While working at a Community College, I had written a C# application that use WinPCAP library to do just what was explained in the article. I was able to receive information at my home from inside the college network using the wireless network. Granted, wireless networks are generally guest only but with the link outside of the network it wouldn't be difficult to move information from a "donor" system over to my laptop and then transfer it. I could also possibly sniff information and save and transfer that (or just save and walk out through the front door). Well, after demonstrating the process, the security guy and I came up with specific rules for our IPS to monitor pings (allowing them to still be of use) by clearing the data portion of the packet to zero's and allowing to continue on.

@plaintextpackets

Ай бұрын

Nice!

@toddzillaswrist

Ай бұрын

Thats really awesome!

@aicccooocococ

Ай бұрын

with replacing the data with 0s, was it a set amount of 0s or just replaced every character in the data with 0?

@Skaffa

Ай бұрын

​@@aicccooocococ good question

@LittleRainGames

Ай бұрын

​@@aicccooocococ oohh smart

You are gonna help me a lot in my journey to becoming a Network/Security Engineer, Thank for such an easy explanation

@plaintextpackets

Ай бұрын

Glad to hear that!

This is brilliant. Thanks to the algorithm to suggest your videos !!!

Well made video and it looks like you have others that are on networking topics. You gained a new sub! Nice work on how clearly you explained things!

@plaintextpackets

2 ай бұрын

Thanks and welcome!

also block SIP then, or any other protocol that allows unbound data into outbound packets (unbound being not strictly required by the protocol intself) That said, this clip is an excellent wakeup call to people that care about security but might not have the techie skills.

@plaintextpackets

Ай бұрын

Protocols like SIP should be blocked from user workstations if going directly out to the internet, instead calls should be routed through an SBC for proper logging and monitoring

This is amazing. Thank you.

Exfiltration of data can be easily done by a simple http:-, oder https:-connection from a browser, accessing a form, that allows you to POST any file to a capture-point. I did such a thing, when I had to build a miniaturized IP-bug in an RJ45 patch-cable for my Govt. The contraption was powered by ethernet-signals (typically +/-2.5V). A microphone picked up the voices. After preamplification and AGC-ing, it went into the ADC of a MCU, that accessed a html-form from it's TCP/IP stack and exfiltrated the encrypted and base64-coded audio data in chunks to the computer of an intelligence officer.

@plaintextpackets

Ай бұрын

In typical enterprise scenarios HTTP or other common web protocols aren’t permitted directly through the perimeter to the web, rather the traffic is proxies where it is logged, possibly decrypted and inspected. I explain this a bit more in the next video.

@dominikvonlavante6113

Ай бұрын

Https cannot be decryted on route. It is MITM attack proof. That is, if you have full control over the client.

@plaintextpackets

Ай бұрын

@dominikvonlavante6113 in enterprise settings they have that control and can install custom certs on workstations to perform MITM and inspect HTTPS. Check out Broadcom SSLV as an example

@debrainwasher

Ай бұрын

@@plaintextpackets Who cares, when HTTP, or SSL-Connections are proxied? DPI-Firewalls (Deep Packet Inspection, like e.g. Fortinet) can only see gibberish from a G.729-encoded, encrypted and Base64-encoded audio-stream. If there should be any problem, there is always a beauty in every commercial, military and intelligence network: SIP and/or SSIP. According to my experience, there is nothing more unsuspicious within SIP-context, than an audio stream, transmitted by SIP-RTP/UDP data-packets.

@muskrat7312

Ай бұрын

​​@@debrainwasherit depends on the company. In a company that actually cares and securing things correctly, you won't be allowed to send that traffic outbound at all. Only a few companies actually go this far but in those setups outbound internet is blocked and only the proxy is allowed out. Then you would need to authenticate to the proxy (usually) and surf. The proxy would not allow 100% access either and might be whitelisted for server access or for user access a heavily restricted set of categories etc may be allowed. But it won't allow all protocols, etc.

Crystal clear , well done . Thank you …

I would be much more worried if Joe Blow from accounting got root access on a machine inside the corporate network.

great vid! what do you use to create your thumbnails?

if you allow pings, you could deny pings that have any optional data fields, or strip the optional field entirely

@plaintextpackets

2 ай бұрын

Yes if your firewall can do that, I use PaloAltos which are enterprise grade and they can’t.

@petew5130

Ай бұрын

@@plaintextpackets Path MTU Discovery (PMTUD) would like to have a word. Bummer about the lack of blocking certain payloads, you should at least be able to block/allow PANs based on ICMP types. Great video, though; most people don't know about all the protocol options.

@stevenclarke4228

Ай бұрын

Even if you only allowed empty pings, you could encode a timing based way to code pings. A lot slower, but maybe that’s ok for small or high value payloads…

@stevenclarke4228

Ай бұрын

Further to the last comment, you could also send commands back into the network from outside by encoding the replies and non responses…

@pauldwalker

Ай бұрын

@@stevenclarke4228 if you use that as an exfiltration vector, then any allowed network connectivity will enable this attack. the moral of the story is, if you want to secure your computers and network, you cannot allow any external network connectivity at all.

SoftetherVPN can open a VPN tunnel over ICMP. It not as stable/fast as the normal SSL or Ipsec tunnel, but it comes handy, if some NGFW blocks common ports to outside.

@plaintextpackets

Ай бұрын

That’s an awesome option to have

Simple and cool video.... nicely explained .....great work

Loved this!

Man great videos, keep it up. You are hatsoff one of the best network security youtuber

@plaintextpackets

Ай бұрын

Thank you so much 😀

Very interesting 👌

Bro this is dope as hell, I never would have thought of this

@etcetc3800

Ай бұрын

You should check your computer or phone if someone is doing it to you

Really interesting, thanks for sharing!

Thanks for the education, and you explained it clean, good s××t..

Blocking ICMP traffic can be unhealthy for your internet bound services. ICMP is used for more then just pinging around. Simply blocking it at your firewall can result in severe latency problems and killing throughput for cloud services your company might use and if you don't know what you do, you will search forever for the reason.

@plaintextpackets

Ай бұрын

Icmp is needed for these services but should be selectively permitted by policy and not allowed from end user workstations

@McClane6666

Ай бұрын

@@plaintextpackets that't not how it works. check Path MTU Discovery for an instance. and that's just one application of icmp. if the application can't dynamicly apply proper a MTU, you will be in a world of pain with 1000 people sharing one internet connection.

@AbstractType1

Ай бұрын

Jumbo packets use ICMP for comms back to client for DF

@dermick

Ай бұрын

Completely agree. I've seen so many problems caused by people that just "blOcK EVErytHInG, for seCUriTY" - then they complain that their networks are slow and unreliable.

Basically, we need two VM for demonstration with one vm as reciever and other as sender. And we send packets which the reciever vm detects through wireshark ? Is my understanding Correct ?

Thank you.

@plaintextpackets

Ай бұрын

You're welcome!

Wouldn't it be possible to just fill in the ICMP packages that are going out( probably on the firewall or on a special server) with random bits, store the original data and when the package comes back fill the original data in those?

@plaintextpackets

Ай бұрын

In theory but it takes processing power to rewrite packets. It would be simpler to block icmp from workstations and only permit select devices using firewall policy

just limit the packet length to that of echo-request and echo-reply only. anything bigger gets dropped. If you network engineers need to test MTU or something that requires optional data, you have them put in a request for a certain time frame, and only allow ICMP from that source. Then when they're done, you revert it back. easy defense.

From the demo, it wasn't clear how you stuff ping packets without root access. Still a good demonstration why ping should be blocked. Even if data couldn't be stuffed into ping packets, another ping exploit could use the timing of ping packets to encode and exfiltrate data.

@plaintextpackets

Ай бұрын

You do need root for this for sure, I have seen companies however who either don’t have network access control in place (so anyone can plug into the LAN), or allow some users admin rights for development work, etc. This is totally preventable if you have the right access layer and device control. But at the same time I would also restrict icmp on firewalls to only devices which need it

As long as you’re not being watched (seems like you’re not) you could display screens of data to be recorded by your personal camera. Even if you’re being watched you could conceal it. How common are “no phone zones” at enterprises for this reason?

@plaintextpackets

Ай бұрын

This is sadly how a lot of data is still exfiltrated today. Corporations can mandate use of their own phones but can’t stop someone from using a personal device and snapping photos or video. Work from home makes that even easier to do. I haven’t worked in any organizations which ban personal phones on site but I’d imagine certain military tech teams would

@RowanHawkins

Ай бұрын

Instant termination is the result if caught with a phone in those facilities. If you are an insider, rather than a phone there are other camera options which don't look like cameras that would be much better options.

A while ago somebody on yt made a video titled "Harder drives" and one of the things he did was store data in the pings and repeatedly ping random slow servers with it. In the time that said ping was in transit, he wasn't keeping it locally and it was effectively stored on the internet. EDIT: Found it kzread.info/dash/bejne/fJd-tblwgtPYmdI.html

@notaras1985

24 күн бұрын

😮😮😮😮

When enterprise networks allow outbound access to any unauthorized server, it's possibile to pass data, it just comes down to how much data, and how fast. You could encode data in http requests with a simple '?data' append, all the way to using single binary bit transmissions using timed requests (albeit VERY slow, digital equivalent of blinking in Morse code on a video stream)

Much of the early Internet infrastructure is not secure. Different goals back then. I sometimes leave a bait system running inside a network for a day with Sniffnet to see what comes up, it's never pretty.

@plaintextpackets

19 күн бұрын

One of my earliest memories on the internet was of the Hotmail.com “forget my password” page. You entered your email and then checked the source, and the password was right there. Different times

Run the same stuff on the other end and you got yourself a ping-powered walkie-talkie. 😎

@plaintextpackets

Ай бұрын

I’d love to code a voice app which uses ping!

@DerSolinski

Ай бұрын

@@plaintextpackets If you do, please call it Echochamber...

The firewall could just randomize the data allowing regular ping to work as expected. As a power user having to complain to ISPs about outages often, I'd rather see it working. Yes, one could time those messages and send them to different IPs to encode some information, but at that point, an attacker could just generate a bunch of QR codes on screen and take photos with their phone. No root required and it would have reasonable data rate.

Ok. Thank you for this valuable info you shared, but I have some questions here. Everything is ok and I understand everything, but what I don't understand is the part how this can be a security issue? There are so many other options to send and receive data compared to this technique. There are so many issues which the hacker needs to overcome before he can use this technique. I really don't see clearly how this kind of "attack" compromises anything? In the end, you can't send gigs of data, you probably need to sit in front of the victim PC etc. etc.. I really would be happy to see this attack in a real situation, how would it end up. It looks to me like if we talk about a brake system in a car where there is a question "what if somebody compromises the brake pads?" That car would probably have breaking issues. But that doesn't mean you should not leave your car in an open parking yard. Where is the real deal with this ping problem?

@plaintextpackets

Ай бұрын

Good question, many high security corporate environments (banks, governments, etc) monitor and / or lock down most obvious forms of communication to the outside world. This is mainly to prevent employees themselves from leaking data outside of proper channels. So if these companies have already put mitigations in place for web traffic, email, but still allow ping it leaves the door open for data to leave.

@christianrobertadzic9321

Ай бұрын

From my experience, most of the time the hack is done from inside from a compromised technician or user, who has his/she's own reason to open a leak path in the IT system of the company. And that type of threat is not a cyber security issue but in some cases a bad and corrupted person. Of course it is more attractive to promote such a situation also as a hacker attack ... I'm really concerned about the OS which are running on IoT devices, routers etc. which are nowadays mostly a derivative of Linux. And such of "firmware" are really easy to compromise. In many cases much information is left over from the guys who worked on the development of such a "firmware". Even on high end tools too...

It would be pretty easy to write a TCPIP client and server listener to transfer files via Ping, but you’d need to know C lang, Rust, Java, or some other low system level language. I could write in it C++ in an hour, and in C# in a few minutes.

U can detect and stop that, but you need a packet sniffer. There are a couple of types; howver, if you are this concerned, just block ping and run have your firewall run a full memory duplication of all data sent and/or received. This software that does this is freeware, but the hardware required is steep. We’re talking about GBs of RAM being copied and needing to be saved to a HD, per day and per client machine with access to the internet.

never thought about that , i normally block ping just to limit the amount of bots trying to hammer passwords , no reply = bot normally moves on , I normally only respond to list of IP's in the list allowed to talk to

@plaintextpackets

Ай бұрын

Limiting which devices can ping is a must

So this won't be detected under any SIEM tool? I mean it's not marked as suspicious with this many ping traffic?

@plaintextpackets

Ай бұрын

If the volume is high enough it will get marked, if you keep the rate to a reasonable level it likely wouldn't. However if an organization has left ping open to end user workstations I would assume they don't have a good SIEM tool

Good job ！🤓

Great content, keep going

@plaintextpackets

Ай бұрын

Thanks, will do!

A word of caution. This technique is quite old and fairly well known among the skullduggerous. You can get things past a lot of sysops like this, but ISPs and tier-1 routers take an interest when they see unusual ICMP traffic, so don't try anything you wouldn't want to be seen.

@plaintextpackets

Ай бұрын

The send rate you choose will definitely be important in order to not raise suspicion.

love the thumbnail

This is really cool! Could this method be used to transfer a binary file (e.g. image, video, application)?

@lbgstzockt8493

Ай бұрын

I don’t see why not, nothing is stopping you from just transmitting the bytes as characters and interpreting them as bytes on your receiver machine.

@davidgari3240

Ай бұрын

​@@lbgstzockt8493uuencode has entered the chat.

@plaintextpackets

Ай бұрын

Absolutely it could

I had a similar idea but instead using DNS. DNS is interesting because the traffic is often forwarded via at least one internal server and maybe more. So long as the queries are kind of random caching shouldn't be an issue. With DNS you can also send data back to control the program. Kind of scary.

@plaintextpackets

Ай бұрын

You’re right! I did a video showing dns exfiltration as well in a simple way

Noobie here, Wouldn't most network monitoring tools notice all that traffic? Especially if the packet sizes are abnormal, that then compounds with the fact that if you are exfiltrating large amounts of file data, you would need 'n*x' packets in order to move 'n' files, right? The quantity of packets should be greater than the quantity of files. could be quiiiite a bit of traffic. Unless of course each packet captures a whole file's worth of data? I guess to counter my point you could add custom delay to each ping in order to obfuscate things.

@plaintextpackets

Ай бұрын

So if you’re sending terabytes of files it may be noticed, but if you keep the send rate at a reasonable amount the volume of traffic would be

Often data security depends on the people with access being trustworthy.

damn, did not know this about ping...

Router/firewall should simply null out the optional data packet of ICMP. That doesn’t totally eliminate the problem, but it does drastically slow the data rate since any “data” would have to be encoded in unused bits/bytes of the header. There are similar mitigation approaches you can apply to the other portions of the ICMP packet, and you can use rate limiting of ICMP to make any such attempt impractical for data longer than a password.

@plaintextpackets

Ай бұрын

IMO I’d rather not spend firewall processing cycles on inspecting ICMP if only some devices need it. In that case I would just use policy to only permit those IPs to connect to the internet and block everything else. But if you needed it open and had a vendor that could re-write / inspect icmp in real time that would work too

@geoffstrickler

Ай бұрын

@@plaintextpackets You’re spending the processing time already to filter them out. Simply nulling out the optional data portion isn’t going to have any material impact on performance. Similar argument for rate limiting. Low CPU cost for each.

An easier way to send data is to take the file, whether .TXT, or other file format, and just change the extension to .JPG and email it wherever you want. I don't think anyone checks every single email to make sure the picture files are legitimate, especially if you're sending a lot of actual picture files around the same time frame. BTW, this would allow a lot larger payload than a few characters in a ping command. Perhaps this might fit in the topic of steganography.

@MarkStoddard

Ай бұрын

Using your corporate email? That’s definitely logged

@plaintextpackets

Ай бұрын

They have email scanners which inspect the contents of all files regardless of extension. And I think Exchange offers this service when using O365

@bite-sizedshorts9635

Ай бұрын

@@MarkStoddard But that was many years ago, and being a law firm, I think they were deleting old email so it couldn't be available in discovery.

Cool ))

Interesting video, thnx for sharing! Be careful with that TTS intro btw, I almost immediately left, thinking the whole video would be TTS.

@plaintextpackets

Ай бұрын

Noted!

clever

In theory, this could a low level networking threat if end users have access to elevated permissions to install external tools. Crafting a custom icmp packet through windows native tools is just almost impossible. Unless the end user is using powershell, c and raw socket. Even then, that had its own limitations. I wouldn't worry too much when end users are not able to install third party tools without elevated permissions. There are potential risk that they can download a portable tool that does this 🤔. But as long as you habe your policy set up correctly to not allow unkown exe from running, you should be fine 😅.

@plaintextpackets

2 ай бұрын

Agreed, however in my experience most large orgs either don’t have proper network access control, or don’t lock down admin access properly to workstations, or do silly things like mix guest wifi with prod, etc

@bluesirva3574

2 ай бұрын

you are a hacker's wet dream.. given you are not capable of writing a paragraph without missing entire words and a few spelling mistakes to boot, it can be reasonably assumed that any policy, security or otherwise, set up by you would be of similar quality.. the smug smiley at the end, made me smile too.. BTW, have you ever tried say the Non-Administrative chocolatey install to start with..

@UnfiItered

2 ай бұрын

@@bluesirva3574 lol thanks for the judgmental comment on my work ethic based on the structure of my comment. I will strive to better myself at writing // after working 12-16 hour shifts. I also might consider turning on auto correct on my phone and allow them to collect algorithmic data on my typing habits. But my comment was based off the very little knowledge I know of in the network, infrastructure, group policy and scripting/programming world. Luckily, I don't do any of that and is just a end user who knows enough to get by my daily job. Luckily, anything done and or made by me has not have any major security concerns yet to date. Unluckily, we're only a multi-billion dollar company that deals with both commercials and military contracts 😥. Unluckily, we have to manage roughly around 600 employees and 300 contractors average each site. Thanks for the constructive criticism though, I will take it to heart.

@UnfiItered

2 ай бұрын

@@plaintextpackets yeah, our workplace policy are pretty strict. Even when grabbing print drivers from our own internal print server, elevated access is needed. I thought print nightmare was a ghost of the past but hey. Can't say anything about other corps because I don't have much experience working with other corps.

@khatharrmalkavian3306

Ай бұрын

Me and my ethernet mitm dongle are smiling at you.

I have tried to monitor the icmp packets on the target host using tcpdump. I do not see the message. Can someone help me with this?

@plaintextpackets

Ай бұрын

Join the discord we can help

Isn't it true that only those employees could pull this off who are already allowed to have a tool that can run Python scripts on their company laptop? Also, why would someone do this instead of saving files on a pendrive?

@plaintextpackets

Ай бұрын

Many orgs lock down usb drive usage as well as direct internet communication, also if you have developers working for you chances are they have elevated privileges on their machines

@alittax

Ай бұрын

@@plaintextpackets Good points, thank you.

Nice video. +1 sub

U can specify a port to ping different from the default. FYI. ;)

Do you know how i would run this if i have a vm in my computer

@plaintextpackets

Ай бұрын

It would need to be a Linux VM but yes you can run it from that

would this work on a windows PC running WSL?

@plaintextpackets

Ай бұрын

The video showing the windows version comes out tomorrow

Is Windows also susceptible to the ping exfiltration? The video says script is for Linux?

@plaintextpackets

Ай бұрын

I have a video coming on Friday to show the windows method :-)

🤜🤛

create an api, have a header that describes the expected data, beginning of payload, end of payload, base64 encode the payload, exfiltrate whatever you want.

@plaintextpackets

2 ай бұрын

Exactly

With same method, one can use any access to transfer data.

There is a practical use of this in real world scenario, or it is just a demo of what you can do with ping? If you want to send data from a ping prohibited network to another internet location you can just email it... I really cannot see a practical use of this 😊

@MarkStoddard

Ай бұрын

You’re going to send an email to an external address containing data you’re stealing using your corporate account? I guess if you could use a colleague’s computer, email as them, and send to an anonymous temp email address

@plaintextpackets

Ай бұрын

All emails are monitored in secured corporate settings. So is web traffic to websites.

@yamiljaskolowski3288

Ай бұрын

Oh... this is for steal. Maybe there is more practical ways to get data without even use the network. Ok, I get it, I didn't even think about it. Now I can see, the point is to learn how other people can cheat your security to steal your data and maaaybe how to prevent it.

One one side this is cool, but on the other side there are w million other, less suspicious and easier ways to exfiltrate data behind firewalls without even needing root.

Generator requires Admin rights? Who are you giving those rights to, and why?

@plaintextpackets

Ай бұрын

Common example of this would be a developer. Lots of companies give developers MacBook with admin rights to do their dev work

You did the wire shark on from the sender side 🤣

@plaintextpackets

Ай бұрын

🤪 for simplicity! Actually I’m releasing one soon showing the windows method and it will demonstrate the remote end capture as well

are u on linkedin

@plaintextpackets

2 ай бұрын

I am but keep it private

DLP = data loss prevention not digital loss prevention. Otherwise good video.

@plaintextpackets

Ай бұрын

D’oh!

So, I need to try that on my company's internal network. Being a smart ass... get a rise.

@plaintextpackets

Ай бұрын

Pointing out security flaws proactively is a great way to build your reputation at work 👍🏽

the shocking part is even they have a ssl you can still read the username and paasword which is information.

Why does it need root? If you have root, you already have an issue.....

@plaintextpackets

Ай бұрын

In Linux to craft custom packets you need root. But in my windows version video I show a method that doesn’t require root at all

@1337GameDev

Ай бұрын

@@plaintextpackets Really? Why? That's so strange.... You can create a socket in code, and send any arbitrary data you want.... But I guess that's a network layer up in the OSI model

So, where's the part where you PULL data with the ping... ?

Ping is usually blocked by firewall at any half competent setup

@plaintextpackets

Ай бұрын

I agree people should, in experience many do not to their own detriment

i'm come in 😊

Ping should be disabled outbound for all user subnets. Your firewall should be allowed to ping, because IPv6 depends on pinging to determine the correct MTU size and it also allows PMTUD to work correctly. Blocking ping completely will result in degraded functionality I think. Also, if you have a UTM worth a damn, you could also easily detect and prevent exfiltration

5:43 ICMP is not layer 4, IMHO

@plaintextpackets

Ай бұрын

No you’re right technically it’s layer 3

@AlexeyElishaVoloshin

Ай бұрын

@@plaintextpackets Right. The question is why Wireshark displays it this way so it's seems to be layer 4?

@plaintextpackets

Ай бұрын

I think it’s difficult to dissect an ICMP packet which has an IP layer without showing the ip layer as distinct. This is why I was confused as well. ARP is also a layer3 protocol but does not use IP addressing and thus it only has three layers of dissection. IMO ICMP is really layer 4 in practice but technically layer 3 I agree

It's not a vulnerability, because it does not harm a system. However, it could be used for infiltration. Why would you give root access to random people? That's the hazard!

I would add, blocking ping is nice, but it still gives a response back to someone doing recon. This can then be used of course to fingerprint the outside router/firewall. A better option in my opinion is to drop the packets. No response, no information being exfiltrated, data go poof. It's not a perfect solution of course, as nothing is perfect, but it does give less data.

@plaintextpackets

Ай бұрын

Agreed

I iodine'd stuff in 2011 already. Lol

If you have internet access at your enterprise, that’s a big vulnerability. You should go disable that at your firewall at your enterprise. Very risky to have internet these days. 🙄. /s

Not if u have a good network gateway team.

@plaintextpackets

Ай бұрын

Those are in short supply 🤣

This is already sanitised in large security conscious networks, nothing new. Same with time server packets and many more, not even just for ex filtrations, but for protection against padding out packets incase of ddos bots getting in. Nothing novel about it in the last 20 years.

Could have crunched that down to half the video length

@plaintextpackets

2 ай бұрын

Probably!

@christopherstaples6758

Ай бұрын

but why , it was under 30 mins , decent length with ongoing info

Little league. Use TTL.

@plaintextpackets

Ай бұрын

I thought about that but TTL will change in transit from src to dst and if you have multiple paths between it may not be a predictable change

@dougaltolan3017

Ай бұрын

@@plaintextpackets sure, a bit of noise reduction and error correction would be required.

@plaintextpackets

Ай бұрын

@dougaltolan3017 take a look at the version I did for windows, I used the packet length to encode the data there