Thursday, March 4, 2010

ICMP Tunneling


ICMP Tunneling

  • Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable.
  • Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol.
  • ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access, or control a compromised system.
The Internet Control Message Protocol is an adjunct to the IP layer. It is a connectionless protocol used to convey error messages and other information to unicast addresses . ICMP packets are encapsulated inside of IP datagram. The first 4-bytes of the header are same for every ICMP message, with the remainder of the header differing for different ICMP message types. There are 15 different types of ICMP messages.

The ICMP types we are concerned with are type ox8 and type 0x8. ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 0x8 indicates an ICMP _ECHO (the query). The normal course of action is for a type 0x8 to elicit a type 0x0 response from a listening server. (Normally, this server is actually the OS kernel of the target host. Most ICMP traffic is, by default, handled by the kernel). This is what the ping program does.
The concept of ICMP Tunneling involves arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets and using them to carry the payload.
Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable. Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange.
Therefore, as a matter of consequence, covert channels are impossible to detect and deter using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion.
This makes it an attractive mode of transmission for a Trojan. The attacker can use the covert channel and install the backdoor on the target machine.
The concept of ICMP Tunneling is simple: arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. This exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate (tunnel) any information we want.
Hacking Tool: Loki

  • Loki was written by daemon9 to provide shell access over ICMP making it much more difficult to detect than TCP or UDP based backdoors.
  • As far as the network is concerned, a series of ICMP packets are shot back and forth: Ping, Pong-response. As far as the attacker is concerned, commands can be typed into the loki client and executed on the server.
This program is a working proof-of-concept to demonstrate that data can be transmitted rather stealthily across a network by hiding it in traffic that normally does not contain payloads. The example code in the original Phrack magazine can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a UNIX system after root access has been compromised. Presence of LOKI on a system is evidence that the system has been compromised in the past.
Although the payload of ICMP packet is often timing information, there is no check by any device as to the content of the data. So, as it turns out, this amount of data can also be arbitrary in content as well. Therein lies the covert channel. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, covert channels are impossible to detect and deter using a system's normal security policy.
Loki exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. It can be used as a backdoor into a system by providing a covert method of getting commands executed on a target machine. The LOKI packet with a forged source IP address will arrive at the target (and will elicit a legitimate ICMP_ECHOREPLY, which will travel to the spoofed host, and will be subsequently dropped silently) and can contain the 4-byte IP address of the desired target of the Loki response packets, as well as 51-bytes of malevolent data.
The important aspect of Loki is that routers, firewalls, packet-filters, dual-homed hosts all can serve as conduits for Loki. A surplus of ICMP_ECHOREPLY packets with a garbled payload can be ready indication the channel is in use. The standalone Loki server program can be easily detected. However, if the attacker can keep traffic on the channel down to a minimum, and was to hide the Loki server inside the kernel, detection is almost impossible.
Loki Countermeasures

  • Configure your firewall to block ICMP incoming and outgoing echo packets.
  • Blocking ICMP will disable ping request and may cause inconvenience to users.
  • So you need to carefully decide on security Vs convenience.
  • Loki also has the option to run over UDP port 53 (DNS queries and responses.)
Disable external ICMP_ECHO traffic entirely. This does have serious implications to normal network management since it does affect network communication management within the local segment. However, this can be configured to allow internal ping traffic and disable packets coming from the outside.
Disable ICMP_ECHO_REPLY traffic on a Cisco router. Security implications make this a prudent choice.
Ensure that the routers are configured to not send ICMP_UNREACHABLE error packets to hosts that do not respond to ARPs.
........................................................................................................................... ..................................................
........................................................................................................................... .................................................. 

0 comments:

Post a Comment