Tags: exfiltration icmp wireshark

Rating: 5.0

The data was exfil'd in the data section of ICMP packets. If you open the pcap in Wireshark and filter by data, you'll see this:

The "no response found" packets are not normal and are a bit sus. Click on one and you'll see data that looks like this:

We see data in the form `data:1:39:some-hex`. If you click through them, you'll notice that the first section is either `data` or `checksum`. `data` means data is being sent and `checksum` means it's the last exfil packet, carrying the checksum of the entire data. The second section is just the sequence number of the exfil packet and the third section is the total number of data packets.

Here's a quick script to scrape out the data:
```python
from scapy.all import *
import binascii

last_seqn = 0
result = ""

def handler(pkt):
    global last_seqn
    global result

    # ICMP payload is "<data|checksum>:<seq>:<total>:<hex>"; anything that
    # doesn't carry a payload or isn't text is skipped
    try:
        split = pkt[Raw].load.decode().split(':')
    except:
        return

    exfil = split[0]
    if (exfil == 'data' or exfil == 'checksum'):
        seqn = int(split[1])
        total = int(split[2])
        data = split[3]

        if(exfil == "checksum"):
            # last packet: dump everything collected so far as raw bytes
            outf = open('out',"wb")
            for i in range(0, len(result), 2):
                outf.write(binascii.unhexlify(result[i:i+2]))
            outf.close()
            exit()
        else:
            result += data

# CAPTURE.pcap is a placeholder for the challenge pcap
sniff(offline="CAPTURE.pcap", filter="icmp", prn=handler)
```



Contents of the out file:
```console
$ cat out
[client]
```
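The same `data:<seq>:<total>:<hex>` / `checksum:<seq>:<total>:<hex>` framing, reassembled in an added example that is not the writeup's script: it works on the raw ICMP payload bytes (no scapy needed), orders chunks by sequence number so out-of-order or retransmitted packets don't corrupt the output, and reports missing sequence numbers. The writeup doesn't say which checksum algorithm the final packet carries, so MD5 over the reassembled bytes is an assumption here, and the sample traffic is constructed, not taken from the challenge pcap.

```python
import binascii
import hashlib

def parse_payload(payload: bytes):
    """Split one ICMP data section into (kind, seq, total, hex_body); None if it isn't exfil framing."""
    try:
        kind, seq, total, body = payload.decode("ascii").split(":", 3)
        seq, total = int(seq), int(total)
    except (UnicodeDecodeError, ValueError):
        return None
    if kind not in ("data", "checksum"):
        return None
    return kind, seq, total, body

def reassemble(payloads):
    """Return (data, declared_checksum, missing_seqs) from a list of raw ICMP payloads."""
    chunks, declared, total = {}, None, 0
    for p in payloads:
        parsed = parse_payload(p)
        if parsed is None:
            continue                      # ordinary ping payloads etc.
        kind, seq, tot, body = parsed
        if kind == "checksum":
            declared = body
        else:
            total = tot                   # data packets number 1..total (assumed from "data:1:39:...")
            chunks.setdefault(seq, body)  # keep the first copy, ignore retransmits
    missing = [s for s in range(1, total + 1) if s not in chunks]
    data = b"".join(binascii.unhexlify(chunks[s]) for s in sorted(chunks))
    return data, declared, missing

def checksum_matches(data: bytes, declared) -> bool:
    """MD5 is an assumption; the writeup does not name the checksum algorithm."""
    return declared is not None and hashlib.md5(data).hexdigest() == declared

def build_sample():
    """Constructed traffic: 3 data chunks sent out of order, one retransmit, one normal ping payload."""
    secret = b"[client]\nhost=127.0.0.1\n"        # 24 bytes -> 48 hex chars -> 3 chunks of 16
    hexed = binascii.hexlify(secret).decode()
    parts = [hexed[i:i + 16] for i in range(0, len(hexed), 16)]
    total = len(parts)
    frames = [f"data:{i + 1}:{total}:{p}".encode() for i, p in enumerate(parts)]
    frames.append(f"checksum:{total + 1}:{total}:{hashlib.md5(secret).hexdigest()}".encode())
    traffic = [frames[2], b"abcdefghijklmnop", frames[0], frames[2], frames[1], frames[3]]
    return secret, traffic
```

Dropping any data packet from the traffic shows up in the returned missing list and fails the checksum comparison, which is what you'd want before trusting the dumped file.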