Introduction

Anyone who has ever dealt with server management knows the famous ping utility. Ping sends ICMP echo requests to a remote host; it is commonly used to test whether a server is alive or to learn its IP address. However, ping's options let us customize these requests to some extent, and then it becomes possible to transfer any type of data. For this purpose I tested my script with different media types such as png or mp3, and it worked perfectly.

The idea

By default, ping requests are 98 bytes long, including 56 bytes of data plus the various headers. With the -p option, ping lets you customize 16 of those 56 bytes:

[Figure: ping test]

Here is the request captured with tcpdump on the remote host:

[Figure: ping capture]

As you can see, the submitted string repeats again and again until the end of the request's data section. If you provide a string longer than 16 bytes, it is truncated. From here, we can convert any data to hex and send it through ping requests.
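The capture above shows the tell-tale shape of a `-p` payload: after the timestamp that ping writes at the start of the data section, the same short pattern repeats until the 56 bytes are used up, whereas a default ping fills that space with incrementing bytes. The following added example (not code from the original post) turns that observation into a detector: it parses a constructed ICMP echo request, verifies the checksum, and reports the shortest repeating period of the data section after the timestamp. A period of 16 bytes or less is exactly what `-p` produces. The 16-byte timestamp length and the `0x10, 0x11, ...` default fill are assumptions matching common iputils builds; older builds use an 8-byte timestamp, so adjust `TIMESTAMP_LEN` to what your own captures show.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_HDR_LEN = 8          # type, code, checksum, identifier, sequence
DEFAULT_DATA_LEN = 56     # ping's default data size, as stated in the post
MAX_PATTERN_LEN = 16      # ping -p keeps at most 16 bytes of pattern
TIMESTAMP_LEN = 16        # assumption: leading bytes ping uses for its send timestamp


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP echo request (header + data) for offline testing."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def pattern_fill(pattern_hex: str, length: int) -> bytes:
    """Reproduce how `ping -p` fills the data section: the pattern is truncated
    to 16 bytes and repeated until the data section is full."""
    pattern = bytes.fromhex(pattern_hex)[:MAX_PATTERN_LEN]
    return (pattern * (length // len(pattern) + 1))[:length]


def sample_default_data(timestamp: bytes = bytes(TIMESTAMP_LEN)) -> bytes:
    """Constructed default-style data: timestamp, then bytes 0x10, 0x11, ... up to 0x37."""
    return timestamp + bytes(range(TIMESTAMP_LEN, DEFAULT_DATA_LEN))


def sample_patterned_data(pattern_hex: str,
                          timestamp: bytes = bytes(TIMESTAMP_LEN)) -> bytes:
    """Constructed data as produced by `ping -p <pattern_hex>`."""
    return timestamp + pattern_fill(pattern_hex, DEFAULT_DATA_LEN - TIMESTAMP_LEN)


def smallest_period(buf: bytes) -> int:
    """Smallest p such that buf[i] == buf[i + p] for every i; len(buf) if none."""
    n = len(buf)
    for p in range(1, n):
        if all(buf[i] == buf[i + p] for i in range(n - p)):
            return p
    return n


def inspect_echo(packet: bytes):
    """Classify an ICMP message. Returns (verdict, period, pattern_hex)."""
    if packet[0] != ICMP_ECHO_REQUEST:
        return ("not-echo-request", None, None)
    if icmp_checksum(packet) != 0:
        return ("bad-checksum", None, None)
    data = packet[ICMP_HDR_LEN:]
    body = data[TIMESTAMP_LEN:]            # skip the timestamp ping writes first
    if len(body) < 2 * MAX_PATTERN_LEN:    # too little data to judge repetition
        return ("too-short", None, None)
    period = smallest_period(body)
    if period <= MAX_PATTERN_LEN:
        return ("patterned", period, body[:period].hex())
    return ("default-like", None, None)


if __name__ == "__main__":
    for label, data in (("default", sample_default_data()),
                        ("ping -p deadbeef", sample_patterned_data("deadbeef"))):
        print(label, "->", inspect_echo(build_echo_request(data)))
```

On a single packet this is only a heuristic: an administrator running `ping -p` for a legitimate line test trips it too. Where it becomes useful is in aggregate, counting echo requests per source whose data section is patterned and whose pattern changes from packet to packet, which is what a transfer of arbitrary data looks like and what a routine connectivity check does not.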

...

Definition

Steganography is the art of hiding a message inside another, ordinary-looking message. The hidden message can be clear text or encrypted, and the container can be anything: an image, music, plain text or whatever else. The main benefit of steganography is that you can recover the final message only if you know the technique used to hide it, because you need to apply the same algorithm. As a second layer of protection, you can also encrypt the data with any algorithm you like or with a private key.

...

With the evolution of cybercrime in recent years, security has become a significant budget item in large companies. For instance, Facebook has created a dedicated platform for security researchers and frequently rewards them ($1.3 million spent in 2014).

Ebay, Airbnb, Yahoo, Snapchat, Wordpress: all of these companies are now security-aware, and all of them have set up a bug bounty program. Even mobile platforms, with Android and iOS apps, have recently come into focus for the giant Google.

...

As a pentester, you might be able to take control of systems that are directly reachable, but you might also have to test the internal network and check the machines that sit inside a subnetwork.

For that task you have to use an already compromised machine as a bridge/gateway; this technique is called "pivoting". Depending on the context, different solutions exist to perform this task.

Rinetd

The easiest one. First you need to install Rinetd:

aptitude search rinetd
p   rinetd                                     - Internet TCP redirection server

Then edit the /etc/rinetd.conf file:

# bindadress    bindport  connectaddress  connectport
192.168.0.10    80        91.121.139.22   8080

Restart Rinetd, and from now on all incoming traffic to 192.168.0.10 on port 80 will be redirected to 91.121.139.22 on port 8080. This can be useful if a firewall restricts outbound traffic on certain ports.
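A forwarding rule like the one above is also what a defender looks for when reviewing a host that may have been turned into a gateway: a listener on an internal address that hands every connection to a public IP. The following added example (not part of the original post or of the Rinetd project) parses the four-column forwarding rules of a rinetd.conf and audits them, flagging wildcard binds, forwards to non-private destinations, privileged bind ports and malformed lines. The sample configuration is constructed: its first rule is the post's, the other two are made up to exercise the checks. Rinetd's `allow`, `deny`, `logfile` and `logcommon` directives are recognised and skipped; everything else about the file format is treated as a plain forwarding rule.

```python
import ipaddress

# Constructed sample rinetd.conf: line 2 is the rule from the post, lines 3-4 are
# made up to exercise the audit (wildcard bind, unparsable port).
SAMPLE_RINETD_CONF = """\
# bindadress    bindport  connectaddress  connectport
192.168.0.10    80        91.121.139.22   8080
0.0.0.0         2222      10.0.0.5        22
192.168.0.10    notaport  10.0.0.5        22
"""

# Non-forwarding directives rinetd accepts; they are not audited here.
OTHER_DIRECTIVES = {"allow", "deny", "logfile", "logcommon"}


def parse_rinetd_conf(text: str) -> list:
    """Return one dict per non-comment line: a forwarding rule, or an error record."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] in OTHER_DIRECTIVES:
            continue
        if len(fields) != 4:
            rules.append({"line": lineno, "error": "expected 4 fields"})
            continue
        bind_addr, bind_port, connect_addr, connect_port = fields
        try:
            rules.append({"line": lineno,
                          "bind_addr": bind_addr, "bind_port": int(bind_port),
                          "connect_addr": connect_addr, "connect_port": int(connect_port)})
        except ValueError:
            rules.append({"line": lineno, "error": "port is not an integer"})
    return rules


def audit_rules(rules: list) -> list:
    """Return (line, kind, message) findings for rules worth a second look."""
    findings = []
    for r in rules:
        if "error" in r:
            findings.append((r["line"], "parse-error", r["error"]))
            continue
        for key in ("bind_port", "connect_port"):
            if not 1 <= r[key] <= 65535:
                findings.append((r["line"], "bad-port", "%s=%d" % (key, r[key])))
        if r["bind_port"] < 1024:
            findings.append((r["line"], "privileged-port",
                             "binding port %d needs root" % r["bind_port"]))
        try:
            bind_ip = ipaddress.ip_address(r["bind_addr"])
            if bind_ip.is_unspecified:
                findings.append((r["line"], "wildcard-bind",
                                 "listener reachable on every interface"))
        except ValueError:
            findings.append((r["line"], "bind-not-ip", r["bind_addr"]))
        try:
            dst_ip = ipaddress.ip_address(r["connect_addr"])
            if dst_ip.is_global:
                findings.append((r["line"], "external-destination",
                                 "traffic forwarded to public host %s" % dst_ip))
        except ValueError:
            # hostnames are allowed by rinetd; resolution is left to the reviewer
            findings.append((r["line"], "dest-not-ip", r["connect_addr"]))
    return findings


if __name__ == "__main__":
    for line, kind, msg in audit_rules(parse_rinetd_conf(SAMPLE_RINETD_CONF)):
        print("line %d: %s: %s" % (line, kind, msg))
```

Run against the post's own rule, the audit reports both a privileged bind port and an external destination, which is precisely the pivot the post describes; on a production host neither should exist without a documented reason.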

...

The famous Offensive Security Certified Professional, aka OSCP, is the certification for the Penetration Testing with Kali Linux course, aka PWK, provided by Offensive Security.

Offensive Security

Offensive Security is one of the most active organizations on the Internet when it comes to offsec. In addition to providing pentest and attack simulation services to their customers, they also bring a lot of great solutions to the community.

Currently 6 online/live/in-house courses are available (pentest, wireless security, Windows exploitation, web attacks…) which go with 5 different well-known certifications. An incredible online virtual lab composed of intentionally vulnerable machines (Ubuntu, XP, web apps, mail services, FTP vulns and so on…) has been created to enhance your security knowledge. Offensive Security is also the editor of awesome projects such as Kali Linux, Metasploit and the Google Hacking Database, the tools most used by pentesters.

The quality of all of these solutions is well recognized by the community, by many companies, and actually by everyone who has to deal with offsec :)

...