网安 - 专业的网络安全产业、社区、知识平台

NIDS(suricata) 中的 ICMP隐蔽隧道检测

VSole2021-12-24 08:32:25

介绍

我们先介绍一下 ICMP协议,ICMP的内容是放在ip数据包的数据部分里传输的,ICMP是基于IP协议工作的,我们要区别于传输层,它仍然属于网络层协议。ICMP报文包含在IP数据报中,IP报头在ICMP报文的最前面。一个ICMP报文包括IP报头(至少20字节)、ICMP报头(至少八字节)和ICMP报文(属于ICMP报文的数据部分)。当IP报头中的协议字段值为1时,就说明这是一个ICMP报文。ICMP报文如下图所示:

从上图看,也就是说,我们重点关注 Checksum 字段和Data字段,因为我们改变Data字段的时候,Checksum也要改变,我们把我们的payload或者数据放到Data字段里面即可.我们分别使用,Linux和Windows测试一下, Linux ping 发出的Data的内容为 :!\"#$%&'()*+,-./01234567 , Windows ping 的发出的Data的内容为 abcdefghijklmnopqrstuvwabcdefghi

如图,我们用wireshark抓的包

安装

我们测试一下,Linux 的icmp 的隐藏后门ish,如果是Windows,推荐 icmpsh,

受控机CentOS7 :172.19.25.53

控制机Parrot Linux :172.19.25.73

我们在受控机上编译(make linux),启动 ishd,在控制机上启动 ./ish 172.19.25.53

我们可以在 Data 里面可以看到一个ls

我们可以在响应里面发现 相关目录的数据

可以看出,payload 是放在Data字段的

我们总结一下ICMP隐蔽隧道的特征:

1、ICMP隧道短时间会产生大量 ICMP 数据包,用来数据发送,可能存在大于 64 比特的数据包。

2、ICMP隧道发送的 ICMP 数据包前后Data字段不一样,而且响应数据包中 payload 跟请求数据包不一致。

3、ICMP 数据包的协议标签可能存在特殊字段。例如,icmptunnel 会在所有的 ICMP Data 前面增加 ‘TUNL’ 标记以用于识别隧道

4,Data 里面可能存在一些系统命令

防御和检测手段:

1,禁止 ping(不太可能),会影响到很多运维和安全检测设备的运行。

2,ICMP Data字段 形成一个白名单,不在白名单内的告警

pass icmp any any -> any any (msg:"Whitecap: OSX or Linux ICMP Echo Request"; icode:0; itype:8; dsize:56; content:"!\"#$%&'()*+,-./01234567"; classtype:misc-activity; sid:5110001; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: OSX or Linux ICMP Echo Reply"; icode:0; itype:0; dsize:56; content:"!\"#$%&'()*+,-./01234567"; classtype:misc-activity; sid:5110002; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Windows XP/7/8 ICMP Echo Request"; icode:0; itype:8; dsize:32; content:"abcdefghijklmnopqrstuvwabcdefghi"; classtype:misc-activity; sid:5110003; rev:1; nocase;)
pass icmp any any -> any any (msg:"Whitecap: Windows XP/7/8 ICMP Echo Reply"; icode:0; itype:0; dsize:32; content:"abcdefghijklmnopqrstuvwabcdefghi"; classtype:misc-activity; sid:5110004; rev:1; nocase;)
pass icmp any any -> any any (msg:"Whitecap: Nmap ICMP Echo Request"; icode:0; itype:8; dsize:0; classtype:misc-activity; sid:5110005; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Nmap ICMP Echo Reply"; icode:0; itype:0; dsize:0; classtype:misc-activity; sid:5110006; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Group Policy Slow Link Detection"; icode:0; itype:8; dsize:>1400; content:"WANG2"; classtype:misc-activity; sid:5110007; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Group Policy Slow Link Detection"; icode:0; itype:0; dsize:>1400; content:"WANG2"; classtype:misc-activity; sid:5110008; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Solarwinds Status Query"; icode:0; itype:8; dsize:23; content:"SolarWinds Status Query"; classtype:misc-activity; sid:5110009; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Solarwinds Status Query"; icode:0; itype:0; dsize:23; content:"SolarWinds Status Query"; classtype:misc-activity; sid:5110010; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Domain Controller ICMP Traffic"; icode:0; itype:8; dsize:1; content:"?"; classtype:misc-activity; sid:5110011; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Domain Controller ICMP Traffic"; icode:0; itype:0; dsize:1; content:"?"; classtype:misc-activity; sid:5110012; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: McAfee ICMP ping Request"; icode:0; itype:8; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; offset:3; classtype:misc-activity; sid:5110013; rev:2;)
pass icmp any any -> any any (msg:"Whitecap: McAfee ICMP ping Reply"; icode:0; itype:0; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; offset:3; classtype:misc-activity; sid:5110014; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Lots of Xs"; icode:0; itype:8; dsize:32; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; classtype:misc-activity; sid:5110015; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Lots of Xs"; icode:0; itype:0; dsize:32; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; classtype:misc-activity; sid:5110016; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: DHCP ICMP Duplicate IP Check"; icode:0; itype:8; dsize:11; content:"DhcpIcmpChk"; classtype:misc-activity; sid:5110017; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: DHCP ICMP Duplicate IP Check"; icode:0; itype:0; dsize:11; content:"DhcpIcmpChk"; classtype:misc-activity; sid:5110018; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Solarwinds ICMP Version 5"; icode:0; itype:8; dsize:<80; content:"SolarWinds.Net ICMP Version 5.0.4.16Copyright  1995-2005 SolarWinds.Net"; classtype:misc-activity; sid:5110019; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Solarwinds ICMP Version 5"; icode:0; itype:0; dsize:<80; content:"SolarWinds.Net ICMP Version 5.0.4.16Copyright  1995-2005 SolarWinds.Net"; classtype:misc-activity; sid:5110020; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Solarwinds Sonar ICMP Scan"; icode:0; itype:8; dsize:24; content:"Orion Network Sonar Scan"; classtype:misc-activity; sid:5110021; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: Solarwinds Sonar ICMP Scan"; icode:0; itype:0; dsize:24; content:"Orion Network Sonar Scan"; classtype:misc-activity; sid:5110022; rev:1;)
pass icmp any any -> $DNS_SERVERS any (msg:"Whitecap: ICMP to DNS Servers"; icode:0; itype:8; dsize:<57; classtype:misc-activity; threshold:type limit, track by_src, count 1, seconds 60; sid:5110500; rev:2;) 
pass icmp any any -> $DNS_SERVERS any (msg:"Whitecap: ICMP to DNS Servers"; icode:0; itype:0; dsize:<57; classtype:misc-activity; threshold:type limit, track by_src, count 1, seconds 60; sid:5110501; rev:2;) 
pass icmp any any -> any any (msg:"Whitecap: Domain controller to domain controller"; icode:0; itype:8; dsize:32; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; threshold:type limit, track by_src, count 1, seconds 60; sid:5110502; rev:2;)
pass icmp any any -> any any (msg:"Whitecap: Domain controller to domain controller"; icode:0; itype:0; dsize:32; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; threshold:type limit, track by_src, count 1, seconds 60; sid:5110503; rev:2;)
pass icmp any any -> any any (msg:"Whitecap: All As"; icode:0; itype:8; dsize:64; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; classtype:misc-activity; sid:5110504; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: All As"; icode:0; itype:0; dsize:64; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; classtype:misc-activity; sid:5110505; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: All 0s"; icode:0; itype:8; dsize:56; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:5110506; rev:1;)
pass icmp any any -> any any (msg:"Whitecap: All 0s"; icode:0; itype:0; dsize:56; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:5110507; rev:1;)
pass icmp [$ICMP_SRC_HOSTS_IGNORE] any -> any any (msg:"ICMP Pass: Ignore Hosts"; icode:0; itype:8; classtype:misc-activity; sid:5111000; rev:1;)
pass icmp [$ICMP_SRC_HOSTS_IGNORE] any -> any any (msg:"ICMP Pass: Ignore Hosts"; icode:0; itype:0; classtype:misc-activity; sid:5111001; rev:1;)
pass icmp any any -> [$ICMP_DST_HOSTS_IGNORE] any (msg:"ICMP Pass: Ignore Hosts"; icode:0; itype:8; classtype:misc-activity; sid:5111002; rev:1;)
pass icmp any any -> [$ICMP_DST_HOSTS_IGNORE] any (msg:"ICMP Pass: Ignore Hosts"; icode:0; itype:0; classtype:misc-activity; sid:5111003; rev:1;)

3,检测包大于多少,或者发送频率高于某个数,报警

alert icmp any any -> any any (msg:"Whitecap Echo Request Payload > 100 bytes"; icode:0; itype:8; dsize:>100; classtype:misc-activity; sid:5113000; rev:1;)
alert icmp any any -> any any (msg:"Whitecap Echo Reply Payload > 100 bytes"; icode:0; itype:0; dsize:>100; classtype:misc-activity; sid:5113001; rev:1;)

4, 检测 Data里面包含的特殊字段报警(例子是检测base64)

drop icmp any any -> any any (msg:"LOCAL ICMP Large ICMP Packet (Base64)"; dsize:>800; content:"="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.notsosecure.com/2015/10/15/icmp-tunnels-a-case-study/; classtype:bad-unknown; sid:1000028; rev:1;)
icmpdata
本作品采用《CC 协议》,转载必须注明作者和本文链接
NIDS(suricata) 中的 ICMP隐蔽隧道检测
2021-12-24 08:32:25
一个ICMP报文包括IP报头、ICMP报头和ICMP报文。当IP报头中的协议字段值为1时,就说明这是一个ICMP报文。
信息熵在ICMP隧道检测中的实践
2021-11-02 14:02:41
ICMP协议通常用来测试网络通不通、主机可不可达、路由可不可用。宅男们打游戏时也常用来ping一下,看看延迟高不高,太高迅雷就得关一关了。 而网络攻击者通过ICMP协议,可以进行隧道传输,实现数据窃取,规避掉一些防火墙规则。 如何检测这种隧道?用传统的签名无法对抗负载加密,复杂的统计比对让检测引擎不堪重负,准确率也不高。 而基于ICMP常规的通讯数据和攻击时产生的畸形数据,利用信息熵来分析,
浅析Icmp原理及隐蔽攻击的方式
2021-11-26 06:38:49
它是TCP/IP协议簇的一个子协议,用于在IP主机、路由器之间传递控制消息。这些控制消息虽然并不传输用户数据,但是对于用户数据的传递起着重要的作用ICMP协议主要提供两种功能,一种是差错报文,一种是信息类报文。标识符和序号字段分别是16 位的字段。对于标识符,应用程序执行期间送出的所有报文里填入相同的值。例如,icmptunnel会在所有的ICMP payload前添加”TUNL”标记来识别隧道。
ICMPWatch:一款功能强大的ICMP数据包嗅探工具
2023-11-06 14:55:17
ICMPWatch是一款功能强大的ICMP数据包嗅探工具,该工具基于Python 3开发,可以帮助广大研究人员捕捉和分析ICMP(Internet控制报文协议)数据包。该工具能提供有关捕捉数据包的详细信息,包括数据包源IP地址、目标IP地址、MAC地址、ICMP类型以及Payload数据等。除此之外,该工具还支持将捕捉到的数据包存储到SQLite数据库中,并以pcap格式保存。
CTF—流量分析题型整理总结
2021-10-13 06:38:17
我见过的流量分析类型的题目总结: 一,ping 报文信息? 二,上传/下载文件 三,sql注入攻击 四,访问特定的加密解密网站 五,后台扫描+弱密码爆破+菜刀 六,usb流量分析 七,WiFi无线密码破解 八,根据一组流量包了解黑客的具体行为例题:一,ping 报文信息?如果是菜刀下载文件的流量,需要删除分组字节流前开头和结尾的X@Y字符,否则下载的文件会出错。
内网渗透-判断内网连通性
2022-01-15 07:10:02
判断内网的连通性是指判断机器能否上外网等。需要综合判断各种协议及端口通信的方式。
CyberScan – 网络取证工具包
2023-05-10 13:55:56
CyberScan是一个开源的网络取证渗透测试工具包,可以分析IP,包括(纬度,经度,区域,国家……)的数据包,解码,扫描端口,ping和地理定位。CyberScan模块用法CyberScan能够发送和捕获多个协议的数据包,伪造并对它们进行解码以用于大多数网络任务,如扫描,ping,探测和攻击。Pinging 网络CyberScan支持使用多种协议执行ping操作,在本地以太网上发现主机的最快方法是使用ARP:ARP Ping$ CyberScan -s 192.168.1.0/24 -p arp. Received 0 packets, got 0 answers, remaining 256 packets. WARNING: No route found for IPv6 destination :: (no default route?
发现内网存活主机的各种姿势
2022-08-12 08:05:09
在渗透中,当我们拿下一台服务器作为跳板机进一步进行内网渗透时,往往需要通过主机存活探测和端口扫描来收集内网资
VSole
网络安全专家