ICMP Redirector #2068
@@ -110,11 +110,12 @@ By default Tavern only supports gRPC connections directly to the server. To enab | |
|
|
||
| ### Available Redirectors | ||
|
|
||
| Realm includes three built-in redirector implementations: | ||
| Realm includes four built-in redirector implementations: | ||
|
|
||
| - **`grpc`** - Direct gRPC passthrough redirector | ||
| - **`http1`** - HTTP/1.1 to gRPC redirector | ||
| - **`dns`** - DNS to gRPC redirector | ||
| - **`icmp`** - ICMP Echo to gRPC redirector | ||
|
|
||
| ### Basic Usage | ||
|
|
||
|
|
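Review bot: the new `icmp` bullet is the only entry in this list whose redirector has host prerequisites (root, Linux only, kernel echo replies disabled, per the ICMP Redirector section added further down), but nothing in the list hints at that; suggest appending "(Linux only, requires root)" to the `icmp` line so the constraint is visible where the four implementations are first enumerated.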
@@ -166,6 +167,35 @@ tavern redirector --transport dns --listen "0.0.0.0:53?domain=c2.example.com&dom | |
|
|
||
| See the [DNS Transport Configuration](/user-guide/imix#dns-transport-configuration) section in the Imix user guide for more details on agent-side configuration. | ||
|
|
||
| ### ICMP Redirector | ||
|
|
||
| The ICMP redirector tunnels C2 traffic through ICMP Echo Request/Reply packets. | ||
|
|
||
| ```bash | ||
| # Start ICMP redirector, listening on all interfaces | ||
| tavern redirector --transport icmp --listen 0.0.0.0 http://localhost:8000 | ||
| ``` | ||
|
|
||
| **Host Configuration Requirements:** | ||
|
|
||
| Before starting the ICMP redirector, the Linux kernel's automatic ICMP echo reply must be disabled. Without this, the kernel responds to incoming ICMP echo requests by mirroring the payload back to the sender before the user-space redirector can act. Agents receive this kernel reply first and parse their own request payload as a response, breaking the protocol. | ||
|
|
||
| ```bash | ||
| echo 1 | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all | ||
| ``` | ||
|
|
||
| The redirector will refuse to start if this is not set. To make the setting persistent across reboots: | ||
|
|
||
| ```bash | ||
| echo "net.ipv4.icmp_echo_ignore_all = 1" | sudo tee -a /etc/sysctl.conf | ||
| sysctl -p | ||
| ``` | ||
|
|
||
| **Other requirements:** | ||
|
|
||
| - Must run as root (raw ICMP sockets require `CAP_NET_RAW`) | ||
|
Collaborator
RAW?!?!!
Author
This is for the tavern redirector, not the beacons.
||
| - Not supported on Windows hosts | ||
|
|
||
| ### gRPC Redirector | ||
|
|
||
| The gRPC redirector provides a passthrough for gRPC traffic, useful for deploying multiple Tavern endpoints or load balancing. | ||
|
|
||
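Review bot: `sysctl -p` in the persistence block is missing `sudo` while the `tee` on the line before it has one, so copied as-is from a non-root shell the reload step fails to apply the key; suggest `sudo sysctl -p`. Two smaller points: setting `icmp_echo_ignore_all = 1` makes the host stop answering ping entirely, which deserves one sentence because any uptime check that relies on ICMP reachability of the redirector host will report it as down; and "Must run as root (raw ICMP sockets require `CAP_NET_RAW`)" could say whether granting only `CAP_NET_RAW` to the binary, instead of full root, is enough for the redirector itself.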
@@ -131,7 +131,7 @@ For more complex setups, such as configuring multiple transports or specifying d | |
| ```yaml | ||
| transports: | ||
| - URI: <string> | ||
| type: <grpc|http1|dns> | ||
| type: <grpc|http1|dns|icmp> | ||
| interval: <integer> # optional, seconds | ||
| extra: <json_string> # required (use "" if none) | ||
| server_pubkey: <string> # optional - defaults to checking the first transport URI status page. | ||
|
|
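Review bot: `URI: <string>` gives no hint that the new `icmp` type accepts only an IPv4 literal (the `*Note*` in the `### icmp` section below), so a reader filling in this template may enter a hostname and only find out at runtime; suggest a comment on the URI line such as `- URI: <string> # icmp: icmp://<ipv4 address>, hostnames not supported`.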
@@ -167,7 +167,7 @@ cargo build --release --bin imix --target=x86_64-unknown-linux-musl | |
|
|
||
| ## Transport configuration | ||
|
|
||
| Imix supports pluggable transports making it easy to adapt to your environment. Out of the box it supports `grpc` (default), `http1` and `dns`. Each transport has a corresponding redirector subcommand in tavern. In order to use a non grpc transport a redirector that can speak to your transport is required. | ||
| Imix supports pluggable transports making it easy to adapt to your environment. Out of the box it supports `grpc` (default), `http1`, `dns`, and `icmp`. Each transport has a corresponding redirector subcommand in tavern. In order to use a non grpc transport a redirector that can speak to your transport is required. | ||
|
|
||
| ### global configuration options | ||
| - `uri`: specifies the upstream server or redirector the agent should connect to eg. `https://example.com` custom ports can be specified as `https://example.com:8443` | ||
|
|
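Review bot: since this line is being rewritten anyway, fix the pre-existing wording in it: `non grpc` should be hyphenated (`non-grpc`), and a comma is missing before `making it easy to adapt`.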
@@ -199,7 +199,7 @@ This transport doesn't support eldritch functions that require bi-directional st | |
|
|
||
| ### dns | ||
|
|
||
| The DNS transport enables covert C2 communication by tunneling traffic through DNS queries and responses. This transport supports multiple DNS record types (TXT, A, AAAA). | ||
| The DNS transport enables covert C2 communication by tunneling `ConvPacket` traffic through DNS queries and responses. This transport supports multiple DNS record types (TXT, A, AAAA). | ||
|
|
||
| This transport doesn't support eldritch functions that require bi-directional streaming like reverse shell, or SOCKS5 proxying. | ||
|
|
||
|
|
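Review bot: `ConvPacket` is introduced here (and again in the `### icmp` section) without a definition or link, so a user-guide reader cannot tell what it is; suggest a short gloss or a link on first use, along the lines of the `### icmp` text that says the raw protobuf bytes are what the transport carries.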
@@ -242,6 +242,16 @@ transports: | |
| - **Connection Persistence**: The TCP connection is maintained and reused across multiple C2 cycles. If the connection drops, a new upstream connection must be initiated. | ||
| - **Not Suitable for Wide-Area Networks**: This transport is designed for local or trusted network chaining. For remote communication, use standard grpc, http1, or dns transports. | ||
|
|
||
| ### icmp | ||
|
|
||
| The ICMP transport tunnels `ConvPacket` traffic through ICMP Echo Request/Reply packets. Raw protobuf bytes are carried directly in the echo payload, allowing up to 1400 byte chunks per packet. | ||
|
|
||
| This transport doesn't support eldritch functions that require bi-directional streaming like reverse shell, or SOCKS5 proxying. | ||
|
|
||
| *Note*: The URI must be the IPv4 address of the ICMP redirector, e.g. `icmp://192.168.1.1`. The redirector host must have kernel ICMP echo replies disabled - see the [ICMP Redirector](/admin-guide/tavern#icmp-redirector) section in the Tavern admin guide for setup instructions. | ||
|
Collaborator
No support for FQDN?
Author
Also didn't plan on supporting this either
||
|
|
||
| **Extra Keys Supported:** None | ||
|
|
||
| ## Logging | ||
|
|
||
| At runtime, you may use the `IMIX_LOG` environment variable to control log levels and verbosity. See [these docs](https://docs.rs/pretty_env_logger/latest/pretty_env_logger/) for more information. **When building a release version of imix, logging is disabled** and is not included in the released binary. | ||
|
|
||
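Review bot: the section lists the redirector-host prerequisites but says nothing about what the agent needs in order to send ICMP echo requests, which is exactly the "RAW?!?!!" question in the thread; since the answer given there is that root is only required on the tavern redirector, stating that in the `### icmp` section would stop the next reader asking. Also `1400 byte chunks` should read `1400-byte chunks`.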
Please update the terraform to include support for ICMP.
Probably need to copy the DNS pattern but will need a separate VM per redirector otherwise they'll have the same IP.
I didn't plan on supporting public infra icmp. I'll look into it tho