
I'm learning about data exfiltration using ICMP, and delivery of a payload is generally done using the `-p` "pad bytes" option, as in `ping -c 1 -p $encoded_payload`. Are there often legitimate uses for "pad bytes"? Can they simply be stripped by a firewall in most cases?

ChocolateOverflow
  • To add something of potential value :) Why don't you just drop ICMP ping/pong? Many firewalls seem to, and while it's annoying when trying to diagnose network issues, it's probably less surprising than changed packets. – domen Mar 02 '22 at 11:04
  • *Are there often legitimate use for "pad bytes"?* - Android [ping](https://android.googlesource.com/platform/external/ping/+/27ca8cd5cb0891c8a15175b52c5c24253dea5b17/ping.c#637) uses it to include a timestamp for computing the round-trip time. – Steffen Ullrich Mar 02 '22 at 13:34
  • @domen While dropping ICMP is a great option, I'm looking into attacking & defending when certain ports & protocols are allowed, looking for ways to hide data in transit from people in the SOC & how to detect such things. – ChocolateOverflow Mar 02 '22 at 14:13
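
As an added illustration of the detection side the question asks about (this is not code from the question or its comments), the following Python inspects ICMP Echo Request payloads and sorts them into "looks like ordinary ping", "static -p pattern", "pattern that changes from packet to packet" and "payload that ping -p could not have produced". It assumes the iputils ping layout: an 8-byte timestamp at the start of the data area, followed by the default incrementing fill 0x10, 0x11, ... (as seen in captures), and the documented limit of at most 16 pattern bytes for `-p`. All packets are constructed inside the file, so it runs offline.

```python
"""Classify ICMP Echo Request payloads for a SOC-style review.
Added illustration; the packets below are constructed here for the demo."""
import math
import struct
from collections import defaultdict
from typing import Dict, List

ICMP_ECHO_REQUEST = 8
TIMESTAMP_LEN = 8      # iputils ping stores a struct timeval in the first 8 data bytes
MAX_PAD_PATTERN = 16   # `ping -p` accepts at most 16 pad bytes, repeated over the data area


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo Request; used here only to construct sample packets."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> Dict[str, object]:
    """Split an ICMP message into header fields and payload, verifying the checksum."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet) != 0:  # a valid message folds to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; repeated patterns score low, arbitrary bytes high."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def minimal_period(data: bytes) -> int:
    """Smallest p such that data equals its first p bytes repeated (len(data) if none)."""
    for p in range(1, len(data) + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return len(data)


def is_default_iputils_fill(payload: bytes) -> bool:
    """Default fill as observed in captures (assumption): after the 8-byte timestamp,
    payload byte i equals (i + 8) & 0xff, i.e. 0x10, 0x11, 0x12, ..."""
    body = payload[TIMESTAMP_LEN:]
    return len(body) > 0 and all(
        b == (i + TIMESTAMP_LEN) & 0xFF for i, b in enumerate(body, TIMESTAMP_LEN))


def assess_payload(payload: bytes) -> Dict[str, object]:
    """Per-packet features a detection rule can key on."""
    body = payload[TIMESTAMP_LEN:]
    return {"default_fill": is_default_iputils_fill(payload),
            "period": minimal_period(body),
            "entropy": round(shannon_entropy(body), 2)}


def flag_stream(packets: List[bytes]) -> List[str]:
    """One verdict per echo request from a single source host.
    A benign `-p` user keeps the same pattern for a whole session; a pattern that
    changes every packet, or a data area ping -p could not have produced, stands out."""
    verdicts, last_pattern = [], None
    for pkt in packets:
        echo = parse_echo(pkt)
        if echo["type"] != ICMP_ECHO_REQUEST:
            verdicts.append("not-echo-request")
            continue
        body = echo["payload"][TIMESTAMP_LEN:]
        info = assess_payload(echo["payload"])
        if info["default_fill"]:
            verdict = "default-fill"
        elif info["period"] > MAX_PAD_PATTERN:
            verdict = "non-pattern-payload"  # cannot be a repeated <=16-byte pad pattern
        else:
            pattern = body[: info["period"]]
            verdict = "pattern-changed" if last_pattern not in (None, pattern) else "static-pattern"
            last_pattern = pattern
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic (not captured data).
TS = struct.pack("!II", 1646217840, 123456)                      # fake timeval
DEFAULT_PKT = build_echo(0x1234, 1, TS + bytes(range(0x10, 0x38)))  # plain `ping`
PAD_FF_PKT = build_echo(0x1234, 2, TS + b"\xff" * 48)             # `ping -p ff`
CHUNK1_PKT = build_echo(0x1234, 3, TS + b"constructed-sec1" * 3)  # changing -p patterns
CHUNK2_PKT = build_echo(0x1234, 4, TS + b"ret-chunk-two-!!" * 3)
ARBITRARY_PKT = build_echo(0x1234, 5, TS + bytes((i * 37 + 11) % 251 for i in range(48)))

if __name__ == "__main__":
    for name, stream in [("default", [DEFAULT_PKT]), ("pad ff", [PAD_FF_PKT, PAD_FF_PKT]),
                         ("chunks", [CHUNK1_PKT, CHUNK2_PKT]), ("arbitrary", [ARBITRARY_PKT])]:
        print(name, flag_stream(stream))
```

The per-packet features alone do not separate a legitimate `-p` user from someone rotating the pattern, which is why `flag_stream` keeps state per source: the thing worth alerting on is the pattern changing between consecutive requests, or a data area that no `-p` invocation could have generated.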

0 Answers