I have some questions here. Everything is ok and I understand everything, but what I don't understand is the part how this can be a security issue? There are so many other options to send and receive data compared to this technique. There are so many issues which the hacker needs to overcome before he can use this technique. I really don't see clearly how this kind of "attack" compromises anything? In the end, you can't send gigs of data, you probably need to sit in front of the victim PC etc. etc.. I really would be happy to see this attack in a real situation, how would it end up. It looks to me like if we talk about a brake system in a car where there is a question "what if somebody compromises the brake pads?" That car would probably have breaking issues. But that doesn't mean you should not leave your car in an open parking yard. Where is the real deal with this ping problem?
Good question, many high security corporate environments (banks, governments, etc) monitor and / or lock down most obvious forms of communication to the outside world. This is mainly to prevent employees themselves from leaking data outside of proper channels. So if these companies have already put mitigations in place for web traffic, email, but still allow ping it leaves the door open for data to leave.
From my experience, most of the time the hack is done from inside from a compromised technician or user, who has his/she's own reason to open a leak path in the IT system of the company. And that type of threat is not a cyber security issue but in some cases a bad and corrupted person. Of course it is more attractive to promote such a situation also as a hacker attack ... I'm really concerned about the OS which are running on IoT devices, routers etc. which are nowadays mostly a derivative of Linux. And such of "firmware" are really easy to compromise. In many cases much information is left over from the guys who worked on the development of such a "firmware". Even on high end tools too...
Nice video. +1 sub
never thought about that , i normally block ping just to limit the amount of bots trying to hammer passwords , no reply = bot normally moves on , I normally only respond to list of IP's in the list allowed to talk to
Limiting which devices can ping is a must
An easier way to send data is to take the file, whether .TXT, or other file format, and just change the extension to .JPG and email it wherever you want. I don't think anyone checks every single email to make sure the picture files are legitimate, especially if you're sending a lot of actual picture files around the same time frame. BTW, this would allow a lot larger payload than a few characters in a ping command. Perhaps this might fit in the topic of steganography.
Using your corporate email? That’s definitely logged
They have email scanners which inspect the contents of all files regardless of extension. And I think Exchange offers this service when using O365
@@MarkStoddard But that was many years ago, and being a law firm, I think they were deleting old email so it couldn't be available in discovery.
Router/firewall should simply null out the optional data packet of ICMP. That doesn’t totally eliminate the problem, but it does drastically slow the data rate since any “data” would have to be encoded in unused bits/bytes of the header. There are similar mitigation approaches you can apply to the other portions of the ICMP packet, and you can use rate limiting of ICMP to make any such attempt impractical for data longer than a password.
IMO I’d rather not spend firewall processing cycles on inspecting ICMP if only some devices need it. In that case I would just use policy to only permit those IPs to connect to the internet and block everything else. But if you needed it open and had a vendor that could re-write / inspect icmp in real time that would work too
@@plaintextpackets You’re spending the processing time already to filter them out. Simply nulling out the optional data portion isn’t going to have any material impact on performance. Similar argument for rate limiting. Low CPU cost for each.
In theory, this could a low level networking threat if end users have access to elevated permissions to install external tools. Crafting a custom icmp packet through windows native tools is just almost impossible. Unless the end user is using powershell, c and raw socket. Even then, that had its own limitations. I wouldn't worry too much when end users are not able to install third party tools without elevated permissions. There are potential risk that they can download a portable tool that does this 🤔. But as long as you habe your policy set up correctly to not allow unkown exe from running, you should be fine 😅.
Agreed, however in my experience most large orgs either don’t have proper network access control, or don’t lock down admin access properly to workstations, or do silly things like mix guest wifi with prod, etc
you are a hacker's wet dream.. given you are not capable of writing a paragraph without missing entire words and a few spelling mistakes to boot, it can be reasonably assumed that any policy, security or otherwise, set up by you would be of similar quality.. the smug smiley at the end, made me smile too.. BTW, have you ever tried say the Non-Administrative chocolatey install to start with..
@@bluesirva3574 lol thanks for the judgmental comment on my work ethic based on the structure of my comment. I will strive to better myself at writing // after working 12-16 hour shifts. I also might consider turning on auto correct on my phone and allow them to collect algorithmic data on my typing habits. But my comment was based off the very little knowledge I know of in the network, infrastructure, group policy and scripting/programming world. Luckily, I don't do any of that and is just a end user who knows enough to get by my daily job. Luckily, anything done and or made by me has not have any major security concerns yet to date. Unluckily, we're only a multi-billion dollar company that deals with both commercials and military contracts 😥. Unluckily, we have to manage roughly around 600 employees and 300 contractors average each site. Thanks for the constructive criticism though, I will take it to heart.
@@plaintextpackets yeah, our workplace policy are pretty strict. Even when grabbing print drivers from our own internal print server, elevated access is needed. I thought print nightmare was a ghost of the past but hey. Can't say anything about other corps because I don't have much experience working with other corps.
Me and my ethernet mitm dongle are smiling at you.
Wouldn't it be possible to just fill in the ICMP packages that are going out( probably on the firewall or on a special server) with random bits, store the original data and when the package comes back fill the original data in those?
In theory but it takes processing power to rewrite packets. It would be simpler to block icmp from workstations and only permit select devices using firewall policy
As long as you’re not being watched (seems like you’re not) you could display screens of data to be recorded by your personal camera. Even if you’re being watched you could conceal it. How common are “no phone zones” at enterprises for this reason?
This is sadly how a lot of data is still exfiltrated today. Corporations can mandate use of their own phones but can’t stop someone from using a personal device and snapping photos or video. Work from home makes that even easier to do. I haven’t worked in any organizations which ban personal phones on site but I’d imagine certain military tech teams would
Instant termination is the result if caught with a phone in those facilities. If you are an insider, rather than a phone there are other camera options which don't look like cameras that would be much better options.
Noobie here, Wouldn't most network monitoring tools notice all that traffic? Especially if the packet sizes are abnormal, that then compounds with the fact that if you are exfiltrating large amounts of file data, you would need 'n*x' packets in order to move 'n' files, right? The quantity of packets should be greater than the quantity of files. could be quiiiite a bit of traffic. Unless of course each packet captures a whole file's worth of data? I guess to counter my point you could add custom delay to each ping in order to obfuscate things.
So if you’re sending terabytes of files it may be noticed, but if you keep the send rate at a reasonable amount the volume of traffic would be
Cool ))
Interesting video, thnx for sharing! Be careful with that TTS intro btw, I almost immediately left, thinking the whole video would be TTS.
Noted!
damn, did not know this about ping...
U can specify a port to ping different from the default. FYI. ;)
clever
This is really cool! Could this method be used to transfer a binary file (e.g. image, video, application)?
I don’t see why not, nothing is stopping you from just transmitting the bytes as characters and interpreting them as bytes on your receiver machine.
@@lbgstzockt8493uuencode has entered the chat.
Absolutely it could
Often data security depends on the people with access being trustworthy.
So this won't be detected under any SIEM tool? I mean it's not marked as suspicious with this many ping traffic?
If the volume is high enough it will get marked, if you keep the rate to a reasonable level it likely wouldn't. However if an organization has left ping open to end user workstations I would assume they don't have a good SIEM tool
create an api, have a header that describes the expected data, beginning of payload, end of payload, base64 encode the payload, exfiltrate whatever you want.
Exactly
🤜🤛
With same method, one can use any access to transfer data.
would this work on a windows PC running WSL?
The video showing the windows version comes out tomorrow
There is a practical use of this in real world scenario, or it is just a demo of what you can do with ping? If you want to send data from a ping prohibited network to another internet location you can just email it... I really cannot see a practical use of this 😊
You’re going to send an email to an external address containing data you’re stealing using your corporate account? I guess if you could use a colleague’s computer, email as them, and send to an anonymous temp email address
All emails are monitored in secured corporate settings. So is web traffic to websites.
Oh... this is for steal. Maybe there is more practical ways to get data without even use the network. Ok, I get it, I didn't even think about it. Now I can see, the point is to learn how other people can cheat your security to steal your data and maaaybe how to prevent it.
Isn't it true that only those employees could pull this off who are already allowed to have a tool that can run Python scripts on their company laptop? Also, why would someone do this instead of saving files on a pendrive?
Many orgs lock down usb drive usage as well as direct internet communication, also if you have developers working for you chances are they have elevated privileges on their machines
@@plaintextpackets Good points, thank you.
i'm come in 😊
One one side this is cool, but on the other side there are w million other, less suspicious and easier ways to exfiltrate data behind firewalls without even needing root.
I have tried to monitor the icmp packets on the target host using tcpdump. I do not see the message. Can someone help me with this?
Join the discord we can help
Do you know how i would run this if i have a vm in my computer
It would need to be a Linux VM but yes you can run it from that
You did the wire shark on from the sender side 🤣
🤪 for simplicity! Actually I’m releasing one soon showing the windows method and it will demonstrate the remote end capture as well
DLP = data loss prevention not digital loss prevention. Otherwise good video.
D’oh!
are u on linkedin
I am but keep it private
Is Windows also susceptible to the ping exfiltration? The video says script is for Linux?
I have a video coming on Friday to show the windows method :-)
Generator requires Admin rights? Who are you giving those rights to, and why?
Common example of this would be a developer. Lots of companies give developers MacBook with admin rights to do their dev work
the shocking part is even they have a ssl you can still read the username and paasword which is information.
Ping is usually blocked by firewall at any half competent setup
I agree people should, in experience many do not to their own detriment
5:43 ICMP is not layer 4, IMHO
No you’re right technically it’s layer 3
@@plaintextpackets Right. The question is why Wireshark displays it this way so it's seems to be layer 4?
I think it’s difficult to dissect an ICMP packet which has an IP layer without showing the ip layer as distinct. This is why I was confused as well. ARP is also a layer3 protocol but does not use IP addressing and thus it only has three layers of dissection. IMO ICMP is really layer 4 in practice but technically layer 3 I agree
So, I need to try that on my company's internal network. Being a smart ass... get a rise.
Pointing out security flaws proactively is a great way to build your reputation at work 👍🏽
It's not a vulnerability, because it does not harm a system. However, it could be used for infiltration. Why would you give root access to random people? That's the hazard!
Why does it need root? If you have root, you already have an issue.....
In Linux to craft custom packets you need root. But in my windows version video I show a method that doesn’t require root at all
@@plaintextpackets Really? Why? That's so strange.... You can create a socket in code, and send any arbitrary data you want.... But I guess that's a network layer up in the OSI model
Ping should be disabled outbound for all user subnets. Your firewall should be allowed to ping, because IPv6 depends on pinging to determine the correct MTU size and it also allows PMTUD to work correctly. Blocking ping completely will result in degraded functionality I think. Also, if you have a UTM worth a damn, you could also easily detect and prevent exfiltration
I would add, blocking ping is nice, but it still gives a response back to someone doing recon. This can then be used of course to fingerprint the outside router/firewall. A better option in my opinion is to drop the packets. No response, no information being exfiltrated, data go poof. It's not a perfect solution of course, as nothing is perfect, but it does give less data.
Agreed
This is already sanitised in large security conscious networks, nothing new. Same with time server packets and many more, not even just for ex filtrations, but for protection against padding out packets incase of ddos bots getting in. Nothing novel about it in the last 20 years.
So, where's the part where you PULL data with the ping... ?
If you have internet access at your enterprise, that’s a big vulnerability. You should go disable that at your firewall at your enterprise. Very risky to have internet these days. 🙄. /s
I iodine'd stuff in 2011 already. Lol
Not if u have a good network gateway team.
Those are in short supply 🤣
Could have crunched that down to half the video length
Probably!
but why , it was under 30 mins , decent length with ongoing info
Little league. Use TTL.
I thought about that but TTL will change in transit from src to dst and if you have multiple paths between it may not be a predictable change
@@plaintextpackets sure, a bit of noise reduction and error correction would be required.
@dougaltolan3017 take a look at the version I did for windows, I used the packet length to encode the data there