remote shell over icmp

I can say for sure that the Internet Control Message Protocol (ICMP) is more than just a tool for troubleshooting based on my experience in network protocols and security.

Since its creation in the early days of networking, ICMP has been used for more than just reporting errors and diagnosing problems. Smart cybersecurity experts have cleverly changed it to do more advanced things, like setting up remote shells and safe tunnels.

However, it’s important to note that new improvements in network security protocols and operating system architectures have made it harder to take advantage of ICMP.

In this article, I go into how ICMP tunneling has changed over time, how it works now, and what other options are available that meet today’s strict security needs.

Understanding ICMP

Network devices use ICMP, a supporting protocol in the Internet Protocol Suite, to send operational information and error messages. While not primarily designed for data transfer, creative utilization of ICMP can enable unique communication methods, such as Remote Shell over ICMP.

Key Features

  1. Error Handling: ICMP handles errors and provides feedback on problems related to routing and delivery.
  2. Diagnostic Functions: Tools like ping and traceroute utilize ICMP to diagnose network connectivity issues.
  3. Extension for IP: ICMP works closely with IP, enhancing its capabilities.

Remote Shell over ICMP: An Overview

Remote Shell over ICMP is a technique that leverages ICMP’s echo request and reply messages to establish a covert communication channel. This can be used to execute commands on a remote system.

icmp shell

How It Works

  1. Initialization: A client sends an ICMP echo request containing a command to the target system.
  2. Execution: The target system executes the command and encapsulates the result in an ICMP echo reply.
  3. Communication: The client receives the reply and extracts the result.
remote shell

Tools and Libraries

Several tools and libraries facilitate Remote Shell over ICMP, including:

  • Icmpsh: A simple reverse ICMP shell with a client and server.
  • PingTunnel: Allows tunneling TCP over ICMP.

Applications and Security Considerations


  • Network Troubleshooting: Remote Shell over ICMP can be used for remote diagnostics and troubleshooting.
  • Covert Communication: It can establish covert channels for data exfiltration or remote control.

Security Considerations

  • Detection: Modern Intrusion Detection Systems (IDS) can detect abnormal ICMP traffic.
  • Mitigation: Implementing proper firewall rules and monitoring ICMP traffic can mitigate risks

A Brief History of ICMP Tunneling

Back in the 1990s and early 2000s, ICMP tunneling was a relatively easy way for attackers to fly under the radar and bypass firewall rules. By encoding data into ICMP echo request and response packets, they could tunnel anything from a remote shell to voice traffic.

One of the first ICMP tunneling programs was Loki, released in the late 1990s. It allowed an attacker to remotely access a system by encoding traffic into ICMP echo request/response packets between client and server. At the time, many firewalls simply allowed ICMP traffic to pass through uninspected.

Other programs like Ping Tunnel, NSTX, and PTunnel followed over the years, each improving on the features and stealth of tunneling over ICMP. For a while, it proved to be a simple but effective way to achieve remote access and bypass security controls.

The Decline of ICMP Tunneling

Over time, operating systems and network security evolved to limit the abuse of ICMP for tunneling.

For one, the widespread use of NAT (Network Address Translation) has made it much harder to initiate an outbound ICMP tunnel from behind a firewall. NAT prevents systems behind a firewall from being directly addressed, which these tunnels relied on.

Additionally, many modern firewalls perform deep packet inspection, looking for patterns of ICMP traffic that suggest tunneling. Signatures can match things like excessive ICMP requests or ICMP packets with highly uniform payload sizes.

Operating systems have also clamped down. In Windows Vista and higher, Microsoft disabled the ICMP redirect functionality often needed for tunneling. Linux and other OSes now randomize ICMP payload sizes and have additional restrictions around crafting ICMP packets.

While not impossible, ICMP tunneling requires far more effort to pull off compared to 20 years ago. The risks and complexities often outweigh the benefits when easier options exist.

Alternative Options in 2023

So if ICMP tunneling is no longer an easy path to remote shell access, what other options exist in 2023? Here are a few good ones:

Virtual Private Networks (VPN)

One of the most common and effective ways to remotely access systems these days is using a VPN. By establishing an encrypted tunnel between client and server, a VPN allows you to securely access remote networks and systems across the internet.

Popular options like OpenVPN, WireGuard, and IKEv2 IPsec can evade firewalls and masquerade your traffic.

LAN to VPN Reverse Shell

LAN to VPN Reverse Shell (Reverse SSH Technique)

SSH Tunneling

Secure Shell (SSH) is another go-to option for remote access. SSH tunnels provide encryption and can carry many types of traffic over protocols like HTTP or DNS, making them tough for firewalls to block. This gives you secure point-to-point access to remote systems.

Web Proxies

For quick, simple access to remote systems, anonymous web proxies can be handy. They allow you to route traffic through an intermediary web server, which makes requests on your behalf. While they lack encryption, they provide an easy way to bypass local restrictions and access remote systems.

Reverse Shells

If you’ve already compromised a target system, executing a reverse shell is a sneaky way to route access through the target and back out to your system. This disguises your traffic as originating from the target rather than accessing it remotely. Just beware that reverse shells can be unstable and lack encryption.

reverse shell

Port Forwarding

For an ongoing remote connection, port forwarding via SSH or other services may be an option. This allows you to forward traffic from remote ports to a client system as if it were local. While not a full remote shell, it enables access to remote services.

The key point is that in 2023, options abound for securely accessing remote systems aside from antiquated ICMP tunnels. When stealth is required, a commercial VPN service with shared IPs or traffic running over SSH may be your best bet.

For quick remote access, web proxies still have their place. And when presence is established, port forwards get the job done.

Just don’t rely solely on ICMP; while you may get it working, it’s an uphill battle compared to better options available today. Focus your efforts on tools built for remote access rather than trying to resurrect a mostly defunct hack from decades ago!

Frequently Asked Questions

Q. Is ICMP just used for ping?

A: No, ICMP is used for more than just the common ping command. It also conveys error messages, helps with diagnostics, performs router discovery, and more. But its core functions revolve around troubleshooting issues.

Q. Why did ICMP work well for tunneling in the past?

A: In the 1990s and early 2000s, firewalls and networks were less sophisticated. They often allowed all ICMP traffic to pass through without inspection, so tunneling protocols could hide in that traffic.

Q. What are some examples of ICMP tunneling programs?

A: Some examples include Loki, Ping Tunnel, PTunnel, and NSTX. They all leverage ICMP in different ways to encode tunnels for remote access, shells, file transfer, etc.

Q. How do modern firewalls detect ICMP tunneling?

A: Firewalls look for patterns like excessive ICMP traffic, uniform packet sizes, and other signs that indicate the protocol is being used for tunneling rather than diagnostics.

Q. How have operating systems like Windows limited ICMP abuse?

A: In Vista and newer Windows versions, the ICMP redirect functionality often needed for tunneling is disabled. Other OSes randomize packet sizes and restrict ICMP packet crafting.

Q. Why is NAT a challenge for ICMP tunnels today?

A: Network address translation (NAT) gives systems private IP addresses behind a firewall. This prevents them from being directly addressed for inbound ICMP tunnel initiation.

Q. Are VPNs more secure and flexible than ICMP tunnels?

A: Yes, modern VPN protocols like OpenVPN, WireGuard, and IKEv2 allow far more flexibility and security. They encrypt traffic, evade firewalls, and provide stable connectivity.

Q. When would a web proxy make sense vs SSH or VPN?

A: Web proxies provide quick, simple access without encryption when you just need to bypass a local restriction. SSH and VPNs are preferred for encryption and robust access.

Q. What are the risks of using reverse shells?

A: Reverse shells can be unstable since they route through the target system and back to you. They also lack encryption, so traffic is sent in the clear.

Q. Why use port forwarding instead of a full remote shell?

A: Port forwarding provides access to individual services rather than full shell access. It’s useful when you just need access to specific remote ports.

Other Topics:

Similar Posts