ICMP protocol with Wireshark
Unlike the Transport Control Protocol (TCP) and User Datagram Protocol (UDP), the Internet Control Message Protocol (ICMP) is not designed for carrying data.
While ICMP packets do have a data section, their purpose is not to wrap and carry protocols like HTTP and DNS. Instead, ICMP is designed as a low-level management protocol for the internet. It carries error messages and implements simple management functions.
Learn Incident Response
As a result, an organization’s ICMP traffic should largely be confined inside the network boundary, but it is a common protocol to see in network traffic captures.
ICMP in Wireshark
As an error messaging protocol, the structure of an ICMP packet is designed to provide the necessary information to the recipient. Error data in ICMP is carried in two values: the type and the code.
As shown above, the type of an ICMP packet contains the overall message that the message is intended to convey. For example, a type value of 3 means that the intended destination is unreachable.
For some types, there are multiple code values intended to provide additional information. For example, a type 3 ICMP message with a 0 code points to issues with the destination network, while a 1 code means that the issue is that the particular host is unreachable.
While many ICMP messages are designed to be sent as error messages in response to packets of other protocols, some are designed to implement standalone functionality.
The purpose of ping is to determine if the system at a certain IP address exists and is currently functional, and that a route to that system can be found. Typing ping into the Windows or Linux terminal will send a series of ping packets and provide a percentage value for the reachability of the destination based upon the number of ping requests that received a response.
The images below show an ICMP ping request and response in Wireshark.
As shown above, a ping packet (and any ICMP packet in general) is fairly simple. The first two values in the packet are the type and code, indicating the purpose of the packet. Next, the packet contains a checksum, which is important since a single bit flip in the type or code can convey a completely different error message.
After that, ping packets contain identifiers and sequence numbers. Since ICMP is a stateless protocol, these values help to match a response received by the sender to the corresponding request.
ICMP analysis for incident response
The ICMP protocol is designed to provide error information and perform simple diagnostic actions (like ping) i.e incident response. As such, even passive monitoring of ICMP traffic on a network can provide a wealth of data to an adversary. Eavesdropping on ICMP packet can help to identify the hosts on a network and if certain systems are up, down or malfunctioning.
However, an attacker can also actively use ICMP in a number of different ways. Two of the most common are using the protocol for network scanning/mapping and for data exfiltration and command-and-control.
Scanning
The ICMP protocol is crucial to the operation of the ping and traceroute protocols. Ping involves sending an ICMP ping request and looking for an ICMP ping response. Traceroute, on the other hand, uses UDP packets for requests and ICMP for responses.
The primary purpose of these protocols is to determine if a system at a particular IP address exists and is operational. As a result, they can be used for mapping a network during the reconnaissance phase of an attack. ICMP packets should be blocked at the network boundary, and unusual ICMP traffic from a host may indicate scanning by an attacker in preparation for lateral movement through the network.
Data exfiltration
As an error handling/diagnostic protocol, ICMP is not intended for carrying data. The intended message of each ICMP packet is contained in its type value. However, the ICMP protocol can be abused for data exfiltration.
One way of accomplishing this is by passing data in the ICMP type field itself. An example of this is shown in the packet capture below.
As shown above, Wireshark identifies many of the ICMP packets in the capture as obsolete or malformed. However, not all of these packets are identified as such. The reason for this is that, by chance, the data that ICMP is being abused to carry occasionally has a value that matches a valid ICMP type value.
For example, notice that many of the “valid” ICMP packets are identified as Echo (ping) replies. The type value for a ping reply is zero, meaning that packets 6982–6986 are simply a series of null characters in the exfiltrated file.
The summary of the ICMP packets provided by Wireshark does not show the actual values being carried by the malformed ICMP packets. However, this data is visible in each individual packet summary. The image above is the summary of the first malformed ICMP packet, which has a type value of 71. The exfiltrated file can be reassembled manually using Wireshark or more efficiently using a tool like the scapy package in Python.
This is only one way that ICMP can be used for data exfiltration. In the screenshots of the ping request and response shown earlier, the data contained in the packets is all zeros; however, this is not necessary for the protocol to function. Placing non-zero data in ping packets is another way to abuse ICMP for command-and-control and is another reason why ICMP packets should be blocked at the network perimeter.
Conclusion: Investigating ICMP traffic in Wireshark
ICMP traffic is mainly intended to carry error messages, so any ICMP traffic on the network may be of interest. However, ICMP can also be deliberately abused by an attacker and used for scanning and data exfiltration.
Learn Network Traffic Analysis for Incident Response
Sources
- ICMP: The Good, the Bad, and the Ugly, Security Evaluators
- SampleCaptures, Wireshark
- Analyzing Data Exfiltration over ICMP, sec.alexflor.es
Learn Network Traffic Analysis for Incident Response
Get hands-on experience with nine courses covering how to collect, identify, extract and analyze network traffic. What you'll learn:- Traffic analysis case studies
- Common network threats
- Data analysis methods
- Tools like Wireshark
- And more
In this Series
- ICMP protocol with Wireshark
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
- How to Use AlientVault SIEM for Threat Detection & Incident Response
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool