In the computer world we live in, you have used the PING command at least once, but what is it? (Answers to all your questions, in detail, here!)
A look into the world of ICMP tunneling


The following is a short excerpt from RFC 792: https://tools.ietf.org/html/rfc792

                   INTERNET CONTROL MESSAGE PROTOCOL

                         DARPA INTERNET PROGRAM
                         PROTOCOL SPECIFICATION

Introduction:

The Internet Protocol (IP) [1] is used for host-to-host datagram service in a system of interconnected networks called the Catenet [2].

The network connecting devices are called Gateways. These gateways communicate between themselves for control purposes via a Gateway to Gateway Protocol (GGP) [3,4]. Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module.

ICMP messages are sent in several situations: for example,
  • when a datagram cannot reach its destination
  • when the gateway does not have the buffering capacity to forward a datagram
  • when the gateway can direct the host to send traffic on a shorter route.
The ICMP messages typically report errors in the processing of datagrams.

Purpose behind the creation of ICMP (the protocol behind ping):

  1. The Internet Protocol is not designed to be absolutely reliable.
  2. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable.

What is a computer network?

A computer network is a group of computers that use a set of common communication protocols over digital interconnections for the purpose of sharing resources located on or provided by the network nodes.

Is ping a protocol, or a utility that uses one?

Ping is not a protocol itself; it is a computer network administration utility, built on ICMP, used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.

Structure of the ICMP (ping) protocol:

All good, but wait! Every invention has its uses and its other side too.

The payload region of the ICMP packet:

After the IP header comes the three-field ICMP header: a type field that categorises the error, a code (sub-code) field that refines the error description, and a checksum. After the ICMP header come the first eight bytes of the original datagram's payload, which are actually the transport-layer (TCP or UDP) header.

The payload section is crucial because no rules govern the content of the data section that an echo request and its reply carry along. Since we can put almost anything in there, this is what brings us to ICMP tunneling.
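To make this layout concrete, here is an added example (my code, not the article's) that builds an ICMP echo request with an arbitrary payload, computes the checksum the way RFC 792 specifies, and parses the message back. It uses only the Python standard library and never touches the network.

```python
import struct

ICMP_ECHO_REQUEST = 8   # Type 8: echo request, what ping sends
ICMP_ECHO_REPLY = 0     # Type 0: echo reply
HEADER = "!BBHHH"       # type, code, checksum, identifier, sequence (8 bytes)

def icmp_checksum(data: bytes) -> int:
    """RFC 792/1071 checksum: one's-complement sum of the 16-bit words,
    then complemented. Computed with the checksum field itself set to zero."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo header + payload, i.e. exactly what follows the IP header on the wire.
    Nothing constrains the payload bytes: that freedom is the tunneling surface."""
    header = struct.pack(HEADER, icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER, icmp_type, 0, csum, ident, seq) + payload

def parse_echo(pkt: bytes) -> dict:
    """Split an ICMP echo message into its fields and verify the checksum:
    summing a valid message including its checksum field yields zero."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack(HEADER, pkt[:8])
    return {"type": icmp_type, "code": code, "checksum": csum, "id": ident,
            "seq": seq, "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}

def echo_reply_for(request: bytes) -> bytes:
    """What a well-behaved host answers: type 0 with the same id, seq and payload."""
    req = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])

if __name__ == "__main__":
    pkt = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")   # constructed sample
    print(pkt.hex())
    print(parse_echo(pkt))
```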

ICMP tunnel

Routers only look at the headers of an ICMP packet, including the TCP/UDP header that might be behind the ICMP data. So a normal packet with lots of data in it would be passed through just as long as it had an ICMP section in it. This is potentially a backdoor for visitors to get around the authentication and charging procedures of public networks. This is called an ICMP tunnel or Ping tunnel.

It isn’t possible to tunnel through gateways and firewalls just with the standard network Ping utility that most people have on their computers. An ICMP tunnel would have to be programmed. This is also a possible route into a network for a hacker. Unfortunately, for network administrators, there are a number of free ICMP tunnel packages available for download from the internet.

Like other ICMP-based attacks, ping tunnels can be blocked by web application firewalls, intrusion detection systems, or by simply blocking all ICMP activity at the network gateway.

This is how the tunnel is created and used: once the ping exchange works, the attacker has a channel into that session on the server, which can be catastrophic for business clients, leading to data breaches and more.

How to create an ICMP tunnel?

Working on it! I will update this when I get a satisfying result; I'd love to share it with you all.

  1. How to capture ICMP packets with Tshark (the command-line counterpart of Wireshark)
  • -f "icmp" ==> capture filter, so only ICMP packets are captured
  • -V ==> verbose output with the full packet details
  • -x ==> add the hexadecimal and ASCII dump of each packet

We run Tshark, then issue the ping commands; after the ping completes we return to the Tshark window and inspect the packets.

Packet capture collected on the other system (note that the two frames below are DHCPv6 over IPv6/UDP, ports 546 to 547, not ICMP; an "icmp" capture filter would have excluded them):

Frame 1: 149 bytes on wire (1192 bits), 149 bytes captured (1192 bits) on interface \Device\NPF_{F6C39AA5-4BC8-4FBD-8B95-3FF1C74EA29A}, id 0
Ethernet II, Src: 0a:00:27:00:00:2a (0a:00:27:00:00:2a), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
Internet Protocol Version 6, Src: fe80::31f8:d54a:ba01:5dfc, Dst: ff02::1:2
User Datagram Protocol, Src Port: 546, Dst Port: 547
DHCPv6


0000  33 33 00 01 00 02 0a 00 27 00 00 2a 86 dd 60 05   33......'..*..`.
0010  40 05 00 5f 11 01 fe 80 00 00 00 00 00 00 31 f8   @.._..........1.
0020  d5 4a ba 01 5d fc ff 02 00 00 00 00 00 00 00 00   .J..]...........
0030  00 00 00 01 00 02 02 22 02 23 00 5f a4 d9 01 a3   .......".#._....
0040  a3 4e 00 08 00 02 05 dd 00 01 00 0e 00 01 00 01   .N..............
0050  23 9c 01 c9 54 bf 64 45 56 bc 00 03 00 0c 57 0a   #...T.dEV.....W.
0060  00 27 00 00 00 00 00 00 00 00 00 27 00 09 00 07   .'.........'....
0070  43 41 50 54 41 49 4e 00 10 00 0e 00 00 01 37 00   CAPTAIN.......7.
0080  08 4d 53 46 54 20 35 2e 30 00 06 00 08 00 11 00   .MSFT 5.0.......
0090  17 00 18 00 27                                    ....'


Frame 2: 149 bytes on wire (1192 bits), 149 bytes captured (1192 bits) on interface \Device\NPF_{F6C39AA5-4BC8-4FBD-8B95-3FF1C74EA29A}, id 0
Ethernet II, Src: 0a:00:27:00:00:2a (0a:00:27:00:00:2a), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
Internet Protocol Version 6, Src: fe80::31f8:d54a:ba01:5dfc, Dst: ff02::1:2
User Datagram Protocol, Src Port: 546, Dst Port: 547
DHCPv6


0000  33 33 00 01 00 02 0a 00 27 00 00 2a 86 dd 60 0a   33......'..*..`.
0010  fa 8a 00 5f 11 01 fe 80 00 00 00 00 00 00 31 f8   ..._..........1.
0020  d5 4a ba 01 5d fc ff 02 00 00 00 00 00 00 00 00   .J..]...........
0030  00 00 00 01 00 02 02 22 02 23 00 5f 9e 99 01 a3   .......".#._....
0040  a3 4e 00 08 00 02 0c 1d 00 01 00 0e 00 01 00 01   .N..............
0050  23 9c 01 c9 54 bf 64 45 56 bc 00 03 00 0c 57 0a   #...T.dEV.....W.
0060  00 27 00 00 00 00 00 00 00 00 00 27 00 09 00 07   .'.........'....
0070  43 41 50 54 41 49 4e 00 10 00 0e 00 00 01 37 00   CAPTAIN.......7.
0080  08 4d 53 46 54 20 35 2e 30 00 06 00 08 00 11 00   .MSFT 5.0.......
0090  17 00 18 00 27                                    ....'

This is how packets look on the wire when they are sent. To get better insight, I tried Scapy, an easy way to generate a packet and send it over the network with ICMP, instead of decoding everything from the capture output.

Introduction to SCAPY:

Scapy is a Python program that enables the user to send, sniff, dissect and forge network packets. This capability allows the construction of tools that can probe, scan or attack networks.

Scapy is a powerful interactive packet manipulation program

Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark. So we now switch from Tshark to Scapy.


Security tooling in today's world falls into these categories:

  • Reconnaissance -- including tools for network scanning such as nmap; vulnerability scanning tools for Windows and Linux; LAN reconnaissance; tools to help with wireless reconnaissance; and custom packet generation
  • Penetration -- such as the Metasploit framework for automated penetration of remote computers; tools to find wireless networks; exploitation framework applications; and tricks and tools to manipulate shellcodes
  • Control -- including the configuration of several tools for use as backdoors; and a review of known rootkits for Windows and Linux
  • Defense -- including host-based firewalls; host hardening for Windows and Linux networks; communication security with ssh; email security and anti-malware; and device security testing
  • Monitoring -- such as tools to capture and analyze packets; network monitoring with Honeyd and snort; and host monitoring of production servers for file changes
  • Discovery -- including The Forensic Toolkit, SysInternals and other popular forensic tools; application fuzzer and fuzzing techniques; and the art of binary reverse engineering using tools like Interactive Disassembler and Ollydbg

Discovery is what we are doing here.

Being able to infiltrate communications between devices is extremely valuable to a hacker, so we need to keep searching for threats.

Procedure followed:

1) https://scapy.readthedocs.io/en/latest/# (Feb 2018)

2) https://ipython.org/install.html

3) Install Python

4) Install WinPcap

5) After installing Scapy, Unzip Scapy package

6) Add the python to environment path variables

7) Open the Command Prompt as Administrator, run python setup.py install, and test Scapy

8) iPython install from Command-prompt using pip install ipython (make sure there is internet connectivity)

Testing Scapy:

a. show_interfaces()

b. p = sniff(filter="icmp", count=3, iface="<interface name; on Windows this is the adapter name, not ethX as on Linux>")

c. p.show(), p[packet_number].show(), p.summary()

Results can be seen as such:

Now let's look at Scapy's features, listed by the lsc() command:

Next we craft a packet and send it via ICMP to the destination IP:

Now we have sent the data via ICMP like this:

Finally, the output is seen via tcpdump:

In Wireshark:

And finally we chat via the ICMP protocol. Let me be clear: this is not encrypted, so anyone on the same network segment can also read the messages. But wait!

Not everyone is a hacker, and most would rather try to hack your WhatsApp or Facebook than the messages you exchange via ping.

I am trying to add TLS encryption, if possible, to the messages we send; that would be much safer.

How to detect ICMP tunneling?

Companies are being hacked and data is being stolen. The bad actors appear to be ahead of the security-solution curve: they have methods of infiltrating networks that are unknown from a signature standpoint. So let's look at this side too, the hacker's part.

They use protocols and applications that disguise what they are doing and appear to be perfectly normal traffic streams.

But how do we see the tunnel?

A tunnel is a mechanism used to ship a foreign protocol across a network that normally would not support it. Tunneling protocols allow you to use IP to send another protocol in the “data” portion of the IP datagram. Most tunneling protocols have an agent on the client and server side that encapsulates TCP or UDP data into an allowed, commonly used protocol.

Just like in the case of DNS tunneling, where DNS is usually open, ICMP is generally not globally blocked either. 

ICMP is used in a network environment to check internal or external address availability, or routes. Much like the applications available to do DNS tunneling, there are many programs available to pass data from one point to another via ICMP tunneling.

The client loads ICMP packets with file/data content and passes ICMP request packets to a destination. The destination has a listener program that reads and unpacks the ICMP packets.

One detection method is to run a packet capture tool such as tcpdump listening for ICMP packets from the initiating client IP address.

Try using packet capture tools to better visualize the network flow.

This keeps you safe when you observe abnormal network flow through your computer.

Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and provides a great additional security layer to your network intrusion prevention solution.

Basic ICMP types:

Ping uses two ICMP types: 8 (echo request) and 0 (echo reply). When you issue the ping command at the prompt, the ping program sends out an ICMP packet with 8 in the Type field. The reply will have a Type of 0. The program times the gap between sending the echo request packet and the arrival of the reply, so you get the "round trip time" of a packet to the given destination network and back.

In brief, a mind-map of the topic:



Thank you!
Feel free to share your thoughts; I'm open to suggestions on this article.

Comment from Siva Naik Kethavath (DevOps Engineer | MLOps | DataOps | Founding Engineer), 4 years ago:

Well done
