How to Smuggle Data out of the Network with Ping
Ғылым және технология
In this video I'll be showing you how easy it is for a bad actor to leak sensitive information out of your network with ping, and why you should be blocking ping at your firewall.
For this video I created a python script which can send a text file to a receiver using ping:
github.com/plaintextpackets/p...
Note: this video is for educational purposes only
Пікірлер: 192
While working at a Community College, I had written a C# application that use WinPCAP library to do just what was explained in the article. I was able to receive information at my home from inside the college network using the wireless network. Granted, wireless networks are generally guest only but with the link outside of the network it wouldn't be difficult to move information from a "donor" system over to my laptop and then transfer it. I could also possibly sniff information and save and transfer that (or just save and walk out through the front door). Well, after demonstrating the process, the security guy and I came up with specific rules for our IPS to monitor pings (allowing them to still be of use) by clearing the data portion of the packet to zero's and allowing to continue on.
@plaintextpackets
Ай бұрын
Nice!
@toddzillaswrist
Ай бұрын
Thats really awesome!
@aicccooocococ
Ай бұрын
with replacing the data with 0s, was it a set amount of 0s or just replaced every character in the data with 0?
@Skaffa
Ай бұрын
@@aicccooocococ good question
@LittleRainGames
Ай бұрын
@@aicccooocococ oohh smart
You are gonna help me a lot in my journey to becoming a Network/Security Engineer, Thank for such an easy explanation
@plaintextpackets
Ай бұрын
Glad to hear that!
This is brilliant. Thanks to the algorithm to suggest your videos !!!
Well made video and it looks like you have others that are on networking topics. You gained a new sub! Nice work on how clearly you explained things!
@plaintextpackets
2 ай бұрын
Thanks and welcome!
also block SIP then, or any other protocol that allows unbound data into outbound packets (unbound being not strictly required by the protocol intself) That said, this clip is an excellent wakeup call to people that care about security but might not have the techie skills.
@plaintextpackets
Ай бұрын
Protocols like SIP should be blocked from user workstations if going directly out to the internet, instead calls should be routed through an SBC for proper logging and monitoring
This is amazing. Thank you.
Exfiltration of data can be easily done by a simple http:-, oder https:-connection from a browser, accessing a form, that allows you to POST any file to a capture-point. I did such a thing, when I had to build a miniaturized IP-bug in an RJ45 patch-cable for my Govt. The contraption was powered by ethernet-signals (typically +/-2.5V). A microphone picked up the voices. After preamplification and AGC-ing, it went into the ADC of a MCU, that accessed a html-form from it's TCP/IP stack and exfiltrated the encrypted and base64-coded audio data in chunks to the computer of an intelligence officer.
@plaintextpackets
Ай бұрын
In typical enterprise scenarios HTTP or other common web protocols aren’t permitted directly through the perimeter to the web, rather the traffic is proxies where it is logged, possibly decrypted and inspected. I explain this a bit more in the next video.
@dominikvonlavante6113
Ай бұрын
Https cannot be decryted on route. It is MITM attack proof. That is, if you have full control over the client.
@plaintextpackets
Ай бұрын
@dominikvonlavante6113 in enterprise settings they have that control and can install custom certs on workstations to perform MITM and inspect HTTPS. Check out Broadcom SSLV as an example
@debrainwasher
Ай бұрын
@@plaintextpackets Who cares, when HTTP, or SSL-Connections are proxied? DPI-Firewalls (Deep Packet Inspection, like e.g. Fortinet) can only see gibberish from a G.729-encoded, encrypted and Base64-encoded audio-stream. If there should be any problem, there is always a beauty in every commercial, military and intelligence network: SIP and/or SSIP. According to my experience, there is nothing more unsuspicious within SIP-context, than an audio stream, transmitted by SIP-RTP/UDP data-packets.
@muskrat7312
Ай бұрын
@@debrainwasherit depends on the company. In a company that actually cares and securing things correctly, you won't be allowed to send that traffic outbound at all. Only a few companies actually go this far but in those setups outbound internet is blocked and only the proxy is allowed out. Then you would need to authenticate to the proxy (usually) and surf. The proxy would not allow 100% access either and might be whitelisted for server access or for user access a heavily restricted set of categories etc may be allowed. But it won't allow all protocols, etc.
Crystal clear , well done . Thank you …
I would be much more worried if Joe Blow from accounting got root access on a machine inside the corporate network.
great vid! what do you use to create your thumbnails?
if you allow pings, you could deny pings that have any optional data fields, or strip the optional field entirely
@plaintextpackets
2 ай бұрын
Yes if your firewall can do that, I use PaloAltos which are enterprise grade and they can’t.
@petew5130
Ай бұрын
@@plaintextpackets Path MTU Discovery (PMTUD) would like to have a word. Bummer about the lack of blocking certain payloads, you should at least be able to block/allow PANs based on ICMP types. Great video, though; most people don't know about all the protocol options.
@stevenclarke4228
Ай бұрын
Even if you only allowed empty pings, you could encode a timing based way to code pings. A lot slower, but maybe that’s ok for small or high value payloads…
@stevenclarke4228
Ай бұрын
Further to the last comment, you could also send commands back into the network from outside by encoding the replies and non responses…
@pauldwalker
Ай бұрын
@@stevenclarke4228 if you use that as an exfiltration vector, then any allowed network connectivity will enable this attack. the moral of the story is, if you want to secure your computers and network, you cannot allow any external network connectivity at all.
SoftetherVPN can open a VPN tunnel over ICMP. It not as stable/fast as the normal SSL or Ipsec tunnel, but it comes handy, if some NGFW blocks common ports to outside.
@plaintextpackets
Ай бұрын
That’s an awesome option to have
Simple and cool video.... nicely explained .....great work
Loved this!
Man great videos, keep it up. You are hatsoff one of the best network security youtuber
@plaintextpackets
Ай бұрын
Thank you so much 😀
Very interesting 👌
Bro this is dope as hell, I never would have thought of this
@etcetc3800
Ай бұрын
You should check your computer or phone if someone is doing it to you
Really interesting, thanks for sharing!
Thanks for the education, and you explained it clean, good s××t..
Blocking ICMP traffic can be unhealthy for your internet bound services. ICMP is used for more then just pinging around. Simply blocking it at your firewall can result in severe latency problems and killing throughput for cloud services your company might use and if you don't know what you do, you will search forever for the reason.
@plaintextpackets
Ай бұрын
Icmp is needed for these services but should be selectively permitted by policy and not allowed from end user workstations
@McClane6666
Ай бұрын
@@plaintextpackets that't not how it works. check Path MTU Discovery for an instance. and that's just one application of icmp. if the application can't dynamicly apply proper a MTU, you will be in a world of pain with 1000 people sharing one internet connection.
@AbstractType1
Ай бұрын
Jumbo packets use ICMP for comms back to client for DF
@dermick
Ай бұрын
Completely agree. I've seen so many problems caused by people that just "blOcK EVErytHInG, for seCUriTY" - then they complain that their networks are slow and unreliable.
Basically, we need two VM for demonstration with one vm as reciever and other as sender. And we send packets which the reciever vm detects through wireshark ? Is my understanding Correct ?
Thank you.
@plaintextpackets
Ай бұрын
You're welcome!
Wouldn't it be possible to just fill in the ICMP packages that are going out( probably on the firewall or on a special server) with random bits, store the original data and when the package comes back fill the original data in those?
@plaintextpackets
Ай бұрын
In theory but it takes processing power to rewrite packets. It would be simpler to block icmp from workstations and only permit select devices using firewall policy
just limit the packet length to that of echo-request and echo-reply only. anything bigger gets dropped. If you network engineers need to test MTU or something that requires optional data, you have them put in a request for a certain time frame, and only allow ICMP from that source. Then when they're done, you revert it back. easy defense.
From the demo, it wasn't clear how you stuff ping packets without root access. Still a good demonstration why ping should be blocked. Even if data couldn't be stuffed into ping packets, another ping exploit could use the timing of ping packets to encode and exfiltrate data.
@plaintextpackets
Ай бұрын
You do need root for this for sure, I have seen companies however who either don’t have network access control in place (so anyone can plug into the LAN), or allow some users admin rights for development work, etc. This is totally preventable if you have the right access layer and device control. But at the same time I would also restrict icmp on firewalls to only devices which need it
As long as you’re not being watched (seems like you’re not) you could display screens of data to be recorded by your personal camera. Even if you’re being watched you could conceal it. How common are “no phone zones” at enterprises for this reason?
@plaintextpackets
Ай бұрын
This is sadly how a lot of data is still exfiltrated today. Corporations can mandate use of their own phones but can’t stop someone from using a personal device and snapping photos or video. Work from home makes that even easier to do. I haven’t worked in any organizations which ban personal phones on site but I’d imagine certain military tech teams would
@RowanHawkins
Ай бұрын
Instant termination is the result if caught with a phone in those facilities. If you are an insider, rather than a phone there are other camera options which don't look like cameras that would be much better options.
A while ago somebody on yt made a video titled "Harder drives" and one of the things he did was store data in the pings and repeatedly ping random slow servers with it. In the time that said ping was in transit, he wasn't keeping it locally and it was effectively stored on the internet. EDIT: Found it kzread.info/dash/bejne/fJd-tblwgtPYmdI.html
@notaras1985
24 күн бұрын
😮😮😮😮
When enterprise networks allow outbound access to any unauthorized server, it's possibile to pass data, it just comes down to how much data, and how fast. You could encode data in http requests with a simple '?data' append, all the way to using single binary bit transmissions using timed requests (albeit VERY slow, digital equivalent of blinking in Morse code on a video stream)
Much of the early Internet infrastructure is not secure. Different goals back then. I sometimes leave a bait system running inside a network for a day with Sniffnet to see what comes up, it's never pretty.
@plaintextpackets
19 күн бұрын
One of my earliest memories on the internet was of the Hotmail.com “forget my password” page. You entered your email and then checked the source, and the password was right there. Different times
Run the same stuff on the other end and you got yourself a ping-powered walkie-talkie. 😎
@plaintextpackets
Ай бұрын
I’d love to code a voice app which uses ping!
@DerSolinski
Ай бұрын
@@plaintextpackets If you do, please call it Echochamber...
The firewall could just randomize the data allowing regular ping to work as expected. As a power user having to complain to ISPs about outages often, I'd rather see it working. Yes, one could time those messages and send them to different IPs to encode some information, but at that point, an attacker could just generate a bunch of QR codes on screen and take photos with their phone. No root required and it would have reasonable data rate.
Ok. Thank you for this valuable info you shared, but I have some questions here. Everything is ok and I understand everything, but what I don't understand is the part how this can be a security issue? There are so many other options to send and receive data compared to this technique. There are so many issues which the hacker needs to overcome before he can use this technique. I really don't see clearly how this kind of "attack" compromises anything? In the end, you can't send gigs of data, you probably need to sit in front of the victim PC etc. etc.. I really would be happy to see this attack in a real situation, how would it end up. It looks to me like if we talk about a brake system in a car where there is a question "what if somebody compromises the brake pads?" That car would probably have breaking issues. But that doesn't mean you should not leave your car in an open parking yard. Where is the real deal with this ping problem?
@plaintextpackets
Ай бұрын
Good question, many high security corporate environments (banks, governments, etc) monitor and / or lock down most obvious forms of communication to the outside world. This is mainly to prevent employees themselves from leaking data outside of proper channels. So if these companies have already put mitigations in place for web traffic, email, but still allow ping it leaves the door open for data to leave.
@christianrobertadzic9321
Ай бұрын
From my experience, most of the time the hack is done from inside from a compromised technician or user, who has his/she's own reason to open a leak path in the IT system of the company. And that type of threat is not a cyber security issue but in some cases a bad and corrupted person. Of course it is more attractive to promote such a situation also as a hacker attack ... I'm really concerned about the OS which are running on IoT devices, routers etc. which are nowadays mostly a derivative of Linux. And such of "firmware" are really easy to compromise. In many cases much information is left over from the guys who worked on the development of such a "firmware". Even on high end tools too...
It would be pretty easy to write a TCPIP client and server listener to transfer files via Ping, but you’d need to know C lang, Rust, Java, or some other low system level language. I could write in it C++ in an hour, and in C# in a few minutes.
U can detect and stop that, but you need a packet sniffer. There are a couple of types; howver, if you are this concerned, just block ping and run have your firewall run a full memory duplication of all data sent and/or received. This software that does this is freeware, but the hardware required is steep. We’re talking about GBs of RAM being copied and needing to be saved to a HD, per day and per client machine with access to the internet.
never thought about that , i normally block ping just to limit the amount of bots trying to hammer passwords , no reply = bot normally moves on , I normally only respond to list of IP's in the list allowed to talk to
@plaintextpackets
Ай бұрын
Limiting which devices can ping is a must
So this won't be detected under any SIEM tool? I mean it's not marked as suspicious with this many ping traffic?
@plaintextpackets
Ай бұрын
If the volume is high enough it will get marked, if you keep the rate to a reasonable level it likely wouldn't. However if an organization has left ping open to end user workstations I would assume they don't have a good SIEM tool
Good job !🤓
Great content, keep going
@plaintextpackets
Ай бұрын
Thanks, will do!
A word of caution. This technique is quite old and fairly well known among the skullduggerous. You can get things past a lot of sysops like this, but ISPs and tier-1 routers take an interest when they see unusual ICMP traffic, so don't try anything you wouldn't want to be seen.
@plaintextpackets
Ай бұрын
The send rate you choose will definitely be important in order to not raise suspicion.
love the thumbnail
This is really cool! Could this method be used to transfer a binary file (e.g. image, video, application)?
@lbgstzockt8493
Ай бұрын
I don’t see why not, nothing is stopping you from just transmitting the bytes as characters and interpreting them as bytes on your receiver machine.
@davidgari3240
Ай бұрын
@@lbgstzockt8493uuencode has entered the chat.
@plaintextpackets
Ай бұрын
Absolutely it could
I had a similar idea but instead using DNS. DNS is interesting because the traffic is often forwarded via at least one internal server and maybe more. So long as the queries are kind of random caching shouldn't be an issue. With DNS you can also send data back to control the program. Kind of scary.
@plaintextpackets
Ай бұрын
You’re right! I did a video showing dns exfiltration as well in a simple way
Noobie here, Wouldn't most network monitoring tools notice all that traffic? Especially if the packet sizes are abnormal, that then compounds with the fact that if you are exfiltrating large amounts of file data, you would need 'n*x' packets in order to move 'n' files, right? The quantity of packets should be greater than the quantity of files. could be quiiiite a bit of traffic. Unless of course each packet captures a whole file's worth of data? I guess to counter my point you could add custom delay to each ping in order to obfuscate things.
@plaintextpackets
Ай бұрын
So if you’re sending terabytes of files it may be noticed, but if you keep the send rate at a reasonable amount the volume of traffic would be
Often data security depends on the people with access being trustworthy.
damn, did not know this about ping...
Router/firewall should simply null out the optional data packet of ICMP. That doesn’t totally eliminate the problem, but it does drastically slow the data rate since any “data” would have to be encoded in unused bits/bytes of the header. There are similar mitigation approaches you can apply to the other portions of the ICMP packet, and you can use rate limiting of ICMP to make any such attempt impractical for data longer than a password.
@plaintextpackets
Ай бұрын
IMO I’d rather not spend firewall processing cycles on inspecting ICMP if only some devices need it. In that case I would just use policy to only permit those IPs to connect to the internet and block everything else. But if you needed it open and had a vendor that could re-write / inspect icmp in real time that would work too
@geoffstrickler
Ай бұрын
@@plaintextpackets You’re spending the processing time already to filter them out. Simply nulling out the optional data portion isn’t going to have any material impact on performance. Similar argument for rate limiting. Low CPU cost for each.
An easier way to send data is to take the file, whether .TXT, or other file format, and just change the extension to .JPG and email it wherever you want. I don't think anyone checks every single email to make sure the picture files are legitimate, especially if you're sending a lot of actual picture files around the same time frame. BTW, this would allow a lot larger payload than a few characters in a ping command. Perhaps this might fit in the topic of steganography.
@MarkStoddard
Ай бұрын
Using your corporate email? That’s definitely logged
@plaintextpackets
Ай бұрын
They have email scanners which inspect the contents of all files regardless of extension. And I think Exchange offers this service when using O365
@bite-sizedshorts9635
Ай бұрын
@@MarkStoddard But that was many years ago, and being a law firm, I think they were deleting old email so it couldn't be available in discovery.
Cool ))
Interesting video, thnx for sharing! Be careful with that TTS intro btw, I almost immediately left, thinking the whole video would be TTS.
@plaintextpackets
Ай бұрын
Noted!
clever
In theory, this could a low level networking threat if end users have access to elevated permissions to install external tools. Crafting a custom icmp packet through windows native tools is just almost impossible. Unless the end user is using powershell, c and raw socket. Even then, that had its own limitations. I wouldn't worry too much when end users are not able to install third party tools without elevated permissions. There are potential risk that they can download a portable tool that does this 🤔. But as long as you habe your policy set up correctly to not allow unkown exe from running, you should be fine 😅.
@plaintextpackets
2 ай бұрын
Agreed, however in my experience most large orgs either don’t have proper network access control, or don’t lock down admin access properly to workstations, or do silly things like mix guest wifi with prod, etc
@bluesirva3574
2 ай бұрын
you are a hacker's wet dream.. given you are not capable of writing a paragraph without missing entire words and a few spelling mistakes to boot, it can be reasonably assumed that any policy, security or otherwise, set up by you would be of similar quality.. the smug smiley at the end, made me smile too.. BTW, have you ever tried say the Non-Administrative chocolatey install to start with..
@UnfiItered
2 ай бұрын
@@bluesirva3574 lol thanks for the judgmental comment on my work ethic based on the structure of my comment. I will strive to better myself at writing // after working 12-16 hour shifts. I also might consider turning on auto correct on my phone and allow them to collect algorithmic data on my typing habits. But my comment was based off the very little knowledge I know of in the network, infrastructure, group policy and scripting/programming world. Luckily, I don't do any of that and is just a end user who knows enough to get by my daily job. Luckily, anything done and or made by me has not have any major security concerns yet to date. Unluckily, we're only a multi-billion dollar company that deals with both commercials and military contracts 😥. Unluckily, we have to manage roughly around 600 employees and 300 contractors average each site. Thanks for the constructive criticism though, I will take it to heart.
@UnfiItered
2 ай бұрын
@@plaintextpackets yeah, our workplace policy are pretty strict. Even when grabbing print drivers from our own internal print server, elevated access is needed. I thought print nightmare was a ghost of the past but hey. Can't say anything about other corps because I don't have much experience working with other corps.
@khatharrmalkavian3306
Ай бұрын
Me and my ethernet mitm dongle are smiling at you.
I have tried to monitor the icmp packets on the target host using tcpdump. I do not see the message. Can someone help me with this?
@plaintextpackets
Ай бұрын
Join the discord we can help
Isn't it true that only those employees could pull this off who are already allowed to have a tool that can run Python scripts on their company laptop? Also, why would someone do this instead of saving files on a pendrive?
@plaintextpackets
Ай бұрын
Many orgs lock down usb drive usage as well as direct internet communication, also if you have developers working for you chances are they have elevated privileges on their machines
@alittax
Ай бұрын
@@plaintextpackets Good points, thank you.
Nice video. +1 sub
U can specify a port to ping different from the default. FYI. ;)
Do you know how i would run this if i have a vm in my computer
@plaintextpackets
Ай бұрын
It would need to be a Linux VM but yes you can run it from that
would this work on a windows PC running WSL?
@plaintextpackets
Ай бұрын
The video showing the windows version comes out tomorrow
Is Windows also susceptible to the ping exfiltration? The video says script is for Linux?
@plaintextpackets
Ай бұрын
I have a video coming on Friday to show the windows method :-)
🤜🤛
create an api, have a header that describes the expected data, beginning of payload, end of payload, base64 encode the payload, exfiltrate whatever you want.
@plaintextpackets
2 ай бұрын
Exactly
With same method, one can use any access to transfer data.
There is a practical use of this in real world scenario, or it is just a demo of what you can do with ping? If you want to send data from a ping prohibited network to another internet location you can just email it... I really cannot see a practical use of this 😊
@MarkStoddard
Ай бұрын
You’re going to send an email to an external address containing data you’re stealing using your corporate account? I guess if you could use a colleague’s computer, email as them, and send to an anonymous temp email address
@plaintextpackets
Ай бұрын
All emails are monitored in secured corporate settings. So is web traffic to websites.
@yamiljaskolowski3288
Ай бұрын
Oh... this is for steal. Maybe there is more practical ways to get data without even use the network. Ok, I get it, I didn't even think about it. Now I can see, the point is to learn how other people can cheat your security to steal your data and maaaybe how to prevent it.
One one side this is cool, but on the other side there are w million other, less suspicious and easier ways to exfiltrate data behind firewalls without even needing root.
Generator requires Admin rights? Who are you giving those rights to, and why?
@plaintextpackets
Ай бұрын
Common example of this would be a developer. Lots of companies give developers MacBook with admin rights to do their dev work
You did the wire shark on from the sender side 🤣
@plaintextpackets
Ай бұрын
🤪 for simplicity! Actually I’m releasing one soon showing the windows method and it will demonstrate the remote end capture as well
are u on linkedin
@plaintextpackets
2 ай бұрын
I am but keep it private
DLP = data loss prevention not digital loss prevention. Otherwise good video.
@plaintextpackets
Ай бұрын
D’oh!
So, I need to try that on my company's internal network. Being a smart ass... get a rise.
@plaintextpackets
Ай бұрын
Pointing out security flaws proactively is a great way to build your reputation at work 👍🏽
the shocking part is even they have a ssl you can still read the username and paasword which is information.
Why does it need root? If you have root, you already have an issue.....
@plaintextpackets
Ай бұрын
In Linux to craft custom packets you need root. But in my windows version video I show a method that doesn’t require root at all
@1337GameDev
Ай бұрын
@@plaintextpackets Really? Why? That's so strange.... You can create a socket in code, and send any arbitrary data you want.... But I guess that's a network layer up in the OSI model
So, where's the part where you PULL data with the ping... ?
Ping is usually blocked by firewall at any half competent setup
@plaintextpackets
Ай бұрын
I agree people should, in experience many do not to their own detriment
i'm come in 😊
Ping should be disabled outbound for all user subnets. Your firewall should be allowed to ping, because IPv6 depends on pinging to determine the correct MTU size and it also allows PMTUD to work correctly. Blocking ping completely will result in degraded functionality I think. Also, if you have a UTM worth a damn, you could also easily detect and prevent exfiltration
5:43 ICMP is not layer 4, IMHO
@plaintextpackets
Ай бұрын
No you’re right technically it’s layer 3
@AlexeyElishaVoloshin
Ай бұрын
@@plaintextpackets Right. The question is why Wireshark displays it this way so it's seems to be layer 4?
@plaintextpackets
Ай бұрын
I think it’s difficult to dissect an ICMP packet which has an IP layer without showing the ip layer as distinct. This is why I was confused as well. ARP is also a layer3 protocol but does not use IP addressing and thus it only has three layers of dissection. IMO ICMP is really layer 4 in practice but technically layer 3 I agree
It's not a vulnerability, because it does not harm a system. However, it could be used for infiltration. Why would you give root access to random people? That's the hazard!
I would add, blocking ping is nice, but it still gives a response back to someone doing recon. This can then be used of course to fingerprint the outside router/firewall. A better option in my opinion is to drop the packets. No response, no information being exfiltrated, data go poof. It's not a perfect solution of course, as nothing is perfect, but it does give less data.
@plaintextpackets
Ай бұрын
Agreed
I iodine'd stuff in 2011 already. Lol
If you have internet access at your enterprise, that’s a big vulnerability. You should go disable that at your firewall at your enterprise. Very risky to have internet these days. 🙄. /s
Not if u have a good network gateway team.
@plaintextpackets
Ай бұрын
Those are in short supply 🤣
This is already sanitised in large security conscious networks, nothing new. Same with time server packets and many more, not even just for ex filtrations, but for protection against padding out packets incase of ddos bots getting in. Nothing novel about it in the last 20 years.
Could have crunched that down to half the video length
@plaintextpackets
2 ай бұрын
Probably!
@christopherstaples6758
Ай бұрын
but why , it was under 30 mins , decent length with ongoing info
Little league. Use TTL.
@plaintextpackets
Ай бұрын
I thought about that but TTL will change in transit from src to dst and if you have multiple paths between it may not be a predictable change
@dougaltolan3017
Ай бұрын
@@plaintextpackets sure, a bit of noise reduction and error correction would be required.
@plaintextpackets
Ай бұрын
@dougaltolan3017 take a look at the version I did for windows, I used the packet length to encode the data there