A weaponized ping implementation that includes concealed data in the packet payload.
WeaponizedPingDemonstration.mp4
This vulnerability exploits the fact that ICMP Echo Request packets have a significantly greater MTU than is required. Because an ICMP packet has a maximum MTU of 1500 bytes, subtracting the bytes required to send the header leaves 1472 bytes of payload space left to contain any data we wish (it has no format to comply with).
This is an ICMP Echo Request packet generated by the classic "ping" command found in every operating system:
The payload of this packet is only 48 bytes.
This, on the other hand, is a packet generated by weaponized ping:
Instead, the payload of this packet is 520 bytes. As mentioned earlier, within the payload of a weaponized ping any information can be included, in this case the following information is sent:
- MAC Address of the main network card
- Information about all network cards in the system (ip address, subnet mask, broadcast address)
- Public IP address
- DNS servers used
The data sent within the payload is encrypted using an RSA-4096 public key.
For a generation of the key pair needed to send data securely, you can run the keygen.py script found in the utility folder:
python3 utility/keygen.pyThis script will generate the following files within the current working folder:
-
receiver.pem- Public key
-
private.pem- Private key
Once the attacker manages to intercept the packet generated by the weaponized ping, and succeeds in exporting
the contents of the payload within a file (see video demonstration for more information), it is possible to perform
decrypt the information using the decrypt-dump.py scripty found in the utility folder, specifying the
location of the dump to be decrypted and the associated private key needed:
python3 utility/decrypt-dump.py -k <PRIVATE KEY> -f <DUMP FILE>This is an example of a payload (decrypted) sent to the attacker:
b"3E:22:FB:BE:86:0F|en0:[{'addr': '10.21.48.210', 'netmask': '255.255.240.0', 'broadcast': '10.21.63.255'}]|en1:[{'addr': '82:5c:4e:23:14:01'}]|en2:[{'addr': '82:5c:4e:23:14:00'}]|awdl0:[{'addr': 'b2:8e:f0:97:d1:15'}]|llw0:[{'addr': 'b2:8e:f0:97:d1:15'}]|en3:[{'addr': 'ac:de:48:00:11:22'}]|en8:[{'addr': '169.254.81.191', 'netmask': '255.255.0.0'}]|en9:[{'addr': '169.254.189.118', 'netmask': '255.255.0.0'}]||DNS:195.176.49.70,195.176.49.72|PUBLIC:195.176.44.50"
Each type of information in the payload is separated by a pipe ('|') to facilitate its extraction/reading by the user. This is the order of the information present:
- Mac Address
- Information related to the network interfaces
- DNS Servers
- Public IP