File transfer with ping

Introduction

Anyone who has ever dealt with server management knows the famous ping utility. Ping sends ICMP requests to a remote host; it is commonly used to test whether a server is alive or to find its IP address. However, ping’s options allow us to customize these requests to some extent, which makes it possible to transfer any type of data. For this purpose I tested my script with different media types like PNG or MP3 and it worked perfectly.

The idea

By default, ping requests are 98 bytes long, including 56 bytes of data and various headers. With the -p option, ping allows you to customize 16 of those 56 bytes:

[Image: ping test]

Here is the request captured with tcpdump on the remote host:

[Image: ping capture]

As you can see, the submitted string repeats again and again until the end of the request data. If you provide a string longer than 16 bytes, it will be truncated. From here, we can convert any data to hexadecimal and send it through ping requests.

The POC

For my tests I used the following Anonymous image:

[Image: anonymous]

This image is about 7 KB, so the script sent nearly 1200 ping requests, which is a lot… It’s also time-consuming, but to be honest it’s so fun :) Below is the POC:

[Image: icmp transfer poc]

[Image: icmp transfer capture]

Note: the script also works if echo requests have been disabled on the remote host (with icmp_echo_ignore_all equal to 1), but more slowly. Feel free to mail me if you want to take a look at the scripts.
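
On the monitoring side, the repeating pattern described above is also what makes this kind of transfer stand out in a capture. The following is an added example, not one of the author's scripts: it flags hosts whose echo requests carry many different fill patterns. It assumes the Linux iputils payload layout (a 16-byte timestamp followed by the fill, with an incrementing default fill); the function names, threshold and sample addresses are hypothetical.

```python
from collections import defaultdict

TS_LEN = 16   # assumption: 64-bit Linux iputils writes a 16-byte timestamp first
MAX_PAT = 16  # ping -p takes at most 16 pattern bytes (per the article)

def fill_pattern(data, ts_len=TS_LEN):
    """Return the repeating fill pattern of an echo payload, else None.
    None means the default incrementing fill (assumed iputils behaviour)
    or no repetition with a period of 16 bytes or less."""
    body = data[ts_len:]
    if len(body) < 2 * MAX_PAT:
        return None  # too short to confirm a 16-byte repetition
    if all(b == (ts_len + i) & 0xFF for i, b in enumerate(body)):
        return None  # default fill: 0x10, 0x11, 0x12, ...
    for p in range(1, MAX_PAT + 1):
        if all(body[i] == body[i - p] for i in range(p, len(body))):
            # Re-align so index 0 corresponds to offset 0 of the data area.
            return bytes(body[(k - ts_len) % p] for k in range(p))
    return None

def flag_sources(packets, threshold=8):
    """packets: iterable of (src_ip, icmp_data) for echo requests.
    Returns {src_ip: distinct_pattern_count} for sources that used at
    least `threshold` different fill patterns. One fixed -p pattern is a
    normal diagnostic; a stream of changing patterns carries data."""
    seen = defaultdict(set)
    for src, data in packets:
        pat = fill_pattern(data)
        if pat is not None:
            seen[src].add(pat)
    return {s: len(p) for s, p in seen.items() if len(p) >= threshold}

def sample_payload(pattern=None, size=56, ts_len=TS_LEN):
    """Constructed test data laid out as described above (zeroed timestamp)."""
    fill = bytes(range(size)) if pattern is None else (pattern * size)[:size]
    return b"\x00" * ts_len + fill[ts_len:]

# Constructed traffic: one host pinging normally, one host using one fixed
# pattern, one host sending 12 different 16-byte patterns.
SAMPLE = [("10.0.0.5", sample_payload()) for _ in range(20)]
SAMPLE += [("10.0.0.7", sample_payload(b"\xff")) for _ in range(20)]
SAMPLE += [("10.0.0.9", sample_payload(bytes(range(16 * i, 16 * i + 16))))
           for i in range(12)]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))  # {'10.0.0.9': 12}
```

In practice the `(src_ip, icmp_data)` pairs would come from a packet capture, and the threshold should be tuned to how often fixed `-p` patterns are used for diagnostics on the network.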
