WEBVTT

00:00.700 --> 00:04.750
Chapter 13: Exploiting the ICMP protocol

00:08.240 --> 00:14.750
The unauthorized reproduction, in whole or in part, of this publication in any form is prohibited.

00:26.570 --> 00:30.560
In this chapter we will get to know how the ICMP protocol works.

00:30.650 --> 00:43.060
Let's start by learning about the basic tools ping and traceroute.

00:43.260 --> 00:47.020
We'll look at the useful options of the ping program and see how they work.

01:03.010 --> 01:07.090
Thanks to the parameters -c, -s and -t,

01:07.150 --> 01:13.240
it is possible to determine the number of ICMP packets sent, as well as their size and time to live,

01:13.510 --> 01:14.370
or TTL.

01:34.400 --> 01:40.670
As we can see, after the lifetime of packet number two ends, we see the information we need on

01:40.670 --> 01:41.470
the screen.

01:46.990 --> 01:52.180
After investigating the route of the packet with the traceroute program, we discover why the packet has

01:52.180 --> 01:54.150
been rejected by the second node.

01:54.220 --> 01:59.810
Now we can test the options that will be helpful during the attack.

01:59.860 --> 02:10.510
The first of them is the minus option, which determines the packet sending interval.

02:10.510 --> 02:15.640
Another option is -f, which causes flooding with a large number of packets.

02:15.640 --> 02:23.170
This option is available only to the system administrator. As we can see, within less than a second

02:23.170 --> 02:25.400
we managed to send 10,000 packets,

02:28.840 --> 02:33.040
but let's try to improve our performance using a specially prepared program.

02:33.040 --> 03:01.320
We will now copy the files we need.

03:01.340 --> 03:08.420
Our program uses raw sockets to send packets. After properly filling in the IP and ICMP structures,

03:08.420 --> 03:13.900
the packet can be sent.

03:13.990 --> 03:55.870
We will find the description of the specific structures in the header files.

03:55.900 --> 04:01.690
Finally, after having filled in the structures, it is possible to create a raw-type socket using the socket

04:01.690 --> 04:06.990
function. We will now check the functioning of our program.

04:07.040 --> 04:11.420
We should remember that administrator privileges are required to create a raw socket.

04:19.120 --> 04:22.460
Each dot printed on the screen represents one sent packet.

04:22.540 --> 04:26.700
Let's save the output of our program and count the number of dots in it.

04:41.240 --> 04:48.410
As we can see, within approximately five seconds we managed to send almost 400,000 packets.

04:48.410 --> 04:52.310
Now let's consider the ICMP protocol for other purposes.

04:52.490 --> 04:54.910
This protocol is often used in backdoors.

04:54.950 --> 04:56.690
Let's have a look at examples.

05:11.610 --> 05:18.210
As we can see, sending the ICMP packet generates significantly fewer suspicious records in the

05:18.210 --> 05:20.370
netstat program. To a hacker,

05:20.370 --> 05:23.660
this is a huge advantage.

05:23.820 --> 05:29.680
Now we'll unpack and compile the netcat program that will transmit data in the next example.

06:18.380 --> 06:23.540
Our backdoor will create a raw socket that will analyze the packets being received. When it intercepts

06:23.570 --> 06:27.780
two packets differing in size by 1337,

06:27.800 --> 06:29.830
it will start up the netcat program.

06:43.630 --> 06:46.350
As we can see, after starting up the backdoor,

06:46.360 --> 07:11.990
the netstat program indicates the presence of only the raw socket.

07:12.250 --> 07:20.890
After having sent two ICMP packets differing in size by 1337, a netcat application has been started that

07:20.890 --> 07:23.780
enables access to the shell.

07:23.800 --> 07:27.720
Unfortunately the connection with the shell is visible at first glance.

07:27.760 --> 07:30.360
To prevent this, we will use our next program.

07:42.630 --> 07:48.960
The client program will send a properly prepared ICMP packet containing the password and the name of

07:48.960 --> 07:50.010
the file to send,

08:08.260 --> 08:09.680
while the server program,

08:09.700 --> 08:26.060
after registering an appropriate packet, will send the indicated data in the answer.

08:26.090 --> 08:56.750
Let's compile our programs and see them work.

08:56.780 --> 08:58.180
We have been successful.

08:58.250 --> 09:04.700
The server returned the content of the indicated file. This time the netstat program has indicated the

09:04.700 --> 09:06.680
presence of only the raw socket.
