2004
03.21

This paper introduces the reader to an ICMP-based communication type (implemented by hooking a particular syscall). With this technique it is possible to start a client/server communication without opening a port on the remote system. A basic knowledge of the C language and of syscall hooking is required.

This technique will be used to open a client/server communication, without opening any ports, by creating a dialogue like this:
Client -> Filter -> Interpreter

The filter hooks the “icmp_rcv()” syscall, changing the way ICMP packets are received: each packet’s “code_no” is compared against a preset list of MAGIC CODES. Based on the “code_no” received, the filter calls the interpreter, which resides in user space, via “execve()”, so that the required action is executed using the environment associated with the matching MAGIC CODE.

The client in this case isn’t really important; it only automates the configuration of the ICMP packets and of their “code_no” through a simple prompt. Nothing that a simple packet generator couldn’t do. This type of communication is totally anonymous: there will be no logs, and the IP address is spoofed by using a raw ICMP socket. Unfortunately, the commands we are able to execute on the remote system are limited to the MAGIC CODES stored in the interpreter, and we will not have our own bound shell.
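The technique above depends on ICMP messages carrying a “code_no” that no standard sender would use, which is also what a defender can key on. The following is an added example, not code from the paper or its author: it parses a raw ICMP message, verifies the checksum, and flags type/code pairs outside the standard assignments. VALID_CODES, inspect_icmp and build_icmp are names assumed here, and the sample packets are constructed for the test.

```python
import struct

# Standard type -> code assignments (RFC 792, with the RFC 1122/1812
# unreachable codes). Any other pair is treated as suspicious. (assumed table)
VALID_CODES = {
    0: {0},                 # echo reply
    3: set(range(0, 16)),   # destination unreachable
    4: {0},                 # source quench
    5: {0, 1, 2, 3},        # redirect
    8: {0},                 # echo request
    9: {0},                 # router advertisement
    10: {0},                # router solicitation
    11: {0, 1},             # time exceeded
    12: {0, 1, 2},          # parameter problem
    13: {0}, 14: {0},       # timestamp request / reply
    15: {0}, 16: {0},       # information request / reply
    17: {0}, 18: {0},       # address mask request / reply
}

def icmp_checksum(data: bytes) -> int:
    """Internet (ones'-complement) checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def inspect_icmp(pkt: bytes) -> dict:
    """Parse an ICMP message (header + payload, IP header already stripped)
    and report whether its type/code pair is one a normal host would emit."""
    if len(pkt) < 8:
        return {"ok": False, "reason": "truncated"}
    icmp_type, code, _cksum = struct.unpack("!BBH", pkt[:4])
    # Summing the message with its checksum field included yields 0 if intact.
    checksum_ok = icmp_checksum(pkt) == 0
    suspicious = code not in VALID_CODES.get(icmp_type, set())
    return {"ok": True, "type": icmp_type, "code": code,
            "checksum_ok": checksum_ok, "suspicious": suspicious}

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed sample message (echo-style 8-byte header) for testing."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)
    cksum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, cksum, 0x1234, 1) + payload
```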

The code examples are well documented and show the creation of a simple client/server communicating via ICMP packets.

by evil: [url=http://deepquest.code511.com/blog/images/uploads/txt/icmprcv.pdf]download[/url] the ICMP paper
