nerdexam
GIAC

GCIH · Question #636

Which tool can be used to exfiltrate data from a system that can only reach the remote host using ICMP?

The correct answer is A. Ptunnel. Ptunnel encapsulates TCP traffic inside ICMP echo request and reply packets, enabling data exfiltration through environments that permit only ICMP traffic.

Web Application Attacks & Post-Exploitation

Question

Which tool can be used to exfiltrate data from a system that can only reach the remote host using ICMP?

Options

  • APtunnel
  • BSCTP
  • CNetcat
  • DQUICK

How the community answered

(37 responses)
  • A
    89% (33)
  • B
    3% (1)
  • C
    3% (1)
  • D
    5% (2)

Why each option

Ptunnel encapsulates TCP traffic inside ICMP echo request and reply packets, enabling data exfiltration through environments that permit only ICMP traffic.

APtunnelCorrect

Ptunnel (Ping Tunnel) works by wrapping TCP session data inside ICMP echo packets, allowing an attacker to establish a functional data channel to a remote host even when the only permitted protocol is ICMP. Because the payload is hidden within standard ping traffic, it bypasses firewall rules that block TCP and UDP while still allowing the attacker to exfiltrate data bidirectionally.

BSCTP

SCTP (Stream Control Transmission Protocol) is a transport-layer protocol that operates directly over IP, not ICMP, and has no mechanism for encapsulating traffic inside ping packets.

CNetcat

Netcat establishes connections over TCP or UDP and cannot wrap its traffic inside ICMP packets, making it unusable when only ICMP is permitted.

DQUICK

QUIC is a Google-developed transport protocol built on UDP datagrams, not ICMP, and is not a tunneling or exfiltration utility.

Concept tested: ICMP tunneling for data exfiltration

Source: https://github.com/nicowillis/ptunnel

Topics

#ICMP tunneling#data exfiltration#Ptunnel#covert channel

Community Discussion

No community discussion yet for this question.

Full GCIH Practice