ICMP module

Balazs Bucsay edited this page Jun 2, 2018 · 3 revisions

Base protocol: ICMP
Type: Stateless
Parent: Stateless

Introduction

The ICMP transport module uses ICMP type 0 and type 8 packets to transmit data. These are the well-known packet types used by the ping utility. The client sends a type 8 ICMP message (echo/ping request) whose payload carries an IP packet, and the server responds with a type 0 ICMP message (echo/ping reply) carrying a payload of its own. One of the best properties of these message types is that the payload can be as large as 65507 bytes (65535 minus the IP and ICMP headers), but because of fragmentation it is not really worth using more than the MTU.

This module works just like the Generic UDP one, with some additions. The ICMP header contains two interesting fields:

  • identifier
  • sequence number

The identifier is usually a random number that identifies the stream. Every packet sent by the client must use the same identifier, so that the "connection" between the two endpoints can be recognized. The sequence number starts from 0 and is incremented with every packet. The server must answer with a not-yet-answered sequence number and the same identifier.
If the network is NAT'd or a firewall tracks the packets, then:

  • only one response can be sent per request; burnt sequence numbers cannot be reused without a new request
  • multiple responses with the same identifier and sequence number will be dropped
  • responses cannot be sent without requests (upstream traffic has to be generated even if there is nothing to send)
  • some NAT solutions or firewalls have a threshold: if the difference between the request and response sequence numbers is too high, the response will be dropped.

The module handles all of the problems mentioned above:

  • It sends keep-alives to generate upstream traffic
  • The server can request more ICMP echo requests (type 8) so that it has requests to answer with responses
  • Queuing is introduced for this
  • Threshold checks are implemented so that the request and response sequence numbers do not drift too far apart
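The following added example (not XFLTReaT's own code) models the bookkeeping the text describes: it builds and parses ICMP echo packets with the identifier and sequence number fields, and a small stateful middlebox model applies the four NAT/firewall rules listed above, which is why the server needs queued replies and keep-alive requests. The threshold value and all packet contents are constructed for illustration.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type, code, checksum, identifier, sequence number, then payload."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, identifier, sequence, payload); a valid packet checksums to 0."""
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]


class StatefulMiddlebox:
    """Model of a NAT/firewall tracking echo traffic (threshold is an assumed value):
    one reply per request, duplicates dropped, unsolicited replies dropped,
    replies lagging too far behind the newest request dropped."""

    def __init__(self, threshold: int = 10):
        self.threshold = threshold
        self.pending = {}   # identifier -> set of unanswered sequence numbers
        self.last_req = {}  # identifier -> highest request sequence seen

    def request(self, pkt: bytes) -> bool:
        icmp_type, ident, seq, _ = parse_echo(pkt)
        if icmp_type != ICMP_ECHO_REQUEST:
            return False
        self.pending.setdefault(ident, set()).add(seq)
        self.last_req[ident] = max(self.last_req.get(ident, 0), seq)
        return True

    def reply(self, pkt: bytes) -> bool:
        icmp_type, ident, seq, _ = parse_echo(pkt)
        if icmp_type != ICMP_ECHO_REPLY or seq not in self.pending.get(ident, ()):
            return False  # unsolicited or duplicate reply: dropped
        self.pending[ident].discard(seq)  # sequence number is burnt either way
        return self.last_req[ident] - seq <= self.threshold  # too far behind: dropped
```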

When to use

The client's network allows ICMP type 8 and type 0 packets, which basically means that you can ping servers on the Internet.

Hint: ping 8.8.8.8

Configuration

[ICMP]
enabled = yes

enabled

The value of this attribute is either yes or no. If it is set to yes, the module is initiated when the framework is started.

Firewall rules on the server

Allow incoming ICMP echo requests (type 8).

Restrictions

Only Linux allows ICMP processing in general, or ICMP echo packet processing specifically, to be disabled. Any other operating system will process the packet and, if it is an echo request, answer it. The only solution against this is to set up a firewall rule that filters out the packet, and just before that have a kernel-level capture component (libpcap, WinPcap, Microsoft Network Monitor) capture the soon-to-be-filtered packet.
Although this could be implemented in the framework, the return on investment does not look promising. It is simply recommended to use a Linux server to run this module in server mode.
