
Normal ICMP Data fields are composed of a pretty standard 32 byte string of alphabet characters.

abcdefghijklmnopqrstuvwabcdefghi

I have captured a series of ICMP echo requests using Wireshark with a modified Data field and I have no idea what it means. (Underscores represent spaces.)

abcdefghijklmnopprstuvwxyzabcdefghi

abcdefghijklmnoparstuvwxyzabcdefghi

__abcdefghijklmnopsrstuvwxyzabcdefghi

__abcdefghijklmnopsrstuvwxyzabcdefghi

__abcdefghijklmnopwrstuvwxyzabcdefghi

__abcdefghijklmnopdrstuvwxyzabcdefghi__

Note:

  • The position of the "q" character
  • The addition of "xyz"
  • The addition of spaces before and after the payload
  • When you look at the position of "q" horizontally it spells "passwd" which is a Linux/Unix command for changing a user's password.

Any ideas?

Lucretius
  • Do the echoes come from your source system, or from a remote system? – Matthew Ife Nov 30 '11 at 17:14
  • This is actually an assignment from class, so we're given a packet capture file, basically no details, and asked generically "what's going on here?" I've submitted an answer resembling what syneticon-dj posted, but the professor has been rejecting basically all answers with short unhelpful responses like "think harder." – Lucretius Nov 30 '11 at 22:15

1 Answer


There is no standard which would define what data an ICMP echo request / reply packet has to carry, so any implementation might do what it wants to. There are even implementations of ICMP echo packets as a covert channel. Find out who or what is sending the packets in question; it should help you deduce the "why".

the-wabbit
  • This is what he was asking us for but every time I said "ICMP Tunneling" the professor would respond "No" or give some generic answer like "Think harder." Turns out I was right all along. – Lucretius Jan 29 '12 at 22:05
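As an added example (not code from the question or the answer), the following Python script shows how a defender would check captured echo-request data fields against the default ping pattern quoted in the question and pull out the substituted bytes, the inserted bytes and the padding spaces; run over the six payloads above, it recovers the "passwd" string the question noticed. The baseline pattern and the payloads are the ones quoted in the question; the alignment via difflib is an assumption of this example, not part of the original post.

```python
import difflib

# Default 32-byte data field of a standard ping, as quoted in the question.
STANDARD_PATTERN = "abcdefghijklmnopqrstuvwabcdefghi"

# Constructed sample: the six captured payloads from the question, with the
# underscores written back as the spaces they stand for.
CAPTURED = [
    "abcdefghijklmnopprstuvwxyzabcdefghi",
    "abcdefghijklmnoparstuvwxyzabcdefghi",
    "  abcdefghijklmnopsrstuvwxyzabcdefghi",
    "  abcdefghijklmnopsrstuvwxyzabcdefghi",
    "  abcdefghijklmnopwrstuvwxyzabcdefghi",
    "  abcdefghijklmnopdrstuvwxyzabcdefghi  ",
]


def analyze_payload(payload, baseline=STANDARD_PATTERN):
    """Describe how one echo-request data field deviates from the baseline.

    Counts leading/trailing spaces, then aligns the remaining letter body
    against the baseline so that substituted bytes (the "q" slot) and inserted
    bytes (the extra "xyz") are reported separately. Deleted bytes are ignored.
    """
    body = payload.strip(" ")
    leading = len(payload) - len(payload.lstrip(" "))
    trailing = len(payload) - len(payload.rstrip(" "))
    substituted, inserted = [], []
    matcher = difflib.SequenceMatcher(None, baseline, body)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "replace":
            # record (position in baseline, byte that took its place)
            substituted.extend((i1 + k, body[j1 + k]) for k in range(j2 - j1))
        elif tag == "insert":
            inserted.append(body[j1:j2])
    return {
        "leading_spaces": leading,
        "trailing_spaces": trailing,
        "substituted": substituted,
        "inserted": inserted,
        "anomalous": bool(leading or trailing or substituted or inserted),
    }


def hidden_message(payloads):
    """Concatenate the substituted bytes across packets, in capture order."""
    return "".join(b for p in payloads for _pos, b in analyze_payload(p)["substituted"])


if __name__ == "__main__":
    for p in CAPTURED:
        print(repr(p), analyze_payload(p))
    print("recovered:", hidden_message(CAPTURED))  # -> passwd
```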