
Exfiltrating data in ping packet padding: Video demo

13 Jan 2015

In this hack demo video we cover how to exfiltrate data from a corporate environment without the credentials to use the proxy, we’ll be doing it using a simple ping.

The attack

Here we have a Unix machine that’s set up to behave like it’s on a corporate network. We can’t get out to the internet via the corporate proxy, but as in most environments we do have ICMP.

We also have a box set up listening on the internet. This needs to be running tcpdump capturing ICMP.

The final component is a script written by George Bakos from the SANS Institute. What the script does is take a file that you provide, split it up into 16 byte chunks, and insert those chunks into the padding space found in ping packets. It then sends the ping packets, and with them the secret data that you want exfiltrated, out to the box you have waiting and listening for them.

In practice the script asks for a file to send, so we give it our “secret file” called note.txt. The script chops the file up, inserts the pieces into the ping packet padding, and sends them out over ICMP.

Our listening box then gets those packets and rebuilds the chunks they contain into the original file. For this demo we used a small file, so it only needed three packets. We then rebuild the file and get the “secret” information:
No socks in here!

This is a very simple method for getting data through a corporate perimeter without having to go to the effort of stealing credentials. The fix is easy too: block ICMP outbound from your corporate environment.
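Where outbound ICMP cannot be blocked outright, the same property the script relies on (the padding is normally a fixed fill pattern) can be used to spot it. The following is an added detection example, not the script from the video and not taken from any project: it parses raw IPv4/ICMP echo packets of the kind tcpdump captures and flags echo payloads that match neither the stock Linux (iputils) fill, a timestamp followed by bytes counting upward, nor the stock Windows fill, a cycled alphabet. The sample frames, the addresses 10.0.0.5 and 203.0.113.7 and the `build_echo_frame` helper are constructed for the demonstration; the pattern checks assume default ping settings on those two platforms.

```python
"""Flag ICMP echo packets whose payload does not look like a stock ping fill.

Added detection example: not the exfiltration script shown in the video and
not taken from any project. Assumes raw IPv4 packets as bytes (what a pcap
yields) and that hosts normally run stock Linux (iputils) or Windows ping.
"""
import math
import struct

ICMP_PROTO = 1
ECHO_TYPES = (0, 8)  # echo reply, echo request
# Windows ping cycles this 23-letter alphabet through its payload (32 bytes by default).
WINDOWS_ALPHABET = b"abcdefghijklmnopqrstuvw"
# Linux (iputils) ping stores a timestamp first (8 or 16 bytes depending on
# version and architecture) and then fills the rest with bytes counting upward.
LINUX_TIMESTAMP_SIZES = (8, 16)


def ipv4_payload(frame: bytes):
    """Return (protocol, transport bytes) from a raw IPv4 packet, or None if malformed."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(frame):
        return None
    return frame[9], frame[ihl:total_len]


def icmp_echo_data(segment: bytes):
    """Return the bytes after the 8-byte ICMP header for echo packets, else None."""
    if len(segment) < 8 or segment[0] not in ECHO_TYPES:
        return None
    return segment[8:]


def is_sequential(data: bytes) -> bool:
    """True when every byte is the previous byte plus one (mod 256)."""
    return len(data) > 1 and all(
        (data[i] + 1) & 0xFF == data[i + 1] for i in range(len(data) - 1))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; helps triage what an anomalous payload is carrying (text vs. packed data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def classify_payload(data: bytes) -> str:
    """Return 'windows', 'linux' or 'anomalous' for an echo payload."""
    if data and all(data[i] == WINDOWS_ALPHABET[i % 23] for i in range(len(data))):
        return "windows"
    for ts in LINUX_TIMESTAMP_SIZES:
        if len(data) > ts + 1 and is_sequential(data[ts:]):
            return "linux"
    return "anomalous"


def scan_frames(frames):
    """Return one finding per echo packet whose payload is not a stock ping fill."""
    findings = []
    for idx, frame in enumerate(frames):
        parsed = ipv4_payload(frame)
        if parsed is None or parsed[0] != ICMP_PROTO:
            continue
        data = icmp_echo_data(parsed[1])
        if data is None or classify_payload(data) != "anomalous":
            continue
        findings.append({"frame": idx, "length": len(data),
                         "entropy": round(shannon_entropy(data), 2),
                         "preview": data[:16]})
    return findings


# --- constructed sample traffic (not a real capture) -------------------------
def build_echo_frame(data: bytes, icmp_type: int = 8) -> bytes:
    """Minimal IPv4 + ICMP echo frame for testing; checksums are left as zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP_PROTO,
                     0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]))
    return ip + icmp


SAMPLE_FRAMES = [
    build_echo_frame(bytes(WINDOWS_ALPHABET[i % 23] for i in range(32))),  # stock Windows fill
    build_echo_frame(bytes(16) + bytes(range(0x10, 0x38))),               # stock Linux fill
    build_echo_frame(b"No socks in here"),                                # text in the padding
    build_echo_frame(b"\x00" * 8, icmp_type=3),                           # dest unreachable: ignored
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7])) + bytes(20),  # TCP: ignored
]

if __name__ == "__main__":
    for finding in scan_frames(SAMPLE_FRAMES):
        print(finding)
```

Only the third frame is reported; the stock Windows and Linux fills pass, and non-echo ICMP and TCP are skipped. The fill patterns are platform defaults, so `ping -p` on Linux, other operating systems or monitoring agents that ping with their own payloads will show up as anomalous until you baseline them, which is the right starting point for an allow-list.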