ICMP Data Field Modified - What does it Mean?
- by Lucretius
Normal ICMP Data fields are composed of a pretty standard 32-byte string of alphabet characters.
abcdefghijklmnopqrstuvwabcdefghi
I have captured a series of ICMP echo requests using Wireshark with a modified Data field and I have no idea what it means. (Underscores represent spaces.)
abcdefghijklmnopprstuvwxyzabcdefghi
abcdefghijklmnoparstuvwxyzabcdefghi
__abcdefghijklmnopsrstuvwxyzabcdefghi
__abcdefghijklmnopsrstuvwxyzabcdefghi
__abcdefghijklmnopwrstuvwxyzabcdefghi
__abcdefghijklmnopdrstuvwxyzabcdefghi__
Note:
The position of the "q" character
The addition of "xyz"
The addition of spaces before and after the payload
When you look at the position of "q" horizontally it spells "passwd", which is a Linux/Unix command for changing a user's password.
Any ideas?
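
The observation in the post can be checked mechanically. The following Python sketch is an added example, not part of the original post: it compares each echo-request data field against an a..z sequence and collects the characters that break it. The function names are hypothetical, and the sample payloads are transcribed from the post with underscores replaced by spaces.

```python
import string

# Default Windows ping data field as quoted in the post (32 bytes).
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"

def alphabet_template(n):
    """Cyclic a..z run of length n, the shape the captured payloads follow."""
    letters = string.ascii_lowercase.encode()
    return bytes(letters[i % 26] for i in range(n))

def inspect_payload(data):
    """Return (is_default, (lead, trail) space padding, [(offset, char), ...])."""
    if data == WINDOWS_DEFAULT:
        return True, (0, 0), []
    lead = len(data) - len(data.lstrip(b" "))
    trail = len(data) - len(data.rstrip(b" "))
    core = data.strip(b" ")
    template = alphabet_template(len(core))
    # Any byte that differs from the expected letter at its offset is a deviation.
    deviations = [(i, chr(c)) for i, (c, t) in enumerate(zip(core, template)) if c != t]
    return False, (lead, trail), deviations

def recover_hidden_text(payloads):
    """Concatenate the out-of-sequence characters across packets, in capture order."""
    return "".join(ch for p in payloads for _, ch in inspect_payload(p)[2])

# Payloads transcribed from the post (constructed as byte strings for this example).
CAPTURED = [
    b"abcdefghijklmnopprstuvwxyzabcdefghi",
    b"abcdefghijklmnoparstuvwxyzabcdefghi",
    b"  abcdefghijklmnopsrstuvwxyzabcdefghi",
    b"  abcdefghijklmnopsrstuvwxyzabcdefghi",
    b"  abcdefghijklmnopwrstuvwxyzabcdefghi",
    b"  abcdefghijklmnopdrstuvwxyzabcdefghi  ",
]

if __name__ == "__main__":
    for p in CAPTURED:
        print(inspect_payload(p))
    print("out-of-sequence characters:", recover_hidden_text(CAPTURED))
```

The same comparison can be applied to data fields exported from a capture to flag echo requests whose payload is neither the default nor a clean alphabet run.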