While ICMP packets do have a data section, their purpose is not to wrap and carry protocols like HTTP and DNS. Instead, ICMP is designed as a low-level management protocol for the internet. It carries error messages and implements simple management functions.  As a result, an organization’s ICMP traffic should largely be confined inside the network boundary, but it is a common protocol to see in network traffic captures.

ICMP in Wireshark

As an error messaging protocol, the structure of an ICMP packet is designed to provide the necessary information to the recipient. Error data in ICMP is carried in two values: the type and the code.

As shown above, the type of an ICMP packet identifies the overall message that the packet is intended to convey. For example, a type value of 3 means that the intended destination is unreachable. For some types, there are multiple code values that provide additional detail. For example, a type 3 ICMP message with code 0 points to a problem with the destination network, while code 1 means that the particular host is unreachable. While many ICMP messages are designed to be sent as error messages in response to packets of other protocols, some implement standalone functionality. The purpose of ping is to determine whether the system at a certain IP address exists and is currently functional, and whether a route to that system can be found. Typing ping into a Windows or Linux terminal sends a series of ping packets and reports a percentage summarizing the reachability of the destination, based on how many of the ping requests received a response. The images below show an ICMP ping request and response in Wireshark.

As shown above, a ping packet (and any ICMP packet in general) is fairly simple. The first two values in the packet are the type and code, indicating the purpose of the packet. Next, the packet contains a checksum, which is important since a single bit flip in the type or code can convey a completely different error message. After that, ping packets contain identifiers and sequence numbers. Since ICMP is a stateless protocol, these values help to match a response received by the sender to the corresponding request.
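To make the layout concrete, here is a small parser for the fields just described (type, code, checksum, identifier, sequence number) that also verifies the Internet checksum the way a receiver does. This is an added example, not code from the original article: the packets are constructed in the script, and the type/code name tables are a readable subset of the IANA registry rather than a complete list.

```python
import struct

# Type and code names for the handful of ICMP messages this page discusses
# (a subset of the IANA registry, listed here for readability).
ICMP_TYPES = {
    0: "Echo reply",
    3: "Destination unreachable",
    8: "Echo request",
    11: "Time exceeded",
}
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement of the one's-complement
    sum of all 16-bit words (an odd trailing byte is padded with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum. `rest` is the
    4-byte remainder of the header (identifier + sequence for echo)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = inet_checksum(unchecked)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request (type 8) or echo reply (type 0) with identifier/sequence."""
    return build_icmp(icmp_type, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode the fields Wireshark shows for an ICMP packet and verify the
    checksum: summing the whole message including the checksum field must
    give zero if the packet is intact."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    info = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "other/unassigned"),
        "code": code,
        "checksum": csum,
        "checksum_ok": inet_checksum(packet) == 0,
    }
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", packet[4:8])
        info["payload"] = packet[8:]
    elif icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "other")
    return info


if __name__ == "__main__":
    # Constructed echo request: 32 zero bytes of data, like the capture in the text.
    request = build_echo(8, 0x1234, 1, b"\x00" * 32)
    print(parse_icmp(request))
    # Flip the type from 8 to 0 without recomputing the checksum: the packet
    # now claims to be a reply, and the checksum check catches the change.
    tampered = bytes([0]) + request[1:]
    print(parse_icmp(tampered)["checksum_ok"])   # False
```

The tampered packet illustrates the point about the checksum: a single changed byte in the type field turns a request into a reply, and the only thing in the header that exposes it is a checksum mismatch.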

ICMP analysis for incident response

The ICMP protocol is designed to provide error information and perform simple diagnostic actions (like ping). As such, even passive monitoring of ICMP traffic on a network can provide a wealth of data to an adversary. Eavesdropping on ICMP packets can help to identify the hosts on a network and whether certain systems are up, down, or malfunctioning. However, an attacker can also actively use ICMP in a number of different ways. Two of the most common are using the protocol for network scanning/mapping and for data exfiltration and command-and-control.

Scanning

The ICMP protocol is crucial to the operation of the ping and traceroute tools. Ping involves sending an ICMP echo (ping) request and looking for an ICMP echo (ping) reply. Traceroute, on the other hand, sends UDP packets as its probes and relies on ICMP packets for the responses. The primary purpose of these tools is to determine whether a system at a particular IP address exists and is operational. As a result, they can be used to map a network during the reconnaissance phase of an attack. ICMP packets should be blocked at the network boundary, and unusual ICMP traffic from a host may indicate scanning by an attacker in preparation for lateral movement through the network.
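The "unusual ICMP traffic from a host" the paragraph mentions can be turned into a concrete check. The script below is an added example, not part of the original article: it runs two simple detections over a constructed flow log (one line per ICMP packet with timestamp, source, destination, type and code), flagging a source that sends echo requests to many distinct hosts inside a short window, and counting echo requests that never drew a reply, which is what sweeping a sparsely populated range looks like. The log format, thresholds and addresses are all assumptions.

```python
from collections import defaultdict

# Constructed flow log (not from a real capture): "epoch src dst icmp_type icmp_code".
# Host 10.0.0.5 pings seven different hosts within a few seconds; 10.0.0.9
# pings a single gateway, the kind of benign traffic a monitoring box produces.
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.1 8 0
1700000000 10.0.0.1 10.0.0.5 0 0
1700000001 10.0.0.5 10.0.0.2 8 0
1700000001 10.0.0.5 10.0.0.3 8 0
1700000002 10.0.0.5 10.0.0.4 8 0
1700000002 10.0.0.5 10.0.0.6 8 0
1700000003 10.0.0.5 10.0.0.7 8 0
1700000005 10.0.0.9 10.0.0.1 8 0
1700000005 10.0.0.1 10.0.0.9 0 0
1700000100 10.0.0.5 10.0.0.8 8 0
"""

ECHO_REQUEST = 8
ECHO_REPLY = 0


def parse_flow_log(text: str):
    """Turn the whitespace-separated log lines into (ts, src, dst, type, code) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, icmp_type, code = line.split()
        records.append((int(ts), src, dst, int(icmp_type), int(code)))
    return records


def detect_ping_sweeps(records, window: int = 60, min_targets: int = 5) -> dict:
    """Return {source: peak distinct targets} for sources that sent echo requests
    to at least `min_targets` distinct destinations inside any `window`-second span."""
    requests = defaultdict(list)
    for ts, src, dst, icmp_type, _ in records:
        if icmp_type == ECHO_REQUEST:
            requests[src].append((ts, dst))
    alerts = {}
    for src, events in requests.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


def unanswered_requests(records) -> dict:
    """Count echo requests per source whose destination never replied:
    a sweep of a range with few live hosts leaves many of these behind."""
    replied = {(src, dst) for _, src, dst, t, _ in records if t == ECHO_REPLY}
    counts = defaultdict(int)
    for _, src, dst, t, _ in records:
        if t == ECHO_REQUEST and (dst, src) not in replied:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("sweep candidates:", detect_ping_sweeps(recs))      # {'10.0.0.5': 6}
    print("unanswered requests:", unanswered_requests(recs))  # {'10.0.0.5': 6}
```

Both checks key on echo requests only; a traceroute-style probe shows up instead as a burst of Time Exceeded (type 11) replies arriving at one host from successive routers, so the same per-source windowing can be applied to inbound type 11 if that is the pattern you want to surface.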

Data exfiltration

As an error handling/diagnostic protocol, ICMP is not intended for carrying data. The intended message of each ICMP packet is contained in its type value. However, the ICMP protocol can be abused for data exfiltration. One way of accomplishing this is by passing data in the ICMP type field itself. An example of this is shown in the packet capture below.

As shown above, Wireshark identifies many of the ICMP packets in the capture as obsolete or malformed. However, not all of these packets are identified as such. The reason for this is that, by chance, the data that ICMP is being abused to carry occasionally has a value that matches a valid ICMP type value. For example, notice that many of the “valid” ICMP packets are identified as Echo (ping) replies. The type value for a ping reply is zero, meaning that packets 6982–6986 are simply a series of null characters in the exfiltrated file.

The summary of the ICMP packets provided by Wireshark does not show the actual values being carried by the malformed ICMP packets. However, this data is visible in each individual packet summary. The image above is the summary of the first malformed ICMP packet, which has a type value of 71. The exfiltrated file can be reassembled manually using Wireshark or more efficiently using a tool like the scapy package in Python. This is only one way that ICMP can be used for data exfiltration. In the screenshots of the ping request and response shown earlier, the data contained in the packets is all zeros; however, this is not necessary for the protocol to function. Placing non-zero data in ping packets is another way to abuse ICMP for command-and-control and is another reason why ICMP packets should be blocked at the network perimeter.
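The two indicators this section describes (types that are neither assigned nor merely deprecated, and echo packets whose data section is not the expected all-zero content) can be checked in a few lines once the capture has been decoded to raw ICMP bytes. The script below is an added example rather than code from the original article or from scapy: it audits a constructed sequence of ICMP messages and reassembles the byte stream carried in the type field, which is the manual reassembly step the paragraph mentions. The type registry table is a simplified subset kept to entries I am sure of, and the packets, addresses and payloads are constructed for the demonstration.

```python
import struct

# Simplified view of the IANA ICMP type registry (assumption: only the entries
# I am sure of are listed; consult the registry for an authoritative table).
ASSIGNED_TYPES = {0, 3, 5, 8, 9, 10, 11, 12, 13, 14, 40, 42, 43}
DEPRECATED_TYPES = {4, 6, 15, 16, 17, 18, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39}


def classify_type(icmp_type: int) -> str:
    """Roughly what Wireshark's 'obsolete or malformed' label keys on:
    a type that is neither currently assigned nor merely deprecated."""
    if icmp_type in ASSIGNED_TYPES:
        return "assigned"
    if icmp_type in DEPRECATED_TYPES:
        return "deprecated"
    return "unassigned"


def make_icmp(icmp_type: int, code: int = 0, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed test packet; the checksum is left zero because we only parse."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1) + payload


def audit_icmp_stream(packets) -> dict:
    """Summarise a sequence of raw ICMP messages for exfiltration indicators."""
    types = [p[0] for p in packets]
    by_class = {"assigned": 0, "deprecated": 0, "unassigned": 0}
    for t in types:
        by_class[classify_type(t)] += 1
    # Echo request/reply with a non-zero data section. The captures in the text
    # carried all-zero data, so anything else is worth a look; real ping tools
    # use their own fixed patterns, so tune this baseline to your hosts.
    nonzero_echo = sum(1 for p in packets if p[0] in (0, 8) and any(p[8:]))
    return {**by_class, "nonzero_echo_payloads": nonzero_echo, "total": len(types)}


def recover_type_stream(packets) -> bytes:
    """Reassemble the bytes a type-field channel carries, in capture order.
    Valid-looking packets are kept too: a type of 0 is a null byte of the
    file, which is exactly why Wireshark labels some of them 'Echo (ping) reply'."""
    return bytes(p[0] for p in packets)


if __name__ == "__main__":
    # Constructed capture: the ASCII bytes of "Go\x00\x00" carried in the type
    # field, followed by two ordinary echo requests, one with non-zero data.
    capture = [make_icmp(t) for t in b"Go\x00\x00"]
    capture.append(make_icmp(8))
    capture.append(make_icmp(8, payload=b"ping-me!"))
    print(audit_icmp_stream(capture))
    print(recover_type_stream(capture[:4]))   # b'Go\x00\x00'
```

A high share of unassigned types from a single source is the strongest signal here; the null bytes show why filtering on Wireshark's "malformed" label alone would drop parts of the carried data, so the reassembly keeps every packet in the suspect stream.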

Conclusion: Investigating ICMP traffic in Wireshark

ICMP traffic is mainly intended to carry error messages, so any ICMP traffic on the network may be of interest. However, ICMP can also be deliberately abused by an attacker and used for scanning and data exfiltration. 
