Modems: most younger people today will never know what they were or what this sound was. Many sleepless nights were spent hearing it. I could distinguish at what speed and at what quality my modem got the connection to the BBS and later to the Internet.
For those younger than 30, modems are devices that were used to connect computers to the Internet or other networks over telephone lines. The king of them was the U.S. Robotics 56K modem, while most of us had to contend with 14.4K and later 28.8K modems while salivating over the speeds of the much more expensive 56K modems.
Modems are controlled with AT (Attention) commands. These commands perform functions such as dialing phone numbers, answering incoming calls, and sending and receiving data. AT commands are sent to the modem through the computer's serial port or USB port, and they are typically in the format "AT+command". You could type them in manually or let the dialer program do that for you.
A wide variety of AT commands can be used with modems; some of the more common are:
ATD<number>: Dial a phone number
ATA: Answer an incoming call
ATH: Hang up a call
ATZ: Reset the modem
AT&F: Reset the modem to its factory settings
AT&V: View the modem's current configuration
Ping is a command line tool that is used to test the connectivity between two devices on a network. Ping sends an ICMP (Internet Control Message Protocol) Echo Request packet to a target host and waits for an Echo-Reply packet. This is typically used to check if a host is reachable on the network and measure the round-trip time for packets. If the device does not respond, it means that there is a problem with the connection.
Did you know that you can craft Ping packets and add arbitrary data to the ICMP packet? Ping, or if we look deeper, ICMP, has an optional content field in its protocol specification. That content/payload section of the ICMP packet is traditionally used for timing and echo requests but can be repurposed to carry any type of data, such as text, binary information, or even custom protocols.
So why am I now talking about Ping? Well, if you sent an ICMP ECHO_REQUEST (in normal speak, a Ping) to the modem and filled the packet with the characters "+++ATH0<CR>", it would cause the modem to drop the connection. The hex equivalent of the "+++ATH0<CR>" string is "2b2b2b415448300d".
Under Linux, it’s much easier to craft an ICMP payload, as the ping command already has a built-in command line switch, -p, so a mKill command would look like this:
ping -p 2B2B2B415448300D 143.164.112.4
The -p switch allows you to specify up to 16 "pad" bytes to fill out the packet you send, and the last part is the IP address of the modem we would like to disconnect.
For a short but informative look at how to do this nowadays with Python, regardless of platform, check out the inc0x0 writeup on how to manually create and send ICMP/IP packets, or use nping, which is part of the tool we talked about before, Nmap.
When the modem receives the ICMP ECHO_REQUEST packet, it will respond with an ICMP ECHO_REPLY packet that contains the same data as the original packet. The modem will interpret the "+++" characters as an escape sequence, which will put it into command mode. The ATH0 command will then hang up the call and close the connection.
Now, the reason why this worked is that the PPP (Point-to-Point Protocol) driver expects the modem to pass the string "+++" unchanged to the other side, while the modem interprets it as the 'escape string' - a request to exit from data mode and accept a command. Once the modem is in command mode, the string "ATH0" instructs it to hang up immediately.
To protect your modem from this type of attack, you can disable the escape sequence by adding the string "S02=255" to the end of your modem's init string. If your modem has no init string set, use the string "ATS02=255". This will prevent the modem from interpreting the "+++" characters as an escape sequence and hanging up the call.
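For spotting such packets on the wire, here is an added example (not from the original post) that parses an IPv4 ICMP echo packet and flags a payload carrying the "+++" escape followed by an AT command. The function names and the sample packets are constructed for illustration.

```python
import re
import struct

# "+++" escape followed by an AT command and carriage return, as in the
# page's "+++ATH0<CR>" (hex 2b2b2b415448300d).
HAYES_ESCAPE = re.compile(rb"\+\+\+AT[\x20-\x7e]*\r", re.IGNORECASE)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo_payload(packet: bytes):
    """Return the data of an IPv4 ICMP echo request/reply, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                       # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    if ihl < 20 or len(icmp) < 8 or icmp[0] not in (0, 8):
        return None                       # malformed, truncated or not echo
    if inet_checksum(icmp) != 0:
        return None                       # a receiving host would drop it
    return icmp[8:]

def flag_packet(packet: bytes):
    """Return the escape sequence found in an echo payload, or None."""
    payload = icmp_echo_payload(packet)
    match = HAYES_ESCAPE.search(payload) if payload else None
    return match.group(0) if match else None

def build_sample(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed test input: bare IPv4 header (checksum unset) + ICMP echo."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp

if __name__ == "__main__":
    stamp = b"\x00" * 8                   # constructed stand-in for ping's timestamp
    padded = stamp + bytes.fromhex("2b2b2b415448300d") * 6   # as with ping -p
    default = stamp + bytes(range(0x10, 0x40))               # ordinary ping data
    for name, data in (("padded", padded), ("default", default)):
        print(name, flag_packet(build_sample(data)))
```

The check covers both echo requests and echo replies, since the string can cross the modem in either direction.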
This type of attack is obsolete now. With the widespread availability of high-speed internet connections, the vast majority of internet users have moved on from the days of dial-up to modern technologies like broadband, fiber, and mobile internet.
It is a piece of Internet nostalgia that I find fun.
On a side note, ICMP and Ping can be used for so much more, from creating data tunnels in networks to creating a custom protocol that, if not configured properly, will just blow past any firewall. Just some food for thought.
For some reason this reminds me of a prank that I've heard of but never witnessed: sending a 6 foot long completely black fax. The amount of ink required, plus the heat it would generate, would really mess up a fax machine. Supposedly.