While working at a Community College, I had written a C# application that use WinPCAP library to do just what was explained in the article. I was able to receive information at my home from inside the college network using the wireless network. Granted, wireless networks are generally guest only but with the link outside of the network it wouldn't be difficult to move information from a "donor" system over to my laptop and then transfer it. I could also possibly sniff information and save and transfer that (or just save and walk out through the front door). Well, after demonstrating the process, the security guy and I came up with specific rules for our IPS to monitor pings (allowing them to still be of use) by clearing the data portion of the packet to zero's and allowing to continue on.

I would be much more worried if Joe Blow from accounting got root access on a machine inside the corporate network.

Exfiltration of data can be easily done by a simple http:-, oder https:-connection from a browser, accessing a form, that allows you to POST any file to a capture-point. I did such a thing, when I had to build a miniaturized IP-bug in an RJ45 patch-cable for my Govt. The contraption was powered by ethernet-signals (typically +/-2.5V). A microphone picked up the voices. After preamplification and AGC-ing, it went into the ADC of a MCU, that accessed a html-form from it's TCP/IP stack and exfiltrated the encrypted and base64-coded audio data in chunks to the computer of an intelligence officer.

You are gonna help me a lot in my journey to becoming a Network/Security Engineer, Thank for such an easy explanation

also block SIP then, or any other protocol that allows unbound data into outbound packets (unbound being not strictly required by the protocol intself) That said, this clip is an excellent wakeup call to people that care about security but might not have the techie skills.

Well made video and it looks like you have others that are on networking topics. You gained a new sub! Nice work on how clearly you explained things!

This is brilliant. Thanks to the algorithm to suggest your videos !!!

This is amazing. Thank you.

if you allow pings, you could deny pings that have any optional data fields, or strip the optional field entirely

SoftetherVPN can open a VPN tunnel over ICMP. It not as stable/fast as the normal SSL or Ipsec tunnel, but it comes handy, if some NGFW blocks common ports to outside.

Crystal clear , well done . Thank you …

great vid! what do you use to create your thumbnails?

Loved this!

When enterprise networks allow outbound access to any unauthorized server, it's possibile to pass data, it just comes down to how much data, and how fast. You could encode data in http requests with a simple '?data' append, all the way to using single binary bit transmissions using timed requests (albeit VERY slow, digital equivalent of blinking in Morse code on a video stream)

Basically, we need two VM for demonstration with one vm as reciever and other as sender. And we send packets which the reciever vm detects through wireshark ? Is my understanding Correct ?

Blocking ICMP traffic can be unhealthy for your internet bound services. ICMP is used for more then just pinging around. Simply blocking it at your firewall can result in severe latency problems and killing throughput for cloud services your company might use and if you don't know what you do, you will search forever for the reason.

Wouldn't it be possible to just fill in the ICMP packages that are going out( probably on the firewall or on a special server) with random bits, store the original data and when the package comes back fill the original data in those?

Very interesting 👌

Thanks for the education, and you explained it clean, good s××t..

just limit the packet length to that of echo-request and echo-reply only. anything bigger gets dropped. If you network engineers need to test MTU or something that requires optional data, you have them put in a request for a certain time frame, and only allow ICMP from that source. Then when they're done, you revert it back. easy defense.

A while ago somebody on yt made a video titled "Harder drives" and one of the things he did was store data in the pings and repeatedly ping random slow servers with it. In the time that said ping was in transit, he wasn't keeping it locally and it was effectively stored on the internet. EDIT: Found it kzbin.info/www/bejne/gJSthIpth9Wln9E

Run the same stuff on the other end and you got yourself a ping-powered walkie-talkie. 😎

Simple and cool video.... nicely explained .....great work

Much of the early Internet infrastructure is not secure. Different goals back then. I sometimes leave a bait system running inside a network for a day with Sniffnet to see what comes up, it's never pretty.

Ok. Thank you for this valuable info you shared, but I have some questions here. Everything is ok and I understand everything, but what I don't understand is the part how this can be a security issue? There are so many other options to send and receive data compared to this technique. There are so many issues which the hacker needs to overcome before he can use this technique. I really don't see clearly how this kind of "attack" compromises anything? In the end, you can't send gigs of data, you probably need to sit in front of the victim PC etc. etc.. I really would be happy to see this attack in a real situation, how would it end up. It looks to me like if we talk about a brake system in a car where there is a question "what if somebody compromises the brake pads?" That car would probably have breaking issues. But that doesn't mean you should not leave your car in an open parking yard. Where is the real deal with this ping problem?

As long as you’re not being watched (seems like you’re not) you could display screens of data to be recorded by your personal camera. Even if you’re being watched you could conceal it. How common are “no phone zones” at enterprises for this reason?

From the demo, it wasn't clear how you stuff ping packets without root access. Still a good demonstration why ping should be blocked. Even if data couldn't be stuffed into ping packets, another ping exploit could use the timing of ping packets to encode and exfiltrate data.

Great content, keep going

Really interesting, thanks for sharing!

Good job ！🤓

So this won't be detected under any SIEM tool? I mean it's not marked as suspicious with this many ping traffic?

I had a similar idea but instead using DNS. DNS is interesting because the traffic is often forwarded via at least one internal server and maybe more. So long as the queries are kind of random caching shouldn't be an issue. With DNS you can also send data back to control the program. Kind of scary.

It would be pretty easy to write a TCPIP client and server listener to transfer files via Ping, but you’d need to know C lang, Rust, Java, or some other low system level language. I could write in it C++ in an hour, and in C# in a few minutes.

The firewall could just randomize the data allowing regular ping to work as expected. As a power user having to complain to ISPs about outages often, I'd rather see it working. Yes, one could time those messages and send them to different IPs to encode some information, but at that point, an attacker could just generate a bunch of QR codes on screen and take photos with their phone. No root required and it would have reasonable data rate.

U can detect and stop that, but you need a packet sniffer. There are a couple of types; howver, if you are this concerned, just block ping and run have your firewall run a full memory duplication of all data sent and/or received. This software that does this is freeware, but the hardware required is steep. We’re talking about GBs of RAM being copied and needing to be saved to a HD, per day and per client machine with access to the internet.

An easier way to send data is to take the file, whether .TXT, or other file format, and just change the extension to .JPG and email it wherever you want. I don't think anyone checks every single email to make sure the picture files are legitimate, especially if you're sending a lot of actual picture files around the same time frame. BTW, this would allow a lot larger payload than a few characters in a ping command. Perhaps this might fit in the topic of steganography.

never thought about that , i normally block ping just to limit the amount of bots trying to hammer passwords , no reply = bot normally moves on , I normally only respond to list of IP's in the list allowed to talk to

Bro this is dope as hell, I never would have thought of this

would this work on a windows PC running WSL?

Thank you.

Noobie here, Wouldn't most network monitoring tools notice all that traffic? Especially if the packet sizes are abnormal, that then compounds with the fact that if you are exfiltrating large amounts of file data, you would need 'n*x' packets in order to move 'n' files, right? The quantity of packets should be greater than the quantity of files. could be quiiiite a bit of traffic. Unless of course each packet captures a whole file's worth of data? I guess to counter my point you could add custom delay to each ping in order to obfuscate things.

Often data security depends on the people with access being trustworthy.

Nice video. +1 sub

love the thumbnail

Interesting video, thnx for sharing! Be careful with that TTS intro btw, I almost immediately left, thinking the whole video would be TTS.

Man great videos, keep it up. You are hatsoff one of the best network security youtuber

Router/firewall should simply null out the optional data packet of ICMP. That doesn’t totally eliminate the problem, but it does drastically slow the data rate since any “data” would have to be encoded in unused bits/bytes of the header. There are similar mitigation approaches you can apply to the other portions of the ICMP packet, and you can use rate limiting of ICMP to make any such attempt impractical for data longer than a password.

Cool ))

I have tried to monitor the icmp packets on the target host using tcpdump. I do not see the message. Can someone help me with this?

Do you know how i would run this if i have a vm in my computer

damn, did not know this about ping...

This is really cool! Could this method be used to transfer a binary file (e.g. image, video, application)?

A word of caution. This technique is quite old and fairly well known among the skullduggerous. You can get things past a lot of sysops like this, but ISPs and tier-1 routers take an interest when they see unusual ICMP traffic, so don't try anything you wouldn't want to be seen.

In theory, this could a low level networking threat if end users have access to elevated permissions to install external tools. Crafting a custom icmp packet through windows native tools is just almost impossible. Unless the end user is using powershell, c and raw socket. Even then, that had its own limitations. I wouldn't worry too much when end users are not able to install third party tools without elevated permissions. There are potential risk that they can download a portable tool that does this 🤔. But as long as you habe your policy set up correctly to not allow unkown exe from running, you should be fine 😅.

U can specify a port to ping different from the default. FYI. ;)

Isn't it true that only those employees could pull this off who are already allowed to have a tool that can run Python scripts on their company laptop? Also, why would someone do this instead of saving files on a pendrive?

Is Windows also susceptible to the ping exfiltration? The video says script is for Linux?

One one side this is cool, but on the other side there are w million other, less suspicious and easier ways to exfiltrate data behind firewalls without even needing root.

create an api, have a header that describes the expected data, beginning of payload, end of payload, base64 encode the payload, exfiltrate whatever you want.

There is a practical use of this in real world scenario, or it is just a demo of what you can do with ping? If you want to send data from a ping prohibited network to another internet location you can just email it... I really cannot see a practical use of this 😊

clever

are u on linkedin

Generator requires Admin rights? Who are you giving those rights to, and why?

🤜🤛

With same method, one can use any access to transfer data.

You did the wire shark on from the sender side 🤣

i'm come in 😊

DLP = data loss prevention not digital loss prevention. Otherwise good video.

So, I need to try that on my company's internal network. Being a smart ass... get a rise.

Why does it need root? If you have root, you already have an issue.....

the shocking part is even they have a ssl you can still read the username and paasword which is information.

5:43 ICMP is not layer 4, IMHO

Ping is usually blocked by firewall at any half competent setup

It's not a vulnerability, because it does not harm a system. However, it could be used for infiltration. Why would you give root access to random people? That's the hazard!

So, where's the part where you PULL data with the ping... ?

Ping should be disabled outbound for all user subnets. Your firewall should be allowed to ping, because IPv6 depends on pinging to determine the correct MTU size and it also allows PMTUD to work correctly. Blocking ping completely will result in degraded functionality I think. Also, if you have a UTM worth a damn, you could also easily detect and prevent exfiltration

I iodine'd stuff in 2011 already. Lol

If you have internet access at your enterprise, that’s a big vulnerability. You should go disable that at your firewall at your enterprise. Very risky to have internet these days. 🙄. /s

I would add, blocking ping is nice, but it still gives a response back to someone doing recon. This can then be used of course to fingerprint the outside router/firewall. A better option in my opinion is to drop the packets. No response, no information being exfiltrated, data go poof. It's not a perfect solution of course, as nothing is perfect, but it does give less data.

This is already sanitised in large security conscious networks, nothing new. Same with time server packets and many more, not even just for ex filtrations, but for protection against padding out packets incase of ddos bots getting in. Nothing novel about it in the last 20 years.

Not if u have a good network gateway team.

Could have crunched that down to half the video length

Little league. Use TTL.